From 4b071f2db7d6a765d02b564259515cbbd7823aa6 Mon Sep 17 00:00:00 2001 From: Amruth Pillai Date: Wed, 29 Apr 2026 19:54:21 +0200 Subject: [PATCH] update ipAddressHeaders --- src/integrations/auth/config.ts | 5 +++-- src/integrations/orpc/rate-limit.ts | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/src/integrations/auth/config.ts b/src/integrations/auth/config.ts index ebd1a6c1a..6a442379c 100644 --- a/src/integrations/auth/config.ts +++ b/src/integrations/auth/config.ts @@ -15,17 +15,18 @@ import { username } from "better-auth/plugins/username"; import { eq, or } from "drizzle-orm"; import { createElement } from "react"; +import { rateLimitConfig } from "@/integrations/rate-limit/config"; import { env } from "@/utils/env"; import { hashPassword, verifyPassword } from "@/utils/password"; import { generateId, toUsername } from "@/utils/string"; import { isAllowedOAuthRedirectUri, parseAllowedHostList } from "@/utils/url-security"; -import { rateLimitConfig } from "@/integrations/rate-limit/config"; import { schema } from "../drizzle"; import { db } from "../drizzle/client"; import { lower } from "../drizzle/helpers"; import { sendEmail } from "../email/service"; import { ResetPasswordEmail, VerifyEmail, VerifyEmailChange } from "../email/templates/auth"; +import { TRUSTED_IP_HEADERS } from "../orpc/rate-limit"; export const authBaseUrl = process.env.BETTER_AUTH_URL ?? env.APP_URL; @@ -266,7 +267,7 @@ const getAuthConfig = () => { advanced: { database: { generateId }, useSecureCookies: env.APP_URL.startsWith("https://"), - ipAddress: { ipAddressHeaders: ["x-forwarded-for", "cf-connecting-ip"] }, + ipAddress: { ipAddressHeaders: TRUSTED_IP_HEADERS }, }, emailAndPassword: { diff --git a/src/integrations/orpc/rate-limit.ts b/src/integrations/orpc/rate-limit.ts index 24a55c2ec..a4abcb2ba 100644 --- a/src/integrations/orpc/rate-limit.ts +++ b/src/integrations/orpc/rate-limit.ts @@ -8,7 +8,7 @@ type ContextWithHeaders = { user?: { id: string } | null; }; -const TRUSTED_IP_HEADERS = ["cf-connecting-ip", "x-forwarded-for", "x-real-ip", "true-client-ip"] as const; +export const TRUSTED_IP_HEADERS = ["CF-Connecting-IP", "X-Forwarded-For", "X-Real-IP", "True-Client-IP"]; function getTrustedIp(headers?: Headers): string | null { if (!headers) return null;