From edb4d7df3a9544de8dcbafe1f162ed882114e9d3 Mon Sep 17 00:00:00 2001
From: ari melody
Date: Fri, 7 Feb 2025 17:15:02 +0000
Subject: [PATCH] trim extra IPs from x-forwarded-for header
---
 bundle.sh | 2 +-
 controller/ip.go | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/bundle.sh b/bundle.sh
index dc7c023..277bb9c 100755
--- a/bundle.sh
+++ b/bundle.sh
@@ -6,4 +6,4 @@ if [ ! -f arimelody-web ]; then
 exit 1
 fi
-tar czvf arimelody-web.tar.gz arimelody-web admin/components/ admin/views/ admin/static/ views/ public/ schema-migration/
+tar czf arimelody-web.tar.gz arimelody-web admin/components/ admin/views/ admin/static/ views/ public/ schema-migration/
diff --git a/controller/ip.go b/controller/ip.go
index ae9d587..233d76a 100644
--- a/controller/ip.go
+++ b/controller/ip.go
@@ -14,6 +14,8 @@ func ResolveIP(app *model.AppState, r *http.Request) string {
 if slices.Contains(app.Config.TrustedProxies, addr) {
 forwardedFor := r.Header.Get("x-forwarded-for")
 if len(forwardedFor) > 0 {
+ // discard extra IPs; cloudflare tends to append their nodes
+ forwardedFor = strings.Split(forwardedFor, ", ")[0]
 return forwardedFor
 }
 }
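Review bot: Taking element `[0]` of `x-forwarded-for` returns the leftmost entry, which is the part of the header the client can set itself; proxies append to the right, so unless the edge strips the incoming header, `ResolveIP` returns whatever value the request arrived with. If the result feeds rate limiting, lockouts or audit logs, it should instead be the rightmost entry that is not in `app.Config.TrustedProxies`, which presumably requires the CDN's egress addresses to be in that list (its contents are not visible in this hunk). Splitting on `", "` also misses lists separated by a bare comma, so split on `","` and trim each entry. The body of `ResolveIP` starts and ends outside the hunk, so the fall-through when every hop is trusted is whatever the function already returns.

```go
		if len(forwardedFor) > 0 {
			// entries on the right were appended by proxies; the leftmost
			// entry is whatever the client sent, so walk right to left and
			// return the first hop that is not one of our own proxies
			hops := strings.Split(forwardedFor, ",")
			for i := len(hops) - 1; i >= 0; i-- {
				hop := strings.TrimSpace(hops[i])
				if hop != "" && !slices.Contains(app.Config.TrustedProxies, hop) {
					return hop
				}
			}
		}
```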