Use actix-remote-ip crate to determine user remote IP address

Cargo.lock

@@ -108,6 +108,17 @@ dependencies = [
  "syn 1.0.109",
 ]
 
+[[package]]
+name = "actix-remote-ip"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7629b357d4705cf3f1e31f989f48ecd56027112f7d52dcf06dd96ee197065f8e"
+dependencies = [
+ "actix-web",
+ "futures-util",
+ "log",
+]
+
 [[package]]
 name = "actix-router"
 version = "0.5.1"
@@ -547,6 +558,7 @@ version = "0.1.4"
 dependencies = [
  "actix",
  "actix-identity",
+ "actix-remote-ip",
  "actix-session",
  "actix-web",
  "aes-gcm",

Cargo.toml

@@ -10,6 +10,7 @@ actix = "0.13.0"
 actix-identity = "0.5.2"
 actix-web = "4"
 actix-session = { version = "0.7.2", features = ["cookie-session"] }
+actix-remote-ip = "0.1.0"
 clap = { version = "4.2.1", features = ["derive", "env"] }
 include_dir = "0.7.3"
 log = "0.4.17"

src/controllers/login_api.rs

@@ -1,9 +1,9 @@
 use crate::actors::users_actor;
 use crate::actors::users_actor::UsersActor;
 use crate::data::action_logger::{Action, ActionLogger};
-use crate::data::remote_ip::RemoteIP;
 use actix::Addr;
 use actix_identity::Identity;
+use actix_remote_ip::RemoteIP;
 use actix_web::{web, HttpRequest, HttpResponse, Responder};
 use webauthn_rs::prelude::PublicKeyCredential;
 

src/controllers/login_controller.rs

@@ -1,5 +1,6 @@
 use actix::Addr;
 use actix_identity::Identity;
+use actix_remote_ip::RemoteIP;
 use actix_web::{web, HttpRequest, HttpResponse, Responder};
 use askama::Template;
 use std::sync::Arc;
@@ -14,7 +15,6 @@ use crate::controllers::base_controller::{
 use crate::data::action_logger::{Action, ActionLogger};
 use crate::data::login_redirect::LoginRedirect;
 use crate::data::provider::{Provider, ProvidersManager};
-use crate::data::remote_ip::RemoteIP;
 use crate::data::session_identity::{SessionIdentity, SessionStatus};
 use crate::data::user::User;
 use crate::data::webauthn_manager::WebAuthManagerReq;

src/controllers/providers_controller.rs

@@ -2,6 +2,7 @@ use std::sync::Arc;
 
 use actix::Addr;
 use actix_identity::Identity;
+use actix_remote_ip::RemoteIP;
 use actix_web::{web, HttpRequest, HttpResponse, Responder};
 use askama::Template;
 
@@ -16,7 +17,6 @@ use crate::data::action_logger::{Action, ActionLogger};
 use crate::data::login_redirect::LoginRedirect;
 use crate::data::provider::{ProviderID, ProvidersManager};
 use crate::data::provider_configuration::ProviderConfigurationHelper;
-use crate::data::remote_ip::RemoteIP;
 use crate::data::session_identity::{SessionIdentity, SessionStatus};
 
 #[derive(askama::Template)]

src/controllers/settings_controller.rs

@@ -1,4 +1,5 @@
 use actix::Addr;
+use actix_remote_ip::RemoteIP;
 use actix_web::{web, HttpResponse, Responder};
 use askama::Template;
 
@@ -9,7 +10,7 @@ use crate::constants::{APP_NAME, MAX_FAILED_LOGIN_ATTEMPTS, MIN_PASS_LEN};
 use crate::data::action_logger::{Action, ActionLogger};
 use crate::data::app_config::AppConfig;
 use crate::data::current_user::CurrentUser;
-use crate::data::remote_ip::RemoteIP;
+
 use crate::data::user::User;
 
 pub(crate) struct BaseSettingsPage<'a> {
@@ -45,6 +46,7 @@ impl<'a> BaseSettingsPage<'a> {
 #[template(path = "settings/account_details.html")]
 struct AccountDetailsPage<'a> {
     _p: BaseSettingsPage<'a>,
+    remote_ip: String,
 }
 
 #[derive(Template)]
@@ -55,11 +57,12 @@ struct ChangePasswordPage<'a> {
 }
 
 /// Account details page
-pub async fn account_settings_details_route(user: CurrentUser) -> impl Responder {
+pub async fn account_settings_details_route(user: CurrentUser, ip: RemoteIP) -> impl Responder {
     let user = user.into();
     HttpResponse::Ok().body(
         AccountDetailsPage {
             _p: BaseSettingsPage::get("Account details", &user, None, None),
+            remote_ip: ip.0.to_string(),
         }
         .render()
         .unwrap(),

src/data/action_logger.rs

@@ -4,6 +4,7 @@ use std::pin::Pin;
 
 use actix::Addr;
 use actix_identity::Identity;
+use actix_remote_ip::RemoteIP;
 use actix_web::dev::Payload;
 use actix_web::{web, Error, FromRequest, HttpRequest};
 
@@ -12,7 +13,7 @@ use crate::actors::users_actor;
 use crate::actors::users_actor::{AuthorizedAuthenticationSources, UsersActor};
 use crate::data::client::Client;
 use crate::data::provider::{Provider, ProviderID};
-use crate::data::remote_ip::RemoteIP;
+
 use crate::data::session_identity::SessionIdentity;
 use crate::data::user::{FactorID, GrantedClients, TwoFactor, User, UserID};
 

src/data/mod.rs

@@ -12,7 +12,6 @@ pub mod login_redirect;
 pub mod openid_primitive;
 pub mod provider;
 pub mod provider_configuration;
-pub mod remote_ip;
 pub mod session_identity;
 pub mod totp_key;
 pub mod user;

src/data/remote_ip.rs

@@ -1,30 +0,0 @@
-use std::net::IpAddr;
-
-use actix_web::dev::Payload;
-use actix_web::{Error, FromRequest, HttpRequest};
-use futures_util::future::{ready, Ready};
-
-use crate::data::app_config::AppConfig;
-use crate::utils::network_utils::get_remote_ip;
-
-#[derive(Copy, Clone, Debug, Eq, PartialEq)]
-pub struct RemoteIP(pub IpAddr);
-
-impl From<RemoteIP> for IpAddr {
-    fn from(i: RemoteIP) -> Self {
-        i.0
-    }
-}
-
-impl FromRequest for RemoteIP {
-    type Error = Error;
-    type Future = Ready<Result<Self, Error>>;
-
-    #[inline]
-    fn from_request(req: &HttpRequest, _: &mut Payload) -> Self::Future {
-        ready(Ok(RemoteIP(get_remote_ip(
-            req,
-            AppConfig::get().proxy_ip.as_deref(),
-        ))))
-    }
-}

src/main.rs

@@ -4,6 +4,7 @@ use std::sync::Arc;
 use actix::Actor;
 use actix_identity::config::LogoutBehaviour;
 use actix_identity::IdentityMiddleware;
+use actix_remote_ip::RemoteIPConfig;
 use actix_session::storage::CookieSessionStore;
 use actix_session::SessionMiddleware;
 use actix_web::cookie::{Key, SameSite};
@@ -113,6 +114,9 @@ async fn main() -> std::io::Result<()> {
             .app_data(web::Data::new(providers.clone()))
             .app_data(web::Data::new(jwt_signer.clone()))
             .app_data(web::Data::new(webauthn_manager.clone()))
+            .app_data(web::Data::new(RemoteIPConfig {
+                proxy: AppConfig::get().proxy_ip.clone(),
+            }))
             .wrap(
                 middleware::DefaultHeaders::new().add(("Permissions-Policy", "interest-cohort=()")),
             )

src/utils/mod.rs

@@ -1,5 +1,4 @@
 pub mod crypt_utils;
 pub mod err;
-pub mod network_utils;
 pub mod string_utils;
 pub mod time;

src/utils/network_utils.rs

@@ -1,178 +0,0 @@
-use std::net::{IpAddr, Ipv6Addr};
-use std::str::FromStr;
-
-use actix_web::HttpRequest;
-
-/// Check if two ips matches
-pub fn match_ip(pattern: &str, ip: &str) -> bool {
-    if pattern.eq(ip) {
-        return true;
-    }
-
-    if pattern.ends_with('*') && ip.starts_with(&pattern.replace('*', "")) {
-        return true;
-    }
-
-    false
-}
-
-/// Get the remote IP address
-pub fn get_remote_ip(req: &HttpRequest, proxy_ip: Option<&str>) -> IpAddr {
-    let mut ip = req.peer_addr().unwrap().ip();
-
-    // We check if the request comes from a trusted reverse proxy
-    if let Some(proxy) = proxy_ip.as_ref() {
-        if match_ip(proxy, &ip.to_string()) {
-            if let Some(header) = req.headers().get("X-Forwarded-For") {
-                let header = header.to_str().unwrap();
-
-                let remote_ip = if let Some((upstream_ip, _)) = header.split_once(',') {
-                    upstream_ip
-                } else {
-                    header
-                };
-
-                if let Some(upstream_ip) = parse_ip(remote_ip) {
-                    ip = upstream_ip;
-                }
-            }
-        }
-    }
-
-    ip
-}
-
-/// Parse an IP address
-pub fn parse_ip(ip: &str) -> Option<IpAddr> {
-    let mut ip = match IpAddr::from_str(ip) {
-        Ok(ip) => ip,
-        Err(e) => {
-            log::warn!("Failed to parse an IP address: {}", e);
-            return None;
-        }
-    };
-
-    if let IpAddr::V6(ipv6) = &mut ip {
-        let mut octets = ipv6.octets();
-        for o in octets.iter_mut().skip(8) {
-            *o = 0;
-        }
-        ip = IpAddr::V6(Ipv6Addr::from(octets));
-    }
-
-    Some(ip)
-}
-
-#[cfg(test)]
-mod test {
-    use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};
-    use std::str::FromStr;
-
-    use actix_web::test::TestRequest;
-
-    use crate::utils::network_utils::{get_remote_ip, parse_ip};
-
-    #[test]
-    fn test_get_remote_ip() {
-        let req = TestRequest::default()
-            .peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
-            .to_http_request();
-        assert_eq!(
-            get_remote_ip(&req, None),
-            "192.168.1.1".parse::<IpAddr>().unwrap()
-        );
-    }
-
-    #[test]
-    fn test_get_remote_ip_from_proxy() {
-        let req = TestRequest::default()
-            .peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
-            .insert_header(("X-Forwarded-For", "1.1.1.1"))
-            .to_http_request();
-        assert_eq!(
-            get_remote_ip(&req, Some("192.168.1.1")),
-            "1.1.1.1".parse::<IpAddr>().unwrap()
-        );
-    }
-
-    #[test]
-    fn test_get_remote_ip_from_proxy_2() {
-        let req = TestRequest::default()
-            .peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
-            .insert_header(("X-Forwarded-For", "1.1.1.1, 1.2.2.2"))
-            .to_http_request();
-        assert_eq!(
-            get_remote_ip(&req, Some("192.168.1.1")),
-            "1.1.1.1".parse::<IpAddr>().unwrap()
-        );
-    }
-
-    #[test]
-    fn test_get_remote_ip_from_proxy_ipv6() {
-        let req = TestRequest::default()
-            .peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
-            .insert_header(("X-Forwarded-For", "10::1, 1.2.2.2"))
-            .to_http_request();
-        assert_eq!(
-            get_remote_ip(&req, Some("192.168.1.1")),
-            "10::".parse::<IpAddr>().unwrap()
-        );
-    }
-
-    #[test]
-    fn test_get_remote_ip_from_no_proxy() {
-        let req = TestRequest::default()
-            .peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
-            .insert_header(("X-Forwarded-For", "1.1.1.1, 1.2.2.2"))
-            .to_http_request();
-        assert_eq!(
-            get_remote_ip(&req, None),
-            "192.168.1.1".parse::<IpAddr>().unwrap()
-        );
-    }
-
-    #[test]
-    fn test_get_remote_ip_from_other_proxy() {
-        let req = TestRequest::default()
-            .peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
-            .insert_header(("X-Forwarded-For", "1.1.1.1, 1.2.2.2"))
-            .to_http_request();
-        assert_eq!(
-            get_remote_ip(&req, Some("192.168.1.2")),
-            "192.168.1.1".parse::<IpAddr>().unwrap()
-        );
-    }
-
-    #[test]
-    fn parse_bad_ip() {
-        let ip = parse_ip("badbad");
-        assert_eq!(None, ip);
-    }
-
-    #[test]
-    fn parse_ip_v4_address() {
-        let ip = parse_ip("192.168.1.1").unwrap();
-        assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(192, 168, 1, 1)));
-    }
-
-    #[test]
-    fn parse_ip_v6_address() {
-        let ip = parse_ip("2a00:1450:4007:813::200e").unwrap();
-        assert_eq!(
-            ip,
-            IpAddr::V6(Ipv6Addr::new(0x2a00, 0x1450, 0x4007, 0x813, 0, 0, 0, 0))
-        );
-    }
-
-    #[test]
-    fn parse_ip_v6_address_2() {
-        let ip = parse_ip("::1").unwrap();
-        assert_eq!(ip, IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 0)));
-    }
-
-    #[test]
-    fn parse_ip_v6_address_3() {
-        let ip = parse_ip("a::1").unwrap();
-        assert_eq!(ip, IpAddr::V6(Ipv6Addr::new(0xa, 0, 0, 0, 0, 0, 0, 0)));
-    }
-}

templates/settings/account_details.html

@@ -30,4 +30,6 @@
     </tbody>
 </table>
 
+<p>Your IP address: {{ remote_ip }}</p>
+
 {% endblock content %}