From 453279ec0e20a5f16cbf544a97e23db961785335 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20K=C3=BCnzel?= <simonk@fsmpi.rwth-aachen.de>
Date: Sat, 3 May 2025 00:45:37 +0200
Subject: [PATCH] Make original IP header configurable

---
 api/config/api_example_config.py | 2 ++
 api/src/api/authentication.py    | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/api/config/api_example_config.py b/api/config/api_example_config.py
index cf43636..be9be82 100644
--- a/api/config/api_example_config.py
+++ b/api/config/api_example_config.py
@@ -161,6 +161,8 @@ LDAP_GROUPS = ["fachschaft"]
 
 #  RWTH_API_KEY = ""
 
+ORIGINAL_IP_HEADER_NAME = "X-Forwarded-For"
+
 RWTH_IP_RANGES = ["134.130.0.0/16", "137.226.0.0/16", "134.61.0.0/16", "192.35.229.0/24", "2a00:8a60::/32"]
 FSMPI_IP_RANGES = ["137.226.35.192/29", "137.226.75.0/27", "137.226.127.32/27", "137.226.231.192/26", "134.130.102.0/26", "127.0.0.1/32"]
 INTERNAL_IP_RANGES = ["127.0.0.0/8", "192.168.155.0/24", "fd78:4d90:6fe4::/48"]
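Review bot: The added `ORIGINAL_IP_HEADER_NAME` line has no comment saying where the header must come from, although the same commit uses its value for an access decision in api/src/api/authentication.py. The example value `X-Forwarded-For` also differs from the `X-Real-IP` that was hard-coded before, so a deployment that copies the example changes which header is trusted. I would add a comment above the setting such as `# Header holding the client IP; the reverse proxy must set or overwrite it, a value passed through from the client cannot be trusted`.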
diff --git a/api/src/api/authentication.py b/api/src/api/authentication.py
index 3fabeb8..93c16c5 100644
--- a/api/src/api/authentication.py
+++ b/api/src/api/authentication.py
@@ -18,6 +18,7 @@ from api.database import *
 import api
 
 _BASE_URL = api.config["API_BASE_URL"]
+_ORIGINAL_IP_HEADER_NAME = api.config["ORIGINAL_IP_HEADER_NAME"]
 
 
 def api_moderator_route(require_csrf_token: bool = False):
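Review bot: The new module-level lookup `api.config["ORIGINAL_IP_HEADER_NAME"]` will fail at import time for any existing config file that does not define the key yet, presumably with a KeyError. If `api.config` supports `.get` (its type is not visible in this hunk), `_ORIGINAL_IP_HEADER_NAME = api.config.get("ORIGINAL_IP_HEADER_NAME", "X-Real-IP")` would keep the previous behaviour for deployments that have not been updated. If a hard failure is intended, a short comment saying the key is mandatory would help.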
@@ -110,7 +111,7 @@ def are_view_permissions_fulfilled(perm: ViewPermissions):
     if isinstance(perm, ViewPermissionsAuthentication):
         if perm.rwth_authentication and (
                 api_session.is_rwth_authenticated
-                or ("X-Real-IP" in request.headers and is_rwth_ip(request.headers["X-Real-IP"]))
+                or (_ORIGINAL_IP_HEADER_NAME in request.headers and is_rwth_ip(request.headers[_ORIGINAL_IP_HEADER_NAME]))
         ):
             return True
         
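Review bot: The header value on the changed line is passed to `is_rwth_ip` unmodified, which was fine for a single-address `X-Real-IP` but not necessarily for the new example default `X-Forwarded-For`. That header can hold a comma-separated list, and a proxy that appends rather than overwrites leaves the leading entries under client control. Whether `is_rwth_ip` copes with a list is not visible here. Since this check stands in for RWTH authentication, I would pick the entry written by the trusted proxy before the range check, for a single proxy `ip = request.headers[_ORIGINAL_IP_HEADER_NAME].split(",")[-1].strip()`, and pass `ip` to `is_rwth_ip`. The body of `are_view_permissions_fulfilled` starts and continues outside this hunk.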
-- 
GitLab