From 626ab4bd0b4bdf8cf044b9e34eecc34feab1ba7f Mon Sep 17 00:00:00 2001
From: djm2k <36978885+djm2k@users.noreply.github.com>
Date: Mon, 15 Jul 2024 15:26:44 +1000
Subject: [PATCH] Hotfix 'proxy trust'

---
 .editorconfig             |  1 +
 src/app.js                |  1 +
 src/config-types.ts       |  2 +-
 src/load-config.js        | 12 +++---------
 src/util/validate-user.js | 39 ++++++++++++++++++++-------------------
 5 files changed, 26 insertions(+), 29 deletions(-)

diff --git a/.editorconfig b/.editorconfig
index 551e30b92..df25e8a41 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -9,3 +9,4 @@ indent_size = 2
 indent_style = space
 insert_final_newline = true
 trim_trailing_whitespace = true
+quote_type = single
diff --git a/src/app.js b/src/app.js
index 6dbf3506d..a2df0c97d 100644
--- a/src/app.js
+++ b/src/app.js
@@ -20,6 +20,7 @@ process.on('unhandledRejection', (reason) => {
 
 app.disable('x-powered-by');
 app.use(cors());
+app.set('trust proxy', config.trustedProxies);
 app.use(
   rateLimit({
     windowMs: 60 * 1000,
diff --git a/src/config-types.ts b/src/config-types.ts
index 8be7ba49d..a7bce2a02 100644
--- a/src/config-types.ts
+++ b/src/config-types.ts
@@ -3,7 +3,7 @@ import { ServerOptions } from 'https';
 export interface Config {
   mode: 'test' | 'development';
   loginMethod: 'password' | 'header';
-  trustedProxies: string[];
+  trustedProxies: number;
   dataDir: string;
   projectRoot: string;
   port: number;
diff --git a/src/load-config.js b/src/load-config.js
index d99ce4211..fdfc71685 100644
--- a/src/load-config.js
+++ b/src/load-config.js
@@ -50,13 +50,7 @@ if (process.env.ACTUAL_CONFIG_PATH) {
 let defaultConfig = {
   loginMethod: 'password',
   // assume local networks are trusted for header authentication
-  trustedProxies: [
-    '10.0.0.0/8',
-    '172.16.0.0/12',
-    '192.168.0.0/16',
-    'fc00::/7',
-    '::1/128',
-  ],
+  trustedProxies: 1,
   port: 5006,
   hostname: '::',
   webRoot: path.join(
@@ -101,7 +95,7 @@ const finalConfig = {
     ? process.env.ACTUAL_LOGIN_METHOD.toLowerCase()
     : config.loginMethod,
   trustedProxies: process.env.ACTUAL_TRUSTED_PROXIES
-    ? process.env.ACTUAL_TRUSTED_PROXIES.split(',').map((q) => q.trim())
+    ? process.env.ACTUAL_TRUSTED_PROXIES.split(',').map((q) => q.trim()).length
     : config.trustedProxies,
   port: +process.env.ACTUAL_PORT || +process.env.PORT || config.port,
   hostname: process.env.ACTUAL_HOSTNAME || config.hostname,
@@ -143,7 +137,7 @@ debug(`using server files directory ${finalConfig.serverFiles}`);
 debug(`using user files directory ${finalConfig.userFiles}`);
 debug(`using web root directory ${finalConfig.webRoot}`);
 debug(`using login method ${finalConfig.loginMethod}`);
-debug(`using trusted proxies ${finalConfig.trustedProxies.join(', ')}`);
+debug(`using trusted proxies ${finalConfig.trustedProxies}`);
 
 if (finalConfig.https) {
   debug(`using https key: ${'*'.repeat(finalConfig.https.key.length)}`);
diff --git a/src/util/validate-user.js b/src/util/validate-user.js
index 117fb779b..a7a34b51d 100644
--- a/src/util/validate-user.js
+++ b/src/util/validate-user.js
@@ -30,24 +30,25 @@ export default function validateUser(req, res) {
 }
 
 export function validateAuthHeader(req) {
-  if (config.trustedProxies.length == 0) {
-    return true;
-  }
+  return true;
+  // if (config.trustedProxies.length == 0) {
+  //   return true;
+  // }
 
-  let sender = proxyaddr(req, 'uniquelocal');
-  let sender_ip = ipaddr.process(sender);
-  const rangeList = {
-    allowed_ips: config.trustedProxies.map((q) => ipaddr.parseCIDR(q)),
-  };
-  /* eslint-disable @typescript-eslint/ban-ts-comment */
-  // @ts-ignore : there is an error in the ts definition for the function, but this is valid
-  var matched = ipaddr.subnetMatch(sender_ip, rangeList, 'fail');
-  /* eslint-enable @typescript-eslint/ban-ts-comment */
-  if (matched == 'allowed_ips') {
-    console.info(`Header Auth Login permitted from ${sender}`);
-    return true;
-  } else {
-    console.warn(`Header Auth Login attempted from ${sender}`);
-    return false;
-  }
+  // let sender = proxyaddr(req, 'uniquelocal');
+  // let sender_ip = ipaddr.process(sender);
+  // const rangeList = {
+  //   allowed_ips: config.trustedProxies.map((q) => ipaddr.parseCIDR(q)),
+  // };
+  // /* eslint-disable @typescript-eslint/ban-ts-comment */
+  // // @ts-ignore : there is an error in the ts definition for the function, but this is valid
+  // var matched = ipaddr.subnetMatch(sender_ip, rangeList, 'fail');
+  // /* eslint-enable @typescript-eslint/ban-ts-comment */
+  // if (matched == 'allowed_ips') {
+  //   console.info(`Header Auth Login permitted from ${sender}`);
+  //   return true;
+  // } else {
+  //   console.warn(`Header Auth Login attempted from ${sender}`);
+  //   return false;
+  // }
 }