세션 IP 표시와 로그아웃 처리 보강

2026-04-06 13:25:36 +09:00
parent 6a3bb19e7d
commit 2ca26cafb2
11 changed files with 292 additions and 63 deletions
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -17,7 +17,6 @@ import (
 	"io"
 	"log/slog"
 	"math/rand"
-	"net"
 	"net/http"
 	"net/url"
 	"os"
@@ -4043,18 +4042,7 @@ func extractClientIPFromHeaders(c *fiber.Ctx) string {
 	if c == nil {
 		return ""
 	}
-	if forwarded := c.Get("X-Forwarded-For"); forwarded != "" {
-		parts := strings.Split(forwarded, ",")
-		if len(parts) > 0 {
-			if ip := strings.TrimSpace(parts[0]); ip != "" {
-				return ip
-			}
-		}
-	}
-	if realIP := strings.TrimSpace(c.Get("X-Real-IP")); realIP != "" {
-		return realIP
-	}
-	return c.IP()
+	return utils.ResolveClientIP(c.Get("X-Forwarded-For"), c.Get("X-Real-IP"), c.IP())
 }

 type authTimelineItem struct {
@@ -7034,18 +7022,7 @@ func resolveRequestClientIP(c *fiber.Ctx) string {
 	if c == nil {
 		return ""
 	}
-	if forwarded := c.Get("X-Forwarded-For"); forwarded != "" {
-		parts := strings.Split(forwarded, ",")
-		if len(parts) > 0 {
-			if ip := strings.TrimSpace(parts[0]); ip != "" {
-				return ip
-			}
-		}
-	}
-	if realIP := strings.TrimSpace(c.Get("X-Real-IP")); realIP != "" {
-		return realIP
-	}
-	return c.IP()
+	return utils.ResolveClientIP(c.Get("X-Forwarded-For"), c.Get("X-Real-IP"), c.IP())
 }

 func (h *AuthHandler) loadSessionAuditHints(ctx context.Context, userID string) map[string]sessionAuditHint {
@@ -7146,26 +7123,7 @@ func shouldReplaceSessionIP(existing string, candidate string) bool {
 }

 func isPrivateIPAddress(raw string) bool {
-	ip := net.ParseIP(strings.TrimSpace(raw))
-	if ip == nil {
-		return false
-	}
-	if ip.IsLoopback() || ip.IsLinkLocalMulticast() || ip.IsLinkLocalUnicast() {
-		return true
-	}
-	for _, cidr := range []string{
-		"10.0.0.0/8",
-		"172.16.0.0/12",
-		"192.168.0.0/16",
-		"100.64.0.0/10",
-		"fc00::/7",
-	} {
-		_, network, err := net.ParseCIDR(cidr)
-		if err == nil && network.Contains(ip) {
-			return true
-		}
-	}
-	return false
+	return utils.IsPrivateOrReservedIP(raw)
 }

 func deriveSessionClientInfo(log domain.AuditLog) (string, string) {
--- a/backend/internal/handler/auth_handler_sessions_test.go
+++ b/backend/internal/handler/auth_handler_sessions_test.go
@@ -317,7 +317,7 @@ func TestListMySessions_CurrentSessionFallsBackToRequestMetadata(t *testing.T) {
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/user/sessions", nil)
 	req.Header.Set("Cookie", "ory_kratos_session=valid")
 	req.Header.Set("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/146.0.0.0 Safari/537.36")
-	req.Header.Set("X-Forwarded-For", "203.0.113.25")
+	req.Header.Set("X-Forwarded-For", "100.100.100.1, 203.0.113.25")

 	resp, err := app.Test(req, -1)
 	assert.NoError(t, err)
--- a/backend/internal/middleware/audit_middleware.go
+++ b/backend/internal/middleware/audit_middleware.go
@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"log/slog"
 	"reflect"
-	"strings"
 	"sync"
 	"time"

@@ -217,16 +216,5 @@ func AuditMiddleware(config AuditConfig) fiber.Handler {
 }

 func extractClientIP(c *fiber.Ctx) string {
-	if forwarded := c.Get("X-Forwarded-For"); forwarded != "" {
-		parts := strings.Split(forwarded, ",")
-		if len(parts) > 0 {
-			if ip := strings.TrimSpace(parts[0]); ip != "" {
-				return ip
-			}
-		}
-	}
-	if realIP := strings.TrimSpace(c.Get("X-Real-IP")); realIP != "" {
-		return realIP
-	}
-	return c.IP()
+	return utils.ResolveClientIP(c.Get("X-Forwarded-For"), c.Get("X-Real-IP"), c.IP())
 }
--- a/backend/internal/middleware/audit_middleware_test.go
+++ b/backend/internal/middleware/audit_middleware_test.go
@@ -117,6 +117,30 @@ func TestAuditMiddleware(t *testing.T) {
 		mockRepo.AssertExpectations(t)
 	})

+	t.Run("POST request - Prefer public forwarded IP", func(t *testing.T) {
+		app := fiber.New()
+		mockRepo := new(MockAuditRepository)
+
+		app.Use(AuditMiddleware(AuditConfig{
+			Repo: mockRepo,
+		}))
+
+		app.Post("/test", func(c *fiber.Ctx) error {
+			return c.SendStatus(fiber.StatusOK)
+		})
+
+		mockRepo.On("Create", mock.MatchedBy(func(log *domain.AuditLog) bool {
+			return log.IPAddress == "203.0.113.25"
+		})).Return(nil)
+
+		req := httptest.NewRequest("POST", "/test", nil)
+		req.Header.Set("X-Forwarded-For", "100.100.100.1, 203.0.113.25")
+
+		resp, _ := app.Test(req)
+		assert.Equal(t, fiber.StatusOK, resp.StatusCode)
+		mockRepo.AssertExpectations(t)
+	})
+
 	t.Run("POST request - Sync Failure (Strict Mode)", func(t *testing.T) {
 		app := fiber.New()
 		mockRepo := new(MockAuditRepository)
--- a/backend/internal/utils/client_ip.go
+++ b/backend/internal/utils/client_ip.go
@@ -0,0 +1,87 @@
+package utils
+
+import (
+	"net"
+	"strings"
+)
+
+// ResolveClientIP selects the best client IP from proxy headers and the remote address.
+// It prefers a public IP from X-Forwarded-For, then X-Real-IP, and finally the remote IP.
+func ResolveClientIP(forwardedFor, realIP, remoteIP string) string {
+	forwardedCandidates := splitClientIPs(forwardedFor)
+	if ip := firstPublicIP(forwardedCandidates); ip != "" {
+		return ip
+	}
+	if ip := normalizeIP(realIP); ip != "" && !IsPrivateOrReservedIP(ip) {
+		return ip
+	}
+	if ip := normalizeIP(remoteIP); ip != "" && !IsPrivateOrReservedIP(ip) {
+		return ip
+	}
+	if len(forwardedCandidates) > 0 {
+		return forwardedCandidates[0]
+	}
+	if ip := normalizeIP(realIP); ip != "" {
+		return ip
+	}
+	return normalizeIP(remoteIP)
+}
+
+// IsPrivateOrReservedIP reports whether the IP is private or from a non-public network range.
+func IsPrivateOrReservedIP(raw string) bool {
+	ip := net.ParseIP(strings.TrimSpace(raw))
+	if ip == nil {
+		return false
+	}
+	if ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalMulticast() || ip.IsLinkLocalUnicast() {
+		return true
+	}
+	for _, cidr := range []string{
+		"100.64.0.0/10",
+		"fc00::/7",
+	} {
+		_, network, err := net.ParseCIDR(cidr)
+		if err == nil && network.Contains(ip) {
+			return true
+		}
+	}
+	return false
+}
+
+func splitClientIPs(forwardedFor string) []string {
+	if strings.TrimSpace(forwardedFor) == "" {
+		return nil
+	}
+	parts := strings.Split(forwardedFor, ",")
+	result := make([]string, 0, len(parts))
+	for _, part := range parts {
+		if ip := normalizeIP(part); ip != "" {
+			result = append(result, ip)
+		}
+	}
+	return result
+}
+
+func firstPublicIP(candidates []string) string {
+	for _, candidate := range candidates {
+		if !IsPrivateOrReservedIP(candidate) {
+			return candidate
+		}
+	}
+	return ""
+}
+
+func normalizeIP(raw string) string {
+	raw = strings.TrimSpace(raw)
+	if raw == "" {
+		return ""
+	}
+	if host, _, err := net.SplitHostPort(raw); err == nil {
+		raw = host
+	}
+	ip := net.ParseIP(raw)
+	if ip == nil {
+		return ""
+	}
+	return ip.String()
+}
--- a/backend/internal/utils/client_ip_test.go
+++ b/backend/internal/utils/client_ip_test.go
@@ -0,0 +1,24 @@
+package utils
+
+import "testing"
+
+func TestResolveClientIP_PrefersPublicForwardedIP(t *testing.T) {
+	got := ResolveClientIP("100.100.100.1, 203.0.113.25, 10.0.0.2", "", "172.18.0.5")
+	if got != "203.0.113.25" {
+		t.Fatalf("expected public forwarded IP, got %q", got)
+	}
+}
+
+func TestResolveClientIP_FallsBackToFirstForwardedWhenAllPrivate(t *testing.T) {
+	got := ResolveClientIP("100.100.100.1, 10.0.0.2", "192.168.0.10", "172.18.0.5")
+	if got != "100.100.100.1" {
+		t.Fatalf("expected first forwarded private IP, got %q", got)
+	}
+}
+
+func TestResolveClientIP_PrefersPublicRealIPOverPrivateForwarded(t *testing.T) {
+	got := ResolveClientIP("100.100.100.1, 10.0.0.2", "198.51.100.7", "172.18.0.5")
+	if got != "198.51.100.7" {
+		t.Fatalf("expected public real IP, got %q", got)
+	}
+}