세션 IP 표시와 로그아웃 처리 보강

2026-04-06 13:25:36 +09:00
parent 6a3bb19e7d
commit 2ca26cafb2
11 changed files with 292 additions and 63 deletions
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -17,7 +17,6 @@ import (
 	"io"
 	"log/slog"
 	"math/rand"
-	"net"
 	"net/http"
 	"net/url"
 	"os"
@@ -4043,18 +4042,7 @@ func extractClientIPFromHeaders(c *fiber.Ctx) string {
 	if c == nil {
 		return ""
 	}
-	if forwarded := c.Get("X-Forwarded-For"); forwarded != "" {
-		parts := strings.Split(forwarded, ",")
-		if len(parts) > 0 {
-			if ip := strings.TrimSpace(parts[0]); ip != "" {
-				return ip
-			}
-		}
-	}
-	if realIP := strings.TrimSpace(c.Get("X-Real-IP")); realIP != "" {
-		return realIP
-	}
-	return c.IP()
+	return utils.ResolveClientIP(c.Get("X-Forwarded-For"), c.Get("X-Real-IP"), c.IP())
 }

 type authTimelineItem struct {
@@ -7034,18 +7022,7 @@ func resolveRequestClientIP(c *fiber.Ctx) string {
 	if c == nil {
 		return ""
 	}
-	if forwarded := c.Get("X-Forwarded-For"); forwarded != "" {
-		parts := strings.Split(forwarded, ",")
-		if len(parts) > 0 {
-			if ip := strings.TrimSpace(parts[0]); ip != "" {
-				return ip
-			}
-		}
-	}
-	if realIP := strings.TrimSpace(c.Get("X-Real-IP")); realIP != "" {
-		return realIP
-	}
-	return c.IP()
+	return utils.ResolveClientIP(c.Get("X-Forwarded-For"), c.Get("X-Real-IP"), c.IP())
 }

 func (h *AuthHandler) loadSessionAuditHints(ctx context.Context, userID string) map[string]sessionAuditHint {
@@ -7146,26 +7123,7 @@ func shouldReplaceSessionIP(existing string, candidate string) bool {
 }

 func isPrivateIPAddress(raw string) bool {
-	ip := net.ParseIP(strings.TrimSpace(raw))
-	if ip == nil {
-		return false
-	}
-	if ip.IsLoopback() || ip.IsLinkLocalMulticast() || ip.IsLinkLocalUnicast() {
-		return true
-	}
-	for _, cidr := range []string{
-		"10.0.0.0/8",
-		"172.16.0.0/12",
-		"192.168.0.0/16",
-		"100.64.0.0/10",
-		"fc00::/7",
-	} {
-		_, network, err := net.ParseCIDR(cidr)
-		if err == nil && network.Contains(ip) {
-			return true
-		}
-	}
-	return false
+	return utils.IsPrivateOrReservedIP(raw)
 }

 func deriveSessionClientInfo(log domain.AuditLog) (string, string) {
--- a/backend/internal/handler/auth_handler_sessions_test.go
+++ b/backend/internal/handler/auth_handler_sessions_test.go
@@ -317,7 +317,7 @@ func TestListMySessions_CurrentSessionFallsBackToRequestMetadata(t *testing.T) {
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/user/sessions", nil)
 	req.Header.Set("Cookie", "ory_kratos_session=valid")
 	req.Header.Set("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/146.0.0.0 Safari/537.36")
-	req.Header.Set("X-Forwarded-For", "203.0.113.25")
+	req.Header.Set("X-Forwarded-For", "100.100.100.1, 203.0.113.25")

 	resp, err := app.Test(req, -1)
 	assert.NoError(t, err)