Fixed IP-Hashing and Alt Detection behind Reverse Proxies

src/utils/sessionUtils.js

@@ -15,6 +15,7 @@ You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 
 //Local Imports
+const config = require('../../config.json');
 const {userModel} = require('../schemas/user/userSchema');
 const userBanModel = require('../schemas/user/userBanSchema')
 const altchaUtils = require('../utils/altchaUtils');
@@ -32,8 +33,11 @@ module.exports.authenticateSession = async function(user, pass, req){
         //Grab previous attempts
         const attempt = failedAttempts.get(user);
 
+        //If we're proxied use passthrough IP
+        const ip = config.proxied ? req.headers['x-forwarded-for'] : req.ip;
+
         //Look for ban by IP
-        const ipBanDB = await userBanModel.checkBanByIP(req.ip);
+        const ipBanDB = await userBanModel.checkBanByIP(ip);
 
         //If this ip is randy bobandy
         if(ipBanDB != null){
@@ -89,7 +93,7 @@ module.exports.authenticateSession = async function(user, pass, req){
         }
 
         //Tattoo hashed IP address to user account for seven days
-        userDB.tattooIPRecord(req.ip);
+        userDB.tattooIPRecord(ip);
 
         //If we got to here then the log-in was successful. We should clear-out any failed attempts.
         failedAttempts.delete(user);