From 2f1e50bee2cea2ccc01d8d70a46adf3ca5efa344 Mon Sep 17 00:00:00 2001
From: Pooya Parsa
Date: Mon, 15 Jan 2024 22:35:40 +0100
Subject: [PATCH 1/3] fix(getRequestIP): use first address of `x-forwarded-for` header
---
 src/utils/request.ts | 2 +-
 test/utils.test.ts | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/utils/request.ts b/src/utils/request.ts
index f97c790b4..1511118cb 100644
--- a/src/utils/request.ts
+++ b/src/utils/request.ts
@@ -209,7 +209,7 @@ export function getRequestIP(
 if (opts.xForwardedFor) {
 const xForwardedFor = getRequestHeader(event, "x-forwarded-for")
 ?.split(",")
- ?.pop();
+ .shift();
 if (xForwardedFor) {
 return xForwardedFor;
 }
diff --git a/test/utils.test.ts b/test/utils.test.ts
index 15289069b..a474352d8 100644
--- a/test/utils.test.ts
+++ b/test/utils.test.ts
@@ -186,6 +186,19 @@ describe("", () => {
 req.set("x-forwarded-for", "2001:0db8:85a3:0000:0000:8a2e:0370:7334");
 expect((await req).text).toBe("2001:0db8:85a3:0000:0000:8a2e:0370:7334");
 });
+ it("multiple ips", async () => {
+ app.use(
+ "/",
+ eventHandler((event) => {
+ return getRequestIP(event, {
+ xForwardedFor: true,
+ });
+ }),
+ );
+ const req = request.get("/");
+ req.set("x-forwarded-for", "client, proxy1, proxy2");
+ expect((await req).text).toBe("client");
+ });
 });

 describe("getRequestFingerprint", () => {
From f105cf2faba8c9a139f36329adac13d2e8817bc6 Mon Sep 17 00:00:00 2001
From: Pooya Parsa
Date: Tue, 16 Jan 2024 10:26:40 +0100
Subject: [PATCH 2/3] Update src/utils/request.ts
---
 src/utils/request.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/utils/request.ts b/src/utils/request.ts
index 1511118cb..25a4237b1 100644
--- a/src/utils/request.ts
+++ b/src/utils/request.ts
@@ -207,6 +207,7 @@ export function getRequestIP(
 }

 if (opts.xForwardedFor) {
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#syntax
 const xForwardedFor = getRequestHeader(event, "x-forwarded-for")
 ?.split(",")
 .shift();
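Review bot: With `.shift()` in the `opts.xForwardedFor` branch of `getRequestIP` (src/utils/request.ts, PATCH 1/3), the returned value is the leftmost `x-forwarded-for` entry, which is whatever the client put in the header; proxies only append to the right of it. A caller that keys rate limiting, allow-lists or audit logs on this value is trusting request data unless the edge proxy overwrites the header, and nothing visible in the hunk says so. The same applies to the hunks on this branch in PATCH 2/3 and PATCH 3/3. I would state the trust assumption in a comment on the branch, e.g. `// NOTE: the leftmost entry is client-supplied; rely on it only when a proxy you control sets or overwrites this header`. The function body starts and ends outside the hunk.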
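Review bot: The new "multiple ips" case in test/utils.test.ts (PATCH 1/3) pins only a well-formed list, so the fallback path behind `if (xForwardedFor)` is not exercised for a header whose first element is empty. A second case with a value such as `", proxy1"` would document what `getRequestIP` returns when the leftmost slot carries nothing; from the visible source hunk it presumably falls through to the code after the branch, which is outside this diff. Asserting that explicitly keeps a later refactor of the chain from silently returning an empty string.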
From e7ebf94f30a5dbdcff6ee467376a0006e7fc0893 Mon Sep 17 00:00:00 2001
From: Pooya Parsa
Date: Tue, 16 Jan 2024 11:18:14 +0100
Subject: [PATCH 3/3] also trim
---
 src/utils/request.ts | 3 ++-
 test/utils.test.ts | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/utils/request.ts b/src/utils/request.ts
index 25a4237b1..6f033a51b 100644
--- a/src/utils/request.ts
+++ b/src/utils/request.ts
@@ -210,7 +210,8 @@ export function getRequestIP(
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#syntax
 const xForwardedFor = getRequestHeader(event, "x-forwarded-for")
 ?.split(",")
- .shift();
+ .shift()
+ ?.trim();
 if (xForwardedFor) {
 return xForwardedFor;
 }
diff --git a/test/utils.test.ts b/test/utils.test.ts
index a474352d8..5eb614027 100644
--- a/test/utils.test.ts
+++ b/test/utils.test.ts
@@ -196,7 +196,7 @@ describe("", () => {
 }),
 );
 const req = request.get("/");
- req.set("x-forwarded-for", "client, proxy1, proxy2");
+ req.set("x-forwarded-for", "client , proxy1, proxy2");
 expect((await req).text).toBe("client");
 });
 });
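Review bot: After `?.trim()` the first list element is still returned as-is from `getRequestIP` (src/utils/request.ts, PATCH 3/3), so any token passes through; the updated test itself expects the string `client`. Callers that write the result to logs or use it as a cache or rate-limit key would receive an arbitrary header fragment of unbounded length. If the contract is meant to be "an IP address or undefined", a syntax check before `return xForwardedFor;` would enforce it (for instance Node's `net.isIP`, if a Node-only dependency is acceptable here, which I cannot tell from the hunk). Otherwise a JSDoc line on the function saying the value is unvalidated request data would do. The function body continues outside the hunk.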