Figure out the correct way to configure trust proxy and HTTP_FORWARDED_COUNT #979

Open
make-github-pseudonymous-again opened this issue May 21, 2024 · 2 comments
Labels: bug (Something isn't working), deploy (This issue is about deployment), security (This issue is about the overall security of the application)

Comments

@make-github-pseudonymous-again
Contributor

Maybe this has to be configured for Meteor's router, or maybe this is incorrectly applied twice.

This currently does not work in api/healthcheck and api/ics. The consequence is that all requests fall in the same rate-limiting bucket, which is a UX concern as soon as we have more than one user.

See:

@make-github-pseudonymous-again added the bug, security and deploy labels on May 21, 2024
@make-github-pseudonymous-again
Contributor Author

Might help to add --full-app tests for token generation/revocation and/or api/ics route tests that check that the requestor IP address is correctly forwarded.

@make-github-pseudonymous-again
Contributor Author

Shower thought: could it be that this does not work because HTTP_FORWARDED_COUNT is a string and not a number?!

```js
routes.set('trust proxy', process.env.HTTP_FORWARDED_COUNT);
```
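Added example, not part of the issue thread or the project's code: a sketch of the string-versus-number hypothesis from the last comment, assuming `routes` is an Express application (Express documents a numeric `trust proxy` value as a hop count and a string value as a list of trusted addresses). The function names and sample addresses are constructed for illustration, and `clientIp` is a simplified model of hop-count resolution, not Express's own code.

```javascript
// HTTP_FORWARDED_COUNT comes from the issue; all function names are hypothetical.

// process.env values are always strings. Express documents a number as a hop
// count and a string as a list of trusted addresses, so convert and validate.
function parseForwardedCount(raw) {
  if (raw === undefined || raw === '') return 0; // unset: trust no proxy
  if (!/^\d+$/.test(raw)) {
    throw new TypeError(`HTTP_FORWARDED_COUNT must be a non-negative integer: ${JSON.stringify(raw)}`);
  }
  return Number(raw);
}

// Simplified model of hop-count resolution: start at the socket peer, walk
// X-Forwarded-For right to left, and skip `hops` trusted proxies.
function clientIp(socketAddr, xForwardedFor, hops) {
  const forwarded = (xForwardedFor || '').split(',').map((s) => s.trim()).filter(Boolean);
  const chain = [socketAddr, ...forwarded.reverse()]; // nearest peer first
  return chain[Math.min(hops, chain.length - 1)];
}

// Number of distinct rate-limiting buckets when keyed by resolved address.
function bucketCount(requests, hops) {
  return new Set(requests.map((r) => clientIp(r.socket, r.xff, hops))).size;
}

// Constructed sample: two users behind one reverse proxy at 10.0.0.2.
const SAMPLE_REQUESTS = [
  { socket: '10.0.0.2', xff: '198.51.100.7' },
  { socket: '10.0.0.2', xff: '203.0.113.9' },
];
// Constructed sample: a client that sent its own X-Forwarded-For entry, to
// which the single proxy appended the real peer address.
const FORGED = { socket: '10.0.0.2', xff: '192.0.2.66, 198.51.100.7' };

console.log('buckets, no proxy trusted:', bucketCount(SAMPLE_REQUESTS, 0));
console.log('buckets, one hop trusted: ', bucketCount(SAMPLE_REQUESTS, parseForwardedCount('1')));
console.log('count matches topology:   ', clientIp(FORGED.socket, FORGED.xff, 1));
console.log('count too high:           ', clientIp(FORGED.socket, FORGED.xff, 2));
```

If the hypothesis holds, the setting would be written as `routes.set('trust proxy', parseForwardedCount(process.env.HTTP_FORWARDED_COUNT))`, with the count equal to the number of proxies actually in front of the application; a count that is too high resolves to an address taken from a client-supplied header.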
