Merge pull request #352 from fuhrysteve/develop

X-Forwarded-For can contain multiple IP addresses
2026-06-27 16:10:11 +08:00 · 2015-05-02 13:46:21 -04:00
parent 4d3c1c0bdc 923ad720a1
commit 2e08ec87a6
4 changed files with 29 additions and 4 deletions
@@ -34,3 +34,11 @@ env/

 *.db
 *cache*
+
+# vim
+[._]*.s[a-w][a-z]
+[._]s[a-w][a-z]
+*.un~
+Session.vim
+.netrwhist
+*~
@@ -163,7 +163,8 @@ Feature Flags
                          option. Defaults to ``False``.
 ``SECURITY_TRACKABLE``    Specifies if Flask-Security should track basic user
                          login statistics. If set to ``True``, ensure your
-                          models have the required fields/attribues. Defaults to
+                          models have the required fields/attribues. Be sure to
+                          use `ProxyFix <http://flask.pocoo.org/docs/0.10/deploying/wsgi-standalone/#proxy-setups>` if you are using a proxy. Defaults to
                          ``False``
 ``SECURITY_PASSWORDLESS`` Specifies if Flask-Security should enable the
                          passwordless login feature. If set to ``True``, users
@@ -62,10 +62,10 @@ def login_user(user, remember=None):
        return False

    if _security.trackable:
-        if 'X-Forwarded-For' not in request.headers:
-            remote_addr = request.remote_addr or 'untrackable'
+        if 'X-Forwarded-For' in request.headers:
+            remote_addr = request.headers.getlist("X-Forwarded-For")[0].rpartition(' ')[-1]
        else:
-            remote_addr = request.headers.getlist("X-Forwarded-For")[0]
+            remote_addr = request.remote_addr or 'untrackable'

        old_current_login, new_current_login = user.current_login_at, datetime.utcnow()
        old_current_ip, new_current_ip = user.current_login_ip, remote_addr
@@ -26,3 +26,19 @@ def test_trackable_flag(app, client):
        assert user.last_login_ip == 'untrackable'
        assert user.current_login_ip == '127.0.0.1'
        assert user.login_count == 2
+
+
+def test_trackable_with_multiple_ips_in_headers(app, client):
+    e = 'matt@lp.com'
+    authenticate(client, email=e)
+    logout(client)
+    authenticate(client, email=e, headers={
+        'X-Forwarded-For': '99.99.99.99, 88.88.88.88'})
+
+    with app.app_context():
+        user = app.security.datastore.find_user(email=e)
+        assert user.last_login_at is not None
+        assert user.current_login_at is not None
+        assert user.last_login_ip == 'untrackable'
+        assert user.current_login_ip == '88.88.88.88'
+        assert user.login_count == 2