apiserver: prevent long bouncer names when IP is changing (bouncer@ip1@ip2..) (#3911)

mmetc · web-flow · commit dbe9ff0518dd · 2025-09-25T16:09:20.000+02:00
* apiserver: prevent long bouncer names when IP is changing (bouncer@ip1@ip2..)

* lint
diff --git a/pkg/apiserver/middlewares/v1/api_key.go b/pkg/apiserver/middlewares/v1/api_key.go
@@ -6,6 +6,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"net/http"
+	"net/netip"
 	"strings"
 
 	"github.com/gin-gonic/gin"
@@ -29,6 +30,31 @@ type APIKey struct {
 	TlsAuth    *TLSAuth
 }
 
+// baseBouncerName removes any trailing "@<ip>" segments from a bouncer's name.
+//
+// When a bouncer changes its IP address, it is detected by LAPI as a new bouncer,
+// to allow for key sharing. LAPI then creates a new DB entry by appending "@<ip>"
+// to the existing name. If the existing name already ends with "@<ip>", this can lead to
+// chained names like "my-bouncer@1.2.3.4@5.6.7.8". To prevent runaway suffixes,
+// this helper repeatedly strips the final "@<ip>" token until no valid IPv4/IPv6
+// address remains, returning the "base" bouncer name.
+func baseBouncerName(name string) string {
+    for {
+        i := strings.LastIndexByte(name, '@')
+        if i < 0 {
+            return name
+        }
+
+        tail := name[i+1:]
+        if _, err := netip.ParseAddr(tail); err == nil {
+            name = name[:i]
+            continue
+        }
+
+        return name
+    }
+}
+
 func GenerateAPIKey(n int) (string, error) {
 	bytes := make([]byte, n)
 	if _, err := rand.Read(bytes); err != nil {
@@ -128,10 +154,12 @@ func (a *APIKey) authPlain(c *gin.Context, logger *log.Entry) *ent.Bouncer {
 			logger.Errorf("while fetching bouncer info: %s", err)
 			return nil
 		}
+
 		if len(bouncer) == 0 {
 			logger.Debugf("no bouncer found with this key")
 			return nil
 		}
+
 		return bouncer[0]
 	}
 
@@ -148,6 +176,7 @@ func (a *APIKey) authPlain(c *gin.Context, logger *log.Entry) *ent.Bouncer {
 			logger.Errorf("bouncer isn't allowed to auth by API key")
 			return nil
 		}
+
 		return bouncer
 	}
 
@@ -173,7 +202,8 @@ func (a *APIKey) authPlain(c *gin.Context, logger *log.Entry) *ent.Bouncer {
 
 	// Bouncers are ordered by ID, first one *should* be the manually created one
 	// Can probably get a bit weird if the user deletes the manually created one
-	bouncerName := fmt.Sprintf("%s@%s", bouncers[0].Name, clientIP)
+	base := baseBouncerName(bouncers[0].Name)
+	bouncerName := fmt.Sprintf("%s@%s", base, clientIP)
 
 	logger.Infof("Creating bouncer %s", bouncerName)
 
@@ -224,6 +254,7 @@ func (a *APIKey) MiddlewareFunc() gin.HandlerFunc {
 				logger.Errorf("Failed to update ip address for '%s': %s\n", bouncer.Name, err)
 				c.JSON(http.StatusForbidden, gin.H{"message": "access forbidden"})
 				c.Abort()
+
 				return
 			}
 		}
