chore: extract get user IP address as standalone function

dcshzj · dcshzj · commit 9f90a781d70c · 2025-12-04T13:41:35.000+08:00
diff --git a/src/routes/v2/auth.js b/src/routes/v2/auth.js
@@ -9,7 +9,7 @@ const logger = require("@logger/logger").default
 const { attachReadRouteHandlerWrapper } = require("@middleware/routeHandler")
 
 const FRONTEND_URL = config.get("app.frontendUrl")
-const { isSecure } = require("@utils/auth-utils")
+const { isSecure, getUserIPAddress } = require("@utils/auth-utils")
 
 const {
   EmailSchema,
@@ -106,7 +106,7 @@ class AuthRouter {
         message: `Invalid request format: ${error.message}`,
       })
     const email = rawEmail.toLowerCase()
-    const userIp = isSecure ? req.get("cf-connecting-ip") : req.ip
+    const userIp = getUserIPAddress(req)
     const userInfo = (
       await this.authService.verifyOtp({ email, otp, clientIp: userIp })
     ).value
diff --git a/src/routes/v2/authenticated/users.ts b/src/routes/v2/authenticated/users.ts
@@ -14,7 +14,7 @@ import UserSessionData from "@classes/UserSessionData"
 import DatabaseError from "@root/errors/DatabaseError"
 import { isError, RequestHandler } from "@root/types"
 import { nameAnonymousMethods } from "@root/utils/apm-utils"
-import { isSecure } from "@root/utils/auth-utils"
+import { getUserIPAddress } from "@root/utils/auth-utils"
 import {
   VerifyEmailOtpSchema,
   VerifyMobileNumberOtpSchema,
@@ -84,7 +84,7 @@ export class UsersRouter {
     const userId = userSessionData.isomerUserId
     const parsedEmail = email.toLowerCase()
 
-    const userIp = isSecure ? req.get("cf-connecting-ip") : req.ip
+    const userIp = getUserIPAddress(req)
     return this.usersService
       .verifyEmailOtp(parsedEmail, otp, userIp)
       .andThen(() =>
@@ -144,7 +144,7 @@ export class UsersRouter {
     const { userSessionData } = res.locals
     const userId = userSessionData.isomerUserId
 
-    const userIp = isSecure ? req.get("cf-connecting-ip") : req.ip
+    const userIp = getUserIPAddress(req)
     return this.usersService
       .verifyMobileOtp(mobile, otp, userIp)
       .andThen(() =>
diff --git a/src/services/utilServices/RateLimiter.ts b/src/services/utilServices/RateLimiter.ts
@@ -1,7 +1,7 @@
 import rateLimit from "express-rate-limit"
 
 import { BaseIsomerError } from "@root/errors/BaseError"
-import { isSecure } from "@root/utils/auth-utils"
+import { getUserIPAddress } from "@root/utils/auth-utils"
 
 const DEFAULT_AUTH_TOKEN_EXPIRY_MILLISECONDS = 900000
 
@@ -21,7 +21,7 @@ export const rateLimiter = rateLimit({
   // We know that this key exists in a secure env (Cloudflare)
   // See https://developers.cloudflare.com/fundamentals/reference/http-request-headers/#cf-connecting-ip
   keyGenerator: (req) => {
-    const userIp = isSecure ? req.get("cf-connecting-ip") : req.ip
+    const userIp = getUserIPAddress(req)
     if (!userIp) {
       // This should never happen, but if it does, we should know about it
       throw new BaseIsomerError({
diff --git a/src/utils/auth-utils.js b/src/utils/auth-utils.js
@@ -4,6 +4,14 @@ const NODE_ENV = config.get("env")
 
 const isSecure = NODE_ENV !== "dev" && NODE_ENV !== "test"
 
+// FIXME: This makes a strong assumption that the app is always behind
+// Cloudflare, but may not necessarily be the case when Cloudflare is disabled.
+// Fix this to fallback to other headers or req.ip if Cloudflare headers are not
+// present.
+const getUserIPAddress = (req) =>
+  isSecure ? req.get("cf-connecting-ip") : req.ip
+
 module.exports = {
   isSecure,
+  getUserIPAddress,
 }
