fix(aws): ensure explicit support for AWS context

Author: metcoder95

index.js

@@ -7,8 +7,15 @@ const plugin = fp(fastifyIp, {
   name: 'fastify-ip'
 })
 
-function fastifyIp (instance, options, done) {
-  const { order: inputOrder, strict } = options
+function fastifyIp (
+  instance,
+  { order: inputOrder, strict, isAWS } = {
+    order: null,
+    strict: false,
+    isAWS: false
+  },
+  done
+) {
   /*! Based on request-ip#https://github.com/pbojinov/request-ip/blob/9501cdf6e73059cc70fc6890adb086348d7cca46/src/index.js.
   MIT License. 2022 Petar Bojinov - [email protected] */
   // Default headers
@@ -27,19 +34,26 @@ function fastifyIp (instance, options, done) {
     'forwarded',
     'x-appengine-user-ip' // GCP App Engine
   ]
+  let error
 
-  if (inputOrder != null) {
+  if (strict && inputOrder == null && !isAWS) {
+    error = new Error('If strict provided, order or isAWS are mandatory')
+  } else if (inputOrder != null) {
     if (Array.isArray(inputOrder) && inputOrder.length > 0) {
       headersOrder = strict
         ? [].concat(inputOrder)
         : [...new Set([].concat(inputOrder, headersOrder))]
     } else if (typeof inputOrder === 'string' && inputOrder.length > 0) {
-      headersOrder = strict ? [inputOrder] : (headersOrder.unshift(inputOrder), headersOrder)
+      headersOrder = strict
+        ? [inputOrder]
+        : (headersOrder.unshift(inputOrder), headersOrder)
     } else {
-      done(new Error('invalid order option'))
+      error = new Error('invalid order option')
     }
   }
 
+  if (error != null) return done(error)
+
   // Utility methods
   instance.decorateRequest('isIP', isIP)
   instance.decorateRequest('isIPv4', isIPv4)
@@ -50,29 +64,41 @@ function fastifyIp (instance, options, done) {
   // Core method
   instance.decorateRequest('ip', {
     getter: function () {
-      if (this._fastifyip !== '') return this._fastifyip
+      let ip = this._fastifyip
+      if (ip !== '') return ip
 
-      // AWS Api Gateway + Lambda
-      if (this.raw.requestContext != null) {
-        const pseudoIP = this.raw.requestContext.identity?.sourceIp
-        if (pseudoIP != null && this.isIP(pseudoIP)) {
-          this._fastifyip = pseudoIP
-        }
-      } else {
+      // If is AWS context or the rules are not strict
+      // infer first from AWS monkey-patching
+      if (isAWS || !strict) {
+        this._fastifyip = inferFromAWSContext.apply(this)
+        ip = this._fastifyip
+      }
+
+      // If is an AWS context, the rules are soft
+      // or is not AWS context and the ip has not been
+      // inferred yet, try using the request headers
+      if (((isAWS && !strict) || !isAWS) && ip === '') {
         for (const headerKey of headersOrder) {
           const value = this.headers[headerKey]
           if (value != null && this.isIP(value)) {
             this._fastifyip = value
+            ip = this._fastifyip
             break
           }
         }
       }
 
-      return this._fastifyip
+      return ip
     }
   })
 
   done()
+
+  // AWS Api Gateway + Lambda
+  function inferFromAWSContext () {
+    const pseudoIP = this.raw.requestContext?.identity?.sourceIp
+    return pseudoIP != null && this.isIP(pseudoIP) ? pseudoIP : ''
+  }
 }
 
 module.exports = plugin

test/index.test.js

@@ -112,7 +112,7 @@ tap.test('Plugin#Decoration', scope => {
 })
 
 tap.test('Plugin#Request IP', scope => {
-  scope.plan(6)
+  scope.plan(8)
 
   scope.test('Should infer the header based on default priority', async t => {
     const app = fastify()
@@ -139,6 +139,131 @@ tap.test('Plugin#Request IP', scope => {
     })
   })
 
+  scope.test('Fallback behavior on AWS Context', async t => {
+    const app = fastify()
+    const expectedIP = faker.internet.ip()
+    const secondaryIP = faker.internet.ip()
+    const childscope1 = (instance, _, done) => {
+      instance.register(plugin, { isAWS: true, order: ['x-custom-remote-ip'] })
+
+      instance.get('/first', (req, reply) => {
+        t.equal(req.ip, expectedIP)
+        t.equal(req._fastifyip, expectedIP)
+
+        reply.send('')
+      })
+
+      instance.get('/second', (req, reply) => {
+        t.equal(req.ip, secondaryIP)
+        t.equal(req._fastifyip, secondaryIP)
+
+        reply.send('')
+      })
+
+      done()
+    }
+    const childscope2 = (instance, _, done) => {
+      instance.register(plugin, { isAWS: true, strict: true })
+
+      instance.get('/', (req, reply) => {
+        t.equal(req.ip, '')
+        t.equal(req._fastifyip, '')
+
+        reply.send('')
+      })
+
+      done()
+    }
+    const childscope3 = (instance, _, done) => {
+      instance.register(plugin, { isAWS: true })
+
+      instance.get('/', (req, reply) => {
+        t.equal(req.ip, expectedIP)
+        t.equal(req._fastifyip, expectedIP)
+
+        reply.send('')
+      })
+
+      done()
+    }
+
+    t.plan(8)
+
+    app.register(childscope1, { prefix: '/fallback' })
+    app.register(childscope2, { prefix: '/no-fallback' })
+    app.register(childscope3, { prefix: '/soft' })
+
+    await app.inject({
+      path: '/fallback/first',
+      headers: {
+        'x-custom-remote-ip': expectedIP,
+        'x-forwarded-for': secondaryIP
+      }
+    })
+
+    await app.inject({
+      path: '/fallback/second',
+      headers: {
+        'x-forwarded-for': secondaryIP
+      }
+    })
+
+    await app.inject({
+      path: '/no-fallback',
+      headers: {
+        'x-custom-remote-ip': expectedIP,
+        'x-forwarded-for': secondaryIP
+      }
+    })
+
+    await app.inject({
+      path: '/soft',
+      headers: {
+        'x-appengine-user-ip': secondaryIP,
+        'x-real-ip': expectedIP
+      }
+    })
+  })
+
+  scope.test('Should infer the header based on if is AWS context', async t => {
+    const app = fastify()
+    const expectedIP = faker.internet.ip()
+    const fallbackIP = faker.internet.ipv6()
+
+    app.register(plugin, { isAWS: true })
+
+    app.get(
+      '/',
+      {
+        preHandler: function (req, reply, done) {
+          req.raw.requestContext = {
+            identity: {
+              sourceIp: expectedIP
+            }
+          }
+          done()
+        }
+      },
+      (req, reply) => {
+        t.equal(req.ip, expectedIP)
+        t.equal(req._fastifyip, expectedIP)
+
+        reply.send('')
+      }
+    )
+
+    t.plan(2)
+
+    await app.inject({
+      path: '/',
+      headers: {
+        'cf-connecting-ip': fallbackIP,
+        'x-client-ip': faker.internet.ipv6(),
+        'x-custom-remote-ip': expectedIP
+      }
+    })
+  })
+
   scope.test(
     'Should infer the header based on custom priority <Array>',
     async t => {