Use HTTP_X_FORWARDED_FOR to handle proxied ips

KipSigei · KipSigei · commit c6a251c0f2eb · 2023-09-27T00:16:49.000+03:00
Signed-off-by: Kipchirchir Sigei &lt;arapgodsmack@gmail.com&gt;
diff --git a/onadata/apps/api/tests/viewsets/test_connect_viewset.py b/onadata/apps/api/tests/viewsets/test_connect_viewset.py
@@ -478,7 +478,7 @@ def test_login_attempts(self, send_account_lockout_email, mock_logger, rpt_mock)
         self.assertEqual(cache.get(safe_key(f"login_attempts-{request_ip}-bob")), 2)
 
         request = self._get_request_session_with_auth(
-            view, auth, extra={"HTTP_X_REAL_IP": "5.6.7.8"}
+            view, auth, extra={"HTTP_X_FORWARDED_FOR": "5.6.7.8"}
         )
         # login attempts are tracked separately for other IPs
         response = view(request)
diff --git a/onadata/libs/authentication.py b/onadata/libs/authentication.py
@@ -259,9 +259,10 @@ def retrieve_user_identification(request) -> Tuple[Optional[str], Optional[str]]
     Retrieve user information from a HTTP request.
     """
     ip_address = None
+    x_forwarded_for = request.META.get('HTTP_X_FORWARDED_FOR')
 
-    if request.headers.get("X-Real-Ip"):
-        ip_address = request.headers["X-Real-Ip"].split(",")[0]
+    if x_forwarded_for:
+        ip_address = x_forwarded_for.split(",")[0]
     else:
         ip_address = request.META.get("REMOTE_ADDR")
 

Original file line number	Diff line number	Diff line change
`@@ -478,7 +478,7 @@ def test_login_attempts(self, send_account_lockout_email, mock_logger, rpt_mock)`
`478`	`478`	`self.assertEqual(cache.get(safe_key(f"login_attempts-{request_ip}-bob")), 2)`
`479`	`479`
`480`	`480`	`request = self._get_request_session_with_auth(`
`481`		`- view, auth, extra={"HTTP_X_REAL_IP": "5.6.7.8"}`
	`481`	`+ view, auth, extra={"HTTP_X_FORWARDED_FOR": "5.6.7.8"}`
`482`	`482`	`)`
`483`	`483`	`# login attempts are tracked separately for other IPs`
`484`	`484`	`response = view(request)`