django-rest-passwordreset [BUG] X-Forwarded-For containing multiple IPs does not respect inet data type

[BUG] X-Forwarded-For containing multiple IPs does not respect inet data type

Open robertalexa opened this issue 1 year ago • 1 comments

Describe the bug When using DJANGO_REST_PASSWORDRESET_IP_ADDRESS_HEADER behind a proxy server, the actual value may contain multiple IPs, separated by a comma, with the first value being the client IP and the last being the last proxy server hit.

In such a scenario, inserting into the DB fails with an error because the data tried to be inserted is not of inet data type. Looking at the code, there is not split attempting to just use the client IP (first value). Alternatively, the model should be changed to not be inet

How to reproduce Test behind a proxy server

Internal Server Error: /auth/password-reset/
REDACTED  | Traceback (most recent call last):
REDACTED  |   File "/usr/local/lib/python3.10/site-packages/django/db/backends/utils.py", line 89, in _execute
REDACTED  |     return self.cursor.execute(sql, params)
REDACTED  | psycopg2.errors.InvalidTextRepresentation: invalid input syntax for type inet: "82.xx.xx.xx, 192.168.32.1"

May 26 '23 11:05 robertalexa

By the way, this is also wrong in the docs:

The variable should be DJANGO_REST_PASSWORDRESET_HTTP_USER_AGENT_HEADER

May 26 '23 12:05 robertalexa

django-rest-passwordreset django-rest-passwordreset copied to clipboard

[BUG] X-Forwarded-For containing multiple IPs does not respect inet data type

django-rest-passwordreset
django-rest-passwordreset copied to clipboard