Workaround for IP resolution from x-Forwarded-For with multiple proxies

module/Core/src/Middleware/ReverseForwardedAddressesMiddlewareDecorator.php

@@ -0,0 +1,49 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Shlinkio\Shlink\Core\Middleware;
+
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+
+use function array_reverse;
+use function explode;
+use function implode;
+
+/**
+ * Decorates a middleware to make sure it gets called with a list of reversed addresses in `X-Forwarded-For`.
+ *
+ * This is a workaround for a change in behavior introduced in akrabat/ip-address-middleware 2.5, which now
+ * takes the first non-trusted-proxy address in that header, starting from the right, instead of the first
+ * address starting from the left.
+ * That change breaks Shlink's visitor IP resolution when more than one proxy is used, and trusted proxies
+ * are not explicitly set for akrabat/ip-address-middleware (which Shlink does not do).
+ *
+ * A proper solution would require allowing trusted proxies to be configurable, and apply this logic conditionally, only
+ * if trusted proxies are not set.
+ *
+ * @see https://github.com/akrabat/ip-address-middleware/pull/51
+ */
+readonly class ReverseForwardedAddressesMiddlewareDecorator implements MiddlewareInterface
+{
+    public const string FORWARDED_FOR_HEADER = 'X-Forwarded-For';
+
+    public function __construct(private MiddlewareInterface $wrappedMiddleware)
+    {
+    }
+
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    {
+        if ($request->hasHeader(self::FORWARDED_FOR_HEADER)) {
+            $request = $request->withHeader(
+                self::FORWARDED_FOR_HEADER,
+                implode(',', array_reverse(explode(',', $request->getHeaderLine(self::FORWARDED_FOR_HEADER)))),
+            );
+        }
+
+        return $this->wrappedMiddleware->process($request, $handler);
+    }
+}

module/Core/test-api/Action/RedirectTest.php

@@ -90,7 +90,8 @@ class RedirectTest extends ApiTestCase
         ];
 
         $ipAddressConfig = require __DIR__ . '/../../../../config/autoload/ip-address.global.php';
-        foreach ($ipAddressConfig['rka']['ip_address']['headers_to_inspect'] as $header) {
+        $headers = $ipAddressConfig['rka']['ip_address']['headers_to_inspect'];
+        foreach ($headers as $header) {
             yield sprintf('rule: IP address in "%s" header', $header) => [
                 [
                     RequestOptions::HEADERS => [$header => $header !== 'Forwarded' ? '1.2.3.4' : 'for=1.2.3.4'],
@@ -98,6 +99,15 @@ class RedirectTest extends ApiTestCase
                 'https://example.com/static-ip-address',
             ];
         }
+
+        yield 'rule: IP address in "X-Forwarded-For" together with proxy addresses' => [
+            [
+                RequestOptions::HEADERS => [
+                    'X-Forwarded-For' => '1.2.3.4, 192.168.1.1, 192.168.1.2',
+                ],
+            ],
+            'https://example.com/static-ip-address',
+        ];
     }
 
     /**

module/Core/test/Middleware/ReverseForwardedAddressesMiddlewareDecoratorTest.php

@@ -0,0 +1,59 @@
+<?php
+
+declare(strict_types=1);
+
+namespace ShlinkioTest\Shlink\Core\Middleware;
+
+use Laminas\Diactoros\Response;
+use Laminas\Diactoros\ServerRequestFactory;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use Shlinkio\Shlink\Core\Middleware\ReverseForwardedAddressesMiddlewareDecorator;
+
+class ReverseForwardedAddressesMiddlewareDecoratorTest extends TestCase
+{
+    private ReverseForwardedAddressesMiddlewareDecorator $middleware;
+    private MockObject & MiddlewareInterface $decoratedMiddleware;
+    private MockObject & RequestHandlerInterface $requestHandler;
+
+    protected function setUp(): void
+    {
+        $this->decoratedMiddleware = $this->createMock(MiddlewareInterface::class);
+        $this->requestHandler = $this->createMock(RequestHandlerInterface::class);
+        $this->middleware = new ReverseForwardedAddressesMiddlewareDecorator($this->decoratedMiddleware);
+    }
+
+    #[Test]
+    public function processesRequestAsIsWhenHeadersIsNotFound(): void
+    {
+        $request = ServerRequestFactory::fromGlobals();
+        $this->decoratedMiddleware->expects($this->once())->method('process')->with(
+            $request,
+            $this->requestHandler,
+        )->willReturn(new Response());
+
+        $this->middleware->process($request, $this->requestHandler);
+    }
+
+    #[Test]
+    public function revertsListOfAddressesWhenHeaderIsFound(): void
+    {
+        $request = ServerRequestFactory::fromGlobals()->withHeader(
+            ReverseForwardedAddressesMiddlewareDecorator::FORWARDED_FOR_HEADER,
+            '1.2.3.4,5.6.7.8,9.10.11.12',
+        );
+
+        $this->decoratedMiddleware->expects($this->once())->method('process')->with(
+            $this->callback(fn (ServerRequestInterface $req): bool => $req->getHeaderLine(
+                ReverseForwardedAddressesMiddlewareDecorator::FORWARDED_FOR_HEADER,
+            ) === '9.10.11.12,5.6.7.8,1.2.3.4'),
+            $this->requestHandler,
+        )->willReturn(new Response());
+
+        $this->middleware->process($request, $this->requestHandler);
+    }
+}