mirror of
https://github.com/syncthing/syncthing.git
### Purpose

Fix https://github.com/syncthing/syncthing/issues/9336

The `emitLoginAttempt` function now checks for the presence of an `X-Forwarded-For` header. The IP from this header is only used if the connecting host is either on loopback or on the same LAN. In the case of a host pretending to be a proxy, we'd still have both IPs in the logs, which should make this much less critical from a security standpoint.

### Testing

1. directly via localhost
2. via proxy on localhost

#### Logs

```
[3JPXJ] 2025/04/11 15:00:40 INFO: Wrong credentials supplied during API authorization from 127.0.0.1
[3JPXJ] 2025/04/11 15:03:04 INFO: Wrong credentials supplied during API authorization from 192.168.178.5 proxied by 127.0.0.1
```

#### Event API

```
{
  "id": 23,
  "globalID": 23,
  "time": "2025-04-11T15:00:40.578577402+02:00",
  "type": "LoginAttempt",
  "data": {
    "remoteAddress": "127.0.0.1",
    "success": false,
    "username": "sdfsd"
  }
},
{
  "id": 24,
  "globalID": 24,
  "time": "2025-04-11T15:03:04.423403976+02:00",
  "type": "LoginAttempt",
  "data": {
    "proxy": "127.0.0.1",
    "remoteAddress": "192.168.178.5",
    "success": false,
    "username": "sdfsd"
  }
}
```

### Documentation

https://github.com/syncthing/docs/pull/907

---------

Co-authored-by: Jakob Borg <jakob@kastelo.net>
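The trust decision described above, written out as an added example (not Syncthing's own `emitLoginAttempt` code): the `X-Forwarded-For` value is only honoured when the directly connected peer is loopback or private-range, and in that case the peer is kept as the proxy so both addresses reach the log. "Same LAN" is approximated here with `net.IP.IsPrivate` (RFC 1918 / ULA ranges), an assumption of this example; the `LoginSource` type, `trustedProxyPeer` and `loginSource` names are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// LoginSource is what the log line and the LoginAttempt event carry: the
// client address and, when a trusted proxy supplied it, the proxy's address.
type LoginSource struct {
	RemoteAddress string
	Proxy         string
}

// trustedProxyPeer reports whether a directly connected peer may be believed
// when it claims to forward for another host. Assumption: "same LAN" is
// approximated here by the RFC 1918 / ULA ranges that net.IP.IsPrivate knows.
func trustedProxyPeer(ip net.IP) bool {
	return ip != nil && (ip.IsLoopback() || ip.IsPrivate())
}

// loginSource decides which addresses to report for a failed login. The
// X-Forwarded-For header only replaces the peer address when the peer is
// trusted, and the peer is then kept as Proxy so both addresses are logged.
func loginSource(r *http.Request) LoginSource {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr // no port present; use the raw value
	}
	src := LoginSource{RemoteAddress: host}
	xff := r.Header.Get("X-Forwarded-For")
	if xff == "" || !trustedProxyPeer(net.ParseIP(host)) {
		return src // header absent or peer untrusted: report the peer itself
	}
	// The first entry is the original client; later ones are intermediate proxies.
	client := strings.TrimSpace(strings.Split(xff, ",")[0])
	if net.ParseIP(client) == nil {
		return src // malformed claim: never let it displace the real peer
	}
	return LoginSource{RemoteAddress: client, Proxy: host}
}

func main() {
	r, _ := http.NewRequest("GET", "/rest/system/status", nil)
	r.RemoteAddr = "127.0.0.1:54321" // constructed sample: proxy on localhost
	r.Header.Set("X-Forwarded-For", "192.168.178.5")
	fmt.Printf("%+v\n", loginSource(r))
}
```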