Merge 0d9e3d19aff81c1fc40fbaea901c99b08ff48ad7 into 9914178584e42458ff7d23891463a880f58c9d86

fix(context): ClientIP handling for multiple X-Forwarded-For header values (#4472 )
* Fix ClientIP calculation by concatenating all RemoteIPHeaders values * test: used http.MethodGet instead constants and fix lints * lint error fixed * Refactor ClientIP X-Forwarded-For tests --------- Co-authored-by: Bo-Yi Wu <appleboy.tw@gmail.com>
2026-01-11 09:06:56 +08:00 · 2026-01-03 10:34:49 +08:00 · 2026-01-02 10:15:27 +08:00 · 2022-09-19 12:06:54 +00:00 · 2022-09-19 12:00:08 +00:00
2 changed files with 45 additions and 1 deletions
--- a/context.go
+++ b/context.go
@ -291,6 +291,18 @@ func (c *Context) Get(key any) (value any, exists bool) {
 	return
 }

+// GetAs returns the value for the given key, ie: (value, true).
+// If the value does not exist it returns (nil, false)
+func (c *Context) GetAs[T any](key string) (result T, exists bool) {
+	value, exists := c.Get(key)
+	if !exists {
+	   return	
+	}	
+	
+	result, exists = value.(T)
+	return
+}
+
 // MustGet returns the value for the given key if it exists, otherwise it panics.
 func (c *Context) MustGet(key any) any {
 	if value, exists := c.Get(key); exists {
@ -989,7 +1001,8 @@ func (c *Context) ClientIP() string {

 	if trusted && c.engine.ForwardedByClientIP && c.engine.RemoteIPHeaders != nil {
 		for _, headerName := range c.engine.RemoteIPHeaders {
-			ip, valid := c.engine.validateHeader(c.requestHeader(headerName))
+			headerValue := strings.Join(c.Request.Header.Values(headerName), ",")
+			ip, valid := c.engine.validateHeader(headerValue)
 			if valid {
 				return ip
 			}
--- a/context_test.go
+++ b/context_test.go
@ -1143,6 +1143,37 @@ func TestContextRenderNoContentIndentedJSON(t *testing.T) {
 	assert.Equal(t, "application/json; charset=utf-8", w.Header().Get("Content-Type"))
 }

+func TestContextClientIPWithMultipleHeaders(t *testing.T) {
+	c, _ := CreateTestContext(httptest.NewRecorder())
+	c.Request, _ = http.NewRequest(http.MethodGet, "/test", nil)
+
+	// Multiple X-Forwarded-For headers
+	c.Request.Header.Add("X-Forwarded-For", "1.2.3.4, "+localhostIP)
+	c.Request.Header.Add("X-Forwarded-For", "5.6.7.8")
+	c.Request.RemoteAddr = localhostIP + ":1234"
+
+	c.engine.ForwardedByClientIP = true
+	c.engine.RemoteIPHeaders = []string{"X-Forwarded-For"}
+	_ = c.engine.SetTrustedProxies([]string{localhostIP})
+
+	// Should return 5.6.7.8 (last non-trusted IP)
+	assert.Equal(t, "5.6.7.8", c.ClientIP())
+}
+
+func TestContextClientIPWithSingleHeader(t *testing.T) {
+	c, _ := CreateTestContext(httptest.NewRecorder())
+	c.Request, _ = http.NewRequest(http.MethodGet, "/test", nil)
+	c.Request.Header.Set("X-Forwarded-For", "1.2.3.4, "+localhostIP)
+	c.Request.RemoteAddr = localhostIP + ":1234"
+
+	c.engine.ForwardedByClientIP = true
+	c.engine.RemoteIPHeaders = []string{"X-Forwarded-For"}
+	_ = c.engine.SetTrustedProxies([]string{localhostIP})
+
+	// Should return 1.2.3.4
+	assert.Equal(t, "1.2.3.4", c.ClientIP())
+}
+
 // Tests that the response is serialized as Secure JSON
 // and Content-Type is set to application/json
 func TestContextRenderSecureJSON(t *testing.T) {
Author	SHA1	Message	Date
Cheikh Seck	e4dacc3b61	Merge 0d9e3d19aff81c1fc40fbaea901c99b08ff48ad7 into 9914178584e42458ff7d23891463a880f58c9d86	2026-01-03 10:34:49 +08:00
Nurysso	9914178584	fix(context): ClientIP handling for multiple X-Forwarded-For header values (#4472 ) * Fix ClientIP calculation by concatenating all RemoteIPHeaders values * test: used http.MethodGet instead constants and fix lints * lint error fixed * Refactor ClientIP X-Forwarded-For tests --------- Co-authored-by: Bo-Yi Wu <appleboy.tw@gmail.com>	2026-01-02 10:15:27 +08:00
Cheikh Seck	0d9e3d19af	Update context.go use method Get to get existing data.	2022-09-19 12:06:54 +00:00
Cheikh Seck	84bae816a0	Update context to have a generic method. Add a generic method `GetAs` to get request data.	2022-09-19 12:00:08 +00:00