From 59d88bcccdb77c38fd45ca18e1c3f738ffbbc037 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Tue, 3 Dec 2024 15:35:27 +0100
Subject: [PATCH] fix: remove unnecessary logger initialization in ReverseProxied and enhance IP address validation in session checks
---
 src/ui/app/models/reverse_proxied.py | 7 -------
 src/ui/main.py | 3 ++-
 2 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/src/ui/app/models/reverse_proxied.py b/src/ui/app/models/reverse_proxied.py
index 50e315017..29dbc1606 100644
--- a/src/ui/app/models/reverse_proxied.py
+++ b/src/ui/app/models/reverse_proxied.py
@@ -1,14 +1,9 @@
 #!/usr/bin/env python3
-from logging import getLogger
 from werkzeug.middleware.proxy_fix import ProxyFix
 class ReverseProxied(ProxyFix):
- def __init__(self, *args, **kwargs):
- super().__init__(*args, **kwargs)
- self.__logger = getLogger("UI.ReverseProxied")
-
 def __call__(self, environ, start_response):
 """Modify the WSGI environ based on the various ``Forwarded``
 headers before calling the wrapped application. Store the
@@ -64,6 +59,4 @@ class ReverseProxied(ProxyFix):
 environ["ABSOLUTE_URI"] = f"{environ['wsgi.url_scheme']}://{environ['HTTP_HOST']}{environ['SCRIPT_NAME']}/"
 environ["SESSION_COOKIE_DOMAIN"] = environ["HTTP_HOST"]
- self.__logger.debug(f"Reverse Proxy environ: {environ}")
-
 return self.app(environ, start_response)
diff --git a/src/ui/main.py b/src/ui/main.py
index cb91a1af4..fb8051599 100644
--- a/src/ui/main.py
+++ b/src/ui/main.py
@@ -1,6 +1,7 @@
 #!/usr/bin/env python3
 from contextlib import suppress
 from datetime import datetime, timedelta
+from ipaddress import ip_address
 from json import dumps, loads
 from os import getenv, sep
 from os.path import join 
@@ -338,7 +339,7 @@ def before_request():
 if not request.path.endswith("/login"):
 return redirect(url_for("totp.totp_page", next=request.form.get("next")))
 passed = False
- elif session["ip"] != request.remote_addr:
+ elif not ip_address(request.remote_addr).is_private and session["ip"] != request.remote_addr:
 LOGGER.warning(f"User {current_user.get_id()} tried to access his session with a different IP address.")
 passed = False
 elif session["user_agent"] != request.headers.get("User-Agent"):
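Review bot: The rewritten `elif` on the `+` line exempts every request arriving from a private address from the session-to-IP binding regardless of what `session["ip"]` holds, so a session established from one address passes this check from any RFC 1918, loopback or link-local address without the warning ever firing; the relaxation should depend on the stored session address as well, not only on the current one. `ip_address(request.remote_addr)` is also unguarded and raises `ValueError` when `remote_addr` is `None` or not a literal IP, which would turn a missing `REMOTE_ADDR` into a 500 on every request instead of a failed check. A small defensive helper plus a condition that only tolerates an address change when both the stored and the current address are private keeps the apparent intent (ignore address drift inside a NAT) without dropping the check for internal traffic. `before_request` starts outside the hunk, and where `session["ip"]` is populated is not visible here, so I am assuming it holds a value taken from `request.remote_addr`.
```python
def _is_private_ip(addr):
    """Return True only for a syntactically valid private/loopback address.

    None or a non-literal REMOTE_ADDR is reported as not private so the
    caller falls through to the strict comparison instead of raising.
    """
    try:
        return ip_address(addr).is_private
    except ValueError:
        return False

# … unchanged: earlier branches of before_request …
            elif session["ip"] != request.remote_addr and not (_is_private_ip(session["ip"]) and _is_private_ip(request.remote_addr)):
                LOGGER.warning(f"User {current_user.get_id()} tried to access his session with a different IP address.")
```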