Move TrackTrueClientIp middleware into saas engine

flavorjones · flavorjones · commit ab5d1d4b8282 · 2026-03-09T15:08:24.000-04:00
The True-Client-IP header is set by Cloudflare and is only trustworthy when behind a Cloudflare proxy. In non-Cloudflare deployments, this header is attacker-controlled and can be used to spoof IP addresses. Moving the middleware into the saas engine ensures it only loads for our Cloudflare-fronted production deployment, not for self-hosted OSS instances. GHSA-cpch-9qg2-x8fq
diff --git a/saas/lib/fizzy/saas/engine.rb b/saas/lib/fizzy/saas/engine.rb
@@ -1,4 +1,5 @@
 require_relative "transaction_pinning"
+require_relative "true_client_ip"
 require_relative "signup"
 require_relative "authorization"
 require_relative "gvl_instrumentation"
@@ -61,6 +62,10 @@ class Engine < ::Rails::Engine
         app.config.middleware.insert_after(ActiveRecord::Middleware::DatabaseSelector, TransactionPinning::Middleware)
       end
 
+      initializer "fizzy_saas.true_client_ip" do |app|
+        app.config.middleware.insert_before ActionDispatch::RemoteIp, TrackTrueClientIp
+      end
+
       initializer "fizzy_saas.gvl_instrumentation" do |app|
         app.config.middleware.insert_before(Rack::Runtime, GvlInstrumentation)
       end
diff --git a/saas/lib/fizzy/saas/true_client_ip.rb b/saas/lib/fizzy/saas/true_client_ip.rb
@@ -20,5 +20,3 @@ def call(env)
     @app.call(env)
   end
 end
-
-Rails.application.config.middleware.insert_before ActionDispatch::RemoteIp, TrackTrueClientIp
diff --git a/saas/test/lib/true_client_ip_test.rb b/saas/test/lib/true_client_ip_test.rb
