sveltejs · Rich-Harris · Mar 16, 2022 · Mar 15, 2022 · Mar 15, 2022 · Mar 15, 2022
diff --git a/.changeset/sweet-parents-sell.md b/.changeset/sweet-parents-sell.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/adapter-node': patch
+---
+
+[breaking] rename `xForwardedForIndex` to `XFF_DEPTH` and make it an environment variable
diff --git a/packages/adapter-node/README.md b/packages/adapter-node/README.md
@@ -94,23 +94,17 @@ MY_ORIGINURL=https://my.site \
 node build
 ```
 
-### xForwardedForIndex
+### `XFF_DEPTH`
 
-If the `ADDRESS_HEADER` is `X-Forwarded-For`, the header value will contain a comma-separated list of IP addresses. For example, if there are three proxies between your server and the client, proxy 3 will forward the addresses of the client and the first two proxies:
+If the `ADDRESS_HEADER` is `X-Forwarded-For`, the header value will contain a comma-separated list of IP addresses. The `XFF_DEPTH` environment variable should specify how many trusted proxies sit between your server and the client. E.g. if there are three trusted proxies, proxy 3 will forward the addresses of the client and the first two proxies:
 
 ```
 <client address>, <proxy 1 address>, <proxy 2 address>
 ```
 
-To get the client address we could use `xForwardedFor: 0` or `xForwardedFor: -3`, which counts back from the number of addresses.
+To get the client address we could use `XFF_DEPTH=3`.
 
-**X-Forwarded-For is [trivial to spoof](https://adam-p.ca/blog/2022/03/x-forwarded-for/), howevever**:
-
-```
-<spoofed address>, <client address>, <proxy 1 address>, <proxy 2 address>
-```
-
-For that reason you should always use a negative number (depending on the number of proxies) if you need to trust `event.clientAddress`. In the above example, `0` would yield the spoofed address while `-3` would continue to work.
+This is [the most secure way](https://adam-p.ca/blog/2022/03/x-forwarded-for/) to read from the `X-Forwarded-For` header. It assumes a constant number of proxies between the client and server. If you are not using this value for a security-sensitive application, you may find it more reliable in some instances to avoid this assumption and read the first entry from the `X-Forwarded-For` header yourself (e.g. some users may be connecting through a corporate proxy while others are not breaking the assumption of a constant number of proxies).
 
 ## Custom server
 

diff --git a/packages/adapter-node/index.d.ts b/packages/adapter-node/index.d.ts
@@ -20,7 +20,6 @@ interface AdapterOptions {
 			host?: string;
 		};
 	};
-	xForwardedForIndex?: number;
 }
 
 declare function plugin(options?: AdapterOptions): Adapter;

diff --git a/packages/adapter-node/index.js b/packages/adapter-node/index.js
@@ -23,8 +23,7 @@ export default function ({
 			protocol: protocol_header_env = 'PROTOCOL_HEADER',
 			host: host_header_env = 'HOST_HEADER'
 		} = {}
-	} = {},
-	xForwardedForIndex = -1
+	} = {}
 } = {}) {
 	return {
 		name: '@sveltejs/adapter-node',
@@ -55,8 +54,7 @@ export default function ({
 					ORIGIN: origin_env ? `process.env[${JSON.stringify(origin_env)}]` : 'undefined',
 					PROTOCOL_HEADER: JSON.stringify(protocol_header_env),
 					HOST_HEADER: JSON.stringify(host_header_env),
-					ADDRESS_HEADER: JSON.stringify(address_header_env),
-					X_FORWARDED_FOR_INDEX: JSON.stringify(xForwardedForIndex)
+					ADDRESS_HEADER: JSON.stringify(address_header_env)
 				}
 			});
 

diff --git a/packages/adapter-node/src/handler.d.ts b/packages/adapter-node/src/handler.d.ts
@@ -5,7 +5,7 @@ declare global {
 	const ADDRESS_HEADER: string;
 	const HOST_HEADER: string;
 	const PROTOCOL_HEADER: string;
-	const X_FORWARDED_FOR_INDEX: number;
+	const X_FORWARDED_FOR_PROXIES: number;
 }
 
 export const handler: Handle;
diff --git a/packages/adapter-node/src/handler.js b/packages/adapter-node/src/handler.js
@@ -7,17 +7,32 @@ import { getRequest, setResponse } from '@sveltejs/kit/node';
 import { Server } from 'SERVER';
 import { manifest } from 'MANIFEST';
 
-/* global ORIGIN, ADDRESS_HEADER, PROTOCOL_HEADER, HOST_HEADER, X_FORWARDED_FOR_INDEX */
+/* global ORIGIN, ADDRESS_HEADER, PROTOCOL_HEADER, HOST_HEADER */
 
 const server = new Server(manifest);
 const origin = ORIGIN;
 
+const xff_depth = get_xff_depth();
 const address_header = ADDRESS_HEADER && (process.env[ADDRESS_HEADER] || '').toLowerCase();
 const protocol_header = PROTOCOL_HEADER && process.env[PROTOCOL_HEADER];
 const host_header = (HOST_HEADER && process.env[HOST_HEADER]) || 'host';
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 
+function get_xff_depth() {
+	const value = process.env['XFF_DEPTH'];
+	let xff_depth;
+	try {
+		xff_depth = value ? parseInt(value) : 1;
+	} catch (err) {
+		throw new Error('Expected XFF_DEPTH to be an integer. Received ${value}');
+	}
+	if (xff_depth < 1) {
+		throw new Error('XFF_DEPTH cannot be less than 1');
+	}
+	return xff_depth;
+}
+
 /**
  * @param {string} path
  * @param {number} max_age
@@ -62,7 +77,12 @@ const ssr = async (req, res) => {
 
 					if (address_header === 'x-forwarded-for') {
 						const addresses = value.split(',');
-						return addresses[(addresses.length + X_FORWARDED_FOR_INDEX) % addresses.length].trim();
+						if (xff_depth > addresses.length) {
+							throw new Error(
+								`XFF_DEPTH specified as ${xff_depth}, but only found ${addresses.length} addresses`
+							);
+						}
+						return addresses[addresses.length - xff_depth].trim();
 					}
 
 					return value;