diff --git a/server/apiServer.ts b/server/apiServer.ts
index 824a860d..ace27e9b 100644
--- a/server/apiServer.ts
+++ b/server/apiServer.ts
@@ -20,8 +20,9 @@ const externalPort = config.getRawConfig().server.external_port;
 export function createApiServer() {
 const apiServer = express();
- if (config.getRawConfig().server.trust_proxy) {
- apiServer.set("trust proxy", 1);
+ const trustProxy = config.getRawConfig().server.trust_proxy;
+ if (trustProxy) {
+ apiServer.set("trust proxy", trustProxy);
 }
 const corsConfig = config.getRawConfig().server.cors;
diff --git a/server/lib/readConfigFile.ts b/server/lib/readConfigFile.ts
index 13efce5d..7a142739 100644
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@@ -112,7 +112,7 @@ export const configSchema = z.object({
 credentials: z.boolean().optional()
 })
 .optional(),
- trust_proxy: z.boolean().optional().default(true),
+ trust_proxy: z.number().int().gte(0).optional().default(1),
 secret: z
 .string()
 .optional()
diff --git a/src/lib/api/cookies.ts b/src/lib/api/cookies.ts
index 6694c178..fac1810b 100644
--- a/src/lib/api/cookies.ts
+++ b/src/lib/api/cookies.ts
@@ -1,4 +1,4 @@
-import { cookies } from "next/headers";
+import { cookies, headers } from "next/headers";
 import { pullEnv } from "../pullEnv";
 export async function authCookieHeader() {
@@ -7,9 +7,16 @@ export async function authCookieHeader() {
 const allCookies = await cookies();
 const cookieName = env.server.sessionCookieName;
 const sessionId = allCookies.get(cookieName)?.value ?? null;
+
+ // all other headers
+ // this is needed to pass through x-forwarded-for, x-forwarded-proto, etc.
+ const otherHeaders = await headers();
+ const otherHeadersObject = Object.fromEntries(otherHeaders.entries());
+
 return {
 headers: {
 Cookie: `${cookieName}=${sessionId}`,
+ ...otherHeadersObject
 },
 };
 }
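Review bot: The new `apiServer.set("trust proxy", trustProxy)` line passes an operator-chosen hop count straight to Express with no comment explaining what the number means. With a numeric value Express takes the client address from that many hops back in `X-Forwarded-For`. A count larger than the real number of proxies in front of the server therefore makes `req.ip` a client-supplied value, which weakens anything keyed on the client IP. I would add a comment above the call such as `// trust_proxy is the number of reverse-proxy hops in front of this server; keep it equal to the real hop count, a larger value lets clients choose req.ip via X-Forwarded-For`. The rest of createApiServer lies outside this hunk.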
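Review bot: Config files written against the old schema with `trust_proxy: true` or `trust_proxy: false` will no longer validate, because the field now accepts only a non-negative integer. If existing deployments are expected to upgrade without editing their config, the field could keep accepting booleans and map them to the old behaviour, for example `trust_proxy: z.union([z.boolean().transform((b) => (b ? 1 : 0)), z.number().int().gte(0)]).optional().default(1),`. The schema also sets no upper bound, so a comment stating that the value must match the real proxy hop count would help operators. The surrounding configSchema object starts and ends outside this hunk.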
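Review bot: Spreading `otherHeadersObject` into the outgoing headers forwards every inbound request header, not just the `x-forwarded-*` ones the comment names. That includes `host`, `content-length`, `authorization` and the raw lowercase `cookie` header. Because the spread comes after `Cookie`, the object ends up holding both the rebuilt session cookie and the browser's full cookie header, and which one the API server sees presumably depends on how the HTTP client merges header names that differ only in case. I would copy only an explicit allowlist and place the constructed `Cookie` last, as sketched below. The start of authCookieHeader's body lies outside this hunk.

```typescript
// … unchanged: cookie lookup (allCookies, cookieName, sessionId) …

    // Forward only the proxy headers the API server needs; extend the list deliberately.
    const forwardedNames = ["x-forwarded-for", "x-forwarded-proto"];
    const incoming = await headers();
    const forwarded: Record<string, string> = {};
    for (const name of forwardedNames) {
        const value = incoming.get(name);
        if (value !== null) {
            forwarded[name] = value;
        }
    }

    return {
        headers: {
            ...forwarded,
            Cookie: `${cookieName}=${sessionId}`
        },
    };
```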