Security with header X-Forwarded-For and API_TOKEN

[thib3113]

Please add some security points to this project .

First this part

kener/src/lib/server/webhook.js

Lines 47 to 50 in 3264e86

	if (request.headers.get("x-forwarded-for") !== null) {
	ip = request.headers.get("x-forwarded-for").split(",")[0];
	} else if (request.headers.get("x-real-ip") !== null) {
	ip = request.headers.get("x-real-ip");

allow a user to fake ip .

Creating the query on curl, you can add your custom X-Forwarded-For, and so fake the sender ip .

You need to trust headers x-forwarded-for or x-real-ip only if remoteAddress is a trusted reverse proxy . So you need to add an env to set the list of trusted reverse proxies, and check .

---

Second, please doesn't use API_TOKEN in clear . It's really better to set a hash on the env variable, and in your script you can check if the hash match the sent Bearer .

you can easly use bcrypt . and you can easily find a bcrypt generator online to get an hash

this is not the best solution, but better than setting the password in clear in env ... also, you can use docker files environment var, it allow to use a secret - example on mongodb image