From cbd8eba2c46e6fcc7985874207357e5879c1904c Mon Sep 17 00:00:00 2001
From: Paul Melnikow <github@paulmelnikow.com>
Date: Thu, 15 Oct 2020 19:27:07 -0400
Subject: [PATCH] Fix REQUIRE_CLOUDFLARE for Heroku (#5712)

Ref #3027
---
 core/server/server.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/core/server/server.js b/core/server/server.js
index fe99ea0d85..1438275c23 100644
--- a/core/server/server.js
+++ b/core/server/server.js
@@ -280,12 +280,18 @@ class Server {
     })
   }
 
+  // See https://www.viget.com/articles/heroku-cloudflare-the-right-way/
   requireCloudflare() {
-    // See https://www.viget.com/articles/heroku-cloudflare-the-right-way/
     // Set `req.ip`, which is expected by `cloudflareMiddleware()`. This is set
     // by Express but not Scoutcamp.
     addHandlerAtIndex(this.camp, 0, function (req, res, next) {
-      req.ip = req.socket.remoteAddress
+      // On Heroku, `req.socket.remoteAddress` is the Heroku router. However,
+      // the router ensures that the last item in the `X-Forwarded-For` header
+      // is the real origin.
+      // https://stackoverflow.com/a/18517550/893113
+      req.ip = process.env.DYNO
+        ? req.headers['x-forwarded-for'].split(', ').pop()
+        : req.socket.remoteAddress
       next()
     })
     addHandlerAtIndex(this.camp, 1, cloudflareMiddleware())