fix: respect IP headers in dev/test environments (#6854)

Taesu
2025-12-18 21:25:10 +09:00
committed by GitHub
parent 3897be5603
commit d3ebfacd91
2 changed files with 12 additions and 5 deletions


@@ -100,7 +100,12 @@ You can configure the IP address header in your Better Auth configuration:
This ensures that Better Auth only accepts IP addresses from your trusted proxy's header, making it more difficult for attackers to bypass rate limiting or other IP-based security measures by spoofing headers.
> **Important**: When setting a custom IP address header, ensure that your proxy or load balancer is properly configured to set this header, and that it cannot be set by end users directly.
<Callout type="info">
**Important**
- When setting a custom IP address header, ensure that your proxy or load balancer is properly configured to set this header, and that it cannot be set by end users directly.
- In dev/test environments, if the IP cannot be retrieved from headers, 127.0.0.1 is used as a fallback.
</Callout>
## Trusted Origins


@@ -13,10 +13,6 @@ export function getIp(
return null;
}
if (isTest() || isDevelopment()) {
return LOCALHOST_IP;
}
const headers = "headers" in req ? req.headers : req;
const defaultHeaders = ["x-forwarded-for"];
@@ -33,6 +29,12 @@ export function getIp(
}
}
}
// Fallback to localhost IP in development/test environments when no IP found in headers
if (isTest() || isDevelopment()) {
return LOCALHOST_IP;
}
return null;
}
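Review bot: The new fallback at the end of getIp returns LOCALHOST_IP as though it were an observed client address, so a caller cannot tell this synthetic placeholder from a real loopback peer or from a header-derived value. If a deployment is ever started with the development or test flag set, every request without a usable header would share the single key 127.0.0.1 instead of getting `null`. That matters for rate limiting and for any downstream check that treats loopback specially. I would extend the comment to say so, e.g. `// Dev/test only: synthetic placeholder, not an observed peer address; never use it for allowlisting or trust decisions`. The diffstat lists only two files, apparently the docs page and this source file, so no test seems to pin the new header-first ordering; the body of getIp starts outside the visible hunks, so the header loop itself could not be reviewed here.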