http/proxy.ts

Create a Hono middleware that resolves the client IP from trusted proxies.

Sets client_ip on the Hono context for downstream use by get_client_ip. All client IPs are normalized (lowercase, IPv4-mapped IPv6 stripped).

Resolution logic: 1. No X-Forwarded-For → use connection IP directly. 2. X-Forwarded-For present but connection is untrusted → ignore header (spoofed by a direct attacker), use connection IP. 3. X-Forwarded-For present and connection is trusted → walk header right-to-left, strip trusted entries, use first untrusted entry.

Create a middleware spec for trusted proxy resolution.

Apply before auth middleware so client_ip is available for rate limiting.

Read the resolved client IP from the Hono context.

Returns 'unknown' if the proxy middleware has not run or no IP is available. Set by create_proxy_middleware.

Check whether ip matches any entry in the trusted proxy list.

Normalizes ip before matching (lowercase, IPv4-mapped IPv6 stripped).

Normalize an IP address for consistent matching and storage.

- Strips ::ffff: prefix from IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1 → 127.0.0.1) - Lowercases for case-insensitive IPv6 comparison - Idempotent: calling twice produces the same result - Safe on non-IP strings: normalize_ip('unknown') returns 'unknown'

Parse a trusted proxy entry string into a structured form.

Accepts plain IPs ('127.0.0.1', '::1') and CIDR notation ('10.0.0.0/8', 'fe80::/10'). Plain IPs are normalized (lowercase, IPv4-mapped IPv6 stripped) and validated. CIDR prefixes are validated against address family bounds.

A parsed proxy entry — either an exact IP or a CIDR range.

Configuration for trusted proxy resolution.

Resolve the real client IP from an X-Forwarded-For header value.

Walks right-to-left, skipping trusted proxy entries. The first non-trusted entry is the client IP. If all entries are trusted, returns the leftmost entry. All entries are normalized before matching and in the returned value.