Merge pull request #729 from Tusharmahajan12/new_asp_apr24

Get IP address IN Keycloak

Author: Tusharmahajan12

src/auth/auth.controller.ts

@@ -30,7 +30,7 @@ import { AuthService } from "./auth.service";
 import { JwtAuthGuard } from "src/common/guards/keycloak.guard";
 import { APIID } from "src/common/utils/api-id.config";
 import { AllExceptionsFilter } from "src/common/filters/exception.filter";
-import { Response } from "express";
+import { Request, Response } from "express";
 
 @ApiTags("Auth")
 @Controller("auth")
@@ -43,8 +43,12 @@ export class AuthController {
   @UsePipes(ValidationPipe)
   @HttpCode(HttpStatus.OK)
   @ApiForbiddenResponse({ description: "Forbidden" })
-  public async login(@Body() authDto: AuthDto, @Res() response: Response) {
-     return this.authService.login(authDto, response);
+  public async login(
+    @Req() request: Request,
+    @Body() authDto: AuthDto,
+    @Res() response: Response,
+  ) {
+     return this.authService.login(request, authDto, response);
   }
 
   @UseFilters(new AllExceptionsFilter(APIID.USER_AUTH))
@@ -67,22 +71,27 @@ export class AuthController {
   @ApiBody({ type: RefreshTokenRequestBody })
   @UsePipes(ValidationPipe)
   refreshToken(
+    @Req() request: Request,
     @Body() body: RefreshTokenRequestBody,
     @Res() response: Response
   ) {
     const { refresh_token: refreshToken } = body;
 
-    return this.authService.refreshToken(refreshToken, response);
+    return this.authService.refreshToken(request, refreshToken, response);
   }
 
   @UseFilters(new AllExceptionsFilter(APIID.LOGOUT))
   @Post("/logout")
   @UsePipes(ValidationPipe)
   @HttpCode(HttpStatus.OK)
   @ApiBody({ type: LogoutRequestBody })
-  async logout(@Body() body: LogoutRequestBody, @Res() response: Response) {
+  async logout(
+    @Req() request: Request,
+    @Body() body: LogoutRequestBody,
+    @Res() response: Response,
+  ) {
     const { refresh_token: refreshToken } = body;
 
-    await this.authService.logout(refreshToken, response);
+    await this.authService.logout(request, refreshToken, response);
   }
 }

src/auth/auth.service.ts

@@ -10,7 +10,8 @@ import jwt_decode from 'jwt-decode';
 import APIResponse from 'src/common/responses/response';
 import { KeycloakService } from 'src/common/utils/keycloak.service';
 import { APIID } from 'src/common/utils/api-id.config';
-import { Response } from 'express';
+import { Request, Response } from 'express';
+import { normalizeIpForForwarding } from 'src/common/utils/client-ip.util';
 
 type LoginResponse = {
   access_token: string;
@@ -25,9 +26,38 @@ export class AuthService {
     private readonly keycloakService: KeycloakService
   ) {}
 
-  async login(authDto, response: Response) {
+  private getClientIpForKeycloak(request: Request): string | undefined {
+    const ipFromExpress = normalizeIpForForwarding(request?.ip);
+    if (ipFromExpress) return ipFromExpress;
+
+    // Fallback: only trust X-Forwarded-For if the direct connection is internal (proxy hop).
+    const remoteAddress = normalizeIpForForwarding(request?.socket?.remoteAddress);
+    const isInternal =
+      !!remoteAddress &&
+      (remoteAddress === '127.0.0.1' ||
+        remoteAddress === '::1' ||
+        remoteAddress.startsWith('10.') ||
+        remoteAddress.startsWith('192.168.') ||
+        (remoteAddress.startsWith('172.') &&
+          (() => {
+            const second = parseInt(remoteAddress.slice(4, 7), 10);
+            return second >= 16 && second <= 31;
+          })()));
+
+    if (!isInternal) return undefined;
+
+    const xff = request?.headers?.['x-forwarded-for'];
+    const raw =
+      typeof xff === 'string' ? xff : Array.isArray(xff) ? xff.join(',') : undefined;
+    if (!raw) return undefined;
+    const first = raw.split(',')[0]?.trim();
+    return normalizeIpForForwarding(first);
+  }
+
+  async login(request: Request, authDto, response: Response) {
     const apiId = APIID.LOGIN;
     const { username, password } = authDto;
+    const clientIp = this.getClientIpForKeycloak(request);
 
     try {
       // Optimized: Only check user status (no tenant/role data needed for login)
@@ -57,7 +87,7 @@ export class AuthService {
         refresh_token,
         refresh_expires_in,
         token_type,
-      } = await this.keycloakService.login(username, password);
+      } = await this.keycloakService.login(username, password, clientIp);
 
       const res = {
         access_token,
@@ -119,12 +149,14 @@ export class AuthService {
   }
 
   async refreshToken(
+    request: Request,
     refreshToken: string,
     response: Response
   ): Promise<LoginResponse> {
     const apiId = APIID.REFRESH;
+    const clientIp = this.getClientIpForKeycloak(request);
     const { access_token, expires_in, refresh_token, refresh_expires_in } =
-      await this.keycloakService.refreshToken(refreshToken).catch(() => {
+      await this.keycloakService.refreshToken(refreshToken, clientIp).catch(() => {
         throw new UnauthorizedException();
       });
 
@@ -143,10 +175,11 @@ export class AuthService {
     );
   }
 
-  async logout(refreshToken: string, response: Response) {
+  async logout(request: Request, refreshToken: string, response: Response) {
     const apiId = APIID.LOGOUT;
+    const clientIp = this.getClientIpForKeycloak(request);
     try {
-      const logout = await this.keycloakService.logout(refreshToken);
+      const logout = await this.keycloakService.logout(refreshToken, clientIp);
       return APIResponse.success(
         response,
         apiId,

src/common/utils/keycloak.service.ts

@@ -37,7 +37,7 @@ export class KeycloakService {
     this.axios = axios.create();
   }
 
- async login(username: string, password: string): Promise<LoginResponse> {
+ async login(username: string, password: string, clientIp?: string): Promise<LoginResponse> {
     const data = qs.stringify({
       client_id: this.clientId,
       client_secret: this.clientSecret,
@@ -51,6 +51,7 @@ export class KeycloakService {
       url: `${this.baseURL}realms/${this.realm}/protocol/openid-connect/token`,
       headers: {
         "Content-Type": "application/x-www-form-urlencoded",
+        ...(clientIp ? { "X-Forwarded-For": clientIp } : {}),
       },
       data: data,
       timeout: 15000, // 15 second timeout to prevent hanging
@@ -136,7 +137,7 @@ export class KeycloakService {
     return res.data;
   }
 
-  async refreshToken(refreshToken: string): Promise<LoginResponse> {
+  async refreshToken(refreshToken: string, clientIp?: string): Promise<LoginResponse> {
     const data = qs.stringify({
       client_id: this.clientId,
       client_secret: this.clientSecret,
@@ -149,6 +150,7 @@ export class KeycloakService {
       url: `${this.baseURL}realms/${this.realm}/protocol/openid-connect/token`,
       headers: {
         "Content-Type": "application/x-www-form-urlencoded",
+        ...(clientIp ? { "X-Forwarded-For": clientIp } : {}),
       },
       data: data,
       timeout: 15000, // 15 second timeout
@@ -159,7 +161,7 @@ export class KeycloakService {
     return res.data;
   }
 
-  async logout(refreshToken: string) {
+  async logout(refreshToken: string, clientIp?: string) {
     const data = qs.stringify({
       client_id: this.clientId,
       client_secret: this.clientSecret,
@@ -171,6 +173,7 @@ export class KeycloakService {
       url: `${this.baseURL}realms/${this.realm}/protocol/openid-connect/logout`,
       headers: {
         "Content-Type": "application/x-www-form-urlencoded",
+        ...(clientIp ? { "X-Forwarded-For": clientIp } : {}),
       },
       data: data,
       timeout: 10000, // 10 second timeout

src/main.ts

@@ -39,6 +39,8 @@ import { AllExceptionsFilter } from './common/filters/exception.filter';
 
 async function bootstrap() {
   const app = await NestFactory.create(AppModule);
+  // Ensure Express reads X-Forwarded-* behind ALB/Ingress
+  (app.getHttpAdapter().getInstance() as any).set('trust proxy', 1);
 
   // Configure raw body for webhook routes
   app.use(