@arcjet/ip

@arcjet/ip

Arcjet utilities for finding the originating IP of a request.

Installation

npm install -S @arcjet/ip

Example

import ip from "@arcjet/ip";

// Some Request-like object, such as node's `http.IncomingMessage` or next.js'
// `NextRequest`
const request = new NextRequest();
// A `Headers` object, which is passed separately for cases where it needs to be
// constructed or sanitized
const headers = new Headers();

// Returns the first non-private IP address detected
const globalIp = ip(request, headers);
console.log(globalIp);

Considerations

The IP should not be trusted as it can be spoofed in most cases, especially when loaded via the Headers object.

In non-production environments (NODE_ENV !== "production"), we allow private/internal addresses so that the SDKs work correctly locally.

Implementation

The implementation of this library is based on the Parser, global ipv4 comparisons, and global ipv6 comparisons in the Rust stdlib and the header lookups in the request-ip package. Both licensed MIT with licenses included in our source code.

We've chosen the approach of porting Rust's IP Parser because capturing RegExps can be the source of ReDoS attacks, which we need to avoid. We also wanted to keep our implementation as close to Rust as possible because we will be relying on the Rust stdlib implementation in the future, with a fallback to this implementation. As such, we'll need to track changes in Rust's implementation, even though it seems to change infrequently.

License

Licensed under the Apache License, Version 2.0.

Changelog

1.0.0-alpha.8 (2024-02-09)

⚠ BREAKING CHANGES

• Handle TTL as seconds instead of milliseconds (#211)
• Add fixedWindow, tokenBucket, and slidingWindow primitives (#184)
• Remove timeout property on ArcjetRateLimitRule (#182)
• Remove count property on ArcjetRateLimitReason (#181)
• Required of props should always be required (#180)
• Build extra field from unknown request properties (#179)
• protocol: Introduce Shield name (#158)
• Limit ARCJET_BASE_URL to small set of allowed URLs (#83)

🚀 New Features

• Add fixedWindow, tokenBucket, and slidingWindow primitives (#184) (6701b02)
• Allow user-defined characteristics on rate limit options (#203) (dc5b001)
• Build extra field from unknown request properties (#179) (2576341)
• Limit ARCJET_BASE_URL to small set of allowed URLs (#83) (d9184ea)
• Support cookies and query via the protocol (#214) (ca0cd64)
• Support duration strings or integers on rate limit configuration (#192) (b173d83)

🪲 Bug Fixes

• Handle TTL as seconds instead of milliseconds (#211) (c2d3dd0)
• Required of props should always be required (#180) (1f92885)

📦 Dependencies

• bump @bufbuild/protobuf from 1.6.0 to 1.7.2 (#167) (c7dbdba)
• bump @connectrpc/connect from 1.2.1 to 1.3.0 (#126) (40db7f3)
• bump @rollup/plugin-typescript from 11.1.5 to 11.1.6 (#127) (8f9e34a)
• Bump @connectrpc/connect-web from 1.2.0 to 1.2.1 (#101) (28f4a50)
• Bump @connectrpc/connect-web from 1.2.1 to 1.3.0 (#120) (289446d)
• Bump @connectrpc/connect from 1.2.0 to 1.2.1 (#100) (74013ef)
• Bump ai from 2.2.30 to 2.2.31 in /examples/nextjs-14-openai (#99) (be8c23b)
• Bump eslint-config-turbo from 1.11.2 to 1.11.3 (#107) (b01f418)
• Bump openai from 4.24.1 to 4.24.2 in /examples/nextjs-14-openai (#121) (705f871)
• bump eslint-config-next from 14.0.4 to 14.1.0 (#147) (a44b3f6)
• bump eslint-config-turbo from 1.11.3 to 1.12.3 (#198) (4bd458c)
• bump next from 14.0.4 to 14.1.0 (#148) (6753117)
• bump typeid-js from 0.3.0 to 0.5.0 (#176) (fadf89f)
• dev: bump @edge-runtime/jest-environment from 2.3.7 to 2.3.8 (#154) (9c4ed39)
• dev: bump @edge-runtime/jest-environment from 2.3.8 to 2.3.9 (#196) (8bc0a8f)
• dev: bump @rollup/wasm-node from 4.9.1 to 4.9.2 (#97) (eff4226)
• dev: bump @rollup/wasm-node from 4.9.2 to 4.9.4 (#119) (ec50b96)
• dev: bump @rollup/wasm-node from 4.9.4 to 4.9.5 (#131) (9fff856)
• dev: bump @rollup/wasm-node from 4.9.5 to 4.9.6 (#152) (3e54cff)
• dev: Bump @types/react from 18.2.45 to 18.2.46 (#96) (fe666c6)
• dev: Bump @types/react from 18.2.45 to 18.2.46 in /examples/nextjs-13-pages-wrap (#94) (c21a5e6)
• dev: Bump @types/react from 18.2.45 to 18.2.46 in /examples/nextjs-14-app-dir-validate-email (#93) (90e1965)
• dev: Bump @types/react from 18.2.45 to 18.2.46 in /examples/nextjs-14-openai (#98) (8c63a63)
• dev: Bump @types/react from 18.2.45 to 18.2.46 in /examples/nextjs-14-pages-wrap (#95) (3ffec0d)
• dev: Bump @types/react from 18.2.46 to 18.2.47 in /examples/nextjs-13-pages-wrap (#116) (1341acc)
• dev: Bump @types/react from 18.2.46 to 18.2.47 in /examples/nextjs-14-app-dir-rl (#113) (7e8ae3c)
• dev: Bump @types/react from 18.2.46 to 18.2.47 in /examples/nextjs-14-app-dir-validate-email (#111) (e160ce1)
• dev: Bump @types/react from 18.2.46 to 18.2.47 in /examples/nextjs-14-openai (#110) (410d396)
• dev: Bump @types/react from 18.2.46 to 18.2.47 in /examples/nextjs-14-pages-wrap (#118) (ab05d24)
• dev: Bump postcss from 8.4.32 to 8.4.33 in /examples/nextjs-13-pages-wrap (#103) (a3cd7f0)
• dev: Bump postcss from 8.4.32 to 8.4.33 in /examples/nextjs-14-app-dir-rl (#105) (e90fc74)
• dev: Bump postcss from 8.4.32 to 8.4.33 in /examples/nextjs-14-app-dir-validate-email (#102) (b0df5a2)
• dev: Bump postcss from 8.4.32 to 8.4.33 in /examples/nextjs-14-openai (#104) (2192e3e)
• dev: Bump postcss from 8.4.32 to 8.4.33 in /examples/nextjs-14-pages-wrap (#108) (916402d)
• dev: Bump tailwindcss from 3.4.0 to 3.4.1 in /examples/nextjs-13-pages-wrap (#115) (a9472c0)
• dev: Bump tailwindcss from 3.4.0 to 3.4.1 in /examples/nextjs-14-app-dir-rl (#114) (5066c6d)
• dev: Bump tailwindcss from 3.4.0 to 3.4.1 in /examples/nextjs-14-app-dir-validate-email (#112) (d8173b3)
• dev: Bump tailwindcss from 3.4.0 to 3.4.1 in /examples/nextjs-14-openai (#109) (e44f829)
• dev: Bump tailwindcss from 3.4.0 to 3.4.1 in /examples/nextjs-14-pages-wrap (#117) (6b65676)
• dev: bump postcss from 8.4.31 to 8.4.32 in /examples/nextjs-13-pages-wrap (#87) (01ac608)
• dev: bump postcss from 8.4.31 to 8.4.32 in /examples/nextjs-14-app-dir-rl (#86) (583f646)
• example: bump the dependencies group in /examples/nextjs-13-pages-wrap with 1 update (#135) (cd67eaf)
• example: bump the dependencies group in /examples/nextjs-13-pages-wrap with 1 update (#194) (a945b2c)
• example: bump the dependencies group in /examples/nextjs-13-pages-wrap with 2 updates (#185) (dc7bc47)
• example: Bump the dependencies group in /examples/nextjs-13-pages-wrap with 2 updates (#210) (402c2ad)
• example: bump the dependencies group in /examples/nextjs-13-pages-wrap with 3 updates (#169) (f19680b)
• example: bump the dependencies group in /examples/nextjs-14-app-dir-rl with 1 update (#137) (ab43b86)
• example: bump the dependencies group in /examples/nextjs-14-app-dir-rl with 1 update (#197) (28a680c)
• example: bump the dependencies group in /examples/nextjs-14-app-dir-rl with 2 updates (#189) (ab11b6d)
• example: Bump the dependencies group in /examples/nextjs-14-app-dir-rl with 2 updates (#207) (1489fd7)
• example: bump the dependencies group in /examples/nextjs-14-app-dir-rl with 3 updates (#166) (b7f4b07)
• example: bump the dependencies group in /examples/nextjs-14-app-dir-validate-email with 1 update (#134) (9b6015a)
• example: bump the dependencies group in /examples/nextjs-14-app-dir-validate-email with 1 update (#200) (59caff4)
• example: bump the dependencies group in /examples/nextjs-14-app-dir-validate-email with 2 updates (#188) (9d42276)
• example: Bump the dependencies group in /examples/nextjs-14-app-dir-validate-email with 2 updates (#208) (467b385)
• example: bump the dependencies group in /examples/nextjs-14-app-dir-validate-email with 3 updates (#168) (8779e2f)
• example: Bump the dependencies group in /examples/nextjs-14-openai with 1 update (#219) (07952d5)
• example: bump the dependencies group in /examples/nextjs-14-openai with 2 updates (#136) (e99635b)
• example: Bump the dependencies group in /examples/nextjs-14-openai with 4 updates (#209) (7720a81)
• example: bump the dependencies group in /examples/nextjs-14-openai with 5 updates (#170) (b57e8df)
• example: Bump the dependencies group in /examples/nextjs-14-pages-wrap with 1 update (#133) (51adb16)
• example: bump the dependencies group in /examples/nextjs-14-pages-wrap with 1 update (#199) (de36130)
• example: bump the dependencies group in /examples/nextjs-14-pages-wrap with 2 updates (#187) (2feef80)
• example: Bump the dependencies group in /examples/nextjs-14-pages-wrap with 2 updates (#206) (abc72da)
• example: bump the dependencies group in /examples/nextjs-14-pages-wrap with 3 updates (#165) (82f6be5)

📝 Documentation

• Add minimum required fields for request details example (#220) (83a3a8c)
• Rename AJ_KEY to ARCJET_KEY & switch to next.js app dir example (#201) (9c4da7b)
• Update Arcjet description (#122) (c011bc2)

🧹 Miscellaneous Chores

• Add codeowners to project (#91) (a54f487)
• Add devcontainer setup (#124) (29b1a2e)
• analyze: Regenerate WebAssembly and bindings (#92) (b10ce31)
• Change ttl argument to expiresAt in cache implementation (#218) (0414e10)
• examples: Added Next.js 14 OpenAI rate limit example (#88) (482a472)
• examples: Encourage use of environment variables for keys (#139) (290a1b2)
• protocol: Introduce Shield name (#158) (311713b)
• Regenerate the protobuf bindings (#183) (807e8de)
• Remove count property on ArcjetRateLimitReason (#181) (ff3e310)
• Remove timeout property on ArcjetRateLimitRule (#182) (255a4a7)
• rollup: Externalize all imports that end with .wasm?module (#217) (ee6f387)
• Separate examples from SDK install and builds (#85) (c4c57c8)
• trunk: Avoid linting the release-please-manifest (#138) (ac69f70)
• Update trunk versions and configuration (#125) (2625ed4)

✅ Continuous Integration

• Add dependabot groups for our example apps (#123) (6f28934)
• Add merge queue workflow (#128) (4f5fa08)
• Remove dependabot groups (#84) (b2d75c2)