@arcjet/ip
Advanced tools
@arcjet/ip
Arcjet utilities for finding the originating IP of a request.
This is an internal utility to help us deal with IP addresses.
It includes code from the Rust standard library code to parse
IPv4 and IPv6 and also contains some code from
pbojinov/request-ip.
We turned the Rust IP parser into TypeScript so that we have the exact same
functionality in both languages.
Similar functionality in alternative JavaScript libraries often uses regular
expressions but those can cause ReDoS attacks.
We sidestep that problem because the Rust IP parser algorithm does not use
regular expressions.
We chose to copy code from request-ip so that we only keep the functionality
that we use and keep our dependency tree as light as possible.
Our code is different: if we know we are running on Cloudflare for example then
we do not trust headers typically set by fly.io.
You should not use this but use one of the alternatives instead. This package matches our current needs which are likely different from yours.
This package is ESM only. Install with npm in Node.js:
npm install @arcjet/ip
import { findIp } from "@arcjet/ip";
const ip = findIp({ headers: { "x-real-ip": "1.1.1.1" } });
console.log(ip); // => "1.1.1.1"
This package exports the identifiers
findIp and parseProxy.
The default export is findIp.
This package exports the TypeScript types
Cidr,
Options,
Platform, and
RequestLike.
CidrThis type represents a parsed CIDR range that you can use as a trusted proxy.
type Cidr = Ipv4Cidr | Ipv6Cidr;
// Where each is an instance roughly equivalent to
// `{bits: number, partSize: 8 | 16, parts: Array<number>, type: "v4" | "v6"}`,
// with a `contains` function that can be passed an array of octets.
OptionsYou can pass these options to configure how findIp looks up the client IP.
platform (Platform, optional)
— the platform your code is running on; we use this to only trust
headers that are known to be set by that platformproxies (Array<Cidr | string>, optional)
— a list of trusted proxies to skip when resolving the client IPPlatformThis type represents the platform names that findIp recognizes.
type Platform = "cloudflare" | "firebase" | "fly-io" | "render" | "vercel";
RequestLikeThis type represents a request-like object that findIp can extract an IP
address from. It supports several shapes because different platforms expose
request information differently.
headers (Headers | Record<string, Array<string> | string | undefined>)
— the request headersinfo ({remoteAddress?: string}, optional)
— some platforms pass connection info hereip (unknown, optional)
— some platforms provide the IP directly on the request objectrequestContext ({identity?: {sourceIp?: string}}, optional)
— some platforms pass a request context with identity infosocket ({remoteAddress?: string}, optional)
— some platforms pass a socket with the remote addressfindIp(request[, options])Finds the client IP address from a request-like object. If you pass a
platform in the options, we only trust headers that are known to be set
by that platform.
request (RequestLike)
— the request to extract an IP fromoptions (Options, optional)
— configuration for platform and trusted proxiesThe found IP address (string), or an empty string if no IP could be
determined.
parseProxy(value)Parses a CIDR address string into a Cidr object, or returns
the value as-is if it is a plain IP address. You can use this to build a
list of trusted proxies.
value (string)
— an IP address or CIDR range to parseA parsed Cidr if the value is a range, or the given value
string if it is a plain IP.
The IP should not be trusted as it can be spoofed in most cases, especially when
loaded via the Headers object. We apply additional platform guards if a
platform is supplied in the options argument.
If a private/internal address is encountered, it will be skipped. If only those are detected, an empty string is returned.
Apache License, Version 2.0 © Arcjet Labs, Inc.
Derivative work based on Parser in std::net,
is_global on Ipv4Addr, and
is_global on Ipv6Addr
from rust-lang/rust,
dual licensed under MIT and
Apache-2.0 © contributors.
Our work ports to TypeScript so that we have the same functionality in both
languages.
Derivative work based on getClientIp from request-ip
licensed under MIT © Petar Bojinov.
Our work cherry picks only what we need.
FAQs
Arcjet utilities for finding the originating IP of a request
We found that @arcjet/ip demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Product
Socket Firewall blocks malicious VS Code and Open VSX extensions before install, protecting developers from compromised editor marketplaces.
Research
More than 140 Mastra npm packages were compromised in a supply chain attack that used a typosquatted dependency to deliver a cross-platform infostealer during installation.
Research
/Security News
A new npm package tests AI malware scanners with prompt injection, safety-triggering comments, context flooding, and obfuscated JavaScript.