share: use forwarded IP for geoIP prefix allow list comparison

CL 556157 used the http.Request.RemoteAddr for comparing with the allow
list of miscategorized IP prefixes. This is incorrect as it is generally
127.0.0.1 for App Engine traffic.

Use X-Forwarded-For instead:
https://cloud.google.com/appengine/docs/standard/reference/request-headers

For golang/go#65081

Change-Id: Ia0861bdf76dd401c8fa1cd0871c09ae901f5a089
Reviewed-on: https://go-review.googlesource.com/c/playground/+/556195
TryBot-Result: Gopher Robot <[email protected]>
Commit-Queue: Robert Findley <[email protected]>
Reviewed-by: Hyang-Ah Hana Kim <[email protected]>
Run-TryBot: Robert Findley <[email protected]>
Auto-Submit: Robert Findley <[email protected]>

Author: findleyr

share.go

@@ -107,9 +107,11 @@ func allowShare(r *http.Request) bool {
 	if r.Header.Get("X-AppEngine-Country") != "CN" {
 		return true
 	}
-	for _, prefix := range temporaryAllowListIPPrefixes {
-		if strings.HasPrefix(r.RemoteAddr, prefix) {
-			return true
+	for _, forward := range strings.Split(r.Header.Get("X-Forwarded-For"), ",") {
+		for _, prefix := range temporaryAllowListIPPrefixes {
+			if strings.HasPrefix(strings.TrimSpace(forward), prefix) {
+				return true
+			}
 		}
 	}
 	return false