Handle X-Forwarded-For for IPv6 correctly #762

Open
ajscholl opened this issue Feb 16, 2022 · 0 comments
Comments

ajscholl commented Feb 16, 2022

When determining the IP of the user for a request, we currently don't support IPv6 properly. The reason for this is that we (or gin) have all IPv4 IPs configured as trusted and not a single IPv6 IP. Thus, we stop the search for the correct IP as soon as we see the first IPv6 IP, causing the following behavior:

Currently working:

  • X-Forwarded-For: IPv4-a, Request: IPv4-b, Result: IPv4-a, Expected: IPv4-a
  • X-Forwarded-For: IPv6-a, Request: IPv4-a, Result: IPv6-a, Expected: IPv6-a
  • X-Forwarded-For: IPv4-a, IPv4-b, Request: IPv4-c, Result: IPv4-a, Expected: IPv4-a
  • X-Forwarded-For: IPv6-a, IPv4-a, Request: IPv4-b, Result: IPv6-a, Expected: IPv6-a

Currently broken:

  • X-Forwarded-For: IPv4-a, IPv6-a, Request: IPv4-b, Result: IPv6-a, Expected: IPv4-a
  • X-Forwarded-For: IPv6-a, IPv6-b, Request: IPv4-a, Result: IPv6-b, Expected: IPv6-a
  • X-Forwarded-For: IPv4-a, Request: IPv6-a, Result: IPv6-a, Expected: IPv4-a
  • X-Forwarded-For: IPv6-a, Request: IPv6-b, Result: IPv6-b, Expected: IPv6-a
  • X-Forwarded-For: IPv4-a, IPv4-b, Request: IPv6-a, Result: IPv6-a, Expected: IPv4-a
  • X-Forwarded-For: IPv6-a, IPv4-a, Request: IPv6-b, Result: IPv6-b, Expected: IPv6-a

The consequence is that you cannot run an API server behind a proxy or load balancer which speaks IPv6 to your server, as you will get the IP of the proxy or load balancer instead of the user's IP passed to your code.

TODO:

  • Figure out how to properly configure the trustedCIDRs and trustedProxies fields of the gin engine. The former seems to get the single value 0.0.0.0/0 from go/pkg/mod/github.com/gin-gonic/[email protected]/gin.go:31. We could try to add ::0/0 there to support IPv6, too.
  • Ideally, we would only trust our load balancers etc. and properly set their IPs as trusted. However, we need to do so in a way that doesn't require too much maintenance and doesn't break at the most unexpected time.
  • Add some tests to ensure this stays fixed.
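As an added illustration (not gin's code and not part of this issue), the following Go program implements the right-to-left X-Forwarded-For walk over a trusted-proxy list, reproduces the broken case with only `0.0.0.0/0` trusted, and shows the expected result once `::/0` is trusted as well. `MustCIDRs` and `ClientIP` are hypothetical helper names, and the addresses are constructed documentation ranges.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// MustCIDRs parses CIDR strings into a trusted-proxy list (panics on bad input).
func MustCIDRs(cidrs ...string) (out []*net.IPNet) {
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

func isTrusted(ip net.IP, trusted []*net.IPNet) bool {
	for _, n := range trusted {
		if n.Contains(ip) { // an IPv4 CIDR never contains an IPv6 address, and vice versa
			return true
		}
	}
	return false
}

// ClientIP walks X-Forwarded-For right to left, starting from the socket peer (a bare IP here),
// and returns the first hop that is not a trusted proxy; if every hop is trusted, the leftmost wins.
func ClientIP(remoteAddr, xff string, trusted []*net.IPNet) string {
	peer := net.ParseIP(remoteAddr)
	if peer == nil || !isTrusted(peer, trusted) {
		return remoteAddr // peer is not a proxy we trust: the header is ignored
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			return remoteAddr // empty or malformed header: fall back to the peer
		}
		if !isTrusted(ip, trusted) {
			return ip.String()
		}
	}
	return net.ParseIP(strings.TrimSpace(hops[0])).String()
}

func main() {
	xff := "192.0.2.1, 2001:db8::1" // constructed: client 192.0.2.1 behind an IPv6-speaking proxy
	fmt.Println(ClientIP("203.0.113.10", xff, MustCIDRs("0.0.0.0/0")))         // 2001:db8::1 (broken)
	fmt.Println(ClientIP("203.0.113.10", xff, MustCIDRs("0.0.0.0/0", "::/0"))) // 192.0.2.1
}
```

Passing only the load balancer's own address (for example `MustCIDRs("2001:db8::2/128")`) instead of the catch-all ranges is the narrower configuration the second TODO item asks for: a peer outside that list gets no header trust at all.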