add cloudflare-rails and fix ip logging (#513)

Gemfile

@@ -133,6 +133,11 @@ group :test do
   gem "selenium-webdriver"
 end
 
+group :production do
+  # fix request.remote_ip in prod [https://github.com/modosc/cloudflare-rails?tab=readme-ov-file]
+  gem "cloudflare-rails"
+end
+
 gem "htmlcompressor", "~> 0.4.0"
 
 gem "doorkeeper", "~> 5.8"

Gemfile.lock

@@ -126,6 +126,11 @@ GEM
     childprocess (5.1.0)
       logger (~> 1.5)
     chunky_png (1.4.0)
+    cloudflare-rails (6.2.0)
+      actionpack (>= 7.1.0, < 8.1.0)
+      activesupport (>= 7.1.0, < 8.1.0)
+      railties (>= 7.1.0, < 8.1.0)
+      zeitwerk (>= 2.5.0)
     concurrent-ruby (1.3.5)
     connection_pool (2.5.4)
     countries (8.0.4)
@@ -561,6 +566,7 @@ DEPENDENCIES
   brakeman
   bullet
   capybara
+  cloudflare-rails
   countries
   debug
   doorkeeper (~> 5.8)

app/controllers/api/hackatime/v1/hackatime_controller.rb

@@ -247,7 +247,7 @@ class Api::Hackatime::V1::HackatimeController < ApplicationController
       attrs = heartbeat.merge({
         user_id: @user.id,
         source_type: source_type,
-        ip_address: request.headers["CF-Connecting-IP"] || request.remote_ip,
+        ip_address: request.remote_ip,
         editor: parsed_ua[:editor],
         operating_system: parsed_ua[:os],
         machine: request.headers["X-Machine-Name"]

app/controllers/application_controller.rb

@@ -23,7 +23,7 @@ class ApplicationController < ActionController::Base
     Honeybadger.context(
       user_id: current_user.id,
       user_agent: request.user_agent,
-      ip_address: request.headers["CF-Connecting-IP"] || request.remote_ip,
+      ip_address: request.remote_ip,
     )
   end
 

config/initializers/rack_attack.rb

@@ -31,6 +31,10 @@ class Rack::Attack
     false
   end
 
+  Rack::Attack.blocklist("block non-cloudflare") do |req|
+    !req.cloudflare?
+  end
+
   Rack::Attack.safelist("admin abooze") do |req|
     req.path.start_with?("/api/admin/")
   end