From 1e1c85c202eea4fdbbdc0be6238cdc1c6a26ce14 Mon Sep 17 00:00:00 2001
From: Fox Ellson-Taylor
Date: Sun, 7 Sep 2025 12:35:24 -0500
Subject: [PATCH] add cloudflare-rails and fix ip logging (#513)
---
 Gemfile | 5 +++++
 Gemfile.lock | 6 ++++++
 app/controllers/api/hackatime/v1/hackatime_controller.rb | 2 +-
 app/controllers/application_controller.rb | 2 +-
 config/initializers/rack_attack.rb | 4 ++++
 5 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/Gemfile b/Gemfile
index 70267bf..67f0ba1 100644
--- a/Gemfile
+++ b/Gemfile
@@ -133,6 +133,11 @@ group :test do
 gem "selenium-webdriver"
 end
+group :production do
+ # fix request.remote_ip in prod [https://github.com/modosc/cloudflare-rails?tab=readme-ov-file]
+ gem "cloudflare-rails"
+end
+
 gem "htmlcompressor", "~> 0.4.0"
 gem "doorkeeper", "~> 5.8"
diff --git a/Gemfile.lock b/Gemfile.lock
index ad6b86e..695b3be 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -126,6 +126,11 @@ GEM childprocess (5.1.0) logger (~> 1.5) chunky_png (1.4.0) + cloudflare-rails (6.2.0) + actionpack (>= 7.1.0, < 8.1.0) + activesupport (>= 7.1.0, < 8.1.0) + railties (>= 7.1.0, < 8.1.0) + zeitwerk (>= 2.5.0) concurrent-ruby (1.3.5) connection_pool (2.5.4) countries (8.0.4)
@@ -561,6 +566,7 @@ DEPENDENCIES brakeman bullet capybara + cloudflare-rails countries debug doorkeeper (~> 5.8)
diff --git a/app/controllers/api/hackatime/v1/hackatime_controller.rb b/app/controllers/api/hackatime/v1/hackatime_controller.rb
index 91e20a1..db4b401 100644
--- a/app/controllers/api/hackatime/v1/hackatime_controller.rb
+++ b/app/controllers/api/hackatime/v1/hackatime_controller.rb
@@ -247,7 +247,7 @@ class Api::Hackatime::V1::HackatimeController < ApplicationController
 attrs = heartbeat.merge({
 user_id: @user.id,
 source_type: source_type,
- ip_address: request.headers["CF-Connecting-IP"] || request.remote_ip,
+ ip_address: request.remote_ip,
 editor: parsed_ua[:editor],
 operating_system: parsed_ua[:os],
 machine: request.headers["X-Machine-Name"]
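Review bot: `gem "cloudflare-rails"` in the new `group :production` block has no version constraint, while the neighbouring `htmlcompressor` and `doorkeeper` entries use `~>`. This gem determines which proxy addresses Rails trusts when it computes `request.remote_ip`, so a major upgrade picked up by a routine `bundle update` would change security-relevant behaviour without review. The lockfile in this commit resolves 6.2.0, so `gem "cloudflare-rails", "~> 6.2"` would match what is deployed.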
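Review bot: `ip_address: request.remote_ip` now stores whatever Rails' trusted-proxy resolution yields, and nothing at the call site says that the value depends on cloudflare-rails being loaded, which this commit does only in `group :production`. The old fallback read `CF-Connecting-IP` directly, and that header is client-supplied whenever a request reaches the origin without passing through Cloudflare, so it is worth guarding against its return. I would add a comment above the line: `# remote_ip is the visitor address only when cloudflare-rails' trusted proxies are loaded (production); never read CF-Connecting-IP directly`. The same applies to the `Honeybadger.context` call in app/controllers/application_controller.rb. The `heartbeat.merge` call and its enclosing method start and end outside the hunk.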
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 7b0036e..c43f4e0 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -23,7 +23,7 @@ class ApplicationController < ActionController::Base
 Honeybadger.context(
 user_id: current_user.id,
 user_agent: request.user_agent,
- ip_address: request.headers["CF-Connecting-IP"] || request.remote_ip,
+ ip_address: request.remote_ip,
 )
 end
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index 1ce06d0..d7f7381 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -31,6 +31,10 @@ class Rack::Attack
 false
 end
+ Rack::Attack.blocklist("block non-cloudflare") do |req|
+ !req.cloudflare?
+ end
+
 Rack::Attack.safelist("admin abooze") do |req|
 req.path.start_with?("/api/admin/")
 end
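Review bot: The new `block non-cloudflare` rule calls `req.cloudflare?` unconditionally as far as the hunk shows, but the Gemfile in this commit loads cloudflare-rails only in `group :production`, so in development and test the method would presumably be undefined and the check would raise unless the initializer is environment-guarded outside the hunk. I would gate the block body, e.g. `Rails.env.production? && !req.cloudflare?`. Two things to confirm as well: Rack::Attack gives safelists precedence over blocklists, so the existing `admin abooze` safelist exempts every `/api/admin/` request from this rule, including ones that did not come through Cloudflare, and any origin-side health check or internal caller that does not come through Cloudflare will now be blocked. The `class Rack::Attack` body starts and ends outside the hunk.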