Add reverse proxy support for IP address detection

[LifeIsHex]

Feature Request for CodeIgniter Shield

Description:

Currently, CodeIgniter Shield uses $this->request->getIPAddress() throughout its codebase, which doesn't correctly detect the real client IP when the application is behind reverse proxies (Nginx, Cloudflare, load balancers, CDNs, etc.).

Proposed Solution:

Replace all instances of $this->request->getIPAddress() with a helper function that:

1. Checks trusted proxy headers in order of preference (X-Forwarded-For, X-Real-IP, CF-Connecting-IP, etc.)
2. Validates IPs and filters out private/reserved addresses for security
3. Falls back to REMOTE_ADDR when no proxy headers are present
4. Optionally allows configuration of which headers to trust

This would make Shield production-ready for modern deployment architectures where applications commonly sit behind proxies.

Example Implementation:

if (!function_exists('shield_get_real_ip')) {
    /**
     * Get real client IP address with reverse proxy support.
     * Checks trusted proxy headers in order of preference.
     *
     * @return string
     */
    function shield_get_real_ip(): string
    {
        $request = service('request');

        // Ordered by trustworthiness
        $proxyHeaders = [
            'HTTP_CF_CONNECTING_IP',    // Cloudflare
            'HTTP_TRUE_CLIENT_IP',      // Akamai, Cloudflare Enterprise
            'HTTP_X_REAL_IP',           // Nginx proxy
            'HTTP_X_FORWARDED_FOR',     // Standard proxy header
            'HTTP_X_FORWARDED',
            'HTTP_FORWARDED_FOR',
            'HTTP_FORWARDED',           // RFC 7239
            'HTTP_CLIENT_IP',
            'REMOTE_ADDR',              // Direct connection fallback
        ];

        foreach ($proxyHeaders as $header) {
            $value = $request->getServer($header);
            if (empty($value)) {
                continue;
            }

            // X-Forwarded-For may contain comma-separated IPs (client, proxy1, proxy2)
            // Take the rightmost public IP
            $ips = array_reverse(array_map('trim', explode(',', (string)$value)));
            
            foreach ($ips as $ip) {
                // Validate and ensure it's public
                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
                    return $ip;
                }
            }
        }

        return $request->getIPAddress() ?? '0.0.0.0';
    }
}

Files to Update (examples):

• Controllers/MagicLinkController.php
• Controllers/LoginController.php
• Models/LoginModel.php
• Any other file using $this->request->getIPAddress()

Benefits:

• Accurate IP logging for rate limiting, security audits, and analytics
• Works correctly with Cloudflare, AWS ELB, Nginx, Apache proxies
• Prevents IP spoofing via private/reserved address filtering
• Maintains backward compatibility (falls back to REMOTE_ADDR)

---

Sample

replace:

$this->request->getIPAddress(),

with:

shield_get_real_ip(),

Or inline until Shield adopts it:

private function recordLoginAttempt(
    string $identifier,
    bool $success,
    $userId = null,
): void {
    /** @var LoginModel $loginModel */
    $loginModel = model(LoginModel::class);

    $loginModel->recordLoginAttempt(
        Session::ID_TYPE_MAGIC_LINK,
        $identifier,
        $success,
        $this->getRealClientIP(), // Changed here
        (string) $this->request->getUserAgent(),
        $userId,
    );
}

/**
 * Get real client IP with proxy support.
 */
private function getRealClientIP(): string
{
    return shield_get_real_ip(),;
}