From 8bb0c87ec9c1ba934a85cff2934dc476b04183d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carl-Gerhard=20Lindesva=CC=88rd?=
Date: Sat, 15 Nov 2025 20:07:57 +0100
Subject: [PATCH] fix: ignore private ips
---
 packages/common/server/get-client-ip.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/packages/common/server/get-client-ip.ts b/packages/common/server/get-client-ip.ts
index 67fa23b3..037939c1 100644
--- a/packages/common/server/get-client-ip.ts
+++ b/packages/common/server/get-client-ip.ts
@@ -20,6 +20,14 @@ export const DEFAULT_HEADER_ORDER = [
 'forwarded',
 ];

+function isPublicIp(ip: string): boolean {
+ return (
+ !ip.startsWith('10.') &&
+ !ip.startsWith('172.16.') &&
+ !ip.startsWith('192.168.')
+ );
+}
+
 function getHeaderOrder(): string[] {
 if (typeof process !== 'undefined' && process.env?.IP_HEADER_ORDER) {
 return process.env.IP_HEADER_ORDER.split(',').map((h) => h.trim());
@@ -31,7 +39,7 @@ function isValidIp(ip: string): boolean {
 // Basic IP validation
 const ipv4 = /^(\d{1,3}\.){3}\d{1,3}$/;
 const ipv6 = /^([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}$/;
- return ipv4.test(ip) || ipv6.test(ip);
+ return isPublicIp(ip) && (ipv4.test(ip) || ipv6.test(ip));
 }

 export function getClientIpFromHeaders(
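Review bot: The `'172.16.'` prefix in `isPublicIp` matches only 172.16.0.0/16, so the rest of the RFC 1918 block 172.16.0.0/12 (172.17.x.x through 172.31.x.x, which includes Docker's default bridge range) is still treated as public. Loopback (127.0.0.0/8), link-local (169.254.0.0/16), carrier-grade NAT (100.64.0.0/10) and the IPv6 equivalents (`::1`, fc00::/7, fe80::/10) pass as well, although none of them is a routable client address. Comparing parsed octets rather than string prefixes covers each range in full; a sketch follows. The function would also benefit from a doc comment listing the ranges it excludes, so the next reader can see what "public" means here.

```typescript
function isPublicIp(ip: string): boolean {
  const addr = ip.toLowerCase();
  if (addr.includes(':')) {
    // IPv6: loopback, unique-local fc00::/7, link-local fe80::/10
    return !(
      addr === '::1' ||
      /^f[cd][0-9a-f]{2}:/.test(addr) ||
      /^fe[89ab][0-9a-f]:/.test(addr)
    );
  }
  const [a = NaN, b = NaN] = addr.split('.').map(Number);
  return !(
    a === 10 ||
    a === 127 ||
    (a === 172 && b >= 16 && b <= 31) || // full 172.16.0.0/12
    (a === 192 && b === 168) ||
    (a === 169 && b === 254) ||
    (a === 100 && b >= 64 && b <= 127) // 100.64.0.0/10
  );
}
```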
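Review bot: `isValidIp` now returns false for well-formed private addresses, which neither its name nor the `// Basic IP validation` comment describes any more. The callers are outside this hunk, so presumably a rejected value makes them move on to the next header or list entry; that intent is worth recording, for example `// Well-formed and not in a private range; private hops are rejected so callers skip them`. I would also test the syntax first, `return (ipv4.test(ip) || ipv6.test(ip)) && isPublicIp(ip);`, so that the range check only ever sees a well-formed address. Where clients legitimately sit on private networks (local development, internal installs) this change may leave no usable client IP, but whether that needs an opt-out depends on code not shown here.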