add missing x-original-forwarded-for headers

packages/nextjs/src/api/utils.ts

@@ -104,6 +104,12 @@ export function buildRequestHeaders(headers: Record<string, any>): Record<string
   if (headers['frontegg-requested-application-id']) {
     preparedHeaders['frontegg-requested-application-id'] = headers['frontegg-requested-application-id'];
   }
+
+  const clientIp = headers['cf-connecting-ip'] || headers['x-original-forwarded-for'] || headers['x-forwarded-for'];
+  if (clientIp) {
+    preparedHeaders['x-original-forwarded-for'] = clientIp;
+  }
+
   if (headers[CUSTOM_LOGIN_HEADER]) {
     preparedHeaders[CUSTOM_LOGIN_HEADER] = headers[CUSTOM_LOGIN_HEADER];
   }

packages/nextjs/src/edge/getSessionOnEdge.ts

@@ -9,6 +9,7 @@ import config from '../config';
 import JwtManager from '../utils/jwt';
 import encryptionUtils from '../utils/encryption-edge';
 import Cookies from '../utils/cookies';
+import { buildRequestHeaders } from '../api/utils';
 
 async function createSessionFromAccessTokenEdge(data: any): Promise<[string, any, string] | []> {
   const accessToken = data.accessToken ?? data.access_token;
@@ -36,10 +37,30 @@ export const handleHostedLoginCallback = async (
   }
 
   const code = searchParams.get('code') ?? '';
+
+  let headers: Record<string, string> = {};
+  let clientIp: string | undefined = undefined;
+  if (typeof req.headers?.get === 'function') {
+    clientIp =
+      req.headers.get('cf-connecting-ip') ||
+      req.headers.get('x-original-forwarded-for') ||
+      req.headers.get('x-forwarded-for') ||
+      (req as any).socket?.remoteAddress;
+  } else if (typeof req.headers === 'object') {
+    let requestHeaders: any = { ...req.headers };
+    clientIp =
+      requestHeaders['cf-connecting-ip'] ||
+      requestHeaders['x-original-forwarded-for'] ||
+      requestHeaders['x-forwarded-for'] ||
+      (req as any).socket?.remoteAddress;
+  }
+
+  if (clientIp) {
+    headers['x-original-forwarded-for'] = clientIp;
+  }
+
   const response = await api.exchangeHostedLoginToken(
-    {
-      'Content-Type': 'application/json',
-    },
+    buildRequestHeaders(headers),
     code,
     config.clientId,
     config.clientSecret!

packages/nextjs/src/middleware/ProxyRequestCallback.ts

@@ -49,18 +49,11 @@ const ProxyRequestCallback: ProxyReqCallback<ClientRequest, NextApiRequest> = (p
     proxyReq.setHeader('x-frontegg-sdk', req.headers['x-frontegg-sdk'] ?? `@frontegg/nextjs@${sdkVersion.version}`);
     proxyReq.setHeader('x-frontegg-middleware', 'true');
 
-    const xForwardedFor = req.headers['x-forwarded-for'];
-    const xOriginalForwardedFor = req.headers['x-original-forwarded-for'];
-    const cfConnectionIp = req.headers['cf-connecting-ip'];
+    const clientIp =
+      req.headers['cf-connecting-ip'] || req.headers['x-original-forwarded-for'] || req.headers['x-forwarded-for'];
 
-    if (xForwardedFor) {
-      proxyReq.setHeader('x-forwarded-for', xForwardedFor);
-    }
-    if (xOriginalForwardedFor) {
-      proxyReq.setHeader('x-original-forwarded-for', xOriginalForwardedFor);
-    }
-    if (cfConnectionIp) {
-      proxyReq.setHeader('cf-connecting-ip', cfConnectionIp);
+    if (clientIp) {
+      proxyReq.setHeader('x-original-forwarded-for', clientIp);
     }
 
     if (isRefreshTokenRequest(req.url!)) {

packages/nextjs/src/utils/refreshAccessTokenIfNeeded/index.ts

@@ -55,6 +55,11 @@ export default async function refreshAccessTokenIfNeeded(ctx: NextPageContext):
       return null;
     }
 
+    nextJsRequest.headers['x-original-forwarded-for'] =
+      nextJsRequest.headers['cf-connecting-ip'] ||
+      nextJsRequest.headers['x-forwarded-for'] ||
+      nextJsRequest.socket.remoteAddress;
+
     let response: Response | null;
     if (config.isHostedLogin) {
       response = await refreshAccessTokenHostedLogin(nextJsRequest);