From c966446f803aacfc03fbc0c152e11dbe34e9d64e Mon Sep 17 00:00:00 2001
From: Livio Spring <livio.a@gmail.com>
Date: Wed, 8 Jan 2025 10:30:12 +0100
Subject: [PATCH] fix: correctly get x-forwarded-for for browser info in events
 (#9149)

# Which Problems Are Solved

Events like "password check succeeded" store some information about the
caller including their IP.
The `X-Forwarded-For` was not correctly logged, but instead the
RemoteAddress.

# How the Problems Are Solved

- Correctly get the `X-Forwarded-For` in canonical form.

# Additional Changes

None

# Additional Context

closes [#9106](https://github.com/zitadel/zitadel/issues/9106)
---
 internal/api/http/header.go | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/internal/api/http/header.go b/internal/api/http/header.go
index 16ae7cf48c..982684c77c 100644
--- a/internal/api/http/header.go
+++ b/internal/api/http/header.go
@@ -108,14 +108,8 @@ func GetOrgID(r *http.Request) string {
 }
 
 func GetForwardedFor(headers http.Header) (string, bool) {
-	forwarded, ok := headers[ForwardedFor]
-	if ok {
-		ip := strings.TrimSpace(strings.Split(forwarded[0], ",")[0])
-		if ip != "" {
-			return ip, true
-		}
-	}
-	return "", false
+	forwarded := strings.Split(headers.Get(ForwardedFor), ",")[0]
+	return forwarded, forwarded != ""
 }
 
 func RemoteAddrFromCtx(ctx context.Context) string {