supabase
diff --git a/‎README.md‎
Lines changed: 0 additions & 6 deletions b/‎README.md‎
Lines changed: 0 additions & 6 deletions
diff --git a/‎internal/api/api.go‎
Lines changed: 1 addition & 11 deletions b/‎internal/api/api.go‎
Lines changed: 1 addition & 11 deletions
diff --git a/‎internal/api/middleware.go‎
Lines changed: 1 addition & 14 deletions b/‎internal/api/middleware.go‎
Lines changed: 1 addition & 14 deletions
diff --git a/‎internal/api/middleware_test.go‎
Lines changed: 1 addition & 161 deletions b/‎internal/api/middleware_test.go‎
Lines changed: 1 addition & 161 deletions
diff --git a/‎internal/conf/configuration.go‎
Lines changed: 0 additions & 1 deletion b/‎internal/conf/configuration.go‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎internal/sbff/sbff.go‎
Lines changed: 0 additions & 94 deletions b/‎internal/sbff/sbff.go‎
Lines changed: 0 additions & 94 deletions
@@ -888,12 +888,6 @@ Enforce reauthentication on password update.
 
 Use this to enable/disable anonymous sign-ins.
 
-### IP address forwarding
-
-`GOTRUE_SECURITY_SB_FORWARDED_FOR_ENABLED` - `bool`
-
-Enable IP address forwarding using the `Sb-Forwarded-For` HTTP request header. When enabled, Auth will parse the first value of this header as an IP address and use it for IP address tracking and rate limiting. Make sure this header is fully trusted before enabling this feature by only passing it from trustworthy clients or proxies.
-
 ## Endpoints
 
 Auth exposes the following endpoints:
 
@@ -19,7 +19,6 @@ import (
 	"github.com/supabase/auth/internal/mailer/templatemailer"
 	"github.com/supabase/auth/internal/models"
 	"github.com/supabase/auth/internal/observability"
-	"github.com/supabase/auth/internal/sbff"
 	"github.com/supabase/auth/internal/storage"
 	"github.com/supabase/auth/internal/tokens"
 	"github.com/supabase/auth/internal/utilities"
@@ -153,17 +152,8 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 	r := newRouter()
 	r.UseBypass(observability.AddRequestID(globalConfig))
 	r.UseBypass(logger)
-	r.UseBypass(recoverer)
-	r.UseBypass(
-		sbff.Middleware(
-			&globalConfig.Security,
-			func(r *http.Request, err error) {
-				log := observability.GetLogEntry(r).Entry
-				log.WithField("error", err.Error()).Warn("error processing Sb-Forwarded-For")
-			},
-		),
-	)
 	r.UseBypass(xffmw.Handler)
+	r.UseBypass(recoverer)
 
 	if globalConfig.API.MaxRequestDuration > 0 {
 		r.UseBypass(timeoutMiddleware(globalConfig.API.MaxRequestDuration))
 
@@ -20,7 +20,6 @@ import (
 	"github.com/supabase/auth/internal/api/shared"
 	"github.com/supabase/auth/internal/models"
 	"github.com/supabase/auth/internal/observability"
-	"github.com/supabase/auth/internal/sbff"
 	"github.com/supabase/auth/internal/security"
 	"github.com/supabase/auth/internal/utilities"
 
@@ -62,7 +61,7 @@ func (f *FunctionHooks) UnmarshalJSON(b []byte) error {
 
 var emailRateLimitCounter = observability.ObtainMetricCounter("gotrue_email_rate_limit_counter", "Number of times an email rate limit has been triggered")
 
-func (a *API) performRateLimitingWithHeader(lmt *limiter.Limiter, req *http.Request) error {
+func (a *API) performRateLimiting(lmt *limiter.Limiter, req *http.Request) error {
 	limitHeader := a.config.RateLimitHeader
 
 	// If no rate limit header was set, ignore rate limiting
@@ -113,18 +112,6 @@ func (a *API) performRateLimitingWithHeader(lmt *limiter.Limiter, req *http.Requ
 	return nil
 }
 
-func (a *API) performRateLimiting(lmt *limiter.Limiter, req *http.Request) error {
-	if sbffAddr, ok := sbff.GetIPAddress(req); ok {
-		if err := tollbooth.LimitByKeys(lmt, []string{sbffAddr}); err != nil {
-			return apierrors.NewTooManyRequestsError(apierrors.ErrorCodeOverRequestRateLimit, "Request rate limit reached")
-		}
-
-		return nil
-	}
-
-	return a.performRateLimitingWithHeader(lmt, req)
-}
-
 func (a *API) limitHandler(lmt *limiter.Limiter) middlewareHandler {
 	return func(w http.ResponseWriter, req *http.Request) (context.Context, error) {
 		return req.Context(), a.performRateLimiting(lmt, req)
 
@@ -19,7 +19,6 @@ import (
 	"github.com/stretchr/testify/suite"
 	"github.com/supabase/auth/internal/api/apierrors"
 	"github.com/supabase/auth/internal/conf"
-	"github.com/supabase/auth/internal/sbff"
 	"github.com/supabase/auth/internal/storage"
 )
 
@@ -416,166 +415,7 @@ func TestTimeoutResponseWriter(t *testing.T) {
 	require.Equal(t, w1.Result(), w2.Result())
 }
 
-func (ts *MiddlewareTestSuite) TestPerformRateLimitingWithSBFF() {
-	origRateLimitHeader := ts.Config.RateLimitHeader
-	origSBFFEnabled := ts.Config.Security.SbForwardedForEnabled
-
-	defer func() {
-		ts.Config.RateLimitHeader = origRateLimitHeader
-		ts.Config.Security.SbForwardedForEnabled = origSBFFEnabled
-	}()
-
-	ts.Config.RateLimitHeader = "X-Test-Perform-Rate-Limiting"
-	ts.Config.Security.SbForwardedForEnabled = true
-
-	type headerSet struct {
-		rateLimiting   string
-		sbForwardedFor string
-	}
-
-	testCases := []struct {
-		name         string
-		headerValues []headerSet
-		expErr       error
-	}{
-		{
-			name: "multiple SBFF values, single rate limiting value",
-			headerValues: []headerSet{
-				{
-					sbForwardedFor: "192.168.1.100",
-					rateLimiting:   "60.60.60.60",
-				},
-				{
-					sbForwardedFor: "192.168.1.200",
-					rateLimiting:   "60.60.60.60",
-				},
-			},
-			expErr: nil,
-		},
-		{
-			name: "single SBFF value, multiple rate limiting values",
-			headerValues: []headerSet{
-				{
-					sbForwardedFor: "192.168.1.100",
-					rateLimiting:   "60.60.60.60",
-				},
-				{
-					sbForwardedFor: "192.168.1.100",
-					rateLimiting:   "70.70.70.70",
-				},
-			},
-			expErr: apierrors.NewTooManyRequestsError(
-				apierrors.ErrorCodeOverRequestRateLimit,
-				"Request rate limit reached",
-			),
-		},
-		{
-			name: "no SBFF value, multiple rate limiting values",
-			headerValues: []headerSet{
-				{
-					sbForwardedFor: "",
-					rateLimiting:   "60.60.60.60",
-				},
-				{
-					sbForwardedFor: "",
-					rateLimiting:   "70.70.70.70",
-				},
-			},
-			expErr: nil,
-		},
-		{
-			name: "no SBFF value, single rate limiting value",
-			headerValues: []headerSet{
-				{
-					sbForwardedFor: "",
-					rateLimiting:   "60.60.60.60",
-				},
-				{
-					sbForwardedFor: "",
-					rateLimiting:   "60.60.60.60",
-				},
-			},
-			expErr: apierrors.NewTooManyRequestsError(
-				apierrors.ErrorCodeOverRequestRateLimit,
-				"Request rate limit reached",
-			),
-		},
-		{
-			name: "invalid SBFF value, multiple rate limiting values",
-			headerValues: []headerSet{
-				{
-					sbForwardedFor: "invalid",
-					rateLimiting:   "60.60.60.60",
-				},
-				{
-					sbForwardedFor: "invalid",
-					rateLimiting:   "70.70.70.70",
-				},
-			},
-			expErr: nil,
-		},
-		{
-			name: "invalid SBFF value, single rate limiting value",
-			headerValues: []headerSet{
-				{
-					sbForwardedFor: "invalid",
-					rateLimiting:   "60.60.60.60",
-				},
-				{
-					sbForwardedFor: "invalid",
-					rateLimiting:   "60.60.60.60",
-				},
-			},
-			expErr: apierrors.NewTooManyRequestsError(
-				apierrors.ErrorCodeOverRequestRateLimit,
-				"Request rate limit reached",
-			),
-		},
-	}
-
-	// This test uses the SBFF middleware to inject the Sb-Forwarded-For IP address value, then
-	// wraps a handler that calls performRateLimiting and stores the error value.
-	for _, tc := range testCases {
-		lmt := tollbooth.NewLimiter(
-			1,
-			&limiter.ExpirableOptions{
-				DefaultExpirationTTL: time.Hour,
-			},
-		)
-
-		var obsErr error
-
-		var handler http.HandlerFunc = func(rw http.ResponseWriter, r *http.Request) {
-			obsErr = ts.API.performRateLimiting(lmt, r)
-		}
-
-		errCallback := func(r *http.Request, err error) {
-		}
-
-		middleware := sbff.Middleware(&ts.Config.Security, errCallback)
-
-		wrappedHandler := middleware(handler)
-
-		for _, h := range tc.headerValues {
-			r := httptest.NewRequest(http.MethodGet, "http://localhost/", nil)
-
-			if h.rateLimiting != "" {
-				r.Header.Set(ts.Config.RateLimitHeader, h.rateLimiting)
-			}
-
-			if h.sbForwardedFor != "" {
-				r.Header.Set(sbff.HeaderName, h.sbForwardedFor)
-			}
-
-			wrappedHandler.ServeHTTP(nil, r)
-		}
-
-		require.ErrorIs(ts.T(), obsErr, tc.expErr)
-	}
-
-}
-
-func (ts *MiddlewareTestSuite) TestPerformRateLimitingWithHeader() {
+func (ts *MiddlewareTestSuite) TestPerformRateLimiting() {
 	ts.Config.RateLimitHeader = "X-Test-Perform-Rate-Limiting"
 
 	tests := []struct {
 
@@ -731,7 +731,6 @@ type SecurityConfiguration struct {
 	RefreshTokenAllowReuse                bool                 `json:"refresh_token_allow_reuse" split_words:"true"`
 	UpdatePasswordRequireReauthentication bool                 `json:"update_password_require_reauthentication" split_words:"true"`
 	ManualLinkingEnabled                  bool                 `json:"manual_linking_enabled" split_words:"true" default:"false"`
-	SbForwardedForEnabled                 bool                 `json:"sb_forwarded_for_enabled" split_words:"true" default:"false"`
 
 	DBEncryption DatabaseEncryptionConfiguration `json:"database_encryption" split_words:"true"`
 }
Original file line number	Diff line number	Diff line change
`@@ -731,7 +731,6 @@ type SecurityConfiguration struct {`
`731`	`731`	RefreshTokenAllowReuse bool `json:"refresh_token_allow_reuse" split_words:"true"`
`732`	`732`	UpdatePasswordRequireReauthentication bool `json:"update_password_require_reauthentication" split_words:"true"`
`733`	`733`	ManualLinkingEnabled bool `json:"manual_linking_enabled" split_words:"true" default:"false"`
`734`		- SbForwardedForEnabled bool `json:"sb_forwarded_for_enabled" split_words:"true" default:"false"`
`735`	`734`
`736`	`735`	DBEncryption DatabaseEncryptionConfiguration `json:"database_encryption" split_words:"true"`
`737`	`736`	`}`