set trust proxy = true if set in env var

packages/api/src/server.ts

@@ -57,7 +57,9 @@ export const createApp = (): {
   app.use(cookieParser())
   app.use(json({ limit: '100mb' }))
   app.use(urlencoded({ limit: '100mb', extended: true }))
-  app.set('trust proxy', true)
+
+  // set to true if behind a reverse proxy/load balancer
+  app.set('trust proxy', env.server.trustProxy)
 
   const apiLimiter = rateLimit({
     windowMs: 60 * 1000, // 1 minute
@@ -73,8 +75,6 @@ export const createApp = (): {
       }
     },
     keyGenerator: (req) => {
-      console.log('x-forwarded-for header:', req.header('x-forwarded-for'))
-      console.log('ip:', req.ip)
       return getTokenByRequest(req) || req.ip
     },
     // skip preflight requests and test requests

packages/api/src/util.ts

@@ -21,6 +21,7 @@ interface BackendEnv {
     gateway_url: string
     apiEnv: string
     instanceId: string
+    trustProxy: boolean
   }
   client: {
     url: string
@@ -159,6 +160,7 @@ const nullableEnvVars = [
   'RSS_FEED_TASK_HANDLER_URL',
   'SENDGRID_VERIFICATION_TEMPLATE_ID',
   'REMINDER_TASK_HANDLER_URL',
+  'TRUST_PROXY',
 ] // Allow some vars to be null/empty
 
 /* If not in GAE and Prod/QA/Demo env (f.e. on localhost/dev env), allow following env vars to be null */
@@ -207,6 +209,7 @@ export function getEnv(): BackendEnv {
     apiEnv: parse('API_ENV'),
     instanceId:
       parse('GAE_INSTANCE') || `x${os.userInfo().username}_${os.hostname()}`,
+    trustProxy: parse('TRUST_PROXY') === 'true',
   }
   const client = {
     url: parse('CLIENT_URL'),