platform/tenant-registry
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(audit): strip IPv6 brackets before INET insert #9

Merged
sharang merged 1 commits from fix/audit-ipv6 into main 2026-05-19 15:09:01 +00:00
Conversation 0 Commits 1 Files Changed 1
+13 -11
sharang commented 2026-05-19 15:05:41 +00:00
Owner
Copy Link
Copy Source

Live-stack smoke caught this: every state-changing endpoint emitted an audit event, the INSERT rolled back with invalid input syntax for type inet: \"[::1]\", and the user-facing operation kept working — so audit_log stayed silently empty.

Fixes:

  • Use net.SplitHostPort which returns IPv6 hosts without brackets.
  • Add stripBrackets() as belt-and-braces for X-Forwarded-For headers that wrap the IP themselves.

Refs: M4.2

Live-stack smoke caught this: every state-changing endpoint emitted an audit event, the INSERT rolled back with `invalid input syntax for type inet: \"[::1]\"`, and the user-facing operation kept working — so audit_log stayed silently empty. Fixes: - Use `net.SplitHostPort` which returns IPv6 hosts without brackets. - Add `stripBrackets()` as belt-and-braces for X-Forwarded-For headers that wrap the IP themselves. Refs: M4.2
sharang added 1 commit 2026-05-19 15:05:42 +00:00
fix(audit): strip IPv6 brackets before INET insert
ci / image (pull_request) Has been skipped
Details
ci / shared (pull_request) Successful in 8s
Details
ci / test (pull_request) Successful in 2m7s
Details
a83088e7e6 
When a client connects over IPv6 loopback, net/http's RemoteAddr is
'[::1]:port'. The previous clientIP() returned '[::1]' (brackets and
all) which Postgres's INET type rejects with
'invalid input syntax for type inet: "[::1]" (SQLSTATE 22P02)'.

Live local-smoke caught this — every state-changing endpoint emitted
the audit event, the INSERT rolled back, and a warning landed in the
log. The user-facing operation succeeded so the caller never noticed,
but audit_log stayed empty.

Fix:
  - Use net.SplitHostPort which returns IPv6 hosts without brackets.
  - Add stripBrackets() as a belt-and-braces for X-Forwarded-For
    headers that wrap the IP themselves (some proxies do).

Refs: M4.2
sharang merged commit a37ae1d121 into main 2026-05-19 15:09:01 +00:00
sharang deleted branch fix/audit-ipv6 2026-05-19 15:09:01 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Benjamin_Boenisch sharang (Sharang Parnerkar)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: platform/tenant-registry#9
Delete Branch "fix/audit-ipv6"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?