fix(gateway): harden canvas auth with session capabilities

src/gateway/net.test.ts

@@ -5,6 +5,7 @@ import {
   isSecureWebSocketUrl,
   isTrustedProxyAddress,
   pickPrimaryLanIPv4,
+  resolveGatewayClientIp,
   resolveGatewayListenHosts,
   resolveHostName,
 } from "./net.js";
@@ -131,6 +132,43 @@ describe("isTrustedProxyAddress", () => {
   });
 });
 
+describe("resolveGatewayClientIp", () => {
+  it("returns remote IP when the remote is not a trusted proxy", () => {
+    const ip = resolveGatewayClientIp({
+      remoteAddr: "203.0.113.10",
+      forwardedFor: "10.0.0.2",
+      trustedProxies: ["127.0.0.1"],
+    });
+    expect(ip).toBe("203.0.113.10");
+  });
+
+  it("returns forwarded client IP when the remote is a trusted proxy", () => {
+    const ip = resolveGatewayClientIp({
+      remoteAddr: "127.0.0.1",
+      forwardedFor: "10.0.0.2, 127.0.0.1",
+      trustedProxies: ["127.0.0.1"],
+    });
+    expect(ip).toBe("10.0.0.2");
+  });
+
+  it("fails closed when trusted proxy headers are missing", () => {
+    const ip = resolveGatewayClientIp({
+      remoteAddr: "127.0.0.1",
+      trustedProxies: ["127.0.0.1"],
+    });
+    expect(ip).toBeUndefined();
+  });
+
+  it("supports IPv6 client IP forwarded by a trusted proxy", () => {
+    const ip = resolveGatewayClientIp({
+      remoteAddr: "127.0.0.1",
+      realIp: "[2001:db8::5]",
+      trustedProxies: ["127.0.0.1"],
+    });
+    expect(ip).toBe("2001:db8::5");
+  });
+});
+
 describe("resolveGatewayListenHosts", () => {
   it("returns the input host when not loopback", async () => {
     const hosts = await resolveGatewayListenHosts("0.0.0.0", {