From 0b03c7c55ca8b0b8723f6a7ca88bf072ad7ec0ca Mon Sep 17 00:00:00 2001
From: Matteo Mekhail <67237370+matteoiscrying@users.noreply.github.com>
Date: Mon, 23 Feb 2026 12:29:57 +1100
Subject: [PATCH] Anti-spoofing system, fixes the counter viewer

---
 server.ts | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/server.ts b/server.ts
index c207c86..8718080 100644
--- a/server.ts
+++ b/server.ts
@@ -102,8 +102,19 @@ function parsePositiveInt(value: string | undefined, fallback: number): number {
 }
 
 function getClientIp(req: Request, server: Bun.Server<WsData>): string {
+  // Railway's edge proxy strips client-provided X-Real-IP and sets the actual
+  // client IP. All traffic goes through the edge proxy — it cannot be bypassed.
+  // As a fallback, use the rightmost X-Forwarded-For value (the one Railway
+  // appends), then Bun's requestIP (which sees the proxy IP on Railway).
   const realIp = req.headers.get("x-real-ip")?.trim();
   if (realIp) return realIp;
+
+  const xff = req.headers.get("x-forwarded-for");
+  if (xff) {
+    const rightmost = xff.split(",").at(-1)?.trim();
+    if (rightmost) return rightmost;
+  }
+
   return server.requestIP(req)?.address ?? "unknown";
 }