From 70e27acd4539721ccaa479ae482036fbc6d4179a Mon Sep 17 00:00:00 2001
From: Thomas Jespersen <tje@platformplatform.net>
Date: Sun, 11 Jan 2026 23:22:56 +0100
Subject: [PATCH] Revert YARP X-Forwarded handling and parse client IP directly
 from header

---
 application/AppGateway/Program.cs                   |  8 +-------
 .../ExecutionContext/HttpExecutionContext.cs        | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/application/AppGateway/Program.cs b/application/AppGateway/Program.cs
index a8dd97b90..af3dda601 100644
--- a/application/AppGateway/Program.cs
+++ b/application/AppGateway/Program.cs
@@ -5,7 +5,6 @@
 using PlatformPlatform.AppGateway.Transformations;
 using PlatformPlatform.SharedKernel.Configuration;
 using Scalar.AspNetCore;
-using Yarp.ReverseProxy.Transforms;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -14,12 +13,7 @@
     .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"))
     .AddConfigFilter<ClusterDestinationConfigFilter>()
     .AddConfigFilter<ApiExplorerRouteFilter>()
-    .AddTransforms(context =>
-        {
-            context.AddXForwarded();
-            context.RequestTransforms.Add(context.Services.GetRequiredService<BlockInternalApiTransform>());
-        }
-    );
+    .AddTransforms(context => context.RequestTransforms.Add(context.Services.GetRequiredService<BlockInternalApiTransform>()));
 
 if (SharedInfrastructureConfiguration.IsRunningInAzure)
 {
diff --git a/application/shared-kernel/SharedKernel/ExecutionContext/HttpExecutionContext.cs b/application/shared-kernel/SharedKernel/ExecutionContext/HttpExecutionContext.cs
index 8af2d7e3b..2913388a4 100644
--- a/application/shared-kernel/SharedKernel/ExecutionContext/HttpExecutionContext.cs
+++ b/application/shared-kernel/SharedKernel/ExecutionContext/HttpExecutionContext.cs
@@ -39,7 +39,18 @@ public IPAddress ClientIpAddress
                 return field = IPAddress.None;
             }
 
-            // UseForwardedHeaders() middleware already processes X-Forwarded-For and sets RemoteIpAddress
+            // Read X-Forwarded-For header directly to get client IP (first IP in the chain is the original client)
+            var forwardedFor = httpContextAccessor.HttpContext.Request.Headers["X-Forwarded-For"].ToString();
+            if (!string.IsNullOrEmpty(forwardedFor))
+            {
+                var clientIp = forwardedFor.Split(',').FirstOrDefault()?.Trim();
+                if (IPAddress.TryParse(clientIp, out var parsedIpAddress))
+                {
+                    return field = NormalizeLoopbackAddress(parsedIpAddress);
+                }
+            }
+
+            // Fall back to RemoteIpAddress for local development without proxies
             var remoteIpAddress = httpContextAccessor.HttpContext.Connection.RemoteIpAddress ?? IPAddress.None;
             return field = NormalizeLoopbackAddress(remoteIpAddress);
         }