1 files changed, 26 insertions, 3 deletions

diff --git a/apps/web/server/api/client.ts b/apps/web/server/api/client.ts
index 6a0a8909..fb2d84bc 100644
--- a/apps/web/server/api/client.ts
+++ b/apps/web/server/api/client.ts
@@ -1,4 +1,6 @@
+import { headers } from "next/headers";
 import { getServerAuthSession } from "@/server/auth";
+import requestIp from "request-ip";
 
 import { db } from "@hoarder/db";
 import { Context, createCallerFactory } from "@hoarder/trpc";
@@ -8,25 +10,46 @@ import { appRouter } from "@hoarder/trpc/routers/_app";
 export async function createContextFromRequest(req: Request) {
   // TODO: This is a hack until we offer a proper REST API instead of the trpc based one.
   // Check if the request has an Authorization token, if it does, assume that API key authentication is requested.
+  const ip = requestIp.getClientIp({
+    headers: Object.fromEntries(req.headers.entries()),
+  });
   const authorizationHeader = req.headers.get("Authorization");
   if (authorizationHeader && authorizationHeader.startsWith("Bearer ")) {
     const token = authorizationHeader.split(" ")[1];
     try {
       const user = await authenticateApiKey(token);
-      return { user, db };
+      return {
+        user,
+        db,
+        req: {
+          ip,
+        },
+      };
     } catch (e) {
       // Fallthrough to cookie-based auth
     }
   }
 
-  return createContext();
+  return createContext(db, ip);
 }
 
-export const createContext = async (database?: typeof db): Promise<Context> => {
+export const createContext = async (
+  database?: typeof db,
+  ip?: string | null,
+): Promise<Context> => {
   const session = await getServerAuthSession();
+  if (ip === undefined) {
+    const hdrs = headers();
+    ip = requestIp.getClientIp({
+      headers: Object.fromEntries(hdrs.entries()),
+    });
+  }
   return {
     user: session?.user ?? null,
     db: database ?? db,
+    req: {
+      ip,
+    },
   };
 };