[EXP-3458] Append User Agent and XFF header to proxied requests (#44)

mosslilley · render-oss-copybara-sync[bot] · commit 72500bb8d1b1 · 2026-02-13T19:23:12.000Z
* Add http context for X-Forwarded-For and UserAgent * Add agent headers and XFF from context * Add http context to server * Integration test GitOrigin-RevId: 75ffabc
diff --git a/cmd/server.go b/cmd/server.go
@@ -9,6 +9,7 @@ import (
 	"github.com/render-oss/render-mcp-server/pkg/cfg"
 	"github.com/render-oss/render-mcp-server/pkg/client"
 	"github.com/render-oss/render-mcp-server/pkg/deploy"
+	"github.com/render-oss/render-mcp-server/pkg/httpcontext"
 	"github.com/render-oss/render-mcp-server/pkg/keyvalue"
 	"github.com/render-oss/render-mcp-server/pkg/logs"
 	"github.com/render-oss/render-mcp-server/pkg/metrics"
@@ -56,6 +57,7 @@ func Serve(transport string) *server.MCPServer {
 			NewStreamableHTTPServer(s, server.WithHTTPContextFunc(multicontext.MultiHTTPContextFunc(
 				session.ContextWithHTTPSession(sessionStore),
 				authn.ContextWithAPITokenFromHeader,
+				httpcontext.ContextWithHTTPRequest,
 			))).
 			Start(":10000")
 		if err != nil {
diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go
@@ -21,8 +21,12 @@ func GetAPIKey() string {
 	return os.Getenv("RENDER_API_KEY")
 }
 
-func AddUserAgent(header http.Header) http.Header {
-	header.Add("user-agent", fmt.Sprintf("render-mcp-server/%s (%s)", Version, getOSInfoOnce()))
+func AddUserAgent(header http.Header, clientUserAgent string) http.Header {
+	ua := fmt.Sprintf("render-mcp-server/%s (%s)", Version, getOSInfoOnce())
+	if clientUserAgent != "" {
+		ua = ua + " " + clientUserAgent
+	}
+	header.Add("user-agent", ua)
 	return header
 }
 
diff --git a/pkg/client/client.go b/pkg/client/client.go
@@ -11,6 +11,7 @@ import (
 	"github.com/render-oss/render-mcp-server/pkg/authn"
 	"github.com/render-oss/render-mcp-server/pkg/cfg"
 	"github.com/render-oss/render-mcp-server/pkg/config"
+	"github.com/render-oss/render-mcp-server/pkg/httpcontext"
 )
 
 var ErrUnauthorized = errors.New("unauthorized")
@@ -24,9 +25,13 @@ func NewDefaultClient() (*ClientWithResponses, error) {
 	return clientWithAuth(&http.Client{}, apiCfg)
 }
 
-func AddHeaders(header http.Header, token string) http.Header {
-	header = cfg.AddUserAgent(header)
+func AddHeaders(ctx context.Context, header http.Header, token string) http.Header {
+	hc := httpcontext.FromContext(ctx)
+	header = cfg.AddUserAgent(header, hc.UserAgent)
 	header.Add("authorization", fmt.Sprintf("Bearer %s", token))
+	if hc.ForwardedFor != "" {
+		header.Add("X-Forwarded-For", hc.ForwardedFor)
+	}
 	return header
 }
 
@@ -93,7 +98,7 @@ func firstNonNilErrorField(response any) *ErrorWithCode {
 
 func clientWithAuth(httpClient *http.Client, apiCfg config.APIConfig) (*ClientWithResponses, error) {
 	insertAuth := func(ctx context.Context, req *http.Request) error {
-		req.Header = AddHeaders(req.Header, authn.APITokenFromContext(ctx))
+		req.Header = AddHeaders(ctx, req.Header, authn.APITokenFromContext(ctx))
 		return nil
 	}
 
diff --git a/pkg/httpcontext/httpcontext.go b/pkg/httpcontext/httpcontext.go
@@ -0,0 +1,86 @@
+package httpcontext
+
+import (
+	"context"
+	"log"
+	"net"
+	"net/http"
+	"strings"
+)
+
+// HTTPContext stores HTTP metadata extracted from incoming requests.
+type HTTPContext struct {
+	UserAgent    string // Client's User-Agent header
+	ForwardedFor string // X-Forwarded-For chain
+}
+
+type ctxKey struct{}
+
+// FromContext retrieves HTTPContext from context. Returns empty HTTPContext if not present.
+func FromContext(ctx context.Context) HTTPContext {
+	if hc, ok := ctx.Value(ctxKey{}).(HTTPContext); ok {
+		return hc
+	}
+	return HTTPContext{}
+}
+
+// ContextWithHTTPContext stores HTTPContext in the context.
+func ContextWithHTTPContext(ctx context.Context, hc HTTPContext) context.Context {
+	return context.WithValue(ctx, ctxKey{}, hc)
+}
+
+// ContextWithHTTPRequest extracts HTTP metadata from a request and stores it in context.
+func ContextWithHTTPRequest(ctx context.Context, req *http.Request) context.Context {
+	hc := HTTPContext{
+		UserAgent:    req.Header.Get("User-Agent"),
+		ForwardedFor: buildXFF(req.Header.Get("X-Forwarded-For"), req.RemoteAddr),
+	}
+	return ContextWithHTTPContext(ctx, hc)
+}
+
+// buildXFF constructs the X-Forwarded-For chain.
+// It appends the client IP from RemoteAddr to the existing XFF header,
+// avoiding consecutive duplicates at the end.
+func buildXFF(existingXFF, remoteAddr string) string {
+	clientIP := getClientIP(remoteAddr)
+	if clientIP == "" {
+		return existingXFF
+	}
+
+	if existingXFF == "" {
+		return clientIP
+	}
+
+	// Check if clientIP is already the last entry to avoid consecutive duplicates
+	lastEntry := lastXFFEntry(existingXFF)
+	if lastEntry == clientIP {
+		return existingXFF
+	}
+
+	return existingXFF + ", " + clientIP
+}
+
+// getClientIP extracts the IP address from RemoteAddr, stripping the port if present.
+func getClientIP(remoteAddr string) string {
+	if remoteAddr == "" {
+		return ""
+	}
+
+	// net.SplitHostPort handles both IPv4 and IPv6 addresses
+	host, _, err := net.SplitHostPort(remoteAddr)
+	if err != nil {
+		// RemoteAddr doesn't have standard host:port format.
+		// This can happen with non-TCP transports or unusual proxy configurations.
+		// Log for debugging but use the raw value.
+		log.Printf("httpcontext: could not parse RemoteAddr %q: %v", remoteAddr, err)
+		return remoteAddr
+	}
+	return host
+}
+
+// lastXFFEntry returns the last IP in the X-Forwarded-For chain.
+func lastXFFEntry(xff string) string {
+	parts := strings.Split(xff, ",")
+	// strings.Split always returns at least one element, even for empty string
+	return strings.TrimSpace(parts[len(parts)-1])
+}
diff --git a/pkg/httpcontext/httpcontext_test.go b/pkg/httpcontext/httpcontext_test.go
@@ -0,0 +1,218 @@
+package httpcontext
+
+import (
+	"context"
+	"net/http"
+	"testing"
+)
+
+func TestFromContext_EmptyContext(t *testing.T) {
+	ctx := context.Background()
+	hc := FromContext(ctx)
+
+	if hc.UserAgent != "" {
+		t.Errorf("expected empty UserAgent, got %q", hc.UserAgent)
+	}
+	if hc.ForwardedFor != "" {
+		t.Errorf("expected empty ForwardedFor, got %q", hc.ForwardedFor)
+	}
+}
+
+func TestContextWithHTTPContext_RoundTrip(t *testing.T) {
+	ctx := context.Background()
+	expected := HTTPContext{
+		UserAgent:    "TestAgent/1.0",
+		ForwardedFor: "10.0.0.1, 192.168.1.1",
+	}
+
+	ctx = ContextWithHTTPContext(ctx, expected)
+	actual := FromContext(ctx)
+
+	if actual.UserAgent != expected.UserAgent {
+		t.Errorf("expected UserAgent %q, got %q", expected.UserAgent, actual.UserAgent)
+	}
+	if actual.ForwardedFor != expected.ForwardedFor {
+		t.Errorf("expected ForwardedFor %q, got %q", expected.ForwardedFor, actual.ForwardedFor)
+	}
+}
+
+func TestContextWithHTTPRequest_UserAgent(t *testing.T) {
+	ctx := context.Background()
+	req, _ := http.NewRequest("GET", "/", nil)
+	req.Header.Set("User-Agent", "Claude-Desktop/1.2.3")
+	req.RemoteAddr = "192.168.1.100:54321"
+
+	ctx = ContextWithHTTPRequest(ctx, req)
+	hc := FromContext(ctx)
+
+	if hc.UserAgent != "Claude-Desktop/1.2.3" {
+		t.Errorf("expected UserAgent %q, got %q", "Claude-Desktop/1.2.3", hc.UserAgent)
+	}
+}
+
+func TestContextWithHTTPRequest_XFFChainBuilding(t *testing.T) {
+	tests := []struct {
+		name       string
+		existingXFF string
+		remoteAddr string
+		expectedXFF string
+	}{
+		{
+			name:        "no existing XFF",
+			existingXFF: "",
+			remoteAddr:  "192.168.1.100:54321",
+			expectedXFF: "192.168.1.100",
+		},
+		{
+			name:        "with existing XFF",
+			existingXFF: "10.0.0.1",
+			remoteAddr:  "192.168.1.100:54321",
+			expectedXFF: "10.0.0.1, 192.168.1.100",
+		},
+		{
+			name:        "multiple entries in existing XFF",
+			existingXFF: "10.0.0.1, 172.16.0.1",
+			remoteAddr:  "192.168.1.100:54321",
+			expectedXFF: "10.0.0.1, 172.16.0.1, 192.168.1.100",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := context.Background()
+			req, _ := http.NewRequest("GET", "/", nil)
+			if tt.existingXFF != "" {
+				req.Header.Set("X-Forwarded-For", tt.existingXFF)
+			}
+			req.RemoteAddr = tt.remoteAddr
+
+			ctx = ContextWithHTTPRequest(ctx, req)
+			hc := FromContext(ctx)
+
+			if hc.ForwardedFor != tt.expectedXFF {
+				t.Errorf("expected ForwardedFor %q, got %q", tt.expectedXFF, hc.ForwardedFor)
+			}
+		})
+	}
+}
+
+func TestContextWithHTTPRequest_LastEntryDeduplication(t *testing.T) {
+	ctx := context.Background()
+	req, _ := http.NewRequest("GET", "/", nil)
+	req.Header.Set("X-Forwarded-For", "10.0.0.1, 192.168.1.100")
+	req.RemoteAddr = "192.168.1.100:54321" // Same as last entry in XFF
+
+	ctx = ContextWithHTTPRequest(ctx, req)
+	hc := FromContext(ctx)
+
+	// Should not add duplicate
+	expected := "10.0.0.1, 192.168.1.100"
+	if hc.ForwardedFor != expected {
+		t.Errorf("expected ForwardedFor %q (no duplicate), got %q", expected, hc.ForwardedFor)
+	}
+}
+
+func TestContextWithHTTPRequest_EarlierDuplicatePreserved(t *testing.T) {
+	ctx := context.Background()
+	req, _ := http.NewRequest("GET", "/", nil)
+	// IP appears earlier in chain but not as last entry
+	req.Header.Set("X-Forwarded-For", "192.168.1.100, 10.0.0.1")
+	req.RemoteAddr = "192.168.1.100:54321"
+
+	ctx = ContextWithHTTPRequest(ctx, req)
+	hc := FromContext(ctx)
+
+	// Should add it since it's not the last entry
+	expected := "192.168.1.100, 10.0.0.1, 192.168.1.100"
+	if hc.ForwardedFor != expected {
+		t.Errorf("expected ForwardedFor %q (earlier duplicate preserved), got %q", expected, hc.ForwardedFor)
+	}
+}
+
+func TestGetClientIP_PortStripping(t *testing.T) {
+	tests := []struct {
+		name       string
+		remoteAddr string
+		expected   string
+	}{
+		{
+			name:       "IPv4 with port",
+			remoteAddr: "192.168.1.100:54321",
+			expected:   "192.168.1.100",
+		},
+		{
+			name:       "IPv6 with port",
+			remoteAddr: "[::1]:54321",
+			expected:   "::1",
+		},
+		{
+			name:       "IPv4 without port",
+			remoteAddr: "192.168.1.100",
+			expected:   "192.168.1.100",
+		},
+		{
+			name:       "empty string",
+			remoteAddr: "",
+			expected:   "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := getClientIP(tt.remoteAddr)
+			if result != tt.expected {
+				t.Errorf("expected %q, got %q", tt.expected, result)
+			}
+		})
+	}
+}
+
+func TestBuildXFF(t *testing.T) {
+	tests := []struct {
+		name        string
+		existingXFF string
+		remoteAddr  string
+		expected    string
+	}{
+		{
+			name:        "empty XFF, valid remoteAddr",
+			existingXFF: "",
+			remoteAddr:  "192.168.1.100:54321",
+			expected:    "192.168.1.100",
+		},
+		{
+			name:        "existing XFF, valid remoteAddr",
+			existingXFF: "10.0.0.1",
+			remoteAddr:  "192.168.1.100:54321",
+			expected:    "10.0.0.1, 192.168.1.100",
+		},
+		{
+			name:        "empty remoteAddr",
+			existingXFF: "10.0.0.1",
+			remoteAddr:  "",
+			expected:    "10.0.0.1",
+		},
+		{
+			name:        "both empty",
+			existingXFF: "",
+			remoteAddr:  "",
+			expected:    "",
+		},
+		{
+			name:        "XFF with spaces",
+			existingXFF: "10.0.0.1,  172.16.0.1",
+			remoteAddr:  "192.168.1.100:54321",
+			expected:    "10.0.0.1,  172.16.0.1, 192.168.1.100",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := buildXFF(tt.existingXFF, tt.remoteAddr)
+			if result != tt.expected {
+				t.Errorf("expected %q, got %q", tt.expected, result)
+			}
+		})
+	}
+}
+
diff --git a/pkg/httpcontext/integration_test.go b/pkg/httpcontext/integration_test.go

Original file line number	Diff line number	Diff line change
`@@ -21,8 +21,12 @@ func GetAPIKey() string {`
`21`	`21`	`return os.Getenv("RENDER_API_KEY")`
`22`	`22`	`}`
`23`	`23`
`24`		`-func AddUserAgent(header http.Header) http.Header {`
`25`		`- header.Add("user-agent", fmt.Sprintf("render-mcp-server/%s (%s)", Version, getOSInfoOnce()))`
	`24`	`+func AddUserAgent(header http.Header, clientUserAgent string) http.Header {`
	`25`	`+ ua := fmt.Sprintf("render-mcp-server/%s (%s)", Version, getOSInfoOnce())`
	`26`	`+ if clientUserAgent != "" {`
	`27`	`+ ua = ua + " " + clientUserAgent`
	`28`	`+ }`
	`29`	`+ header.Add("user-agent", ua)`
`26`	`30`	`return header`
`27`	`31`	`}`
`28`	`32`