
fix: use getClientIp in webhook endpoint to prevent IP spoofing (#6014)#6047

Merged
JhaSourav07 merged 7 commits into
JhaSourav07:mainfrom
atul-upadhyay-7:fix/webhook-ip-spoofing-vulnerability
Jun 21, 2026

Conversation

@atul-upadhyay-7

Contributor

Summary

This PR fixes a security vulnerability where the webhook endpoint reads the client IP directly from x-forwarded-for instead of using the secure getClientIp() helper, making rate limiting trivially bypassable.

Changes

  1. Added getClientIp import:

    • Imported getClientIp from @/utils/getClientIp
  2. Replaced direct header reading with getClientIp():

    • Changed from: const ip = req.headers.get('x-forwarded-for') || 'unknown_ip'
    • Changed to: const ip = getClientIp(req)
  3. Updated tests:

    • Mocked getClientIp to return unique IPs per test
    • All 8 tests pass

Security Benefits

  • Prevents IP spoofing via x-forwarded-for header manipulation
  • Uses the same secure IP resolution as all other endpoints (middleware.ts, streak route, etc.)
  • Proper proxy chain analysis and spoofing detection
  • Rate limiting now works correctly based on the actual client IP

Issue

Fixes #6014

Testing

  • All 8 webhook tests pass
  • Linting passes with no new errors
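The rate-limit bypass this PR closes, as an added example that is not part of the PR or the project's code: a fixed-window limiter keyed first on the raw x-forwarded-for value (the replaced line) and then on a hypothetical resolver that stands in for getClientIp (the project's real helper may differ) and trusts only the hops appended by a known proxy. TRUSTED_PROXIES, every address and the request stub are constructed.

```javascript
// Added example (not the project's code): compare rate-limit keys before and after the fix.
// TRUSTED_PROXIES and all addresses below are constructed for illustration.
const TRUSTED_PROXIES = new Set(['10.0.0.1']); // the app's own reverse proxy

// Minimal stand-in for a Next.js Request: only headers.get() is needed here.
function makeReq(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return { headers: { get: (k) => h[k.toLowerCase()] ?? null } };
}

// Hypothetical secure resolver standing in for getClientIp (the real helper may differ).
// X-Forwarded-For is "client, proxy1, ..."; each proxy appends the peer it saw, so only hops
// appended by proxies we control are trustworthy. Walk from the right and return the first
// address that is not ours. If the TCP peer is not a trusted proxy, ignore the header entirely.
function resolveClientIp(req, remoteAddr) {
  if (!TRUSTED_PROXIES.has(remoteAddr)) return remoteAddr;
  const hops = (req.headers.get('x-forwarded-for') || '')
    .split(',').map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!TRUSTED_PROXIES.has(hops[i])) return hops[i];
  }
  return remoteAddr;
}

// Vulnerable key (what the PR replaced): the raw header, entirely client-controlled.
const spoofableKey = (req) => req.headers.get('x-forwarded-for') || 'unknown_ip';
// Fixed key: resolve through the helper.
const secureKey = (req, remoteAddr) => resolveClientIp(req, remoteAddr);

// Fixed-window limiter: allows at most `limit` requests per key; returns true when allowed.
function makeLimiter(limit, keyFn) {
  const counts = new Map();
  return (req, remoteAddr) => {
    const key = keyFn(req, remoteAddr);
    const n = (counts.get(key) || 0) + 1;
    counts.set(key, n);
    return n <= limit;
  };
}

// One real client (203.0.113.7) behind our proxy sends limit+2 requests, each carrying a
// different client-supplied first hop; the proxy appends the real peer. Returns how many passed.
function simulate(keyFn, limit = 3) {
  const allow = makeLimiter(limit, keyFn);
  let allowed = 0;
  for (let i = 0; i < limit + 2; i++) {
    const req = makeReq({ 'X-Forwarded-For': `198.51.100.${i}, 203.0.113.7` });
    if (allow(req, '10.0.0.1')) allowed++;
  }
  return allowed; // spoofableKey: every request passes; secureKey: only `limit` pass
}
```

The same check belongs in the route's test suite: mock the resolver to return one address for repeated requests and assert the limiter refuses the excess, which is what mocking getClientIp per test case makes possible.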

@vercel

vercel Bot commented Jun 19, 2026

Contributor

@atul-upadhyay-7 is attempting to deploy a commit to the jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added status:blocked This PR is blocked due to a failing CI check. type:bug Something isn't working as expected labels Jun 19, 2026
@Aamod-Dev Aamod-Dev added level:intermediate Moderate complexity tasks quality:clean PR follows clean coding practices, proper formatting, documentation, and maintainability standards. type:security Security fixes, dependency updates, or hardening mentor:Aamod007 labels Jun 20, 2026

@Aamod-Dev Aamod-Dev left a comment

Collaborator


This is a solid security fix — swapping the raw req.headers.get('x-forwarded-for') in app/api/webhook/route.ts:38 for the proper getClientIp(req) helper, with comprehensive test mocks in route.test.ts for unique IPs per test case. Unfortunately this PR has status:blocked (failing CI), so I can't approve it yet. Get those CI checks green and I'll be happy to approve!

@Aamod-Dev Aamod-Dev left a comment

Collaborator


Review

This PR cannot be approved in its current state due to blocking issues (status:blocked label, merge conflicts, needs-rebase label, and/or failing CI checks). Please resolve the blocking issues and re-request review.

Once unblocked, I'm happy to re-review! 💚

@github-actions github-actions Bot removed the status:blocked This PR is blocked due to a failing CI check. label Jun 21, 2026
@github-actions

github-actions Bot commented Jun 21, 2026

Contributor

📦 Next.js Bundle Size Report (Gzipped Sizes)

✨ No significant bundle size changes detected.

📊 Summary of Totals

Category PR Size Base Size Difference
Total JS 3697.00 KB 3697.00 KB 0 B
Total CSS 296.58 KB 296.58 KB 0 B

@Aamod-Dev Aamod-Dev added GSSoC 2026 security bug Something isn't working labels Jun 21, 2026

@Aamod-Dev Aamod-Dev left a comment

Collaborator


Using getClientIp() instead of directly reading the x-forwarded-for header in app/api/webhook/route.ts is crucial for preventing IP spoofing and rate limit bypasses. Refactoring app/api/webhook/route.test.ts to use a mocked getClientIp properly isolates the tests. Approved!

@JhaSourav07 JhaSourav07 added the gssoc:approved PR has been reviewed and accepted for valid contribution points label Jun 21, 2026
@JhaSourav07 JhaSourav07 merged commit 8657b34 into JhaSourav07:main Jun 21, 2026
8 of 9 checks passed
@github-actions

Contributor

🎉 Congratulations @atul-upadhyay-7! Your PR has been successfully merged. 🚀

Thank you for contributing to CommitPulse. Your work helps us build a better tool for the community.

⚠️ Important for GSSoC Contributors:
You are strictly advised to join our Discord Server as it is mandatory for all GSSoC participants. All important announcements, point claims, and community discussions happen there.

Keep building! 💻✨

@github-actions github-actions Bot added this to the GSSoC 2026 milestone Jun 21, 2026

Labels

bug Something isn't working gssoc:approved PR has been reviewed and accepted for valid contribution points GSSoC 2026 level:intermediate Moderate complexity tasks mentor:Aamod007 quality:clean PR follows clean coding practices, proper formatting, documentation, and maintainability standards. security type:bug Something isn't working as expected type:security Security fixes, dependency updates, or hardening

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Webhook rate limiter reads spoofable IP from x-forwarded-for instead of using getClientIp()

3 participants