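// Extract the originating client IP from a Fastify/Express request. The Nuxt
// proxies in front of platform-api set x-forwarded-for to the real user's IP
// (see apps/operator/server/utils/platform-api.ts). Without this helper we'd
// only ever see the proxy container's address in the audit log.
//
// We take the leftmost entry of x-forwarded-for. That's the address closest
// to the real user; everything to the right is intermediate proxies. If the
// header is missing (direct request, no proxy), fall back to the socket
// address.
//
// Trust assumption: x-forwarded-for is a request header, so the leftmost
// entry is only as trustworthy as the hop that wrote it. The value is
// authoritative only if the proxies overwrite any inbound x-forwarded-for
// (rather than append to it) and platform-api cannot be reached except
// through them. NOTE(review): confirm both hold for this deployment;
// otherwise the audit log records a caller-chosen address.
//
// The returned string is not validated as an IP address. Callers that store
// or render it should treat it as untrusted text, and may want to log the
// socket address alongside it so the network peer is always recorded.
//
// Returns undefined when neither the header nor req.ip nor
// req.socket.remoteAddress yields a value.
export function clientIp(req: {
  headers: Record<string, string | string[] | undefined>
  ip?: string
  socket?: { remoteAddress?: string }
}): string | undefined {
  const raw = req.headers['x-forwarded-for']
  // A repeated header may surface as an array; only its first element is used.
  const header = Array.isArray(raw) ? raw[0] : raw
  if (header) {
    const first = header.split(',')[0]?.trim()
    // An empty leftmost entry (e.g. ", 10.0.0.2") is ignored and we fall
    // through to the socket-level fallback below.
    if (first) return first
  }
  return req.ip ?? req.socket?.remoteAddress
}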