Ipv6 rate limit key error #46

Merged: kentcdodds merged 6 commits into main from cursor/ipv6-rate-limit-key-error-9edc on Jan 31, 2026
@kentcdodds kentcdodds commented Jan 31, 2026

Member

Fixes ERR_ERL_KEY_GEN_IPV6 by using ipKeyGenerator to correctly normalize client IP addresses for express-rate-limit. This ensures proper handling of IPv6 addresses and prevents validation errors in production logs. Also updates documentation examples for consistency.

Test Plan

  1. Verify express-rate-limit initialization:
    node -e "import rateLimit, { ipKeyGenerator } from 'express-rate-limit'; import express from 'express'; const app = express(); const rateLimitDefault = { windowMs: 60 * 1000, max: 500, standardHeaders: true, legacyHeaders: false, validate: { trustProxy: false }, keyGenerator: (req) => { const clientIp = req.get('fly-client-ip') ?? req.ip ?? req.socket.remoteAddress ?? '0.0.0.0'; return ipKeyGenerator(clientIp); }, }; app.use(rateLimit(rateLimitDefault)); console.log('rate limit initialized');"
    Ensure this command runs without throwing the ERR_ERL_KEY_GEN_IPV6 error.
  2. Linting check:
    npm run lint -- server/index.ts
    Ensure no linting errors are introduced in the modified server file.

Checklist

  • Tests updated (N/A - runtime check performed)
  • Docs updated

Screenshots

N/A




Note

Low Risk
Small, localized change to rate-limit key generation and documentation; primary risk is unintended rate-limit bucketing changes for some clients/proxies.

Overview
Fixes express-rate-limit key generation to correctly handle IPv6 by importing and using ipKeyGenerator, and by providing a more robust client IP fallback chain (fly-client-ip → req.ip → socket.remoteAddress).

Updates epic-security documentation examples to use the same ipKeyGenerator approach (and to prefer API keys when present) so guidance matches runtime behavior.

Written by Cursor Bugbot for commit b785721.

cursoragent and others added 6 commits January 31, 2026 07:06
Co-authored-by: me <me@kentcdodds.com>
@kentcdodds kentcdodds marked this pull request as ready for review January 31, 2026 07:34

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is ON. A Cloud Agent has been kicked off to fix the reported issue.

Comment thread server/index.ts
req.ip ??
req.socket.remoteAddress ??
'0.0.0.0'
return ipKeyGenerator(clientIp)
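
Review bot: the final `'0.0.0.0'` fallback in this chain gives every request with no resolvable address the same key, so all of them share one rate-limit bucket and a single noisy client can exhaust it for the rest. Consider logging whenever the fallback is hit so it shows up in monitoring, and add a short comment above `return ipKeyGenerator(clientIp)` noting that `clientIp` is a raw address string that ipKeyGenerator normalizes.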

Potential incorrect argument type passed to ipKeyGenerator

High Severity

The ipKeyGenerator function from express-rate-limit is a KeyGenerator type that typically expects a Request object as its parameter, not a string. The code calls ipKeyGenerator(clientIp) where clientIp is a string. If this function expects Request, it would attempt to access clientIp.ip (undefined on a string), potentially causing runtime errors or the same ERR_ERL_KEY_GEN_IPV6 error the PR aims to fix. The test plan only initializes the rate limiter without making actual requests, so this wouldn't be caught during testing.

⚠️ Bugbot Autofix determined this is a false positive.

In express-rate-limit v8.2.1, ipKeyGenerator is defined as ipKeyGenerator(ip: string, ipv6Subnet?: number | false), so passing the clientIp string is the correct usage.

@kentcdodds kentcdodds merged commit 63a717f into main Jan 31, 2026
6 checks passed
@kentcdodds kentcdodds deleted the cursor/ipv6-rate-limit-key-error-9edc branch January 31, 2026 17:01
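
Added example, not code from this PR or from express-rate-limit: why an IPv6 rate-limit key is a subnet prefix rather than the full address, so that the many addresses inside one client's allocation share a bucket. `parseIPv6` and `rateLimitKey` are hypothetical names mirroring the `(ip, ipv6Subnet)` signature quoted in the thread; the default prefix of 56 and the handling of IPv4-mapped addresses are assumptions of this example.

```javascript
// Added illustration; this is not express-rate-limit's own implementation.
// Expand an IPv6 string into eight 16-bit groups, or return null if it is not IPv6.
function parseIPv6(ip) {
  let addr = ip.split('%')[0] // drop a zone id such as %eth0
  if (!addr.includes(':')) return null
  // Rewrite a trailing dotted quad (::ffff:192.0.2.7) as two hex groups.
  const quad = addr.match(/(\d+)\.(\d+)\.(\d+)\.(\d+)$/)
  if (quad) {
    const [a, b, c, d] = quad.slice(1).map(Number)
    if ([a, b, c, d].some((n) => n > 255)) return null
    const hex = (hi, lo) => ((hi << 8) | lo).toString(16)
    addr = addr.slice(0, quad.index) + hex(a, b) + ':' + hex(c, d)
  }
  const halves = addr.split('::')
  if (halves.length > 2) return null
  const groups = (s) => (s ? s.split(':') : [])
  const head = groups(halves[0])
  const tail = groups(halves[1])
  const gap = halves.length === 2 ? 8 - head.length - tail.length : 0
  if (halves.length === 2 && gap < 1) return null
  const all = [...head, ...Array(gap).fill('0'), ...tail]
  if (all.length !== 8 || !all.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null
  return all.map((g) => parseInt(g, 16))
}

// Hypothetical helper mirroring the (ip, ipv6Subnet) signature quoted in the thread.
// The default prefix of 56 is an assumption of this example.
function rateLimitKey(ip, ipv6Subnet = 56) {
  const g = parseIPv6(ip)
  if (!g) return ip // IPv4 or not an address: the string itself is the key
  const text = (arr) => arr.map((x) => x.toString(16)).join(':')
  // IPv4-mapped (::ffff:a.b.c.d), as a dual-stack socket reports IPv4 peers:
  // key on the embedded IPv4, because masking would zero it and merge all
  // such clients into one bucket. This is this example's choice.
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
    return [g[6] >> 8, g[6] & 255, g[7] >> 8, g[7] & 255].join('.')
  }
  if (ipv6Subnet === false) return text(g)
  const masked = g.map((x, i) => {
    const bits = Math.min(16, Math.max(0, ipv6Subnet - i * 16)) // prefix bits in group i
    return x & (0xffff << (16 - bits)) & 0xffff
  })
  return `${text(masked)}/${ipv6Subnet}`
}
```

Keying on the full IPv6 address instead would give each address in the same allocation its own bucket, which is the bucketing risk the Bugbot overview mentions in reverse.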