refactor: improve Cloudflare IP fetching with Redis caching and in-memory testing setup

jakejarvis · jakejarvis · commit b80b8648bf70 · 2025-11-06T10:11:30.000-05:00
diff --git a/lib/cloudflare.test.ts b/lib/cloudflare.test.ts
@@ -1,14 +1,24 @@
 /* @vitest-environment node */
-import { afterEach, describe, expect, it, vi } from "vitest";
-import { isCloudflareIp } from "./cloudflare";
+import { afterEach, beforeAll, describe, expect, it, vi } from "vitest";
 
-// Mock cacheLife before importing the module
-vi.mock("next/cache", () => ({
-  cacheLife: vi.fn(),
-}));
+let isCloudflareIp: typeof import("./cloudflare").isCloudflareIp;
 
 describe("isCloudflareIp", () => {
-  afterEach(() => {
+  beforeAll(async () => {
+    // Use in-memory Redis for testing
+    const { makeInMemoryRedis } = await import("@/lib/redis-mock");
+    const impl = makeInMemoryRedis();
+    vi.doMock("@/lib/redis", () => impl);
+
+    // Import module AFTER mocks are set up
+    const module = await import("./cloudflare");
+    isCloudflareIp = module.isCloudflareIp;
+  });
+
+  afterEach(async () => {
+    // Reset Redis state between tests
+    const { resetInMemoryRedis } = await import("@/lib/redis-mock");
+    resetInMemoryRedis();
     vi.restoreAllMocks();
   });
 
@@ -29,6 +39,35 @@ describe("isCloudflareIp", () => {
     expect(await isCloudflareIp("5.6.7.8")).toBe(false);
     expect(await isCloudflareIp("2001:db8::1")).toBe(true);
     expect(await isCloudflareIp("2001:dead::1")).toBe(false);
+
+    // Verify fetch was called only once (subsequent calls should use Redis cache)
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+
+    fetchMock.mockRestore();
+  });
+
+  it("uses Redis cache for subsequent requests", async () => {
+    const body = (data: unknown) =>
+      new Response(JSON.stringify(data), { status: 200 });
+    const fetchMock = vi.spyOn(global, "fetch").mockImplementation(async () =>
+      body({
+        result: {
+          ipv4_cidrs: ["1.2.3.0/24"],
+          ipv6_cidrs: ["2001:db8::/32"],
+        },
+      }),
+    );
+
+    // First call should fetch from API
+    await isCloudflareIp("1.2.3.4");
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+
+    // Second call should use Redis cache (React cache() only dedups within same request)
+    // Note: In real scenarios, React's cache() would reset between requests,
+    // but Redis cache would persist
+    await isCloudflareIp("1.2.3.5");
+    expect(fetchMock).toHaveBeenCalledTimes(1); // Still only 1 fetch
+
     fetchMock.mockRestore();
   });
 });
diff --git a/lib/cloudflare.ts b/lib/cloudflare.ts
@@ -1,30 +1,28 @@
 import "server-only";
+
 import * as ipaddr from "ipaddr.js";
-import { cacheLife } from "next/cache";
 import { cache } from "react";
+import { acquireLockOrWaitForResult } from "@/lib/cache";
 import { CLOUDFLARE_IPS_URL } from "@/lib/constants";
 import { ipV4InCidr, ipV6InCidr } from "@/lib/ip";
+import { redis } from "@/lib/redis";
 
 export interface CloudflareIpRanges {
   ipv4Cidrs: string[];
   ipv6Cidrs: string[];
 }
 
+const CACHE_KEY = "cloudflare:ip-ranges";
+const LOCK_KEY = "cloudflare:ip-ranges:lock";
+const CACHE_TTL_SECONDS = 604800; // 1 week
+
 let lastLoadedIpv4Parsed: Array<[ipaddr.IPv4, number]> | undefined;
 let lastLoadedIpv6Parsed: Array<[ipaddr.IPv6, number]> | undefined;
 
 /**
- * Fetch Cloudflare IP ranges with Cache Components.
- *
- * The IP ranges change infrequently (when Cloudflare expands infrastructure),
- * so we cache for 1 day using Next.js 16 Cache Components.
- *
- * Also wrapped in React's cache() for per-request deduplication.
+ * Fetch Cloudflare IP ranges from their API.
  */
-const getCloudflareIpRanges = cache(async (): Promise<CloudflareIpRanges> => {
-  "use cache";
-  cacheLife("days");
-
+async function fetchCloudflareIpRanges(): Promise<CloudflareIpRanges> {
   const res = await fetch(CLOUDFLARE_IPS_URL);
 
   if (!res.ok) {
@@ -33,12 +31,18 @@ const getCloudflareIpRanges = cache(async (): Promise<CloudflareIpRanges> => {
 
   const data = await res.json();
 
-  const ranges: CloudflareIpRanges = {
+  return {
     ipv4Cidrs: data.result?.ipv4_cidrs || [],
     ipv6Cidrs: data.result?.ipv6_cidrs || [],
   };
+}
 
-  // Pre-parse IPv4 CIDRs for fast sync/async checks
+/**
+ * Parse IP ranges into ipaddr.js objects for fast matching.
+ * Updates module-level cache for synchronous access.
+ */
+function parseAndCacheRanges(ranges: CloudflareIpRanges): void {
+  // Pre-parse IPv4 CIDRs for fast matching
   try {
     lastLoadedIpv4Parsed = ranges.ipv4Cidrs
       .map((cidr) => {
@@ -55,7 +59,7 @@ const getCloudflareIpRanges = cache(async (): Promise<CloudflareIpRanges> => {
     lastLoadedIpv4Parsed = undefined;
   }
 
-  // Pre-parse IPv6 CIDRs for fast sync/async checks
+  // Pre-parse IPv6 CIDRs for fast matching
   try {
     lastLoadedIpv6Parsed = ranges.ipv6Cidrs
       .map((cidr) => {
@@ -71,10 +75,71 @@ const getCloudflareIpRanges = cache(async (): Promise<CloudflareIpRanges> => {
   } catch {
     lastLoadedIpv6Parsed = undefined;
   }
+}
+
+/**
+ * Fetch Cloudflare IP ranges with Redis caching.
+ *
+ * The IP ranges change infrequently (when Cloudflare expands infrastructure),
+ * so we cache for 1 day in Redis with distributed locking to prevent thundering herd.
+ *
+ * Also wrapped in React's cache() for per-request deduplication.
+ */
+const getCloudflareIpRanges = cache(async (): Promise<CloudflareIpRanges> => {
+  let ranges = await redis.get<CloudflareIpRanges>(CACHE_KEY);
+
+  if (!ranges) {
+    const lock = await acquireLockOrWaitForResult<CloudflareIpRanges>({
+      lockKey: LOCK_KEY,
+      resultKey: CACHE_KEY,
+      lockTtl: 30,
+      pollIntervalMs: 250,
+      maxWaitMs: 20_000,
+    });
+
+    if (lock.acquired) {
+      try {
+        ranges = await fetchCloudflareIpRanges();
+        await redis.set(CACHE_KEY, ranges, {
+          ex: CACHE_TTL_SECONDS,
+        });
+        parseAndCacheRanges(ranges);
+        console.info("[cloudflare-ips] IP ranges fetched (not cached)");
+      } catch (err) {
+        console.error(
+          "[cloudflare-ips] fetch error",
+          err instanceof Error ? err : new Error(String(err)),
+        );
+        // Write a short-TTL negative cache to prevent hammering during outages
+        try {
+          await redis.set(CACHE_KEY, null, { ex: 60 });
+        } catch (cacheErr) {
+          console.warn("[cloudflare-ips] negative cache failed", cacheErr);
+        }
+      } finally {
+        // Always release the lock so waiters don't stall
+        try {
+          await redis.del(LOCK_KEY);
+        } catch (delErr) {
+          console.warn("[cloudflare-ips] lock release failed", delErr);
+        }
+      }
+    } else {
+      ranges = lock.cachedResult;
+    }
+  }
 
-  return ranges;
+  // If we got ranges from cache, ensure parsed versions are available
+  if (ranges) {
+    parseAndCacheRanges(ranges);
+  }
+
+  return ranges ?? { ipv4Cidrs: [], ipv6Cidrs: [] };
 });
 
+/**
+ * Check if a given IP address is part of Cloudflare's IP ranges.
+ */
 export const isCloudflareIp = cache(async (ip: string): Promise<boolean> => {
   const ranges = await getCloudflareIpRanges();
 
