refactor: address review comments for join view

lib/membership/join_request.ex

@@ -37,6 +37,7 @@ defmodule Mv.Membership.JoinRequest do
       accept [:email, :first_name, :last_name, :form_data, :schema_version]
 
       change Mv.Membership.JoinRequest.Changes.SetConfirmationToken
+      change Mv.Membership.JoinRequest.Changes.FilterFormDataByAllowlist
     end
 
     read :get_by_confirmation_token_hash do
@@ -77,6 +78,8 @@ defmodule Mv.Membership.JoinRequest do
   end
 
   validations do
+    # Format/formatting of email is not validated here; invalid addresses may fail at send time
+    # or can be enforced via an Ash change if needed.
     validate present(:email), on: [:create]
   end
 

lib/membership/join_request/changes/filter_form_data_by_allowlist.ex

@@ -0,0 +1,38 @@
+defmodule Mv.Membership.JoinRequest.Changes.FilterFormDataByAllowlist do
+  @moduledoc """
+  Filters form_data to only keys that are in the join form allowlist (server-side).
+
+  Ensures that even when submit_join_request/2 is called directly (e.g. from tests or API),
+  only allowlisted custom fields are persisted. Typed fields (email, first_name, last_name)
+  are not part of form_data; allowlist is join_form_field_ids minus those.
+  """
+  use Ash.Resource.Change
+
+  alias Mv.Membership
+
+  @typed_fields ["email", "first_name", "last_name"]
+
+  @spec change(Ash.Changeset.t(), keyword(), Ash.Resource.Change.context()) :: Ash.Changeset.t()
+  def change(changeset, _opts, _context) do
+    form_data = Ash.Changeset.get_attribute(changeset, :form_data) || %{}
+
+    allowlist_ids =
+      case Membership.get_join_form_allowlist() do
+        list when is_list(list) ->
+          list
+          |> Enum.map(fn item -> item.id end)
+          |> MapSet.new()
+          |> MapSet.difference(MapSet.new(@typed_fields))
+
+        _ ->
+          MapSet.new()
+      end
+
+    filtered =
+      form_data
+      |> Enum.filter(fn {key, _} -> MapSet.member?(allowlist_ids, to_string(key)) end)
+      |> Map.new()
+
+    Ash.Changeset.force_change_attribute(changeset, :form_data, filtered)
+  end
+end

lib/mv_web/endpoint.ex

@@ -12,8 +12,8 @@ defmodule MvWeb.Endpoint do
   ]
 
   socket "/live", Phoenix.LiveView.Socket,
-    websocket: [connect_info: [:peer_data, session: @session_options]],
-    longpoll: [connect_info: [:peer_data, session: @session_options]]
+    websocket: [connect_info: [:peer_data, :x_headers, session: @session_options]],
+    longpoll: [connect_info: [:peer_data, :x_headers, session: @session_options]]
 
   # Serve at "/" the static files from "priv/static" directory.
   #

lib/mv_web/join_rate_limit.ex

@@ -15,6 +15,7 @@ defmodule MvWeb.JoinRateLimit do
   - `{:deny, _retry_after_ms}` - rate limit exceeded
   """
   def check(key) when is_binary(key) do
+    # Read at runtime so config can be changed without restart (e.g. in tests).
     config = Application.get_env(:mv, :join_rate_limit, [])
     scale_ms = Keyword.get(config, :scale_ms, 60_000)
     limit = Keyword.get(config, :limit, 10)

lib/mv_web/live/join_live.ex

@@ -213,9 +213,7 @@ defmodule MvWeb.JoinLive do
       form_data =
         params
         |> Enum.filter(fn {key, _} -> key in allowlist_ids and key not in typed end)
-        |> Map.new()
-        |> Enum.map(fn {k, v} -> {k, String.trim(to_string(v))} end)
-        |> Map.new()
+        |> Map.new(fn {k, v} -> {k, String.trim(to_string(v))} end)
 
       attrs = %{attrs | form_data: form_data}
       {:ok, attrs}
@@ -227,13 +225,37 @@ defmodule MvWeb.JoinLive do
     if is_binary(v), do: String.trim(v), else: nil
   end
 
+  # Prefer X-Forwarded-For / X-Real-IP when behind a reverse proxy; fall back to peer_data.
+  # Uses :inet.ntoa/1 for correct IPv4 and IPv6 string representation.
   defp client_ip_from_socket(socket) do
-    case get_connect_info(socket, :peer_data) do
-      %{address: address} when is_tuple(address) ->
-        address |> Tuple.to_list() |> Enum.join(".")
-
-      _ ->
-        "unknown"
+    with nil <- client_ip_from_headers(socket),
+         %{address: address} when is_tuple(address) <- get_connect_info(socket, :peer_data) do
+      address |> :inet.ntoa() |> to_string()
+    else
+      ip when is_binary(ip) -> ip
+      _ -> "unknown"
     end
   end
+
+  defp client_ip_from_headers(socket) do
+    headers = get_connect_info(socket, :x_headers) || []
+    real_ip = header_value(headers, "x-real-ip")
+    forwarded = header_value(headers, "x-forwarded-for")
+
+    cond do
+      real_ip != nil -> real_ip
+      forwarded != nil -> String.split(forwarded, ~r/,\s*/) |> List.first() |> String.trim()
+      true -> nil
+    end
+  end
+
+  defp header_value(headers, name) do
+    name_lower = String.downcase(name)
+
+    headers
+    |> Enum.find_value(fn
+      {h, v} when is_binary(h) -> if String.downcase(h) == name_lower, do: String.trim(v)
+      _ -> nil
+    end)
+  end
 end

lib/mv_web/plugs/join_form_enabled.ex

@@ -24,6 +24,7 @@ defmodule MvWeb.Plugs.JoinFormEnabled do
     end
   end
 
+  # Same body as default ErrorHTML 404 (no custom error templates in this app).
   defp send_404(conn) do
     conn
     |> put_resp_content_type("text/html")