Is there a way to obtain the origin information of a remote server making requests to my api server? The objective is to prevent possible server-to-server authentication token spoofing.
To test, I basically sent remote requests to the server from a test server listening on port 8000. While the req.connection.remote.address logged by the api server was consistent, the req.connection.remote.port changed with every request.
Is there a way to obtain the address of the test server along with its port 8000 from the request object at the api server? An outside of the box solution would be appreciated as well.
No, there is not unless the requesting server specifically provides that information for you in a non-standard (custom) header. It is not part of TCP/IP or HTTP that you would know anything about what type of http client it is that is making the request or that it's even actually an http server making a request of your http server. From the networking point of view, it's just some http client at some IP address and you don't know anything about what else that http client might be doing (in your case also an http server).
An incoming TCP/IP connection never comes from the public, incoming port of the requesting web server. Instead, it comes from some dynamically assigned outbound port that is likely different for every request. That's how TCP/IP works. Outbound ports are dynamically assigned when the socket is created and they come from a different port range than is typically used for listening for incoming requests.
If the request is originating from a cooperating server, then you can ask it to set a custom header that indicates what port it is running on for incoming requests, but if it's not a cooperating server, there is no way for you to know what port is listens for incoming requests or if even it is a server at all.