Javascript operates at HTTP level, so there is no such thing as an IP address in Javascript world.
The workaround you devised is widely used and it is, I believe, the only way to get the client's private address. As hek2mgl advises, this solution is insecure indeed, although in your case, the concern is less relevant because you seem to have complete control of the clients, the server, and the network in between.
For a really secure solution, use client certificates. I understand you do not really care about the client's IP addresses per se, but only want to use them as a mean of authentication (or was it just identification? :D).
Configuration is not trivial but not rocket sience either. Here is a nice tutorial (Apache). It assumes the use of certificates issued by a public certification authority, but you can generate and use your own self-signed certificates (tutorial 1, tutorial 2)