siftlode/backend
npeter83 7297dbd2a8 feat(auth): SA3 — trusted-proxy X-Forwarded-For for rate limiting
_client_ip trusted the first X-Forwarded-For hop unconditionally, so anyone able to
reach the app port could forge XFF and dodge the login/register/reset/demo rate limits.
Now trust XFF ONLY when the request's socket peer is a configured reverse proxy
(settings.trusted_proxy_ips, e.g. the VPS Caddy's WireGuard peer IP), and take the
RIGHTMOST entry — the client our proxy actually saw and appended, immune to a client
pre-seeding a fake XFF. A request from any other peer (hitting the port directly) is
keyed on its real socket IP, so XFF can't be forged to bypass the limits.

New TRUSTED_PROXY_IPS env (empty default = no proxy, use the direct peer). Documented in
.env.example, docs/self-hosting.md, README. Unit-verified against spoof-through-proxy and
direct-bypass cases.
2026-07-12 03:42:41 +02:00
..
alembic feat(auth): SA4 — server-side session revocation via per-user session epoch 2026-07-12 03:00:16 +02:00
app feat(auth): SA3 — trusted-proxy X-Forwarded-For for rate limiting 2026-07-12 03:42:41 +02:00
alembic.ini feat: M1 foundation — compose stack, FastAPI, Google OAuth, encrypted tokens 2026-06-11 01:01:37 +02:00
Dockerfile feat: M1 foundation — compose stack, FastAPI, Google OAuth, encrypted tokens 2026-06-11 01:01:37 +02:00
entrypoint.sh fix(api): raise uvicorn keepalive above the proxy reuse window 2026-06-18 15:13:01 +02:00
log_config.json chore: rename remaining subfeed references to siftlode 2026-06-21 06:53:12 +02:00
requirements.txt feat(downloads): Deno JS runtime + web/android clients to complete the POT setup 2026-07-03 22:46:32 +02:00
ruff.toml chore(hygiene): Phase 4 guardrails — noUnusedLocals/Parameters + dead-code sweep 2026-07-12 02:15:52 +02:00