fix(security): make rate-limit client IP proxy-aware

The limiter keyed solely on the direct peer address, so behind a reverse proxy every request shares the proxy's IP (collapsing all users into one bucket). Blindly trusting X-Forwarded-For would instead let clients spoof it. Add a trusted_proxy_count setting (default 0). When > 0, the client IP is read from X-Forwarded-For counting that many hops from the right (ProxyFix-style); when 0, the header is ignored and the peer address is used. Refs: porchlight-8qj Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 13:35:29 +02:00 · 2026-06-05 13:35:29 +02:00 · efb265a68b
commit efb265a68b
parent aedb451128
3 changed files with 65 additions and 1 deletions
--- a/tests/test_rate_limit.py
+++ b/tests/test_rate_limit.py
@ -1,6 +1,10 @@
+from types import SimpleNamespace
+
 import pytest
 from httpx import AsyncClient
+from starlette.requests import Request

+from porchlight.rate_limit import _client_identifier
 from tests.conftest import get_csrf_token


@ -23,3 +27,38 @@ async def test_password_login_rate_limited(client: AsyncClient) -> None:
    )

    assert response.status_code == 429
+
+
+def _make_request(headers: dict[str, str], client_host: str, trusted_proxy_count: int) -> Request:
+    scope = {
+        "type": "http",
+        "headers": [(k.lower().encode(), v.encode()) for k, v in headers.items()],
+        "client": (client_host, 12345),
+        "app": SimpleNamespace(
+            state=SimpleNamespace(settings=SimpleNamespace(trusted_proxy_count=trusted_proxy_count))
+        ),
+    }
+    return Request(scope)
+
+
+def test_client_identifier_ignores_forwarded_when_no_trusted_proxy() -> None:
+    req = _make_request({"x-forwarded-for": "203.0.113.9"}, "127.0.0.1", trusted_proxy_count=0)
+    # Spoofable header must be ignored when no proxy is trusted.
+    assert _client_identifier(req) == "127.0.0.1"
+
+
+def test_client_identifier_uses_forwarded_with_one_trusted_proxy() -> None:
+    req = _make_request({"x-forwarded-for": "203.0.113.9"}, "10.0.0.1", trusted_proxy_count=1)
+    assert _client_identifier(req) == "203.0.113.9"
+
+
+def test_client_identifier_picks_correct_hop_with_two_trusted_proxies() -> None:
+    req = _make_request({"x-forwarded-for": "client, proxyA, proxyB"}, "10.0.0.1", trusted_proxy_count=2)
+    # Two trusted proxies appended their peers; the client as seen by the
+    # outermost trusted proxy is the 2nd-from-right entry.
+    assert _client_identifier(req) == "proxyA"
+
+
+def test_client_identifier_falls_back_when_forwarded_missing() -> None:
+    req = _make_request({}, "10.0.0.1", trusted_proxy_count=1)
+    assert _client_identifier(req) == "10.0.0.1"