fix(backend): fix #16994 by approach 6 (#17005)

* fix(backend): narrow down trustproxy default value and enhance documentation on how to configure it * Update Changelog * indent [ci skip] * Update CHANGELOG.md [ci skip] * add cloudflare specific example * Update .config/example.yml Co-authored-by: anatawa12 <anatawa12@icloud.com> * fix: productionでIPレートリミットされる際にlocalhostからリクエストが来たらログを残すように * fix: wrong condition * fix: use own logger for signin api * flip configuration * fix * fix [ci skip] * fix: wrong message [ci skip] * fix: どこがおかしいか明記 [ci skip] --------- Co-authored-by: anatawa12 <anatawa12@icloud.com>
2026-05-19 17:05:35 +02:00 · 2025-12-20 19:07:05 +09:00
parent 6d00645bc7
commit ee8dccea2f
7 changed files with 84 additions and 25 deletions
--- a/packages/backend/src/server/api/SigninWithPasskeyApiService.ts
+++ b/packages/backend/src/server/api/SigninWithPasskeyApiService.ts
@@ -84,9 +84,11 @@ export class SigninWithPasskeyApiService {
 			return error(status ?? 500, failure ?? { id: '4e30e80c-e338-45a0-8c8f-44455efa3b76' });
 		};

-		if (request.ip === '::1' || request.ip === '127.0.0.1') {
-			console.warn('request ip is localhost, maybe caused by misconfiguration of trustProxy or reverse proxy');
-		} else {
+		if (this.config.enableIpRateLimit) {
+			if (process.env.NODE_ENV === 'production' && (request.ip === '::1' || request.ip === '127.0.0.1')) {
+				this.logger.warn('Recieved signin with passkey request from localhost IP address for rate limiting in production environment. This is likely due to an improper trustProxy setting in the config file.');
+			}
+
 			try {
 			// Not more than 1 API call per 250ms and not more than 100 attempts per 30min
 			// NOTE: 1 Sign-in require 2 API calls