H1K0
99668ec0d8
The auth rate limiter keys on c.ClientIP(), but the router was built with gin.New() and never called SetTrustedProxies — so Gin trusted all proxies by default. Behind a host reverse proxy that meant the limiter either bucketed every request under the proxy's IP, or (with the port reachable directly) could be bypassed by a forged X-Forwarded-For. NewRouter now takes a trusted-proxy list and configures SetTrustedProxies, returning an error on an invalid list so misconfiguration fails fast at startup. The list comes from a new TRUSTED_PROXIES config (CSV of CIDRs/IPs), defaulting to loopback plus the Docker bridge ranges a host proxy reaches the container through. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>