fix: prevent localhost auth bypass via X-Forwarded-For spoofing #38

Closed
marcusquinn wants to merge 3 commits into johnwaldo:main from
marcusquinn:bugfix/fix-localhost-auth-bypass

Conversation

@marcusquinn (Collaborator)

Summary

Fixes #19: Security: Localhost auth bypass via X-Forwarded-For spoofing

  • Add TRUST_PROXY config flag (default false). When false, the server uses Bun's native requestIP() to read the TCP socket address for client IP detection — this cannot be spoofed by clients sending fake X-Forwarded-For or X-Real-IP headers
  • When TRUST_PROXY=true (for deployments behind Tailscale Serve, Traefik, nginx), proxy headers are trusted as before
  • Consolidate duplicate IP extraction logic from server/index.ts into server/middleware/auth.ts as extractClientIp() — single source of truth
  • Document proxy trust model and Tailscale Serve header security in README

Changes

File                      | Change
--------------------------|------------------------------------------------------------
server/config.ts          | Add trustProxy config (env: TRUST_PROXY, default false)
server/middleware/auth.ts | Replace extractIp() with extractClientIp() that respects trustProxy; export for use by index.ts
server/index.ts           | Remove duplicate extractRemoteIp(); import extractClientIp from auth; add trustProxy to startup log
README.md                 | Document TRUST_PROXY flag, deployment matrix, Tailscale Serve header stripping

Security Impact

Before: Any remote client could send X-Forwarded-For: 127.0.0.1 and bypass authentication entirely.

After: By default, proxy headers are ignored. The TCP socket address (from requestIP()) determines the client IP. Only when TRUST_PROXY=true are forwarded headers consulted.

Testing

  • Server starts cleanly with trust proxy: false in startup log
  • Localhost requests authenticated via TCP socket address (not headers)
  • Spoofed X-Forwarded-For headers ignored when TRUST_PROXY=false

Add TRUST_PROXY config flag (default false). When false, use Bun's native
requestIP() for client IP detection instead of trusting spoofable proxy
headers. Consolidate IP extraction into auth.ts as single source of truth.

Closes johnwaldo#19
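As an added example (not code from this PR or from the project), the following TypeScript shows the shape of a TRUST_PROXY-gated client-IP extractor as the PR description outlines it. The names extractClientIp and trustProxy come from the PR; the function signature, the helpers isLoopback and parseForwardedFor, the HeaderLookup type and the demo scenarios are assumptions made for this example. The TCP peer address is passed in as a parameter so the logic runs outside Bun; in a Bun.serve() handler it would come from server.requestIP(req)?.address.

```typescript
// Added example, not the project's code. Assumed names: HeaderLookup,
// isLoopback, parseForwardedFor, isLocalhostRequest, demo.
// Requires a global Headers (Bun, or Node 18+).

/** Minimal view of a header bag; the fetch Headers object satisfies it. */
interface HeaderLookup {
  get(name: string): string | null;
}

const IPV4_MAPPED = /^::ffff:/i;

/** True for IPv4 127.0.0.0/8 and IPv6 ::1, including IPv4-mapped forms. */
function isLoopback(ip: string): boolean {
  const bare = ip.trim().replace(IPV4_MAPPED, "");
  return bare === "::1" || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(bare);
}

/** Split an X-Forwarded-For value into its entries, dropping blanks. */
function parseForwardedFor(value: string): string[] {
  return value.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

/**
 * Resolve the client IP.
 * - socketIp is the TCP peer address (in Bun: server.requestIP(req)?.address).
 * - trustProxy=false: headers are never read, so a client cannot influence
 *   the result at all.
 * - trustProxy=true: the right-most X-Forwarded-For entry is used. A
 *   well-behaved proxy appends the peer it saw, so entries the client
 *   prepended itself are ignored. This assumes exactly one trusted proxy hop
 *   directly in front of the server; more hops need a trusted-proxy list.
 */
function extractClientIp(
  headers: HeaderLookup,
  socketIp: string,
  trustProxy: boolean,
): string {
  if (!trustProxy) return socketIp;
  const xff = headers.get("x-forwarded-for");
  if (xff) {
    const entries = parseForwardedFor(xff);
    if (entries.length > 0) return entries[entries.length - 1];
  }
  const realIp = headers.get("x-real-ip")?.trim();
  if (realIp) return realIp;
  return socketIp;
}

/** The decision the bypass targeted: does this request come from localhost? */
function isLocalhostRequest(
  headers: HeaderLookup,
  socketIp: string,
  trustProxy: boolean,
): boolean {
  return isLoopback(extractClientIp(headers, socketIp, trustProxy));
}

/** Constructed scenarios (not captured traffic) showing each trust mode. */
function demo(): Record<string, boolean> {
  const spoofed = new Headers({ "X-Forwarded-For": "127.0.0.1" });
  const viaProxy = new Headers({ "X-Forwarded-For": "127.0.0.1, 203.0.113.5" });
  return {
    // Remote client sends the spoofed header straight to the server.
    // With headers trusted unconditionally this was true; now it is false.
    spoofDirect_trustProxyFalse: isLocalhostRequest(spoofed, "203.0.113.5", false),
    // Misconfiguration: TRUST_PROXY=true with no proxy in front still bypasses.
    spoofDirect_trustProxyTrue: isLocalhostRequest(spoofed, "203.0.113.5", true),
    // Behind a real proxy on the same host the client's prepended entry is
    // not the right-most one, so the spoof fails.
    spoofBehindProxy_trustProxyTrue: isLocalhostRequest(viaProxy, "127.0.0.1", true),
    // Genuine local connection, no proxy involved.
    localSocket_trustProxyFalse: isLocalhostRequest(new Headers(), "127.0.0.1", false),
  };
}
```

The second scenario is the one to keep in mind when enabling the flag: TRUST_PROXY=true is only safe when every TCP connection the server accepts actually comes from the proxy, which is why binding the listener to loopback or a Tailscale address matters as much as the flag itself.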
@johnwaldo (Owner)

This issue has already been resolved in PR #39.

The fix adds the DASHBOARD_TRUST_PROXY config (default: false) which prevents X-Forwarded-For spoofing attacks.

Closing as duplicate.

@johnwaldo johnwaldo closed this Feb 26, 2026
@marcusquinn marcusquinn deleted the bugfix/fix-localhost-auth-bypass branch March 18, 2026 13:08
Linked issue:

Security: Localhost auth bypass via X-Forwarded-For spoofing