fix: extract real client IP from X-Forwarded-For/X-Real-IP headers

Behind Docker reverse proxy, request.client.host always returns the proxy container IP (172.20.0.2). Now reads X-Forwarded-For first, then X-Real-IP, falling back to request.client.host.
2026-03-02 00:03:05 +00:00 · 2026-02-25 03:49:33 +03:00
parent 8893fc128e
commit af6686ccfa
1 changed files with 5 additions and 1 deletions
--- a/app/cabinet/dependencies.py
+++ b/app/cabinet/dependencies.py
@@ -289,7 +289,11 @@ def require_permission(*permissions: str):
    ) -> User:
        from app.services.permission_service import PermissionService

-        ip_address = request.client.host if request.client else None
+        ip_address = (
+            request.headers.get('X-Forwarded-For', '').split(',')[0].strip()
+            or request.headers.get('X-Real-IP', '').strip()
+            or (request.client.host if request.client else None)
+        )
        user_agent = request.headers.get('user-agent', '')

        for perm in permissions: