From af6686ccfae12876e867cdabe729d0c893bd85a1 Mon Sep 17 00:00:00 2001
From: Fringg <egor.andrianovv@gmail.com>
Date: Wed, 25 Feb 2026 03:49:33 +0300
Subject: [PATCH] fix: extract real client IP from X-Forwarded-For/X-Real-IP
 headers

Behind Docker reverse proxy, request.client.host always returns
the proxy container IP (172.20.0.2). Now reads X-Forwarded-For
first, then X-Real-IP, falling back to request.client.host.
---
 app/cabinet/dependencies.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/app/cabinet/dependencies.py b/app/cabinet/dependencies.py
index b79c21c9..ffcb6df0 100644
--- a/app/cabinet/dependencies.py
+++ b/app/cabinet/dependencies.py
@@ -289,7 +289,11 @@ def require_permission(*permissions: str):
     ) -> User:
         from app.services.permission_service import PermissionService
 
-        ip_address = request.client.host if request.client else None
+        ip_address = (
+            request.headers.get('X-Forwarded-For', '').split(',')[0].strip()
+            or request.headers.get('X-Real-IP', '').strip()
+            or (request.client.host if request.client else None)
+        )
         user_agent = request.headers.get('user-agent', '')
 
         for perm in permissions: