[F] Add ability to define request header to use as rate limiting key

timfrazee · timfrazee · commit 7fda61c45173 · 2026-03-19T10:03:54.000-07:00
Addresses an issue where proxies using non-standard forwarding headers were being rate limited on the proxy's IP
diff --git a/api/config/application.rb b/api/config/application.rb
@@ -28,6 +28,7 @@ module Dotenv
   class Railtie < Rails::Railtie
     def load
       Dotenv.load(
+        root.join("./.env"),
         root.join("../.env.local"),
         root.join("../.env.#{Rails.env}"),
         root.join("../.env")
diff --git a/api/config/initializers/rack_attack.rb b/api/config/initializers/rack_attack.rb
@@ -39,7 +39,12 @@
 
     Rack::Attack.throttle throttler.ip_key, **throttler.options do |request|
       next unless request.env["manifold_env.throttled_category"] == throttler.category
-      request.env["action_dispatch.remote_ip"]&.calculate_ip || request.ip
+
+      ENV["PROXY_CLIENT_IP_HEADER"].split(/,\s*/).map do |header|
+        request.get_header(header)
+      end.push(request.env["action_dispatch.remote_ip"].to_s, request.ip)
+         .compact_blank
+         .first
     end
   end
 
diff --git a/docker/local.env b/docker/local.env
@@ -11,9 +11,9 @@ API_CABLE_PORT=13120
 
 CLIENT_URL=http://localhost:13100
 
-CLIENT_BROWSER_API_URL=https://web.manifold.orb.local
+CLIENT_BROWSER_API_URL=http://localhost:13110
 CLIENT_BROWSER_API_CABLE_URL=http://localhost:13120
-CLIENT_SERVER_API_URL=https://web.manifold.orb.local
+CLIENT_SERVER_API_URL=http://localhost:13110
 
 CLIENT_SERVER_PROXIES=true
 
