- Add grpcClientIP() helper that mirrors middleware.ClientIP for proxy-aware IP extraction from gRPC metadata
- Update rateLimitInterceptor to use grpcClientIP with the TrustedProxy config setting
- Only trust x-forwarded-for/x-real-ip metadata when the peer address matches the configured trusted proxy
- Add 7 unit tests covering: no proxy, xff, x-real-ip preference, untrusted peer ignoring headers, no headers fallback, invalid header fallback, and no peer

Security: gRPC rate limiter now extracts real client IPs behind a reverse proxy using the same trust model as the REST middleware (DEF-03). Headers from untrusted peers are ignored, preventing IP-spoofing for rate-limit bypass.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
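
The trust model in the commit message above, as an added standard-library sketch that is not the project's grpcClientIP: forwarding metadata is read only when the peer is the configured trusted proxy. The name `clientIP`, the plain map standing in for gRPC metadata, the x-real-ip-first order and the choice of the right-most x-forwarded-for entry are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// clientIP (hypothetical name) returns the address a rate limiter should key on.
// peerAddr is the transport peer ("host:port", empty when there is no peer),
// md holds lower-cased metadata keys, trustedProxy is the single proxy IP
// allowed to vouch for a client ("" when no proxy is configured).
func clientIP(peerAddr string, md map[string][]string, trustedProxy string) string {
	host, _, err := net.SplitHostPort(peerAddr)
	if err != nil {
		host = peerAddr // address without a port, or empty
	}
	peer := net.ParseIP(host)
	if peer == nil {
		return "" // no usable peer: the caller picks a fallback bucket
	}
	proxy := net.ParseIP(trustedProxy)
	if proxy == nil || !proxy.Equal(peer) {
		return peer.String() // untrusted peer: forwarding metadata is ignored
	}
	// Assumption: x-real-ip wins over x-forwarded-for when both parse.
	if v := md["x-real-ip"]; len(v) > 0 {
		if ip := net.ParseIP(strings.TrimSpace(v[len(v)-1])); ip != nil {
			return ip.String()
		}
	}
	// Assumption: the proxy appends to x-forwarded-for, so only the
	// right-most entry was written by the trusted hop itself.
	if v := md["x-forwarded-for"]; len(v) > 0 {
		parts := strings.Split(v[len(v)-1], ",")
		if ip := net.ParseIP(strings.TrimSpace(parts[len(parts)-1])); ip != nil {
			return ip.String()
		}
	}
	return peer.String() // no header, or an invalid one: fall back to the peer
}

func main() {
	// Constructed sample metadata using documentation address ranges.
	md := map[string][]string{"x-forwarded-for": {"198.51.100.7, 203.0.113.9"}}
	fmt.Println(clientIP("10.0.0.1:4000", md, "10.0.0.1"))   // via trusted proxy
	fmt.Println(clientIP("192.0.2.50:4000", md, "10.0.0.1")) // direct, untrusted
}
```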