From d35ddc77d285879a4f5dd8a40497bf58930cb30e Mon Sep 17 00:00:00 2001
From: syuilo <4439005+syuilo@users.noreply.github.com>
Date: Tue, 16 Dec 2025 19:56:44 +0900
Subject: [PATCH] =?UTF-8?q?enhance(backend):=20request=20ip=20=E3=81=8C=20?=
 =?UTF-8?q?localhost=20=E3=81=A0=E3=81=A3=E3=81=9F=E5=A0=B4=E5=90=88?=
 =?UTF-8?q?=E3=80=81=E3=83=AC=E3=83=BC=E3=83=88=E3=83=AA=E3=83=9F=E3=83=83?=
 =?UTF-8?q?=E3=83=88=E3=82=92=E3=82=B9=E3=82=AD=E3=83=83=E3=83=97=20&=20?=
 =?UTF-8?q?=E8=AD=A6=E5=91=8A=E3=82=92=E5=87=BA=E3=81=99=E3=82=88=E3=81=86?=
 =?UTF-8?q?=E3=81=AB?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../backend/src/server/api/ApiCallService.ts  | 12 ++++++---
 .../src/server/api/SigninApiService.ts        | 24 ++++++++++-------
 .../server/api/SigninWithPasskeyApiService.ts | 26 +++++++++++--------
 3 files changed, 37 insertions(+), 25 deletions(-)

diff --git a/packages/backend/src/server/api/ApiCallService.ts b/packages/backend/src/server/api/ApiCallService.ts
index 27c79ab438..261e147040 100644
--- a/packages/backend/src/server/api/ApiCallService.ts
+++ b/packages/backend/src/server/api/ApiCallService.ts
@@ -313,12 +313,16 @@ export class ApiCallService implements OnApplicationShutdown {
 		}
 
 		if (ep.meta.limit) {
-			// koa will automatically load the `X-Forwarded-For` header if `proxy: true` is configured in the app.
-			let limitActor: string;
+			let limitActor: string | null;
 			if (user) {
 				limitActor = user.id;
 			} else {
-				limitActor = getIpHash(request.ip);
+				if (request.ip === '::1' || request.ip === '127.0.0.1') {
+					console.warn('request ip is localhost, maybe caused by misconfiguration of trustProxy or reverse proxy');
+					limitActor = null;
+				} else {
+					limitActor = getIpHash(request.ip);
+				}
 			}
 
 			const limit = Object.assign({}, ep.meta.limit);
@@ -330,7 +334,7 @@ export class ApiCallService implements OnApplicationShutdown {
 			// TODO: 毎リクエスト計算するのもあれだしキャッシュしたい
 			const factor = user ? (await this.roleService.getUserPolicies(user.id)).rateLimitFactor : 1;
 
-			if (factor > 0) {
+			if (limitActor != null && factor > 0) {
 				// Rate limit
 				const rateLimit = await this.rateLimiterService.limit(limit as IEndpointMeta['limit'] & { key: NonNullable<string> }, limitActor, factor);
 				if (rateLimit != null) {
diff --git a/packages/backend/src/server/api/SigninApiService.ts b/packages/backend/src/server/api/SigninApiService.ts
index 3e889372d8..14726f8411 100644
--- a/packages/backend/src/server/api/SigninApiService.ts
+++ b/packages/backend/src/server/api/SigninApiService.ts
@@ -89,17 +89,21 @@ export class SigninApiService {
 			return { error };
 		}
 
+		if (request.ip === '::1' || request.ip === '127.0.0.1') {
+			console.warn('request ip is localhost, maybe caused by misconfiguration of trustProxy or reverse proxy');
+		} else {
 		// not more than 1 attempt per second and not more than 10 attempts per hour
-		const rateLimit = await this.rateLimiterService.limit({ key: 'signin', duration: 60 * 60 * 1000, max: 10, minInterval: 1000 }, getIpHash(request.ip));
-		if (rateLimit != null) {
-			reply.code(429);
-			return {
-				error: {
-					message: 'Too many failed attempts to sign in. Try again later.',
-					code: 'TOO_MANY_AUTHENTICATION_FAILURES',
-					id: '22d05606-fbcf-421a-a2db-b32610dcfd1b',
-				},
-			};
+			const rateLimit = await this.rateLimiterService.limit({ key: 'signin', duration: 60 * 60 * 1000, max: 10, minInterval: 1000 }, getIpHash(request.ip));
+			if (rateLimit != null) {
+				reply.code(429);
+				return {
+					error: {
+						message: 'Too many failed attempts to sign in. Try again later.',
+						code: 'TOO_MANY_AUTHENTICATION_FAILURES',
+						id: '22d05606-fbcf-421a-a2db-b32610dcfd1b',
+					},
+				};
+			}
 		}
 
 		if (typeof username !== 'string') {
diff --git a/packages/backend/src/server/api/SigninWithPasskeyApiService.ts b/packages/backend/src/server/api/SigninWithPasskeyApiService.ts
index 9ba23c54e2..1b89752340 100644
--- a/packages/backend/src/server/api/SigninWithPasskeyApiService.ts
+++ b/packages/backend/src/server/api/SigninWithPasskeyApiService.ts
@@ -84,19 +84,23 @@ export class SigninWithPasskeyApiService {
 			return error(status ?? 500, failure ?? { id: '4e30e80c-e338-45a0-8c8f-44455efa3b76' });
 		};
 
-		try {
+		if (request.ip === '::1' || request.ip === '127.0.0.1') {
+			console.warn('request ip is localhost, maybe caused by misconfiguration of trustProxy or reverse proxy');
+		} else {
+			try {
 			// Not more than 1 API call per 250ms and not more than 100 attempts per 30min
 			// NOTE: 1 Sign-in require 2 API calls
-			await this.rateLimiterService.limit({ key: 'signin-with-passkey', duration: 60 * 30 * 1000, max: 200, minInterval: 250 }, getIpHash(request.ip));
-		} catch (err) {
-			reply.code(429);
-			return {
-				error: {
-					message: 'Too many failed attempts to sign in. Try again later.',
-					code: 'TOO_MANY_AUTHENTICATION_FAILURES',
-					id: '22d05606-fbcf-421a-a2db-b32610dcfd1b',
-				},
-			};
+				await this.rateLimiterService.limit({ key: 'signin-with-passkey', duration: 60 * 30 * 1000, max: 200, minInterval: 250 }, getIpHash(request.ip));
+			} catch (err) {
+				reply.code(429);
+				return {
+					error: {
+						message: 'Too many failed attempts to sign in. Try again later.',
+						code: 'TOO_MANY_AUTHENTICATION_FAILURES',
+						id: '22d05606-fbcf-421a-a2db-b32610dcfd1b',
+					},
+				};
+			}
 		}
 
 		// Initiate Passkey Auth challenge with context