enhance(backend): request ip が localhost だった場合、レートリミットをスキップ & 警告を出すように

2025-12-16 19:56:44 +09:00 · 2025-12-16 19:56:44 +09:00 · d35ddc77d2
parent 8d871a58e3
commit d35ddc77d2
3 changed files with 37 additions and 25 deletions
--- a/packages/backend/src/server/api/ApiCallService.ts
+++ b/packages/backend/src/server/api/ApiCallService.ts
@ -313,13 +313,17 @@ export class ApiCallService implements OnApplicationShutdown {
 		}

 		if (ep.meta.limit) {
-			// koa will automatically load the `X-Forwarded-For` header if `proxy: true` is configured in the app.
-			let limitActor: string;
+			let limitActor: string | null;
 			if (user) {
 				limitActor = user.id;
+			} else {
+				if (request.ip === '::1' || request.ip === '127.0.0.1') {
+					console.warn('request ip is localhost, maybe caused by misconfiguration of trustProxy or reverse proxy');
+					limitActor = null;
 				} else {
 					limitActor = getIpHash(request.ip);
 				}
+			}

 			const limit = Object.assign({}, ep.meta.limit);

@ -330,7 +334,7 @@ export class ApiCallService implements OnApplicationShutdown {
 			// TODO: 毎リクエスト計算するのもあれだしキャッシュしたい
 			const factor = user ? (await this.roleService.getUserPolicies(user.id)).rateLimitFactor : 1;

-			if (factor > 0) {
+			if (limitActor != null && factor > 0) {
 				// Rate limit
 				const rateLimit = await this.rateLimiterService.limit(limit as IEndpointMeta['limit'] & { key: NonNullable<string> }, limitActor, factor);
 				if (rateLimit != null) {
--- a/packages/backend/src/server/api/SigninApiService.ts
+++ b/packages/backend/src/server/api/SigninApiService.ts
@ -89,6 +89,9 @@ export class SigninApiService {
 			return { error };
 		}

+		if (request.ip === '::1' || request.ip === '127.0.0.1') {
+			console.warn('request ip is localhost, maybe caused by misconfiguration of trustProxy or reverse proxy');
+		} else {
 		// not more than 1 attempt per second and not more than 10 attempts per hour
 			const rateLimit = await this.rateLimiterService.limit({ key: 'signin', duration: 60 * 60 * 1000, max: 10, minInterval: 1000 }, getIpHash(request.ip));
 			if (rateLimit != null) {
@ -101,6 +104,7 @@ export class SigninApiService {
 					},
 				};
 			}
+		}

 		if (typeof username !== 'string') {
 			reply.code(400);
--- a/packages/backend/src/server/api/SigninWithPasskeyApiService.ts
+++ b/packages/backend/src/server/api/SigninWithPasskeyApiService.ts
@ -84,6 +84,9 @@ export class SigninWithPasskeyApiService {
 			return error(status ?? 500, failure ?? { id: '4e30e80c-e338-45a0-8c8f-44455efa3b76' });
 		};

+		if (request.ip === '::1' || request.ip === '127.0.0.1') {
+			console.warn('request ip is localhost, maybe caused by misconfiguration of trustProxy or reverse proxy');
+		} else {
 			try {
 			// Not more than 1 API call per 250ms and not more than 100 attempts per 30min
 			// NOTE: 1 Sign-in require 2 API calls
@ -98,6 +101,7 @@ export class SigninWithPasskeyApiService {
 					},
 				};
 			}
+		}

 		// Initiate Passkey Auth challenge with context
 		if (!credential) {