fix(gateway): trusted-proxy auth rejected when bind=loopback (#20097)

Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: 8de62f1a8f Co-authored-by: xinhuagu <562450+xinhuagu@users.noreply.github.com> Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky
2026-05-08 19:28:28 +00:00 · 2026-02-20 18:51:35 +01:00
parent 868fe48d58
commit 9c5249714d
5 changed files with 32 additions and 15 deletions
--- a/src/gateway/server-runtime-config.test.ts
+++ b/src/gateway/server-runtime-config.test.ts
@@ -30,7 +30,7 @@ describe("resolveGatewayRuntimeConfig", () => {
      expect(result.bindHost).toBe("0.0.0.0");
    });

-    it("should reject loopback binding with trusted-proxy auth mode", async () => {
+    it("should allow loopback binding with trusted-proxy auth mode", async () => {
      const cfg = {
        gateway: {
          bind: "loopback" as const,
@@ -40,7 +40,28 @@ describe("resolveGatewayRuntimeConfig", () => {
              userHeader: "x-forwarded-user",
            },
          },
-          trustedProxies: ["192.168.1.1"],
+          trustedProxies: ["127.0.0.1"],
+        },
+      };
+
+      const result = await resolveGatewayRuntimeConfig({
+        cfg,
+        port: 18789,
+      });
+      expect(result.bindHost).toBe("127.0.0.1");
+    });
+
+    it("should reject loopback trusted-proxy without trustedProxies configured", async () => {
+      const cfg = {
+        gateway: {
+          bind: "loopback" as const,
+          auth: {
+            mode: "trusted-proxy" as const,
+            trustedProxy: {
+              userHeader: "x-forwarded-user",
+            },
+          },
+          trustedProxies: [],
        },
      };

@@ -49,7 +70,9 @@ describe("resolveGatewayRuntimeConfig", () => {
          cfg,
          port: 18789,
        }),
-      ).rejects.toThrow("gateway auth mode=trusted-proxy makes no sense with bind=loopback");
+      ).rejects.toThrow(
+        "gateway auth mode=trusted-proxy requires gateway.trustedProxies to be configured",
+      );
    });

    it("should reject trusted-proxy without trustedProxies configured", async () => {
--- a/src/gateway/server-runtime-config.ts
+++ b/src/gateway/server-runtime-config.ts
@@ -117,11 +117,6 @@ export async function resolveGatewayRuntimeConfig(params: {
  }

  if (authMode === "trusted-proxy") {
-    if (isLoopbackHost(bindHost)) {
-      throw new Error(
-        "gateway auth mode=trusted-proxy makes no sense with bind=loopback; use bind=lan or bind=custom with gateway.trustedProxies configured",
-      );
-    }
    if (trustedProxies.length === 0) {
      throw new Error(
        "gateway auth mode=trusted-proxy requires gateway.trustedProxies to be configured with at least one proxy IP",