fix: honor trusted proxy client IPs (PR #1654)

Thanks @ndbroadbent. Co-authored-by: Nathan Broadbent <git@ndbroadbent.com>
2026-05-08 09:11:26 +00:00 · 2026-01-25 01:51:31 +00:00
parent 2684a364c6
commit e6e71457e0
15 changed files with 189 additions and 20 deletions
--- a/src/gateway/server-http.ts
+++ b/src/gateway/server-http.ts
@@ -227,21 +227,36 @@ export function createGatewayHttpServer(opts: {
    if (String(req.headers.upgrade ?? "").toLowerCase() === "websocket") return;

    try {
+      const configSnapshot = loadConfig();
+      const trustedProxies = configSnapshot.gateway?.trustedProxies ?? [];
      if (await handleHooksRequest(req, res)) return;
      if (await handleSlackHttpRequest(req, res)) return;
      if (handlePluginRequest && (await handlePluginRequest(req, res))) return;
-      if (await handleToolsInvokeHttpRequest(req, res, { auth: resolvedAuth })) return;
+      if (
+        await handleToolsInvokeHttpRequest(req, res, {
+          auth: resolvedAuth,
+          trustedProxies,
+        })
+      )
+        return;
      if (openResponsesEnabled) {
        if (
          await handleOpenResponsesHttpRequest(req, res, {
            auth: resolvedAuth,
            config: openResponsesConfig,
+            trustedProxies,
          })
        )
          return;
      }
      if (openAiChatCompletionsEnabled) {
-        if (await handleOpenAiHttpRequest(req, res, { auth: resolvedAuth })) return;
+        if (
+          await handleOpenAiHttpRequest(req, res, {
+            auth: resolvedAuth,
+            trustedProxies,
+          })
+        )
+          return;
      }
      if (canvasHost) {
        if (await handleA2uiHttpRequest(req, res)) return;
@@ -251,14 +266,14 @@ export function createGatewayHttpServer(opts: {
        if (
          handleControlUiAvatarRequest(req, res, {
            basePath: controlUiBasePath,
-            resolveAvatar: (agentId) => resolveAgentAvatar(loadConfig(), agentId),
+            resolveAvatar: (agentId) => resolveAgentAvatar(configSnapshot, agentId),
          })
        )
          return;
        if (
          handleControlUiHttpRequest(req, res, {
            basePath: controlUiBasePath,
-            config: loadConfig(),
+            config: configSnapshot,
          })
        )
          return;