feat: add trust_proxy_headers switch for auth rate-limit IP source

Raven95676 · Raven95676 · commit 2d12187a953b · 2026-05-14T21:26:55.000+08:00
diff --git a/astrbot/core/config/default.py b/astrbot/core/config/default.py
@@ -252,6 +252,7 @@
         "host": "0.0.0.0",
         "port": 6185,
         "disable_access_log": True,
+        "trust_proxy_headers": False,
         "totp": {
             "enable": False,
             "secret": "",
@@ -2971,6 +2972,7 @@
                 "options": ["DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"],
             },
             "dashboard.ssl.enable": {"type": "bool"},
+            "dashboard.trust_proxy_headers": {"type": "bool"},
             "dashboard.ssl.cert_file": {
                 "type": "string",
                 "condition": {"dashboard.ssl.enable": True},
@@ -4213,6 +4215,11 @@
                         "type": "bool",
                         "hint": "启用后，WebUI 将直接使用 HTTPS 提供服务。",
                     },
+                    "dashboard.trust_proxy_headers": {
+                        "description": "信任代理请求头获取客户端 IP",
+                        "type": "bool",
+                        "hint": "关闭时忽略 X-Forwarded-For/X-Real-IP，仅使用连接地址。",
+                    },
                     "dashboard.totp.enable": {
                         "description": "启用 WebUI TOTP 双因素认证",
                         "type": "bool",
diff --git a/astrbot/dashboard/server.py b/astrbot/dashboard/server.py
@@ -283,10 +283,11 @@ async def auth_middleware(self):
             os.environ.get("ASTRBOT_TEST_MODE") != "true"
             and request.path in _RATE_LIMITED_ENDPOINTS
         ):
-            limiter = _rate_limiters.get(request.path)
+            client_ip = self._get_request_client_ip()
+            limiter = _rate_limiters.get(client_ip)
             if limiter is None:
                 limiter = _AuthRateLimiter(capacity=3, refill_rate=1.0)
-                _rate_limiters[request.path] = limiter
+                _rate_limiters[client_ip] = limiter
             if not await limiter.acquire():
                 r = jsonify(
                     Response()
@@ -345,6 +346,26 @@ async def auth_middleware(self):
             r.status_code = 401
             return r
 
+    def _get_request_client_ip(self) -> str:
+        trust_proxy_headers = bool(
+            self.config.get("dashboard", {}).get("trust_proxy_headers", False)
+        )
+        if trust_proxy_headers:
+            forwarded_for = request.headers.get("X-Forwarded-For", "").strip()
+            if forwarded_for:
+                first_ip = forwarded_for.split(",", 1)[0].strip()
+                if first_ip and first_ip.lower() != "unknown":
+                    return first_ip
+
+            real_ip = request.headers.get("X-Real-IP", "").strip()
+            if real_ip and real_ip.lower() != "unknown":
+                return real_ip
+
+        remote_addr = request.remote_addr
+        if remote_addr:
+            return str(remote_addr)
+        return "unknown"
+
     @staticmethod
     def _extract_dashboard_jwt() -> str | None:
         auth_header = request.headers.get("Authorization", "").strip()
diff --git a/dashboard/src/i18n/locales/en-US/features/config-metadata.json b/dashboard/src/i18n/locales/en-US/features/config-metadata.json
@@ -1088,6 +1088,10 @@
         "hint": "When disabled, AstrBot will not upload anonymous usage statistics."
       },
       "dashboard": {
+        "trust_proxy_headers": {
+          "description": "Trust Proxy Headers for Client IP",
+          "hint": "When disabled, ignore X-Forwarded-For/X-Real-IP and use the connection address only."
+        },
         "ssl": {
           "enable": {
             "description": "Enable WebUI HTTPS",
diff --git a/dashboard/src/i18n/locales/ru-RU/features/config-metadata.json b/dashboard/src/i18n/locales/ru-RU/features/config-metadata.json
@@ -1089,6 +1089,10 @@
                 "hint": "После отключения AstrBot не будет отправлять анонимные данные об использовании."
             },
             "dashboard": {
+                "trust_proxy_headers": {
+                    "description": "Доверять прокси-заголовкам для IP клиента",
+                    "hint": "Если выключено, X-Forwarded-For/X-Real-IP игнорируются и используется только адрес соединения."
+                },
                 "ssl": {
                     "enable": {
                         "description": "Включить HTTPS для WebUI",
diff --git a/dashboard/src/i18n/locales/zh-CN/features/config-metadata.json b/dashboard/src/i18n/locales/zh-CN/features/config-metadata.json
@@ -1090,6 +1090,10 @@
         "hint": "禁用后，AstrBot 将不再上传匿名使用统计数据。"
       },
       "dashboard": {
+        "trust_proxy_headers": {
+          "description": "信任代理请求头获取客户端 IP",
+          "hint": "关闭时忽略 X-Forwarded-For/X-Real-IP，仅使用连接地址。"
+        },
         "ssl": {
           "enable": {
             "description": "启用 WebUI HTTPS",
diff --git a/tests/test_dashboard.py b/tests/test_dashboard.py
@@ -18,6 +18,7 @@
 from quart import Quart, jsonify
 from werkzeug.datastructures import FileStorage
 
+import astrbot.dashboard.server as dashboard_server
 from astrbot.core import LogBroker
 from astrbot.core.core_lifecycle import AstrBotCoreLifecycle
 from astrbot.core.db.sqlite import SQLiteDatabase
@@ -361,6 +362,107 @@ async def test_auth_login_secure_cookie_override(
     assert "SameSite=Strict" in jwt_cookie_header
 
 
+@pytest.mark.asyncio
+async def test_auth_rate_limit_uses_client_ip_bucket_across_paths(
+    app: Quart,
+    core_lifecycle_td: AstrBotCoreLifecycle,
+    monkeypatch: pytest.MonkeyPatch,
+):
+    monkeypatch.setenv("ASTRBOT_TEST_MODE", "false")
+    dashboard_server._rate_limiters.clear()
+    original_value = core_lifecycle_td.astrbot_config["dashboard"].get(
+        "trust_proxy_headers", False
+    )
+    core_lifecycle_td.astrbot_config["dashboard"]["trust_proxy_headers"] = True
+
+    try:
+        test_client = app.test_client()
+        headers = {"X-Forwarded-For": "198.51.100.10"}
+        await test_client.post(
+            "/api/auth/login",
+            json={"username": "wrong", "password": "wrong"},
+            headers=headers,
+        )
+        await test_client.post("/api/auth/totp/setup", json={}, headers=headers)
+
+        assert len(dashboard_server._rate_limiters) == 1
+        assert "198.51.100.10" in dashboard_server._rate_limiters
+    finally:
+        core_lifecycle_td.astrbot_config["dashboard"]["trust_proxy_headers"] = (
+            original_value
+        )
+
+
+@pytest.mark.asyncio
+async def test_auth_rate_limit_separates_different_client_ips(
+    app: Quart,
+    core_lifecycle_td: AstrBotCoreLifecycle,
+    monkeypatch: pytest.MonkeyPatch,
+):
+    monkeypatch.setenv("ASTRBOT_TEST_MODE", "false")
+    dashboard_server._rate_limiters.clear()
+    original_value = core_lifecycle_td.astrbot_config["dashboard"].get(
+        "trust_proxy_headers", False
+    )
+    core_lifecycle_td.astrbot_config["dashboard"]["trust_proxy_headers"] = True
+
+    try:
+        test_client = app.test_client()
+        await test_client.post(
+            "/api/auth/login",
+            json={"username": "wrong", "password": "wrong"},
+            headers={"X-Forwarded-For": "198.51.100.10"},
+        )
+        await test_client.post(
+            "/api/auth/login",
+            json={"username": "wrong", "password": "wrong"},
+            headers={"X-Forwarded-For": "198.51.100.11"},
+        )
+
+        assert len(dashboard_server._rate_limiters) == 2
+        assert "198.51.100.10" in dashboard_server._rate_limiters
+        assert "198.51.100.11" in dashboard_server._rate_limiters
+    finally:
+        core_lifecycle_td.astrbot_config["dashboard"]["trust_proxy_headers"] = (
+            original_value
+        )
+
+
+@pytest.mark.asyncio
+async def test_auth_rate_limit_ignores_proxy_headers_by_default(
+    app: Quart,
+    core_lifecycle_td: AstrBotCoreLifecycle,
+    monkeypatch: pytest.MonkeyPatch,
+):
+    monkeypatch.setenv("ASTRBOT_TEST_MODE", "false")
+    dashboard_server._rate_limiters.clear()
+    original_value = core_lifecycle_td.astrbot_config["dashboard"].get(
+        "trust_proxy_headers", False
+    )
+    core_lifecycle_td.astrbot_config["dashboard"]["trust_proxy_headers"] = False
+
+    try:
+        test_client = app.test_client()
+        await test_client.post(
+            "/api/auth/login",
+            json={"username": "wrong", "password": "wrong"},
+            headers={"X-Forwarded-For": "198.51.100.20"},
+        )
+        await test_client.post(
+            "/api/auth/login",
+            json={"username": "wrong", "password": "wrong"},
+            headers={"X-Forwarded-For": "198.51.100.21"},
+        )
+
+        assert len(dashboard_server._rate_limiters) == 1
+        assert "198.51.100.20" not in dashboard_server._rate_limiters
+        assert "198.51.100.21" not in dashboard_server._rate_limiters
+    finally:
+        core_lifecycle_td.astrbot_config["dashboard"]["trust_proxy_headers"] = (
+            original_value
+        )
+
+
 @pytest.mark.asyncio
 async def test_auth_login_requires_totp_when_enabled_and_not_trusted(
     app: Quart,
