fix(server): resilient rate-limit key + narrower trustProxy for reverse-proxy setups (#1303)

Two production fixes triggered by the fastify 5.8.5 security patch for
CVE-2026-33806 (trustProxy socketAddr null-check). Under the tightened
code path, `request.ip` can resolve to `undefined` when the raw TCP
socket lacks metadata, which collapses `@fastify/rate-limit`'s default
`keyGenerator` (which uses `request.ip`) to a single `undefined`
bucket — effectively shared across all unknown-IP callers.

Changes:
- `server/src/plugins/rateLimitPlugin.ts`: add explicit keyGenerator
  that falls back through `request.ip` → first x-forwarded-for →
  x-real-ip → literal "unknown". Unknown-IP requests are still
  rate-limited (bucketed as "unknown") rather than silently shared.
- `server/src/app.ts`: pass `trustProxy: 1` (number of hops) instead
  of boolean `true`. We sit behind exactly one reverse proxy in
  production; the number-based path is the more precise and robust
  semantic, and it's the code path explicitly restored/hardened in
  5.8.5 per the CVE advisory.

Public `/api/config` still exposes `trustProxy` as boolean — the
external contract is unchanged. Only the Fastify constructor arg is
narrowed.

Unblocks PR #1215 (beta → main promotion) E2E Gates by fixing the
`proxy-setup.spec.ts:186` X-Forwarded-For regression.

Co-authored-by: Frank Steiler <frank@steiler.de>
Co-authored-by: Claude backend-developer (Haiku 4.5) <noreply@anthropic.com>

Author: 3 people

server/src/app.ts

@@ -65,7 +65,7 @@ export async function buildApp(): Promise<FastifyInstance> {
     logger: {
       level: process.env.LOG_LEVEL || 'info',
     },
-    trustProxy: process.env.TRUST_PROXY === 'true',
+    trustProxy: process.env.TRUST_PROXY === 'true' ? 1 : false,
   });
 
   // Add custom HTTP methods for WebDAV (CalDAV/CardDAV)

server/src/plugins/rateLimitPlugin.ts

@@ -8,6 +8,19 @@ export default fp(
       global: false,
       max: 200,
       timeWindow: '1 minute',
+      keyGenerator: (request) => {
+        const ip = request.ip;
+        if (ip) return ip;
+        const fwdFor = request.headers['x-forwarded-for'];
+        if (fwdFor) {
+          // X-Forwarded-For may be comma-separated; use the first (client) IP
+          const first = Array.isArray(fwdFor) ? fwdFor[0] : fwdFor.split(',')[0]?.trim();
+          if (first) return first;
+        }
+        const realIp = request.headers['x-real-ip'];
+        if (typeof realIp === 'string' && realIp.length > 0) return realIp;
+        return 'unknown';
+      },
       errorResponseBuilder: (_request, context) =>
         new AppError(
           'RATE_LIMIT_EXCEEDED',