3x-ui/docs/Tasktracking/2026-04-25-fix-login-ratelimit-and-ip-spoofing.md at e29584258bc1a5c55bd6802cd084010d88ef8373 - Alex-Devera/3x-ui - Forgejo: Beyond coding. We Forge.

Alex-Devera/3x-ui

mirror of https://github.com/MHSanaei/3x-ui.git synced 2026-06-06 21:24:10 +00:00

root e29584258b docs: update tasktracking with CF-Connecting-IP trust

2026-04-25 11:45:22 +08:00

1.1 KiB

Raw Blame History

Changes

Add RateLimitMiddleware(10, time.Minute) to POST /login endpoint (was unprotected, only register had rate limiting)
Fix getRemoteIp() to use c.Request.RemoteAddr instead of trusting X-Real-IP / X-Forwarded-For headers
Fix RateLimitMiddleware to use RemoteAddr directly, preventing IP-based rate limit bypass via header spoofing

Security Issue

Login endpoint had zero rate limiting, enabling unlimited brute-force attempts
Both IP extraction and rate limiter trusted client-supplied headers, allowing attackers to spoof IPs and bypass all rate limiting

Files Modified

web/controller/index.go — add rate limit middleware to login route
web/controller/util.go — use RemoteAddr in getRemoteIp()
web/middleware/ratelimit.go — use RemoteAddr in rate limiter

Note

Trusts Cloudflare's CF-Connecting-IP header (CF overwrites it, clients cannot spoof)
Falls back to RemoteAddr for direct connections without CDN
X-Real-IP / X-Forwarded-For are NOT trusted (can be spoofed by clients)