fix(server,agent): apply Tasks 3-5 review fixes (non-blocking)
All checks were successful
From the secure-session-core Tasks 3-5 code review (APPROVE-WITH-FIXES):

- MEDIUM-2: delete the dead `validate_agent_key` "accept-any-key" placeholder + its AuthenticatedAgent/AuthState scaffolding (zero callers; the real agent auth is validate_agent_api_key + per-agent cak_ keys). Removes an auth landmine.
- LOW-3: stop interpolating support-code values into 3 relay log lines (bearer credentials).
- LOW-1: document the X-Real-IP trust requirement in ip_extract.rs (NPM must set it from $remote_addr); behavior unchanged.
- LOW-2: correct the consent/heartbeat comment in agent session loop (the loop awaits the dialog; safe because CONSENT_TIMEOUT 60s < HEARTBEAT_TIMEOUT 90s).

cargo fmt/clippy(-D warnings)/test all green on GURU-5070 (89 tests, 0 warnings).

MEDIUM-1 (viewer-token logout revocation) remains a tracked follow-up.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
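The LOW-1 item above is a trust requirement on the proxy, not something the server can verify at runtime. The following is an added example, not the project's `ip_extract.rs`: a std-only Rust model of the trusted-proxy gate, plus a toy proxy hop that can be configured correctly (X-Real-IP overwritten from the TCP peer, as `proxy_set_header X-Real-IP $remote_addr;` does) or incorrectly (the client's own X-Real-IP passed through). `TrustedProxies`, `Headers`, `header_single_ip`, `proxy_forward` and all addresses are assumptions for illustration; the real `client_ip` works on `http::HeaderMap` and a different `TrustedProxies` type.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, SocketAddr};

/// Hypothetical stand-in for the project's `TrustedProxies`: the peer
/// addresses (the reverse proxy, e.g. NPM) whose X-Real-IP we will believe.
pub struct TrustedProxies {
    peers: Vec<IpAddr>,
}

impl TrustedProxies {
    pub fn new(peers: &[&str]) -> Self {
        let peers = peers.iter().map(|p| p.parse::<IpAddr>().expect("valid ip")).collect();
        TrustedProxies { peers }
    }

    /// The gate authenticates only the immediate TCP hop.
    pub fn is_trusted(&self, peer: &SocketAddr) -> bool {
        self.peers.contains(&peer.ip())
    }
}

/// Header map stand-in: lowercased name -> every value sent under that name.
pub type Headers = HashMap<String, Vec<String>>;

pub fn headers(pairs: &[(&str, &str)]) -> Headers {
    let mut h = Headers::new();
    for (name, value) in pairs {
        h.entry(name.to_ascii_lowercase()).or_default().push(value.to_string());
    }
    h
}

/// X-Real-IP is only usable as exactly one header carrying exactly one IP.
/// A repeated header or a non-IP value is treated as absent.
fn header_single_ip(h: &Headers, name: &str) -> Option<IpAddr> {
    match h.get(name).map(Vec::as_slice) {
        Some([value]) => value.trim().parse().ok(),
        _ => None,
    }
}

/// Client IP used for rate limiting and audit logging.
pub fn client_ip(peer: &SocketAddr, h: &Headers, trusted: &TrustedProxies) -> IpAddr {
    // Untrusted peer: the TCP source address is the only thing we can vouch
    // for. Any X-Real-IP it sent is attacker-controlled and ignored.
    if !trusted.is_trusted(peer) {
        return peer.ip();
    }
    // Trusted peer: honour X-Real-IP. This trusts the proxy *configuration*
    // (`proxy_set_header X-Real-IP $remote_addr;`), not the header itself;
    // the gate above cannot tell an overwritten header from a passed-through one.
    if let Some(ip) = header_single_ip(h, "x-real-ip") {
        return ip;
    }
    // Trusted proxy that set no usable X-Real-IP: fall back to the peer itself
    // (the proxy's own address) rather than inventing a client.
    peer.ip()
}

/// Toy model of the proxy hop (hypothetical). `overwrite_real_ip == true` is
/// the correct `proxy_set_header X-Real-IP $remote_addr;`; `false` models a
/// proxy that passes the client's own X-Real-IP through, which is the
/// misconfiguration the ip_extract.rs comment warns about.
pub fn proxy_forward(client: &SocketAddr, client_headers: &Headers, overwrite_real_ip: bool) -> Headers {
    let mut forwarded = client_headers.clone();
    if overwrite_real_ip {
        forwarded.insert("x-real-ip".to_string(), vec![client.ip().to_string()]);
    }
    forwarded
}

fn main() {
    // Constructed addresses: the proxy, an internet client, and a spoof target.
    let trusted = TrustedProxies::new(&["172.18.0.2"]);
    let proxy: SocketAddr = "172.18.0.2:51234".parse().unwrap();
    let client: SocketAddr = "203.0.113.7:40000".parse().unwrap();
    let spoof = headers(&[("X-Real-IP", "10.0.0.1")]);

    let good = client_ip(&proxy, &proxy_forward(&client, &spoof, true), &trusted);
    let bad = client_ip(&proxy, &proxy_forward(&client, &spoof, false), &trusted);
    let direct = client_ip(&client, &spoof, &trusted);
    println!("correct proxy config : {}", good);   // 203.0.113.7
    println!("pass-through config  : {}", bad);    // 10.0.0.1 (spoofed)
    println!("untrusted direct peer: {}", direct); // 203.0.113.7
}
```

The second case is the point of the comment being added in this commit: once the peer is trusted, the server has no way to distinguish a proxy that overwrote X-Real-IP from one that merely relayed it, so the rate-limit and audit-log identity is only as good as the proxy's `proxy_set_header` line.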
@@ -154,6 +154,14 @@ pub fn client_ip(peer: &SocketAddr, headers: &HeaderMap, trusted: &TrustedProxie
}
// Trusted peer: prefer the single-value X-Real-IP if the proxy set it.
//
// SECURITY: we take X-Real-IP verbatim here, trusting it as set by the
// reverse proxy. The proxy (NPM) MUST overwrite it from the real TCP peer:
// proxy_set_header X-Real-IP $remote_addr;
// It must NOT pass through a client-supplied X-Real-IP. A trusted peer that
// forwards an attacker-controlled value would let the client spoof the IP
// used for rate-limiting and audit logging. The trusted-proxy gate above
// only authenticates the immediate hop, not the contents of this header.
if let Some(ip) = header_single_ip(headers, X_REAL_IP) {
return ip;
}
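Review bot: the `// SECURITY:` block documents what the proxy must do but not what this function does when X-Real-IP is absent or unusable, so a reader of an audit log entry cannot tell from this comment whether the recorded address came from the header or from a fall-through path; add one line after `// only authenticates the immediate hop, not the contents of this header.` stating what `client_ip` returns when `header_single_ip(headers, X_REAL_IP)` yields `None`. Minor wording: "we take X-Real-IP verbatim here" overstates it, since the value still goes through `header_single_ip`, which by its name requires a single parseable IP; "we trust the parsed value of X-Real-IP" is more accurate and avoids suggesting the raw header string reaches the rate limiter or log line.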