From 5d219095b324efdd29273f1dd0f19fb56959d9db Mon Sep 17 00:00:00 2001
From: fuomag9 <1580624+fuomag9@users.noreply.github.com>
Date: Wed, 25 Feb 2026 09:25:34 +0100
Subject: [PATCH] fix: use rightmost XFF entry in rate limiter to prevent IP spoofing

Co-Authored-By: Claude Sonnet 4.6
---
 app/api/auth/[...nextauth]/route.ts | 3 ++-
 app/api/instances/sync/route.ts | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/app/api/auth/[...nextauth]/route.ts b/app/api/auth/[...nextauth]/route.ts
index 7e6035fa..bb5ebb25 100644
--- a/app/api/auth/[...nextauth]/route.ts
+++ b/app/api/auth/[...nextauth]/route.ts
@@ -12,7 +12,8 @@ function getClientIp(request: NextRequest): string {
 // In production, ensure your reverse proxy (Caddy) sets these headers correctly
 const forwarded = request.headers.get("x-forwarded-for");
 if (forwarded) {
- return forwarded.split(",")[0]?.trim() || "unknown";
+ const parts = forwarded.split(",");
+ return parts[parts.length - 1]?.trim() || "unknown";
 }
 const real = request.headers.get("x-real-ip");
 if (real) {
diff --git a/app/api/instances/sync/route.ts b/app/api/instances/sync/route.ts
index d4b75697..a2e62313 100644
--- a/app/api/instances/sync/route.ts
+++ b/app/api/instances/sync/route.ts
@@ -24,7 +24,8 @@ function secureTokenCompare(a: string, b: string): boolean {
 function getClientIp(request: NextRequest): string {
 const forwarded = request.headers.get("x-forwarded-for");
 if (forwarded) {
- return forwarded.split(",")[0]?.trim() || "unknown";
+ const parts = forwarded.split(",");
+ return parts[parts.length - 1]?.trim() || "unknown";
 }
 const real = request.headers.get("x-real-ip");
 if (real) {
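Review bot: The new `parts[parts.length - 1]` line yields the client's address only when exactly one trusted proxy appends to x-forwarded-for and the app is reachable through that proxy alone; if Caddy itself sits behind a CDN or load balancer that also appends, the rightmost entry is that intermediary's address and every client collapses into a single rate-limit bucket, so one abusive client can lock out all the others. The same two lines are added to getClientIp in app/api/instances/sync/route.ts, which duplicates the function instead of sharing one helper, so any later adjustment has to be made twice. I would make the hop count explicit rather than hard-coding the last entry, e.g. `const TRUSTED_PROXY_COUNT = 1; // proxies that append to XFF (Caddy only); raise if a CDN/LB fronts Caddy` and `return parts[parts.length - TRUSTED_PROXY_COUNT]?.trim() || "unknown";`, and tighten the existing comment to `// Rightmost XFF entry is the address seen by the last trusted proxy; the app must only be reachable through Caddy, otherwise this header is client-controlled`. getClientIp's body continues past the hunk in both files.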