Fix session cookie routing and proxy-aware auth throttling

2026-03-01 23:57:31 -05:00
parent b8375e82f7
commit 2956fa8083
5 changed files with 90 additions and 9 deletions
--- a/server/tests/test_server_message_handling.py
+++ b/server/tests/test_server_message_handling.py
@@ -3,6 +3,7 @@ from __future__ import annotations
 import asyncio
 import json
 from pathlib import Path
+from types import SimpleNamespace
 from time import monotonic
 from typing import cast
 import uuid
@@ -23,6 +24,32 @@ def _packet_types(payloads: list[object]) -> list[str]:
    return [getattr(packet, "type", "") for packet in payloads]


+def test_client_ip_prefers_forwarded_for_from_loopback_proxy() -> None:
+    server = SignalingServer("127.0.0.1", 8765, None, None)
+    ws = cast(
+        ServerConnection,
+        SimpleNamespace(
+            remote_address=("127.0.0.1", 12345),
+            request=SimpleNamespace(headers={"X-Forwarded-For": "198.51.100.25, 127.0.0.1"}),
+        ),
+    )
+    client = ClientConnection(websocket=ws, id="u1", nickname="tester")
+    assert server._client_ip(client) == "198.51.100.25"
+
+
+def test_client_ip_ignores_forwarded_for_from_non_loopback_peer() -> None:
+    server = SignalingServer("127.0.0.1", 8765, None, None)
+    ws = cast(
+        ServerConnection,
+        SimpleNamespace(
+            remote_address=("203.0.113.20", 12345),
+            request=SimpleNamespace(headers={"X-Forwarded-For": "198.51.100.25"}),
+        ),
+    )
+    client = ClientConnection(websocket=ws, id="u1", nickname="tester")
+    assert server._client_ip(client) == "203.0.113.20"
+
+
@pytest.mark.asyncio
 async def test_update_position_rejects_out_of_bounds(monkeypatch: pytest.MonkeyPatch) -> None:
    server = SignalingServer("127.0.0.1", 8765, None, None, grid_size=41)