Harden forwarded IP parsing for auth throttling

server/app/server.py

@@ -481,7 +481,10 @@ class SignalingServer:
         forwarded = str(headers.get("X-Forwarded-For", "")).strip()
         if not forwarded:
             return peer_ip
-        for candidate in forwarded.split(","):
+        # In common reverse-proxy chains, the trusted proxy appends the immediate
+        # client IP to the end of X-Forwarded-For. Read right-to-left so a
+        # client-supplied left-side value can't spoof throttling/audit identity.
+        for candidate in reversed(forwarded.split(",")):
             parsed = SignalingServer._normalized_ip(candidate)
             if parsed:
                 return parsed

server/tests/test_server_message_handling.py

@@ -30,7 +30,7 @@ def test_client_ip_prefers_forwarded_for_from_loopback_proxy() -> None:
         ServerConnection,
         SimpleNamespace(
             remote_address=("127.0.0.1", 12345),
-            request=SimpleNamespace(headers={"X-Forwarded-For": "198.51.100.25, 127.0.0.1"}),
+            request=SimpleNamespace(headers={"X-Forwarded-For": "203.0.113.10, 198.51.100.25"}),
         ),
     )
     client = ClientConnection(websocket=ws, id="u1", nickname="tester")