DanielRamosAcosta opened a new pull request, #6053:
URL: https://github.com/apache/couchdb/pull/6053

   ## Overview
   
   The auth lockout from 3.4 identifies clients by the socket peer. Behind a 
reverse proxy or CDN that peer is the proxy, so the lockout stops working: an 
attacker rotates the upstream IP, and clients sharing a proxy egress IP can 
lock each other out.
   
   This adds an optional `[chttpd_auth_lockout] client_ip_header` setting that 
names the header carrying the real client IP (`X-Forwarded-For`, `X-Real-IP`, 
`CF-Connecting-IP`). The first address is used if the header holds a list. 
Unset by default, so current behaviour is unchanged.
   
   ## Testing recommendations
   
   `make eunit apps=couch suites=couch_auth_lockout` and `make elixir 
tests=test/elixir/test/auth_lockout_test.exs`.
   
   The integration test sets `client_ip_header = X-Forwarded-For` and checks 
that one forwarded client gets locked out (403) while another still gets 401, 
so the lockout keys on the header and not on the shared socket peer.
   
   ## Related Issues or Pull Requests
   
   Fixes #6052
   
   ## Checklist
   
   - [ ] This is my own work, I did not use AI, LLM's or similar technology
   - [x] Code is written and works correctly
   - [x] Changes are covered by tests
   - [x] Any new configurable parameters are documented in 
`rel/overlay/etc/default.ini`
   - [x] Documentation changes were made in the `src/docs` folder
   - [ ] Documentation changes were backported (separated PR) to affected 
branches
   
   ## Note on AI assistance
   
   I used AI to help me understand the codebase and explore the approach. I 
reviewed and validated the design, the tests and the final code myself, so this 
is not an unreviewed AI dump. I am Spanish and my English is not great, so I 
also used AI to translate this message. Flagging it for transparency.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to