diff --git a/CHANGELOG.md b/CHANGELOG.md index 36d126e2ac7..08883f48134 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,10 @@ ## [Unreleased] +### Fixed + +- Trust the reverse proxy's `X-Forwarded-For` header for login rate limiting, so failed-login limits apply per visitor instead of collapsing into a single site-wide bucket. + ## [4.11.3] - 2026-01-05 ### Changed diff --git a/nextcloudappstore/settings/base.py b/nextcloudappstore/settings/base.py index fcf913d62f6..e622d190170 100644 --- a/nextcloudappstore/settings/base.py +++ b/nextcloudappstore/settings/base.py @@ -139,6 +139,12 @@ "manage_email": "3/h/user", } +# We run behind a single reverse proxy, which sets X-Forwarded-For. Without +# this, allauth's rate limiting (e.g. ACCOUNT_RATE_LIMITS["login_failed"] +# above) falls back to REMOTE_ADDR, which is the proxy's own address for +# every request -- collapsing per-IP limits into a single site-wide bucket. +ALLAUTH_TRUSTED_PROXY_COUNT = 1 + SITE_ID = 1 # Allauth configuration