fix(06.2): WR-07 document X-Forwarded-For trust boundary in all IP extraction code

curo1305
2026-06-01 14:29:35 +02:00
parent 2542c81602
commit 50b6e7fd06
3 changed files with 45 additions and 12 deletions
+6
@@ -377,6 +377,9 @@ async def confirm_upload(
doc.status = "uploaded"
# D-13: document uploaded event — size_bytes + storage_backend only, NO filename, NO extracted_text (T-04-07-02)
# TRUST BOUNDARY: X-Forwarded-For is client-controlled — for audit logging only,
# not for auth/access control. Use a trusted reverse proxy in production to
# overwrite this header with the real remote IP before it reaches FastAPI.
_ip = request.headers.get("X-Forwarded-For") or (request.client.host if request.client else None)
await write_audit_log(
session,
@@ -633,6 +636,9 @@ async def delete_document(
is_cloud = doc.storage_backend != "minio"
_doc_size = doc.size_bytes
_doc_id = doc.id
# TRUST BOUNDARY: X-Forwarded-For is client-controlled — for audit logging only,
# not for auth/access control. Use a trusted reverse proxy in production to
# overwrite this header with the real remote IP before it reaches FastAPI.
_ip = request.headers.get("X-Forwarded-For") or (request.client.host if request.client else None)
# Cloud routing: attempt provider delete unless remove_only is set
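Review bot: In both `confirm_upload` and `delete_document` the raw `X-Forwarded-For` value still takes precedence over `request.client.host`, so the new comment documents the trust boundary but the audit record can still hold whatever string the caller sent, and the real peer address is dropped whenever the header is present. For an audit trail the socket peer is the only address the application itself observed; consider always recording it and keeping the header as a separate, explicitly unverified field, e.g. `_peer_ip = request.client.host if request.client else None` and `_forwarded_for = request.headers.get("X-Forwarded-For")`. The header can also be a comma-separated list of arbitrary length, so it is worth bounding its size before it is written to the log. The same expression is repeated in both hunks (and, going by the commit title, in other files), so one shared helper would keep the trust rule in a single place. Both function bodies start and end outside the hunks, so how `_ip` reaches `write_audit_log` is not visible here.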