From 5e6e8852d99a8731361e7dbe281d3ecd376961b7 Mon Sep 17 00:00:00 2001
From: Jake Bromberg <jake@funlandresearch.com>
Date: Sat, 21 Feb 2026 08:31:26 -0800
Subject: [PATCH] fix: enable trust proxy for correct client IP resolution

Without trust proxy, req.ip returns the load balancer IP, making
IP-based rate limiting ineffective behind a reverse proxy.

Co-authored-by: Cursor <cursoragent@cursor.com>
---
 apps/backend/app.ts                   |  2 ++
 tests/unit/config/trust-proxy.test.ts | 10 ++++++++++
 2 files changed, 12 insertions(+)
 create mode 100644 tests/unit/config/trust-proxy.test.ts

diff --git a/apps/backend/app.ts b/apps/backend/app.ts
index e06f510..a77ea5a 100644
--- a/apps/backend/app.ts
+++ b/apps/backend/app.ts
@@ -18,6 +18,8 @@ import { requirePermissions } from '@wxyc/authentication';
 const port = process.env.PORT || 8080;
 const app = express();
 
+app.set('trust proxy', true);
+
 //Interpret parse json into js objects
 app.use(express.json());
 
diff --git a/tests/unit/config/trust-proxy.test.ts b/tests/unit/config/trust-proxy.test.ts
new file mode 100644
index 0000000..32acdc1
--- /dev/null
+++ b/tests/unit/config/trust-proxy.test.ts
@@ -0,0 +1,10 @@
+import { readFileSync } from 'fs';
+import { resolve } from 'path';
+
+describe('Express trust proxy configuration', () => {
+  const appSource = readFileSync(resolve(__dirname, '../../../apps/backend/app.ts'), 'utf-8');
+
+  it('should enable trust proxy so req.ip reflects the real client IP behind a reverse proxy', () => {
+    expect(appSource).toMatch(/app\.set\(\s*['"]trust proxy['"]/);
+  });
+});