From 843782249e41798b6bc1294e39272770d900b840 Mon Sep 17 00:00:00 2001
From: Ricardo Carneiro
Date: Fri, 15 May 2026 22:57:07 -0300
Subject: [PATCH] fix: configure ForwardedHeaders so playground rate limit uses real client IP

Without this, RemoteIpAddress was always 127.0.0.1 (nginx), making the 10-calls/day limit shared across all users instead of per-IP. Clears KnownNetworks/KnownProxies to trust Cloudflare's X-Forwarded-For.

Co-Authored-By: Claude Sonnet 4.6
---
 src/Nalu.Web/Program.cs | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/Nalu.Web/Program.cs b/src/Nalu.Web/Program.cs
index f7f271f..17c5236 100644
--- a/src/Nalu.Web/Program.cs
+++ b/src/Nalu.Web/Program.cs
@@ -257,6 +257,16 @@ StripeConfiguration.ApiKey = builder.Configuration["Stripe:SecretKey"];
 var app = builder.Build();
+// ── Forwarded headers (Cloudflare → nginx → app) ─────────────────────────────
+var fwdOpts = new ForwardedHeadersOptions
+{
+ ForwardedHeaders = Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedFor | Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedProto };
+fwdOpts.KnownNetworks.Clear(); // trust all proxies — Cloudflare IPs vary widely
+fwdOpts.KnownProxies.Clear();
+app.UseForwardedHeaders(fwdOpts);
+
 // Initialize MongoDB indexes on startup
 var mongo = app.Services.GetRequiredService();
 await mongo.InitializeAsync();
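Review bot: The two `Clear()` calls on KnownNetworks and KnownProxies are what make the new rate-limit key spoofable: with an empty trusted-proxy list the middleware honours X-Forwarded-For from any peer, so a caller that reaches the app without passing through nginx, or whose header nginx forwards rather than overwrites, can set an arbitrary X-Forwarded-For and get a fresh 10-calls/day bucket on every request. The commit message says the peer address is 127.0.0.1 (nginx), which the default KnownNetworks entry (127.0.0.0/8) should already cover, so the fix works with `fwdOpts.KnownNetworks.Clear();` and `fwdOpts.KnownProxies.Clear();` removed and the trust boundary kept at the loopback proxy. Note also that ForwardLimit defaults to 1, so only the rightmost X-Forwarded-For entry is consumed; if nginx appends its own upstream (the Cloudflare edge address) instead of writing the real client IP, the limit would key on Cloudflare's address — the nginx config is not visible here, so confirm it sets the header from the client address Cloudflare supplies before it reaches the app. The surrounding top-level statements of Program.cs continue outside the hunk.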