Security: X-Forwarded-For trusted without proxy validation in SLM login #2239

@mrveiss

Description

Problem

_get_client_ip() in autobot-slm-backend/api/auth.py (lines 30-35) blindly trusts the X-Forwarded-For header:

forwarded_for = http_request.headers.get("X-Forwarded-For")
if forwarded_for:
    return forwarded_for.split(",")[0].strip()

An attacker can spoof their IP in audit logs by sending X-Forwarded-For: 10.0.0.1. Since this is the canonical auth endpoint after #1922, all login audit trails are affected.

Location

  • autobot-slm-backend/api/auth.py, lines 30-35

Proposed Fix

  • Validate X-Forwarded-For against a trusted proxy list from SSOT config
  • Or configure FastAPI's TrustedHostMiddleware
  • At minimum, only trust the header when the direct client IP matches a known reverse proxy
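The following is an added example of the third option above, written for this issue and not taken from the project: X-Forwarded-For is only consulted when the direct socket peer is a known reverse proxy, and the chain is then walked from the right, skipping trusted hops, so that entries an attacker prepends are ignored. TRUSTED_PROXIES, get_client_ip and client_ip_from_request are hypothetical names; in the project the proxy list would come from the SSOT config.

```python
import ipaddress
from typing import Iterable, Mapping, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Hypothetical trusted proxy list (constructed for this example); the real
# list should be loaded from the SSOT config rather than hard-coded.
TRUSTED_PROXIES: list = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def _parse_ip(value: str):
    """Parse a single IP literal; return None instead of raising on junk."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted_proxy(ip, trusted: Iterable[IPNetwork]) -> bool:
    return any(ip in net for net in trusted)


def get_client_ip(remote_addr: str, headers: Mapping[str, str],
                  trusted_proxies: Iterable[IPNetwork] = TRUSTED_PROXIES) -> str:
    """Return the client IP to record in the audit log.

    X-Forwarded-For is only honoured when the direct peer (remote_addr) is a
    trusted proxy. The chain is walked right-to-left; the first hop that is
    not a trusted proxy is the client. Anything malformed falls back to the
    socket address, which cannot be spoofed by the HTTP client.
    """
    trusted = list(trusted_proxies)
    direct = _parse_ip(remote_addr)
    if direct is None or not _is_trusted_proxy(direct, trusted):
        # Direct connection or unknown peer: the header is attacker-controlled.
        return remote_addr

    # Header lookup is case-insensitive (Starlette headers already are).
    lowered = {k.lower(): v for k, v in headers.items()}
    xff: Optional[str] = lowered.get("x-forwarded-for")
    if not xff:
        return remote_addr

    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            return remote_addr  # malformed entry: do not trust the chain at all
        if not _is_trusted_proxy(ip, trusted):
            return str(ip)
    # Every hop was one of our own proxies; report the direct peer.
    return remote_addr


def client_ip_from_request(http_request) -> str:
    """Adapter for a FastAPI/Starlette Request (duck-typed, no import needed)."""
    client = getattr(http_request, "client", None)
    remote_addr = client.host if client is not None else ""
    return get_client_ip(remote_addr, http_request.headers)


if __name__ == "__main__":
    # Constructed sample: attacker connects directly and tries to spoof an internal IP.
    print(get_client_ip("203.0.113.5", {"X-Forwarded-For": "10.0.0.1"}))
    # Constructed sample: request relayed by a trusted proxy at 10.0.0.2.
    print(get_client_ip("10.0.0.2", {"X-Forwarded-For": "1.2.3.4, 198.51.100.7, 10.0.0.3"}))
```

The right-to-left walk matters for multi-hop deployments: a client can always prepend values to X-Forwarded-For, but it cannot control what a trusted proxy appends, so the rightmost untrusted address is the only one the proxy chain actually vouches for.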

Impact

High — audit log IP addresses can be spoofed, undermining forensic value of login audit trail.

Discovered During

Code review of PR #2223 (#1922)
