[Security] SSE getClientIp trusts client X-Forwarded-For, letting attackers bypass the per-IP SSE connection limit (DoS)

[grantfox-oss]

Telegram (ask questions / claim the issue here first): https://t.me/+DOylgFv1jyJlNzM0

Why this matters

sse.controller.ts:15-26 getClientIp reads req.headers['x-forwarded-for'] unconditionally and returns its first entry as sourceIp; that value feeds sseService.checkCapacity(sourceIp) and addClient(...,sourceIp). Express never sets trust proxy, so this header is fully attacker-controlled - a client rotating a fake X-Forwarded-For per request opens unlimited SSE connections, defeating the per-IP connection cap and exhausting connection slots.

Acceptance criteria

• Derive the client IP from req.ip after configuring a correct trust proxy setting, not directly from the raw X-Forwarded-For header
• When trust proxy is not enabled, ignore X-Forwarded-For and use req.socket.remoteAddress
• Add a test proving two connections with different spoofed X-Forwarded-For values from the same socket still count against one per-IP bucket

Files to touch

• backend/src/controllers/sse.controller.ts
• backend/src/services/sse.service.ts

Out of scope

• Changing the per-IP limit value
• Redis-backed SSE fan-out

[Emelie-Dev]

@Emelie-Dev has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi, I would love to work on this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Emelie-Dev to this issue.

[charlesedeh021-cell]

@charlesedeh021-cell has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi maintainers!

I’d love to help out with this issue. I’ve checked the current codebase/documentation and know exactly what needs to be updated to make this clearer. I will ensure everything aligns perfectly with your existing contribution guidelines.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @charlesedeh021-cell to this issue.

[dhareymu]

@dhareymu has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi maintainer, deadline is almost here.

I can help you fix the issues on the project swiftly and create a PR for it in no time.

Please kindly assign it to me. I look forward to working with you. Thank you.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @dhareymu to this issue.

[grantfox-oss]

🦊 GrantFox — @charlesedeh021-cell has been assigned to this issue!

Next steps:

1. Open a Pull Request referencing this issue (e.g., Closes #817)
2. Your PR will be reviewed by the LabsCrypt maintainers

Good luck! Track your progress on GrantFox.

[drips-wave]

Congratulations, @charlesedeh021-cell! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @charlesedeh021-cell: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊