fix: only trust forwarded IP header from configured trusted proxies #493

Merged
cameri merged 3 commits into cameri:main from kanishka0411:fix/trusted-proxy-ip-spoofing-v2
Apr 20, 2026

@kanishka0411
Contributor

Description

Added network.trustedProxies config option. The x-forwarded-for header (or any configured remoteIpHeader) is now only trusted when the request's socket IP is in the trustedProxies list. Otherwise Nostream falls back to the real socket address. Also added a runtime warning when remoteIpHeader is set but trustedProxies is empty.

Related Issue

Fixes #492

Motivation and Context

Previously any client could set x-forwarded-for to any IP and Nostream would blindly trust it. This allowed attackers to spoof their IP and bypass rate limits, IP blacklists, and payment throttling.

How Has This Been Tested?

Added unit tests for:

  • trusted proxy allows forwarded header
  • untrusted proxy falls back to socket address
  • IPv4-mapped proxy address normalization

Screenshots (if appropriate):

Types of changes

  • Non-functional change (docs, style, minor refactor)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my code changes.
  • All new and existing tests passed.
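
The gating described above, as an added TypeScript example that is not Nostream's code: the forwarded header is consulted only when the socket peer is in the allow-list, with IPv4-mapped addresses normalized first. Apart from the setting names `remoteIpHeader` and `trustedProxies`, every name is hypothetical, and choosing the rightmost non-proxy hop is an assumption that goes beyond what the PR text specifies.

```typescript
// Added illustration, not Nostream's source. Only the setting names
// remoteIpHeader and trustedProxies come from the PR; the rest is hypothetical.
interface NetworkSettings { remoteIpHeader?: string; trustedProxies?: string[] }
interface RequestLike {
  headers: Record<string, string | string[] | undefined>
  socket: { remoteAddress?: string }
}

// "::ffff:10.0.0.5" (IPv4-mapped IPv6) must compare equal to "10.0.0.5".
function normalizeIp(ip: string): string {
  const trimmed = ip.trim().toLowerCase()
  return trimmed.replace(/^::ffff:(?=\d{1,3}(?:\.\d{1,3}){3}$)/, '')
}

function resolveClientIp(req: RequestLike, network: NetworkSettings): string {
  const socketIp = normalizeIp(req.socket.remoteAddress ?? '')
  const trusted = (network.trustedProxies ?? []).map(normalizeIp).filter(Boolean)
  const isTrusted = (ip: string): boolean => trusted.some((p) => p === ip)
  const headerName = (network.remoteIpHeader ?? '').toLowerCase()

  // A forwarded header is only evidence when the TCP peer is an allow-listed proxy.
  if (!headerName || !isTrusted(socketIp)) return socketIp

  const raw = req.headers[headerName]
  const value = Array.isArray(raw) ? raw.join(',') : (raw ?? '')
  const hops = value.split(',').map(normalizeIp).filter(Boolean)

  // Assumption beyond the PR text: take the rightmost hop that is not itself a
  // trusted proxy, so entries a client prepended to the header are never used.
  for (let i = hops.length - 1; i >= 0; i--) {
    const hop = hops[i]
    if (hop && !isTrusted(hop)) return hop
  }
  return socketIp // header empty or made up of proxies only
}

// Constructed sample requests (documentation address ranges).
const network: NetworkSettings = { remoteIpHeader: 'x-forwarded-for', trustedProxies: ['10.0.0.5'] }
const viaProxy: RequestLike = {
  headers: { 'x-forwarded-for': '1.2.3.4, 203.0.113.7' }, // first entry supplied by the client
  socket: { remoteAddress: '::ffff:10.0.0.5' },
}
const direct: RequestLike = {
  headers: { 'x-forwarded-for': '1.2.3.4' },
  socket: { remoteAddress: '198.51.100.9' },
}
console.log(resolveClientIp(viaProxy, network), resolveClientIp(direct, network))
```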

Copilot AI left a comment

Pull request overview

This PR mitigates IP spoofing by only trusting x-forwarded-for (or configured network.remoteIpHeader) when the connection comes from an allow-listed proxy IP (network.trustedProxies).

Changes:

  • Added network.trustedProxies setting and updated getRemoteAddress() to require a trusted proxy before using forwarded headers.
  • Added IP normalization for IPv4-mapped proxy socket addresses and improved forwarded-header parsing (trim).
  • Updated unit tests and configuration docs/default settings to include the new option.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| src/utils/http.ts | Implements trusted-proxy gating + IP normalization and warning behavior for forwarded headers. |
| src/@types/settings.ts | Adds trustedProxies?: string[] to the Network settings type. |
| resources/default-settings.yaml | Documents and introduces network.trustedProxies in the default config. |
| CONFIGURATION.md | Documents the new network.trustedProxies setting. |
| test/unit/utils/http.spec.ts | Adds unit tests covering trusted/untrusted proxy behavior and IPv4-mapped normalization. |

Comment thread src/utils/http.ts
Comment on lines +38 to +41
const trustedProxies = settings.network?.trustedProxies
if (header && (!Array.isArray(trustedProxies) || trustedProxies.length === 0)) {
console.warn('WARNING: network.remoteIpHeader is set but network.trustedProxies is empty. Forwarded headers will be ignored. Add your proxy IP to network.trustedProxies.')
}
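
Review bot: the message passed to console.warn says network.trustedProxies "is empty", but the condition on the line above also fires when the value is not an array at all, for example a single address written as a scalar instead of a list. Consider wording the two cases differently ("is not a list" versus "is empty") so an operator who did set a value can see why the forwarded header is still being ignored.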

Copilot AI Apr 18, 2026

The new warning for network.remoteIpHeader + empty network.trustedProxies runs inside getRemoteAddress(), which is called per request/connection and can spam logs (and add overhead) in misconfigured or default setups. Consider emitting this warning once (e.g., via a module-level "warned" flag) or moving validation to settings load/startup instead of the hot path.

Comment thread src/utils/http.ts Outdated
Comment thread resources/default-settings.yaml Outdated
@cameri
Owner

cameri commented Apr 18, 2026

@kanishka0411 looks like we have some conflicts now. I'm wondering if we should re-order the CONFIGURATION.md list of settings A-Z so there are fewer conflicts.

kanishka0411 force-pushed the fix/trusted-proxy-ip-spoofing-v2 branch from 6892bbd to 6ebff39 on April 18, 2026 16:43
@cameri
Owner

cameri commented Apr 18, 2026

@copilot resolve the merge conflicts in this pull request

@Anshumancanrock Anshumancanrock mentioned this pull request Apr 18, 2026
10 tasks
@cameri
Owner

cameri commented Apr 18, 2026

@copilot resolve the merge conflicts in this pull request

kanishka0411 force-pushed the fix/trusted-proxy-ip-spoofing-v2 branch from 6ebff39 to 0ac3cab on April 19, 2026 06:33
@coveralls
Collaborator

coveralls commented Apr 19, 2026

Coverage Status

coverage: 73.323% (+0.2%) from 73.153% — kanishka0411:fix/trusted-proxy-ip-spoofing-v2 into cameri:main

kanishka0411 force-pushed the fix/trusted-proxy-ip-spoofing-v2 branch from 18bffa7 to c638687 on April 19, 2026 18:14
kanishka0411 force-pushed the fix/trusted-proxy-ip-spoofing-v2 branch from c638687 to 47afc07 on April 20, 2026 06:03
cameri merged commit 5bf1a58 into cameri:main on Apr 20, 2026
13 checks passed

Development

Successfully merging this pull request may close these issues.

IP spoofing via untrusted x-forwarded-for header

4 participants