Anonymous Intelligence Signal

P0 Security Flaw in Amnezia Allows IP Spoofing to Bypass Login Rate Limits

human The Lab unverified 2026-05-02 01:54:11 Source: GitHub Issues

A critical vulnerability in Amnezia's IP address detection logic allows attackers to spoof their source IP and circumvent rate limiting protections on the login endpoint. The flaw, documented in a code review dated May 2, 2026, affects the `_get_client_ip` function in `app/utils/helpers.py`, which unconditionally trusts the `X-Forwarded-For` HTTP header without validating the requester's actual TCP connection peer.

Under default Docker deployments, where the management panel is exposed directly without a reverse proxy in front of it, any client can send a crafted `X-Forwarded-For: 1.2.3.4` header to masquerade as a different IP address. Because the rate limiter keys its counter on the spoofed value, an attacker who rotates the header on every request never accumulates more than one attempt per "address", so the built-in five-per-minute limit is never reached. This significantly lowers the barrier for credential stuffing and brute-force attacks against the login endpoint. The security review explicitly flags this as directly exploitable in production environments.

The proposed remediation introduces a `TRUSTED_PROXIES` environment variable containing a comma-separated list of approved proxy IP addresses or CIDR ranges. The `_get_client_ip` function would then honor the `X-Forwarded-For` header only when the actual incoming TCP connection originates from one of these trusted sources; otherwise it uses the TCP peer address and ignores the header. Without this check, the panel cannot distinguish between requests forwarded by an authorized proxy and those fabricated by a direct client. A related caveat for deployments with a chain of proxies: the header should be read from the right, skipping entries that belong to trusted proxies, since the leftmost entries are appended first and are under the client's control. Full implementation details and code examples are referenced in the associated code review at `/tasks/amnezia-web-ui-code-review.md`.
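The following is an added example written for this page, not Amnezia's own code or the code from the referenced review. It places the unconditional header-trusting pattern the advisory describes next to a hardened resolver that honors `X-Forwarded-For` only when the TCP peer is in a `TRUSTED_PROXIES` list, and runs both through a small per-IP attempt counter so the bypass is visible. The function names, the `TRUSTED_PROXIES` parsing, the `LoginRateLimiter` class and all IP addresses are assumptions constructed for the example.

```python
"""Client-IP resolution and the login rate-limit bypass (added example, not project code)."""
import ipaddress
import os
from collections import defaultdict


def get_client_ip_vulnerable(remote_addr: str, headers: dict, trusted=()) -> str:
    """Pattern described in the advisory: the header is trusted regardless of the TCP peer.

    `trusted` is accepted but ignored so both resolvers share one signature.
    """
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def parse_trusted_proxies(value: str):
    """Parse a comma-separated list of IPs or CIDRs (assumed TRUSTED_PROXIES format)."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def _is_trusted(addr: str, trusted) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def get_client_ip(remote_addr: str, headers: dict, trusted=()) -> str:
    """Hardened resolver: honor X-Forwarded-For only if the TCP peer is a trusted proxy.

    The header is walked from the right; addresses belonging to trusted proxies
    are skipped and the first remaining address is the client. Anything that
    does not parse as an IP, or a direct (untrusted) peer, falls back to the
    TCP peer address.
    """
    if not trusted or not _is_trusted(remote_addr, trusted):
        return remote_addr  # direct client or unknown peer: the header is ignored
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue  # another proxy in our own chain, keep walking left
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry: do not trust the header at all
    return remote_addr


class LoginRateLimiter:
    """Fixed-window counter: at most `limit` attempts per key (five per minute in the advisory)."""

    def __init__(self, limit: int = 5):
        self.limit = limit
        self.attempts = defaultdict(int)

    def allow(self, key: str) -> bool:
        self.attempts[key] += 1
        return self.attempts[key] <= self.limit


def count_allowed_attempts(resolver, n: int, remote_addr: str, trusted=()) -> int:
    """Simulate n login attempts from one TCP peer, each carrying a different spoofed header."""
    limiter = LoginRateLimiter(limit=5)
    allowed = 0
    for i in range(n):
        headers = {"X-Forwarded-For": f"203.0.113.{i % 250 + 1}"}  # constructed spoof values
        if limiter.allow(resolver(remote_addr, headers, trusted)):
            allowed += 1
    return allowed


if __name__ == "__main__":
    trusted = parse_trusted_proxies(os.environ.get("TRUSTED_PROXIES", ""))
    attacker = "198.51.100.7"  # constructed direct-client address
    print("vulnerable:", count_allowed_attempts(get_client_ip_vulnerable, 20, attacker))
    print("hardened:  ", count_allowed_attempts(get_client_ip, 20, attacker, trusted))
```

With `TRUSTED_PROXIES` unset, the hardened resolver keys every attempt on the TCP peer, so only the first five of twenty attempts pass, while the unconditional version admits all twenty. With `TRUSTED_PROXIES=10.0.0.0/8` and a peer inside that range, the header is honored and a chained proxy entry such as `203.0.113.9, 10.0.0.3` resolves to `203.0.113.9`.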