Fix #34: Replace setup redirect allowlist prefix matching with explicit allowlist

- Replace fragile startswith() matching with explicit path matching - Split allowlist into _EXACT_ALLOWED (exact paths) and _PREFIX_ALLOWED (prefixes) - Prefix paths MUST end with '/' to prevent matching unintended paths like /api/setup-debug - Paths correctly matched: /api/setup, /api/health, /api/docs, /api/redoc, /api/openapi.json, /api/setup/timezone - Paths correctly blocked: /api/setup-debug, /api/setup123, /api/jails - Add comprehensive Setup Guard Route Policy documentation to Backend-Development.md - Update line numbers in documentation to reflect current implementation This prevents future route additions from accidentally bypassing the setup guard. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-29 19:45:42 +02:00
parent 6bc440dce4
commit bc4ba703f0
3 changed files with 99 additions and 33 deletions
--- a/Docs/Tasks.md
+++ b/Docs/Tasks.md
@@ -1,23 +1,3 @@
-## 33) Trusted proxy configuration is hardcoded in auth router
- Where found:
-	- [backend/app/routers/auth.py](backend/app/routers/auth.py#L46)
-	- [backend/app/utils/client_ip.py](backend/app/utils/client_ip.py)
- Why this is needed:
-	- Incorrect client IP extraction can break per-IP rate limiting behind proxies.
- Goal:
-	- Move trusted proxies to validated runtime config.
- What to do:
-	- Add settings for trusted proxy IPs/CIDRs.
-	- Validate and use these in client IP extraction.
- Possible traps and issues:
-	- Over-trusting headers can enable spoofing.
- Docs changes needed:
-	- Add reverse-proxy deployment configuration section.
- Doc references:
-	- [Docs/Instructions.md](Docs/Instructions.md)
-
---
-
 ## 34) Setup redirect allowlist uses broad prefix matching
 - Where found:
 	- [backend/app/main.py](backend/app/main.py#L434)