Merge pull request #16998 from misskey-dev/develop

Release: 2025.12.2
author: misskey-release-bot[bot] <157398866+misskey-release-bot[bot]@users.noreply.github.com> 2025-12-22 05:30:45 +0000
committer: GitHub <noreply@github.com> 2025-12-22 05:30:45 +0000
commit: 0d46089f9a18abbb001fee2860dfaabf881831b3 (patch)
tree: 8315f33781b790084279680d05ea521f47fe1219 /packages/backend/src/server/api/ApiCallService.ts
parent: Merge pull request #16972 from misskey-dev/develop (diff)
parent: Release: 2025.12.2 (diff)
download: misskey-0d46089f9a18abbb001fee2860dfaabf881831b3.tar.gz
misskey-0d46089f9a18abbb001fee2860dfaabf881831b3.tar.bz2
misskey-0d46089f9a18abbb001fee2860dfaabf881831b3.zip
1 files changed, 7 insertions, 4 deletions
diff --git a/packages/backend/src/server/api/ApiCallService.ts b/packages/backend/src/server/api/ApiCallService.ts
index 27c79ab438..8bae46d9fb 100644
--- a/packages/backend/src/server/api/ApiCallService.ts
+++ b/packages/backend/src/server/api/ApiCallService.ts
@@ -313,11 +313,14 @@ export class ApiCallService implements OnApplicationShutdown {
 		}
 
 		if (ep.meta.limit) {
-			// koa will automatically load the `X-Forwarded-For` header if `proxy: true` is configured in the app.
-			let limitActor: string;
+			let limitActor: string | null = null;
 			if (user) {
 				limitActor = user.id;
-			} else {
+			} else if (this.config.enableIpRateLimit) {
+				if (process.env.NODE_ENV === 'production' && (request.ip === '::1' || request.ip === '127.0.0.1')) {
+					this.logger.warn('Recieved API request from localhost IP address for rate limiting in production environment. This is likely due to an improper trustProxy setting in the config file.');
+				}
+
 				limitActor = getIpHash(request.ip);
 			}
 
@@ -330,7 +333,7 @@ export class ApiCallService implements OnApplicationShutdown {
 			// TODO: 毎リクエスト計算するのもあれだしキャッシュしたい
 			const factor = user ? (await this.roleService.getUserPolicies(user.id)).rateLimitFactor : 1;
 
-			if (factor > 0) {
+			if (limitActor != null && factor > 0) {
 				// Rate limit
 				const rateLimit = await this.rateLimiterService.limit(limit as IEndpointMeta['limit'] & { key: NonNullable<string> }, limitActor, factor);
 				if (rateLimit != null) {
author	misskey-release-bot[bot] <157398866+misskey-release-bot[bot]@users.noreply.github.com>	2025-12-22 05:30:45 +0000
committer	GitHub <noreply@github.com>	2025-12-22 05:30:45 +0000
commit	0d46089f9a18abbb001fee2860dfaabf881831b3 (patch)
tree	8315f33781b790084279680d05ea521f47fe1219 /packages/backend/src/server/api/ApiCallService.ts
parent	Merge pull request #16972 from misskey-dev/develop (diff)
parent	Release: 2025.12.2 (diff)
download	misskey-0d46089f9a18abbb001fee2860dfaabf881831b3.tar.gz misskey-0d46089f9a18abbb001fee2860dfaabf881831b3.tar.bz2 misskey-0d46089f9a18abbb001fee2860dfaabf881831b3.zip