Fix: Allow setting allauth rate limit configuration settings (#12798)
authorTrenton H <797416+stumpylog@users.noreply.github.com>
Thu, 14 May 2026 14:29:49 +0000 (07:29 -0700)
committerGitHub <noreply@github.com>
Thu, 14 May 2026 14:29:49 +0000 (07:29 -0700)
docs/configuration.md
docs/migration-v3.md
src/paperless/settings/__init__.py

index 08925387386d937212dbf23c39d5494b13873b70..43fa6b70498e63dd9c6358a99105c274131b2a15 100644 (file)
@@ -518,8 +518,25 @@ do CORS calls. Set this to your public domain name.
 fail2ban with log entries for failed authorization attempts. Value should be
 IP address(es).
 
+    This setting also controls allauth's
+    [`ALLAUTH_TRUSTED_PROXY_COUNT`](https://docs.allauth.org/en/latest/account/configuration.html),
+    which is set to the number of proxies listed here. Without this,
+    allauth cannot determine the client IP address for rate limiting when
+    running behind a reverse proxy, resulting in a `403 Forbidden` on login.
+
     Defaults to empty string.
 
+#### [`PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER=<header-name>`](#PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER) {#PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER}
+
+: Sets allauth's
+[`ALLAUTH_TRUSTED_CLIENT_IP_HEADER`](https://docs.allauth.org/en/latest/account/configuration.html).
+Use this when your reverse proxy sets a dedicated header for the real
+client IP instead of `X-Forwarded-For`, for example `X-Real-IP` (nginx)
+or `CF-Connecting-IP` (Cloudflare). When set, this takes precedence over
+[`PAPERLESS_TRUSTED_PROXIES`](#PAPERLESS_TRUSTED_PROXIES).
+
+    Defaults to none.
+
 #### [`PAPERLESS_FORCE_SCRIPT_NAME=<path>`](#PAPERLESS_FORCE_SCRIPT_NAME) {#PAPERLESS_FORCE_SCRIPT_NAME}
 
 : To host paperless under a subpath url like example.com/paperless you
index e17dd3b65729e67a67367451d855243aae8d50da..4fff1f8589ce5a4272f9dca12e7ee6d5053afcfe 100644 (file)
@@ -318,3 +318,11 @@ echo "Document ${DOCUMENT_ID} from ${DOCUMENT_CORRESPONDENT} tagged: ${DOCUMENT_
 Update any pre- or post-consumption scripts that read `$1`, `$2`, etc. to use the
 corresponding environment variables instead. Environment variables have been the preferred
 option since v1.8.0.
+
+## Reverse Proxy and Login Rate Limiting
+
+Allauth changed how it determines the client IP address for login rate limiting. Users running
+behind a reverse proxy may need to set
+[`PAPERLESS_TRUSTED_PROXIES`](configuration.md#PAPERLESS_TRUSTED_PROXIES),
+[`PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER`](configuration.md#PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER),
+or both, to avoid `403 Forbidden` errors on login.
index d021cffbb79894f266cd65d7f6a207e4fa25910c..5d208c9f30b2b36e9066b7b096fe53f06d6b5e8f 100644 (file)
@@ -454,6 +454,12 @@ PAPERLESS_URL = _parse_paperless_url()
 
 # For use with trusted proxies
 TRUSTED_PROXIES = get_list_from_env("PAPERLESS_TRUSTED_PROXIES")
+# Derive allauth's proxy count from the same list so X-Forwarded-For is trusted
+# correctly when users have configured PAPERLESS_TRUSTED_PROXIES.
+ALLAUTH_TRUSTED_PROXY_COUNT = len(TRUSTED_PROXIES)
+ALLAUTH_TRUSTED_CLIENT_IP_HEADER = os.getenv(
+    "PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER",
+)
 
 USE_X_FORWARDED_HOST = get_bool_from_env("PAPERLESS_USE_X_FORWARD_HOST", "false")
 USE_X_FORWARDED_PORT = get_bool_from_env("PAPERLESS_USE_X_FORWARD_PORT", "false")
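Review bot: `ALLAUTH_TRUSTED_PROXY_COUNT = len(TRUSTED_PROXIES)` turns a list of trusted proxy addresses into a hop count, and the two only coincide when each listed address is a separate proxy hop in front of the application. An operator who lists both the IPv4 and IPv6 address of one reverse proxy, or several addresses of a single load-balancer tier, ends up with a count larger than the real chain, so allauth presumably reads the wrong position in `X-Forwarded-For` and may rate-limit on a value the client itself supplied rather than the proxy-observed address; a count that is too small makes every user share the proxy's address and therefore one login rate-limit bucket. The settings module cannot check this from the list alone, so the assumption should at least be stated in the comment above the assignment, e.g. `# Assumes each listed address is one proxy hop; if a single hop has several addresses, set PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER instead.` The sentence in docs/configuration.md that says the count "is set to the number of proxies listed here" should carry the same caveat.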