[Bug] public-api: rate limiter sets validate.trustProxy: false but app.set('trust proxy', 1) is not applied, causing all cloud-deployed clients to share one rate-limit bucket

[anshul23102]

Bug Summary

The public API rate limiter in apps/public-api/src/middlewares/api_usage.js is configured with:

const limiter = rateLimit({
    windowMs: 15 * 60 * 1000,
    max: 100,
    validate: {
        xForwardedForHeader: false,
        trustProxy: false
    }
});

Setting validate.trustProxy: false suppresses the express-rate-limit warning about proxy trust but does NOT configure Express to trust X-Forwarded-For headers. When the public API server is deployed behind a load balancer or reverse proxy (which is the case on Render, as indicated by render.yaml), all incoming requests arrive at the Node.js process with the same internal load-balancer IP as req.socket.remoteAddress.

Because app.set('trust proxy', 1) is absent from the public API Express setup, express-rate-limit keys every request on the same internal IP. The effect is that all SDK users on the platform share a single rate-limit counter: once any combination of users makes 100 requests in 15 minutes, every other user is throttled as well. Conversely, a single abusive client can exhaust the shared bucket for all users by making 100 rapid requests.

The dashboard API correctly sets app.set('trust proxy', 1) (line 17 of apps/dashboard-api/src/app.js), but the public API does not.

Steps to Reproduce

1. Deploy the public API behind a load balancer.
2. Send 101 requests from two different client IPs.
3. Observe that the 101st request from Client B is rate-limited even though Client B has only made 1 request.

Expected Behavior

The public API should set app.set('trust proxy', 1) to correctly extract the real client IP from the X-Forwarded-For header, so each client is rate-limited independently.

Affected Files

• apps/public-api/src/app.js: missing app.set('trust proxy', 1)
• apps/public-api/src/middlewares/api_usage.js: validate.trustProxy: false suppresses the warning without fixing the root issue

---

@geturbackend I would like to work on this issue. Could you please assign/ it to me? Contributing under NSoC '26.

[Gagan-astatine]

Hi
I would like to work on this issue under SSOC'26.
Kindly assign this issue to me.
Thank you!

[anshul23102]

Hi @yash-pouranik, I am the author of this issue and would like to work on it under GSSoC '26.

I have traced the root cause and have a targeted fix ready for the trust proxy misconfiguration causing all cloud-deployed clients to share one rate-limit bucket.

I will request formal assignment once my work on issue #245 is complete, in line with the one-issue-at-a-time rule. Flagging my interest here so the issue stays on your radar.

GSSoC '26

[yash-pouranik]

how willl u solve this ?
@Gagan-astatine

[anshul23102]

@yash-pouranik Could you please assign/ this issue to me? I'd like to work on it under GSSoC '26. I have traced the root cause: app.set('trust proxy', 1) is missing from the public-api setup, causing all cloud-deployed clients to share one rate-limit bucket. The fix is a one-line addition. Thank you.

[Gagan-astatine]

@yash-pouranik
From the issue description, the root cause seems to be the missing app.set('trust proxy', 1) in the public API — without it Express never reads X-Forwarded-For and everyone ends up sharing the same rate limit bucket. The validate.trustProxy: false looks like it was just suppressing the warning rather than actually solving it. The dashboard API already handles this correctly so it's likely a straightforward fix to bring the public API in line.

That said I haven't dug into the full codebase yet so I'd want to verify the middleware ordering, confirm trust proxy: 1 is the right value for Render's setup, and make sure there's nothing else in the chain affecting req.ip before pushing anything. I'd rather flag something unexpected than rush into it.
If you assign this to me I'll go through the code properly first and make sure it's done right end to end.

[yash-pouranik]

bro @anshul23102
I already told u I cant assign more that 1
please understand.
Also please join discord to have a small convo
https://discord.com/invite/CXJjvJkNWn

[yash-pouranik]

Assigned
please done create PR with sharing approach.

[yash-pouranik]

@Gagan-astatine

[Gagan-astatine]

Hey @yash-pouranik, looked into the codebase and I found this:

app.set('trust proxy', 1) is already present in public-api/src/app.js at line 16 right after const app = express() so that part is fine. The actual fix is only in api_usage.js , removing the validate block:
validate: {
xForwardedForHeader: false,
trustProxy: false
}
This was just silencing the express-rate-limit warning without fixing anything. Once removed, the library will automatically detect that trust proxy is correctly set and read req.ip from X-Forwarded-For properly , giving each client their own independent rate limit counter.
That's the only change needed. Should I go ahead and open the PR?

[yash-pouranik]

yh sure, u can go.
@Gagan-astatine

[Gagan-astatine]

Hey @yash-pouranik, I've just submitted a PR to fix the rate limiter issue (#248) when behind a proxy. It's ready for your review: #293