fix(backend): require Request for rate limiting, enable proxy headers

- rate_limit decorator now requires Request parameter (raises 500 if missing)
- Routes updated: request: Request, body: PydanticModel pattern
- Added proxy-headers flag to Dockerfile for X-Forwarded-For support
- Added FORWARDED_ALLOW_IPS env var to docker-compose
- Documented proxy header configuration in decorator docstring

Behind reverse proxy, this ensures rate limiting uses real client IP
instead of proxy IP (which would bucket all users together).

Author: DevanshuNEU

backend/Dockerfile

@@ -29,5 +29,6 @@ EXPOSE 8000
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
     CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health').read()" || exit 1
 
-# Run with uvicorn
-CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]
+# Run with uvicorn (proxy-headers enabled for rate limiting behind reverse proxy)
+# Set FORWARDED_ALLOW_IPS env var in production to your proxy's IP range
+CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000", "--proxy-headers"]

backend/routes/feedback.py

@@ -5,7 +5,7 @@
 import os
 import httpx
 from datetime import datetime
-from fastapi import APIRouter, HTTPException
+from fastapi import APIRouter, HTTPException, Request
 from pydantic import BaseModel, EmailStr
 from typing import Optional
 from services.rate_limiter import rate_limit
@@ -52,12 +52,12 @@ async def post_to_discord(embed: dict) -> bool:
 
 @router.post("")
 @rate_limit(requests_per_minute=5)
-async def submit_feedback(request: FeedbackRequest):
+async def submit_feedback(request: Request, body: FeedbackRequest):
     """Submit user feedback - posts to Discord."""
     if not DISCORD_WEBHOOK_URL:
         raise HTTPException(status_code=503, detail="Feedback service unavailable")
 
-    mood_info = MOOD_CONFIG.get(request.mood, MOOD_CONFIG["good"])
+    mood_info = MOOD_CONFIG.get(body.mood, MOOD_CONFIG["good"])
 
     embed = {
         "title": "💬 New Feedback",
@@ -69,11 +69,11 @@ async def submit_feedback(request: FeedbackRequest):
         "timestamp": datetime.utcnow().isoformat(),
     }
 
-    if request.email:
-        embed["fields"].append({"name": "User", "value": request.email, "inline": True})
+    if body.email:
+        embed["fields"].append({"name": "User", "value": body.email, "inline": True})
 
-    if request.message:
-        embed["fields"].append({"name": "Message", "value": request.message[:1000], "inline": False})
+    if body.message:
+        embed["fields"].append({"name": "Message", "value": body.message[:1000], "inline": False})
 
     success = await post_to_discord(embed)
     if not success:
@@ -84,19 +84,19 @@ async def submit_feedback(request: FeedbackRequest):
 
 @router.post("/waitlist")
 @rate_limit(requests_per_minute=3)
-async def join_waitlist(request: WaitlistRequest):
+async def join_waitlist(request: Request, body: WaitlistRequest):
     """Join waitlist for Pro or Enterprise plan."""
     if not DISCORD_WEBHOOK_URL:
         raise HTTPException(status_code=503, detail="Waitlist service unavailable")
 
-    is_enterprise = request.plan.lower() == "enterprise"
+    is_enterprise = body.plan.lower() == "enterprise"
 
     if is_enterprise:
         embed = {
             "title": "🏢 Enterprise Inquiry",
             "color": 0x8B5CF6,
             "fields": [
-                {"name": "Email", "value": request.email, "inline": True},
+                {"name": "Email", "value": body.email, "inline": True},
                 {"name": "Plan", "value": "Enterprise (Custom)", "inline": True},
             ],
             "footer": {"text": "OpenCodeIntel Enterprise"},
@@ -107,7 +107,7 @@ async def join_waitlist(request: WaitlistRequest):
             "title": "🚀 New Waitlist Signup",
             "color": 0x3B82F6,
             "fields": [
-                {"name": "Email", "value": request.email, "inline": True},
+                {"name": "Email", "value": body.email, "inline": True},
                 {"name": "Plan Interest", "value": "Pro ($19/month)", "inline": True},
             ],
             "footer": {"text": "OpenCodeIntel Waitlist"},

backend/services/rate_limiter.py

@@ -23,23 +23,33 @@ def rate_limit(requests_per_minute: int = 60):
     Simple rate limit decorator for FastAPI routes.
     Uses in-memory storage - suitable for single-instance deployments.
     For production, use Redis-backed RateLimiter class instead.
+    
+    IMPORTANT: Routes using this decorator MUST include `request: Request` as
+    a parameter. For correct client IP detection behind a reverse proxy, 
+    configure Uvicorn with:
+        --proxy-headers --forwarded-allow-ips="<your-proxy-ips>"
+    This ensures request.client.host reflects the real client IP from 
+    X-Forwarded-For header, not the proxy's IP.
     """
     def decorator(func: Callable):
         @wraps(func)
         async def wrapper(*args, **kwargs):
-            # Try to get request from kwargs or args
+            # Get Request from kwargs (FastAPI injects it by parameter name)
             request = kwargs.get('request')
             if not request:
                 for arg in args:
                     if isinstance(arg, Request):
                         request = arg
                         break
 
-            # Get client identifier (IP or fallback)
-            if request:
-                client_id = request.client.host if request.client else "unknown"
-            else:
-                client_id = "unknown"
+            if not request or not isinstance(request, Request):
+                raise HTTPException(
+                    status_code=500,
+                    detail="Rate limiting requires Request parameter in route"
+                )
+            
+            # Get client IP (relies on Uvicorn proxy-headers config for real IP)
+            client_id = request.client.host if request.client else "unknown"
 
             key = f"{func.__name__}:{client_id}"
             now = time.time()

docker-compose.yml

@@ -37,6 +37,7 @@ services:
       - API_KEY=${API_KEY}
       - BACKEND_API_URL=http://backend:8000
       - DISCORD_FEEDBACK_WEBHOOK=${DISCORD_FEEDBACK_WEBHOOK}
+      - FORWARDED_ALLOW_IPS=*
     volumes:
       - ./backend/repos:/app/repos
       - ./backend:/app