try: ip fix for cludflare

- Introduced AI File Sorting functionality to automatically organize documents into a smart folder hierarchy based on source, date, and topic.
- Updated README.md to include the new feature.
- Enhanced homepage components with new illustrations and descriptions for AI File Sorting.
- Refactored rate limiting logic to extract real client IPs more accurately.

surfsense_backend/app/app.py

@@ -15,7 +15,7 @@ from fastapi.middleware.cors import CORSMiddleware
 from fastapi.responses import JSONResponse
 from slowapi.errors import RateLimitExceeded
 from slowapi.middleware import SlowAPIMiddleware
-from slowapi.util import get_remote_address
+from slowapi.util import get_remote_address  # noqa: F401 — kept for reference
 from sqlalchemy.ext.asyncio import AsyncSession
 from starlette.middleware.base import BaseHTTPMiddleware, RequestResponseEndpoint
 from starlette.requests import Request as StarletteRequest
@@ -35,7 +35,7 @@ from app.config import (
 )
 from app.db import User, create_db_and_tables, get_async_session
 from app.exceptions import GENERIC_5XX_MESSAGE, ISSUES_URL, SurfSenseError
-from app.rate_limiter import limiter
+from app.rate_limiter import get_real_client_ip, limiter
 from app.routes import router as crud_router
 from app.routes.auth_routes import router as auth_router
 from app.schemas import UserCreate, UserRead, UserUpdate
@@ -290,7 +290,7 @@ def _check_rate_limit(
     Uses atomic INCR + EXPIRE to avoid race conditions.
     Falls back to in-memory sliding window if Redis is unavailable.
     """
-    client_ip = get_remote_address(request)
+    client_ip = get_real_client_ip(request)
     key = f"surfsense:auth_rate_limit:{scope}:{client_ip}"
 
     try:

surfsense_backend/app/rate_limiter.py

@@ -1,13 +1,33 @@
 """Shared SlowAPI limiter instance used by app.py and route modules."""
 
+from __future__ import annotations
+
 from limits.storage import MemoryStorage
 from slowapi import Limiter
-from slowapi.util import get_remote_address
+from starlette.requests import Request
 
 from app.config import config
 
+
+def get_real_client_ip(request: Request) -> str:
+    """Extract the real client IP behind Cloudflare / reverse proxies.
+
+    Priority: CF-Connecting-IP > X-Real-IP > X-Forwarded-For (first entry) > socket peer.
+    """
+    cf_ip = request.headers.get("cf-connecting-ip")
+    if cf_ip:
+        return cf_ip.strip()
+    real_ip = request.headers.get("x-real-ip")
+    if real_ip:
+        return real_ip.strip()
+    forwarded = request.headers.get("x-forwarded-for")
+    if forwarded:
+        return forwarded.split(",")[0].strip()
+    return request.client.host if request.client else "127.0.0.1"
+
+
 limiter = Limiter(
-    key_func=get_remote_address,
+    key_func=get_real_client_ip,
     storage_uri=config.REDIS_APP_URL,
     default_limits=["1024/minute"],
     in_memory_fallback_enabled=True,

surfsense_backend/app/routes/anonymous_chat_routes.py

@@ -51,12 +51,17 @@ def _get_or_create_session_id(request: Request, response: Response) -> str:
 
 
 def _get_client_ip(request: Request) -> str:
+    """Extract the real client IP, preferring Cloudflare's header."""
+    cf_ip = request.headers.get("cf-connecting-ip")
+    if cf_ip:
+        return cf_ip.strip()
+    real_ip = request.headers.get("x-real-ip")
+    if real_ip:
+        return real_ip.strip()
     forwarded = request.headers.get("x-forwarded-for")
-    return (
-        forwarded.split(",")[0].strip()
-        if forwarded
-        else (request.client.host if request.client else "unknown")
-    )
+    if forwarded:
+        return forwarded.split(",")[0].strip()
+    return request.client.host if request.client else "unknown"
 
 
 # ---------------------------------------------------------------------------