From 3b384dc5fb85883fcfca5ca3218c6249eb49104b Mon Sep 17 00:00:00 2001
From: Zimeng Xiong
Date: Tue, 20 Jan 2026 13:38:51 -0800
Subject: [PATCH] CSRF token validation failing behind nginx proxy (#38)

Express was not configured to trust proxy headers, causing req.ip to return nginx's internal container IP instead of the actual client IP. In Docker environments, nginx can appear with different internal IPs between requests, causing the CSRF clientId to change and token validation to fail.
---
 backend/src/index.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/backend/src/index.ts b/backend/src/index.ts
index 5e2025f..0a4a773 100644
--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@@ -129,6 +129,12 @@ const initializeUploadDir = async () => {
 };
 
 const app = express();
+
+// Trust proxy headers (X-Forwarded-For, X-Real-IP) from nginx
+// Required for correct client IP detection when running behind a reverse proxy
+// This fixes CSRF token validation failures in Docker/K8s environments
+app.set("trust proxy", 1);
+
 const httpServer = createServer(app);
 const io = new Server(httpServer, {
   cors: {
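Review bot: `app.set("trust proxy", 1)` makes Express take `req.ip` from the rightmost X-Forwarded-For entry on every connection, so if the Express port is reachable without going through nginx (a published Docker port or an exposed K8s service) a direct client can set that header and pick its own `req.ip`, and with it the CSRF clientId the commit message says is derived from it. Restricting trust to where nginx actually connects from is tighter than a hop count, e.g. `app.set("trust proxy", "loopback, uniquelocal");` (Express accepts these named ranges) or an explicit CIDR of the proxy network, and the deployment should keep the backend port unreachable except from nginx. The hop count also has to match the real chain: if a K8s ingress sits in front of nginx there are two proxies and `1` still yields the ingress address, which would reproduce the original failure. The added comment names X-Real-IP, but Express's `trust proxy` only evaluates X-Forwarded-For (plus X-Forwarded-Proto/Host); I'd reword it to `// Trust X-Forwarded-* from the nginx hop in front of us; the backend must not be reachable directly, or clients can forge req.ip`.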