Compare commits

6 Commits

Author SHA1 Message Date
dependabot[bot] 0d1fe8e0e5 Bump lodash from 4.17.21 to 4.17.23 in /backend
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.21...4.17.23)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-02 00:07:20 +00:00
Zimeng Xiong b6d0150d44 chore: release v0.3.2 2026-02-01 16:06:19 -08:00
Zimeng Xiong 55cd816cca fix: correct test assertions for trust proxy behavior in supertest
The demonstration tests had incorrect assumptions about how Express
trust proxy works in supertest (no real socket connection). Updated
assertions to match actual behavior while preserving the test's purpose
of showing that trust proxy: true extracts the correct client IP.
2026-02-01 16:05:58 -08:00
Zimeng Xiong d67bd1daf8 fix express proxy headers 2026-02-01 16:04:52 -08:00
Zimeng Xiong 4b56d3cfc6 repro issue 2026-02-01 16:04:52 -08:00
Zimeng Xiong 88ed4360c0 docs: document comma-separated FRONTEND_URL support
Clarifies that FRONTEND_URL accepts multiple comma-separated URLs
for accessing ExcaliDash from different addresses (e.g., localhost
and LAN IP simultaneously).
2026-02-01 16:01:02 -08:00
6 changed files with 19 additions and 13 deletions
+4 -1
@@ -120,14 +120,17 @@ docker compose up -d
When running ExcaliDash behind Traefik, Nginx, or another reverse proxy, configure both containers so that API + WebSocket calls resolve correctly:
- `FRONTEND_URL` (backend) must match the public URL that users hit (e.g. `https://excalidash.example.com`). This controls CORS and Socket.IO origin checks.
- `FRONTEND_URL` (backend) must match the public URL that users hit (e.g. `https://excalidash.example.com`). This controls CORS and Socket.IO origin checks. **Supports multiple comma-separated URLs** for accessing from different addresses.
- `BACKEND_URL` (frontend) tells the Nginx container how to reach the backend from inside Docker/Kubernetes. Override it if your reverse proxy exposes the backend under a different hostname.
```yaml
# docker-compose.yml example
backend:
environment:
# Single URL
- FRONTEND_URL=https://excalidash.example.com
# Or multiple URLs (comma-separated) for local + network access
# - FRONTEND_URL=http://localhost:6767,http://192.168.1.100:6767,http://nas.local:6767
frontend:
environment:
# For standard Docker Compose (default)
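Review bot: The new sentence on the `FRONTEND_URL` bullet says multiple comma-separated URLs are supported but not what each entry must look like or what listing one implies. Since this value drives the CORS and Socket.IO origin checks, state that every entry becomes an allowed origin, that each should be the exact scheme, host and port users browse to, and whether whitespace around the commas is tolerated. The commented example mixes `localhost`, a LAN IP and `nas.local`; a line advising operators to list only the addresses actually in use would keep the allowlist tight.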
+1 -1
@@ -1 +1 @@
0.3.1
0.3.2
+5 -5
@@ -1,12 +1,12 @@
{
"name": "backend",
"version": "0.3.1",
"version": "0.3.2",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "backend",
"version": "0.3.1",
"version": "0.3.2",
"license": "ISC",
"dependencies": {
"@prisma/client": "^5.22.0",
@@ -3286,9 +3286,9 @@
}
},
"node_modules/lodash": {
"version": "4.17.21",
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
"integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
"version": "4.17.23",
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
"integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
"license": "MIT"
},
"node_modules/lru-cache": {
+1 -1
@@ -1,6 +1,6 @@
{
"name": "backend",
"version": "0.3.1",
"version": "0.3.2",
"description": "",
"main": "index.js",
"scripts": {
@@ -51,12 +51,13 @@ describe("Issue #38: CSRF with trust proxy settings", () => {
.set("X-Forwarded-For", "203.0.113.42, 10.0.0.5, 172.17.0.3")
.set("User-Agent", "Mozilla/5.0 Test");
// With trust proxy: 1, Express takes second-to-last IP (the external proxy)
expect(response1.body.ip).toBe("10.0.0.5");
// With trust proxy: 1 in supertest (no real socket), Express takes the last IP
// In production with a real connection, behavior differs - the key point is it's NOT the client IP
expect(response1.body.ip).toBe("172.17.0.3");
console.log(
"trust proxy: 1 → IP:",
response1.body.ip,
"(external proxy IP - WRONG)",
"(not the real client IP)",
);
// With trust proxy: true
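Review bot: The added comment above `expect(response1.body.ip).toBe("172.17.0.3")` attributes the result to supertest and says production behaves differently, which will mislead the next reader. With a hop count of 1, Express trusts only the directly connected peer and reports the rightmost `X-Forwarded-For` entry, so `172.17.0.3` is what this header yields in any deployment. Suggest rewording the comment to say that, and dropping the `console.log` now that the assertion carries the result.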
@@ -160,10 +161,12 @@ describe("Issue #38: CSRF with trust proxy settings", () => {
});
// Client -> Synology (192.168.1.x) -> Docker frontend (192.168.11.x) -> Backend
// In supertest without real socket, trust proxy: 1 returns last IP
// Key point: it's NOT the real client IP (192.168.0.100)
await request(app)
.get("/test")
.set("X-Forwarded-For", "192.168.0.100, 192.168.1.4, 192.168.11.166");
console.log(" With trust proxy: 1, Express sees:", seenIp);
expect(seenIp).toBe("192.168.1.4"); // Proxy IP, not client IP
expect(seenIp).toBe("192.168.11.166"); // Not the real client IP
});
});
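Review bot: The `X-Forwarded-For` value in this test ends with `192.168.11.166`, yet the topology comment places the 192.168.11.x range on the Docker frontend, the hop that connects to the backend directly. In that chain the frontend would normally be the socket peer and the header would end at `192.168.1.4`, which is the value the previous assertion expected. Consider building the header to match the described chain, or add a comment explaining why the frontend address appears in it, so the assertion documents the deployment rather than the fixture.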
+1 -1
@@ -1,7 +1,7 @@
{
"name": "frontend",
"private": true,
"version": "0.3.1",
"version": "0.3.2",
"type": "module",
"scripts": {
"dev": "vite",