From 50c3b116f779eb35dc3e691d0ad38cc88b3a0b0f Mon Sep 17 00:00:00 2001
From: Mikkel Georgsen
Date: Mon, 30 Mar 2026 11:35:53 +0000
Subject: [PATCH] security: restrict /api/ingest to internal IPs only

Checks X-Forwarded-For/X-Real-IP from NPM proxy to get real client IP. Only allows localhost, LAN (10.5.0.x), and NetBird (100.79.x) prefixes.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 mcp_bridge/mcp_server.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/mcp_bridge/mcp_server.py b/mcp_bridge/mcp_server.py
index 3326229..5925f35 100644
--- a/mcp_bridge/mcp_server.py
+++ b/mcp_bridge/mcp_server.py
@@ -102,8 +102,18 @@ def queue_status() -> str:
 # Custom non-MCP routes (no auth required - local access only)
+INTERNAL_PREFIXES = ("127.", "10.5.0.", "::1", "100.79.") # localhost, LAN, NetBird
+
+
 async def ingest_message(request: Request) -> JSONResponse:
     """HTTP endpoint for local services to log messages into the bridge."""
+    # Check real client IP (X-Forwarded-For from NPM, or direct connection)
+    forwarded = request.headers.get("x-forwarded-for", "")
+    real_ip = request.headers.get("x-real-ip", "")
+    client_ip = forwarded.split(",")[0].strip() or real_ip or (request.client.host if request.client else "")
+    if not any(client_ip.startswith(p) for p in INTERNAL_PREFIXES):
+        return JSONResponse({"error": "forbidden"}, status_code=403)
+
     try:
         data = await request.json()
     except Exception: