app.services.abuse_prevention_service module¶

class app.services.abuse_prevention_service.AbusePreventionService(counter_backend)[source]¶

Bases: object

Service responsible for abuse prevention checks on sensitive endpoints.

Parameters:: counter_backend (RateLimitCounterBackend)

static extract_client_ip(request)[source]¶

Extracts the best-effort client IP.

X-Forwarded-For and X-Real-IP are honored only when the direct socket peer is in configs.TRUSTED_PROXY_IPS. Without that gate any client can forge these headers and bypass per-IP rate limiting (see security finding H10). When the peer is trusted, X-Forwarded-For is walked right-to-left, skipping further trusted hops, to find the leftmost untrusted address.

Parameters:: request (Request | None)
Return type:: str | None

async enforce_task_mutation_limits(api_key, client_ip, external_user_id, now=None)[source]¶

Enforces abuse controls for task mutation endpoints (/points, /action).

Parameters:

api_key (str | None)
client_ip (str | None)
external_user_id (str | None)
now (datetime | None)

Return type:

None