fix: configurable trusted IP header (do-connecting-ip), reject http:// URLs

- Replace TRUST_PROXY bool with TRUSTED_IP_HEADER string (set to
  do-connecting-ip for DO App Platform, empty to disable)
- Only accept https:// URLs (http:// causes mixed-content in the editor)

Author: bendersej

agents/.do/app.yaml

@@ -32,9 +32,9 @@ services:
       - key: DEFAULT_EDITOR_HOST
         scope: RUN_TIME
         value: ai.simplepdf.com
-      - key: TRUST_PROXY
+      - key: TRUSTED_IP_HEADER
         scope: RUN_TIME
-        value: "true"
+        value: do-connecting-ip
       - key: RATE_LIMIT_PER_MIN
         scope: RUN_TIME
         value: "30"

agents/SKILL.md

@@ -151,7 +151,7 @@ Once the user opens the editor link, they can:
 - Maximum PDF size: 50 MB (file uploads only)
 - Uploaded files expire after 24 hours
 - Rate limit: 30 requests per minute per IP
-- URL must start with http:// or https://
+- URL must start with https://
 - companyIdentifier must be a valid SimplePDF portal identifier
 
 ## Legal

agents/src/config.rs

@@ -4,7 +4,7 @@ pub struct Config {
     pub s3_region: String,
     pub default_editor_host: String,
     pub rate_limit_per_minute: u32,
-    pub trust_proxy: bool,
+    pub trusted_ip_header: String,
 }
 
 impl Config {
@@ -17,7 +17,7 @@ impl Config {
             rate_limit_per_minute: env("RATE_LIMIT_PER_MIN")
                 .parse()
                 .expect("RATE_LIMIT_PER_MIN must be a number"),
-            trust_proxy: env("TRUST_PROXY") == "true",
+            trusted_ip_header: env("TRUSTED_IP_HEADER"),
         }
     }
 

agents/src/routes.rs

@@ -89,15 +89,13 @@ async fn handle_get(
         Some(url) => url,
     };
 
-    let ip = client_ip(&request, addr.ip(), state.config.trust_proxy);
+    let ip = client_ip(&request, addr.ip(), &state.config.trusted_ip_header);
     if !state.rate_limiter.check(ip) {
         return Err(AppError::RateLimited);
     }
 
     if !is_valid_url(&pdf_url) {
-        return Err(AppError::BadRequest(
-            "url must start with http:// or https://".into(),
-        ));
+        return Err(AppError::BadRequest("url must start with https://".into()));
     }
 
     let company_identifier = validate_company_identifier(query.company_identifier.as_deref())?;
@@ -117,7 +115,7 @@ async fn handle_post(
     Query(query): Query<PostQuery>,
     request: axum::extract::Request,
 ) -> Result<Json<AgentResponse>, AppError> {
-    let ip = client_ip(&request, addr.ip(), state.config.trust_proxy);
+    let ip = client_ip(&request, addr.ip(), &state.config.trusted_ip_header);
     if !state.rate_limiter.check(ip) {
         return Err(AppError::RateLimited);
     }
@@ -161,9 +159,7 @@ async fn handle_post(
         })?;
 
         if !is_valid_url(&input.url) {
-            return Err(AppError::BadRequest(
-                "url must start with http:// or https://".into(),
-            ));
+            return Err(AppError::BadRequest("url must start with https://".into()));
         }
 
         let company_identifier = validate_company_identifier(
@@ -211,16 +207,20 @@ async fn extract_multipart(mut multipart: Multipart) -> Result<MultipartUpload,
     ))
 }
 
-fn client_ip(request: &axum::extract::Request, fallback: IpAddr, trust_proxy: bool) -> IpAddr {
-    if !trust_proxy {
+fn client_ip(
+    request: &axum::extract::Request,
+    fallback: IpAddr,
+    trusted_ip_header: &str,
+) -> IpAddr {
+    if trusted_ip_header.is_empty() {
         return fallback;
     }
 
     request
         .headers()
-        .get("x-forwarded-for")
+        .get(trusted_ip_header)
         .and_then(|v| v.to_str().ok())
-        .and_then(|v| v.rsplit(',').next())
+        .and_then(|v| v.split(',').next())
         .and_then(|v| v.trim().parse::<IpAddr>().ok())
         .unwrap_or(fallback)
 }
@@ -266,7 +266,7 @@ fn is_valid_subdomain(identifier: &str) -> bool {
 }
 
 fn is_valid_url(url: &str) -> bool {
-    url.starts_with("https://") || url.starts_with("http://")
+    url.starts_with("https://")
 }
 
 fn validate_company_identifier(identifier: Option<&str>) -> Result<Option<&str>, AppError> {