Forward client IP to Go server for auto-login trust

The Go server checks if the client is on a private network for
auto-login. Since we proxy over a unix socket, the Go server
can't see the real client IP. Forward it via X-Forwarded-For
and X-Real-IP headers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/proxy.ts

@@ -8,7 +8,7 @@ export interface WsData {
 const upstreams = new Map<ServerWebSocket<WsData>, WebSocket>()
 
 export function createProxy(socketPath: string, isHealthy: () => boolean, isRunning: () => boolean) {
-  async function proxyFetch(req: Request): Promise<Response> {
+  async function proxyFetch(req: Request, clientIP?: string): Promise<Response> {
     const url = new URL(req.url)
 
     if (url.pathname === '/ok') {
@@ -20,10 +20,14 @@ export function createProxy(socketPath: string, isHealthy: () => boolean, isRunn
 
     const hasBody = req.method !== 'GET' && req.method !== 'HEAD'
     const body = hasBody ? await req.arrayBuffer() : undefined
+    const headers = new Headers(req.headers)
+    const forwardedFor = req.headers.get('x-forwarded-for')
+    headers.set('x-forwarded-for', forwardedFor ? `${forwardedFor}, ${clientIP}` : (clientIP ?? ''))
+    headers.set('x-real-ip', clientIP ?? '')
 
     return fetch(`http://localhost${url.pathname}${url.search}`, {
       method: req.method,
-      headers: req.headers,
+      headers,
       body,
       unix: socketPath,
     }).then((r) => {

src/server.ts

@@ -25,7 +25,9 @@ const server = Bun.serve({
       return new Response('WebSocket upgrade failed', { status: 500 })
     }
 
-    return proxyFetch(req)
+    const clientIP = req.headers.get('x-forwarded-for')?.split(',')[0]?.trim()
+      || server.requestIP(req)?.address
+    return proxyFetch(req, clientIP)
   },
 
   websocket,