fix(middleware): prioritize request.ip and x-real-ip to prevent rate limit spoofing (#1845)#1866
swarupio wants to merge 6 commits into
Conversation
@swarupio is attempting to deploy a commit to the jhasourav07's projects Team on Vercel. A member of the Team first needs to authorize it.
👋 Hey @swarupio, it looks like you didn't use our PR template! The section Please update your PR description to include all required sections so we can review this properly:
You can find the full template in CONTRIBUTING.md. Just edit your PR description and the
Please pull the latest changes and resolve the conflicts so we can review it!
git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease
Once resolved, the
🚨 Hey @swarupio, the CI Pipeline is failing on this PR and it has been marked as Please fix the issues before this can be reviewed. Here's how:
1. Run checks locally before pushing:
npm run format:check # Check Prettier formatting
npm run lint # Run ESLint
npm run typecheck # TypeScript type check
npm run test # Run unit tests (Vitest)
npm run build # Verify production build passes
2. Auto-fix common issues:
npm run format # Auto-fix formatting with Prettier
npm run lint -- --fix # Auto-fix lint errors where possible
3. Check the full failure log here:
Once you push a fix and the CI passes, the
d8703ea to 057c3d5
fb9ef0e to 057c3d5
bab1130 to 057c3d5
Aamod007
left a comment
The IP prioritization change breaks the existing test 'prefers x-forwarded-for over x-real-ip' which expects 1.2.3.4 but now gets 9.9.9.9. Either update that test to match the new behavior, or reconsider whether x-real-ip should take priority over x-forwarded-for in all cases.
Aamod007
left a comment
Unapproving — this PR has the status:blocked and needs-rebase labels. Please resolve the blocking issues and re-request review.
Aamod007
left a comment
This PR has status:blocked and needs-rebase labels. Please resolve before re-requesting.
Description
Fixes #1845
This PR addresses the IP spoofing vulnerability in the rate-limiting middleware. Previously, the middleware blindly trusted the x-forwarded-for header, which allowed users to bypass the 60 req/min limit by injecting fake IPs.
Changes made:
Refactored middleware.ts to prioritize authoritative, platform-provided headers.
The middleware now attempts to use x-real-ip (set securely by reverse proxies like Vercel/Nginx) as the primary source of truth.
x-forwarded-for has been relegated to a secondary fallback, and is now properly parsed with .trim() to prevent spacing-based spoofing tricks.
Replaced the missing NextRequest .ip property with explicit header extraction to satisfy strict TypeScript (npm run typecheck) requirements.
Pillar
[ ] 🎨 Pillar 1 — New Theme Design
[ ] 📐 Pillar 2 — Geometric SVG Improvement
[ ] 🕐 Pillar 3 — Timezone Logic Optimization
[x] 🔐 Other (Security, Middleware, Rate Limiting)
Checklist before requesting a review:
[x] I have read the CONTRIBUTING.md file.
[x] I have tested these changes locally.
[x] I have run npm run typecheck and npm run lint locally and resolved all errors.
[x] My commits follow the Conventional Commits format.
[x] I have made sure that I have only one commit to merge in this PR.
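The precedence change described in the PR, written out as an added example. This is not the project's middleware.ts and not the author's code; it models the "before" (first x-forwarded-for entry, untrimmed) and the "after" (x-real-ip first, trimmed x-forwarded-for as fallback) side by side, keyed into a small in-memory 60 req/min limiter, so the spoofing effect is visible on constructed headers. The header bag type, the limiter, the simulateSpoofer driver and all sample addresses are assumptions made here; the fallback also goes one step beyond the PR by taking the right-most x-forwarded-for hop (the one appended by the nearest proxy) instead of the left-most one, which the client controls.

```typescript
// Added example, not the project's middleware. Header names, sample values and
// the limiter below are constructed for illustration.

type HeaderBag = Record<string, string>; // lowercase header name -> raw value

const UNKNOWN = "unknown";

// "Before": first comma-separated entry of x-forwarded-for, untrimmed.
// Any client can prepend an arbitrary address, so the rate-limit key is
// attacker-chosen and a fresh forged value per request never hits the limit.
function clientIpBefore(headers: HeaderBag): string {
  const xff = headers["x-forwarded-for"];
  if (!xff) return UNKNOWN;
  return xff.split(",")[0] ?? UNKNOWN;
}

// "After", as the PR describes it: x-real-ip (which the edge proxy overwrites)
// is the primary source; x-forwarded-for is only a trimmed fallback.
function clientIpAfter(headers: HeaderBag): string {
  const realIp = headers["x-real-ip"]?.trim();
  if (realIp) return realIp;
  const xff = headers["x-forwarded-for"];
  if (!xff) return UNKNOWN;
  const hops = xff.split(",").map((h) => h.trim()).filter((h) => h.length > 0);
  // Assumption beyond the PR: on fallback, prefer the RIGHT-most hop, the one
  // appended by the nearest proxy, over the left-most one the client wrote.
  const nearest = hops[hops.length - 1];
  return nearest ?? UNKNOWN;
}

// Minimal fixed-window limiter: `limit` requests per `windowMs` per key.
class FixedWindowLimiter {
  private readonly limit: number;
  private readonly windowMs: number;
  private readonly counts = new Map<string, { windowStart: number; n: number }>();

  constructor(limit = 60, windowMs = 60_000) {
    this.limit = limit;
    this.windowMs = windowMs;
  }

  // Returns true if the request is allowed, false if the key is over the limit.
  hit(key: string, now: number): boolean {
    const slot = this.counts.get(key);
    if (!slot || now - slot.windowStart >= this.windowMs) {
      this.counts.set(key, { windowStart: now, n: 1 });
      return true;
    }
    slot.n += 1;
    return slot.n <= this.limit;
  }
}

// Simulate one client sending `requests` requests inside a single window while
// forging a different x-forwarded-for prefix on every request. Returns how many
// requests the limiter let through under the given IP-resolution strategy.
function simulateSpoofer(resolve: (h: HeaderBag) => string, requests: number): number {
  const limiter = new FixedWindowLimiter(60, 60_000);
  let allowed = 0;
  for (let i = 0; i < requests; i++) {
    const headers: HeaderBag = {
      // Constructed: forged entry first, then the real client address that a
      // trusted proxy would append; x-real-ip as the proxy would set it.
      "x-forwarded-for": `10.0.${i >> 8}.${i & 0xff}, 203.0.113.7`,
      "x-real-ip": "203.0.113.7",
    };
    if (limiter.hit(resolve(headers), 1_000 + i)) allowed += 1;
  }
  return allowed;
}
```

The reviewer's failing test ('prefers x-forwarded-for over x-real-ip', expecting 1.2.3.4 but getting 9.9.9.9) is exactly the precedence flip clientIpAfter encodes, so that test has to be rewritten rather than the fix reverted. One caveat before relying on x-real-ip: it is only authoritative when the origin is reachable solely through a proxy that overwrites it; if the application can be hit directly, x-real-ip is as forgeable as x-forwarded-for, and the right-most-hop fallback is the better default for both.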