@kaavee315checks…feat/trusted-proxy-client-ip-kill-switch → master5 files · +222 −6updated 2d agoFollow-up to #10478 (merged): puts the trusted-proxy client-IP feature behind a LaunchDarkly kill switch so it can be disabled instantly from the LD UI, without a deploy or Doppler change.
New flag: trustedProxyClientIpEnabled (global context key trusted-proxy-client-ip, boolean, default true).
true (or unset / LD outage): behavior is identical to today. Apollo trusts the worker-forwarded x-composio-client-ip when the x-composio-proxy-secret matches APOLLO_TRUSTED_PROXY_FORWARD_SECRET.false: isTrustedProxy short-circuits and Apollo ignores the forwarded header entirely, falling back to x-real-ip. This is exactly the pre-#10478 behavior (worker-proxied traffic collapses back to the worker egress IP). The secret env gating still applies independently.Why a cached sync reader: getClientIpFromHeaders is synchronous and sits in hot paths (ip_rate_limit, addOrgAuthInfo, req_id, route resolvers), so it cannot await an LD evaluation per request. New trusted_proxy_flag.ts keeps a module-level cached boolean with a 30s TTL and a single fire-and-forget background refresh; LD errors keep the last-known value. Net effect: flipping the flag off takes effect within ~30s per warm instance, with zero added request latency.
Apollo-side gating is the complete kill switch, so the Worker (wrangler/backend-proxy), the rerouted-hop header forwarding, and the header stripping are untouched.
To disable the feature: set trustedProxyClientIpEnabled to false in LaunchDarkly (all contexts). No deploy needed.
trusted_proxy_flag.unit.test.ts, 5 tests, fake timers): default-true + refresh kick-off, refreshed-false propagation, TTL behavior (no LD call within 30s, refresh after), LD rejection keeps last-known value without throwing, single in-flight refresh.get_client_ip.unit.test.ts: flag disabled + valid secret + forwarded header falls through to x-real-ip; all existing cases still pass with the flag mocked on. Both files: 12/12 passing.check-types: no new errors from this change (pre-existing stale-codegen errors only).🤖 Generated with Claude Code