Fix: Allow setting allauth rate limit configuration settings (#12798)

docs/configuration.md

@@ -518,8 +518,25 @@ do CORS calls. Set this to your public domain name.
 fail2ban with log entries for failed authorization attempts. Value should be
 IP address(es).
 
+    This setting also controls allauth's
+    [`ALLAUTH_TRUSTED_PROXY_COUNT`](https://docs.allauth.org/en/latest/account/configuration.html),
+    which is set to the number of proxies listed here. Without this,
+    allauth cannot determine the client IP address for rate limiting when
+    running behind a reverse proxy, resulting in a `403 Forbidden` on login.
+
     Defaults to empty string.
 
+#### [`PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER=<header-name>`](#PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER) {#PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER}
+
+: Sets allauth's
+[`ALLAUTH_TRUSTED_CLIENT_IP_HEADER`](https://docs.allauth.org/en/latest/account/configuration.html).
+Use this when your reverse proxy sets a dedicated header for the real
+client IP instead of `X-Forwarded-For`, for example `X-Real-IP` (nginx)
+or `CF-Connecting-IP` (Cloudflare). When set, this takes precedence over
+[`PAPERLESS_TRUSTED_PROXIES`](#PAPERLESS_TRUSTED_PROXIES).
+
+    Defaults to none.
+
 #### [`PAPERLESS_FORCE_SCRIPT_NAME=<path>`](#PAPERLESS_FORCE_SCRIPT_NAME) {#PAPERLESS_FORCE_SCRIPT_NAME}
 
 : To host paperless under a subpath url like example.com/paperless you

docs/migration-v3.md

@@ -318,3 +318,11 @@ echo "Document ${DOCUMENT_ID} from ${DOCUMENT_CORRESPONDENT} tagged: ${DOCUMENT_
 Update any pre- or post-consumption scripts that read `$1`, `$2`, etc. to use the
 corresponding environment variables instead. Environment variables have been the preferred
 option since v1.8.0.
+
+## Reverse Proxy and Login Rate Limiting
+
+Allauth changed how it determines the client IP address for login rate limiting. Users running
+behind a reverse proxy may need to set
+[`PAPERLESS_TRUSTED_PROXIES`](configuration.md#PAPERLESS_TRUSTED_PROXIES),
+[`PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER`](configuration.md#PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER),
+or both, to avoid `403 Forbidden` errors on login.

src/paperless/settings/__init__.py

@@ -454,6 +454,12 @@ PAPERLESS_URL = _parse_paperless_url()
 
 # For use with trusted proxies
 TRUSTED_PROXIES = get_list_from_env("PAPERLESS_TRUSTED_PROXIES")
+# Derive allauth's proxy count from the same list so X-Forwarded-For is trusted
+# correctly when users have configured PAPERLESS_TRUSTED_PROXIES.
+ALLAUTH_TRUSTED_PROXY_COUNT = len(TRUSTED_PROXIES)
+ALLAUTH_TRUSTED_CLIENT_IP_HEADER = os.getenv(
+    "PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER",
+)
 
 USE_X_FORWARDED_HOST = get_bool_from_env("PAPERLESS_USE_X_FORWARD_HOST", "false")
 USE_X_FORWARDED_PORT = get_bool_from_env("PAPERLESS_USE_X_FORWARD_PORT", "false")