Fix _get_real_ip: use X-Real-IP from NPM instead of X-Forwarded-For

app/main.py

@@ -67,10 +67,12 @@ logger = logging.getLogger("portal")
 templates = Jinja2Templates(directory="templates")
 
 def _get_real_ip(request) -> str:
-    """Return real client IP, accounting for NPM → app proxy chain."""
+    """Return real client IP. NPM sets X-Real-IP to the actual client IP."""
+    real_ip = request.headers.get("x-real-ip", "").strip()
+    if real_ip:
+        return real_ip
     forwarded_for = request.headers.get("x-forwarded-for", "")
     if forwarded_for:
-        # X-Forwarded-For: client, proxy1, proxy2 — take leftmost (real client)
         return forwarded_for.split(",")[0].strip()
     return request.client.host if request.client else "unknown"