From 35d4fc14336c4f8551a5bbb200d3fcae3daa1bde Mon Sep 17 00:00:00 2001
From: ryzendigo <ryzendigo@gmail.com>
Date: Tue, 17 Mar 2026 06:56:28 +0800
Subject: [PATCH] fix: handle missing x-forwarded-for header in get_remote_addr

When accessing Frigate directly without a reverse proxy, the
x-forwarded-for header is absent. Calling .split() on the None
return value from headers.get() raises AttributeError, crashing
the rate limiter on every login attempt.

Fall back to request.remote_addr when the header is missing.
---
 frigate/api/auth.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/frigate/api/auth.py b/frigate/api/auth.py
index 39089b583..b4fb60932 100644
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@@ -244,7 +244,12 @@ rateLimiter = RateLimiter()
 
 
 def get_remote_addr(request: Request):
-    route = list(reversed(request.headers.get("x-forwarded-for").split(",")))
+    forwarded_for = request.headers.get("x-forwarded-for")
+    if forwarded_for is None:
+        if hasattr(request, "remote_addr"):
+            return request.remote_addr or "127.0.0.1"
+        return "127.0.0.1"
+    route = list(reversed(forwarded_for.split(",")))
     logger.debug(f"IP Route: {[r for r in route]}")
     trusted_proxies = []
     for proxy in request.app.frigate_config.auth.trusted_proxies: