From 44bb7810a75e6ab0ab43bc9ce12492ff800a96ce Mon Sep 17 00:00:00 2001
From: Hendrik Garske
Date: Thu, 7 May 2026 15:29:40 +0200
Subject: [PATCH] =?UTF-8?q?v0.1.31=20=E2=80=94=20fix:=20PDF-Export=20403?=
 =?UTF-8?q?=20wenn=20IP-Allowlist=20aktiv?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Puppeteer rendert /r/{token} intern von 127.0.0.1 — Allowlist-Check blockierte auch Loopback-Adressen. Loopback (127.x, ::1, ::ffff:127.) wird jetzt vor dem Allowlist-Check ausgenommen.
---
 package.json | 2 +-
 server.ts | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/package.json b/package.json
index 3cd59ce..014b1ca 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "corex-nexredirect",
- "version": "0.1.30",
+ "version": "0.1.31",
 "license": "MIT",
 "overrides": {
 "postcss": "^8.5.13",
diff --git a/server.ts b/server.ts
index dcdaf30..68a6190 100644
--- a/server.ts
+++ b/server.ts
@@ -101,7 +101,7 @@ app.prepare().then(() => {
 return;
 }
 
- // IP allowlist for admin UI (skips /api/v1 public API)
+ // IP allowlist for admin UI (skips /api/v1 public API and loopback)
 const reqPath = parsedUrl.pathname || "/";
 if (!reqPath.startsWith("/api/v1")) {
 const allowlist = parseAllowlist(getSetting("admin_ip_allowlist"));
@@ -110,7 +110,8 @@ app.prepare().then(() => {
 ((req.headers["x-forwarded-for"] || "") as string).split(",")[0].trim() ||
 req.socket.remoteAddress ||
 "unknown";
- if (!isIpAllowed(clientIp, allowlist)) {
+ const isLoopback = clientIp === "127.0.0.1" || clientIp === "::1" || clientIp.startsWith("::ffff:127.");
+ if (!isLoopback && !isIpAllowed(clientIp, allowlist)) {
 res.writeHead(403, { "Content-Type": "text/html; charset=utf-8" });
 res.end(
 `403 Forbidden

403 Forbidden

Deine IP-Adresse (${clientIp}) ist nicht in der Zugriffsliste.

`
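Review bot: The new `isLoopback` test in the second server.ts hunk is evaluated on `clientIp`, which is taken from the first `x-forwarded-for` entry before `req.socket.remoteAddress`, so any remote client can send `X-Forwarded-For: 127.0.0.1` and skip the admin allowlist outright, whereas before this commit a spoofer still had to name an allowlisted address. Derive the exemption from the socket peer instead, and only when no forwarding header is present — which is presumably what the Puppeteer-originated request looks like: `const peer = req.socket.remoteAddress || "";` / `const isLoopback = !req.headers["x-forwarded-for"] && (peer === "127.0.0.1" || peer === "::1" || peer.startsWith("::ffff:127."));`. Independently of the loopback case, `split(",")[0]` trusts the leftmost entry, which stays client-controlled whenever an upstream proxy appends rather than overwrites the header; that is pre-existing, but a comment such as `// NOTE: x-forwarded-for is only trustworthy if the fronting proxy overwrites it; otherwise take the rightmost trusted hop` would keep the trust model visible. The 403 body also interpolates the header-derived `clientIp` into `text/html` unescaped, so it should be HTML-escaped or emitted as plain text. The enclosing request handler begins before this hunk and continues past its end.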