get_ipaddr reads wrong header key ("X_FORWARDED_FOR") and doesn't parse X-Forwarded-For list

[idlefella]

Describe the bug
The function get_ipaddr in slowapi/util.py checks for the header "X_FORWARDED_FOR" (underscores). In practice the header is "X-Forwarded-For" (hyphens) and ASGI/Starlette expose headers case-insensitively (commonly accessible via lowercased keys). Because of this the header lookup fails and the function falls back to request.client.host or "127.0.0.1".

slowapi/slowapi/util.py

Lines 4 to 17 in 5e2b9c1

	def get_ipaddr(request: Request) -> str:
	"""
	Returns the ip address for the current request (or 127.0.0.1 if none found)
	based on the X-Forwarded-For headers.
	Note that a more robust method for determining IP address of the client is
	provided by uvicorn's ProxyHeadersMiddleware.
	"""
	if "X_FORWARDED_FOR" in request.headers:
	return request.headers["X_FORWARDED_FOR"]
	else:
	if not request.client or not request.client.host:
	return "127.0.0.1"
	return request.client.host

To Reproduce
Run a fastapi application behind a reverse proxy like nginx.

Expected behavior
The rate limit should be by the original client IP address (from the X-Forwarded-For header), not by the proxy's IP or the fallback 127.0.0.1. When a reverse proxy sets the X-Forwarded-For header, get_ipaddr should correctly extract and return the client's real IP address for rate limiting purposes.

Screenshots
No screenshots.

Your app (please complete the following information):

• fastapi or starlette? fastapi
• Version? [e.g., fastapi 0.115+]
• slowapi version (have you tried with the latest version)? 0.1.9

Additional context

None

[ArkNill]

This is the same underlying issue reported in #59 — get_ipaddr has never worked with X-Forwarded-For behind a reverse proxy.

The root cause is in slowapi/util.py: the header lookup uses underscores (X_FORWARDED_FOR) which is a WSGI convention. Starlette/ASGI uses hyphens, and Starlette's request.headers does case-insensitive matching but does not convert underscores to hyphens:

>>> "X_FORWARDED_FOR" in request.headers  # always False
>>> "x-forwarded-for" in request.headers  # works

There's also a second issue: X-Forwarded-For can contain multiple IPs (client, proxy1, proxy2), but the current code would return the entire string instead of just the client IP.

A minimal fix for both:

def get_ipaddr(request: Request) -> str:
    if "x-forwarded-for" in request.headers:
        return request.headers["x-forwarded-for"].split(",")[0].strip()
    else:
        if not request.client or not request.client.host:
            return "127.0.0.1"
        return request.client.host

Verified with Starlette TestClient — the current code always falls back to request.client.host, the fix correctly extracts the client IP from single and multi-hop X-Forwarded-For headers.