fix: disable trustProxy validation in express-rate-limit

Indiekit sets Express trust proxy to true globally (it runs behind a
reverse proxy). express-rate-limit v7+ throws ERR_ERL_PERMISSIVE_TRUST_PROXY
in that configuration. Disable the check since the proxy (Cloudron nginx)
is trusted infra.
Ricardo
2026-03-28 22:52:13 +01:00
parent 7a219cacc0
commit 6f2f2b7f83
2 changed files with 8 additions and 2 deletions
+7 -1
@@ -22,13 +22,17 @@ import searchRouter from "./routes/search.js";
import mediaRouter from "./routes/media.js";
import stubsRouter from "./routes/stubs.js";
// Rate limiters for different endpoint categories
// Rate limiters for different endpoint categories.
// validate.trustProxy disabled — Indiekit sets Express trust proxy to true
// (behind Cloudron/nginx), which express-rate-limit v7+ rejects as too
// permissive. The proxy is trusted infrastructure, not user-controlled.
const apiLimiter = rateLimit({
windowMs: 5 * 60 * 1000, // 5 minutes
max: 300,
standardHeaders: true,
legacyHeaders: false,
message: { error: "Too many requests, please try again later" },
validate: { trustProxy: false },
});
const authLimiter = rateLimit({
@@ -37,6 +41,7 @@ const authLimiter = rateLimit({
standardHeaders: true,
legacyHeaders: false,
message: { error: "Too many authentication attempts" },
validate: { trustProxy: false },
});
const appRegistrationLimiter = rateLimit({
@@ -45,6 +50,7 @@ const appRegistrationLimiter = rateLimit({
standardHeaders: true,
legacyHeaders: false,
message: { error: "Too many app registrations" },
validate: { trustProxy: false },
});
/**
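Review bot: `validate: { trustProxy: false }` on `apiLimiter`, `authLimiter` and `appRegistrationLimiter` silences the warning without changing what it warns about: with Express `trust proxy` set to `true`, `req.ip` is the leftmost `X-Forwarded-For` entry, so the default rate-limit key is only reliable if the proxy overwrites that header rather than appending to a client-supplied one. The new comment justifies the change by the proxy being trusted infrastructure, which is a different property; whether Cloudron's nginx overwrites the header is not visible here and should be confirmed, since `authLimiter` is the control that would be weakened most. I would state the assumption in the comment, e.g. `// Relies on the proxy overwriting X-Forwarded-For; if it appends, req.ip is client-supplied and these limits no longer bind.`, or preferably have the host set `trust proxy` to the hop count (`1`) so the check passes without being disabled. The `authLimiter` and `appRegistrationLimiter` definitions start outside their hunks.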
+1 -1
@@ -1,6 +1,6 @@
{
"name": "@rmdes/indiekit-endpoint-activitypub",
"version": "3.10.5",
"version": "3.10.6",
"description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
"keywords": [
"indiekit",