01:39 <blacknova> hi, anyone familiar with Plaid API's ruby quickstart sample app? https://github.com/plaid/quickstart/blob/master/ruby/app.rb it seems to use Sinatra which uses Rack::Protection and trying to get it to stop thinking localhost calls are "attacks". Tried changing L15 to `use Rack::Protection, except: [:json_csrf, :host_authorization]` and restarted their container to no avail :/

01:40 <blacknova> Any help appreciated!

02:30 <blacknova> tried adding `use Rack::Protection::HostAuthorization, permitted_hosts: ["localhost"]` but still keep getting `quickstart-ruby-1 | W, [2025-04-28T02:24:42.942950 #1] WARN -- : attack prevented by Rack::Protection::HostAuthorization`

02:30 <blacknova> `quickstart-ruby-1 | 172.19.0.2 - - [28/Apr/2025:02:24:42 +0000] "POST /api/create_link_token HTTP/1.1" 403 - 0.0003` I'm assuming it's originating from https://github.com/sinatra/sinatra/blob/main/rack-protection/lib/rack/protection/host_authorization.rb ?

02:38 <mange> If you're running in a container then the requests won't be coming from "localhost", they'll be coming from another IP address that represents the host from inside the container. 172.19.0.2 is a reserved IP, so I assume that's it.

03:36 <blacknova> mange: yes, I already tried adding that too as `ip_hosts` per https://github.com/sinatra/sinatra/blob/main/rack-protection/lib/rack/protection/host_authorization.rb#L37 in the style of L19 to no avail, truly stumped :(

03:37 <blacknova> `use Rack::Protection::HostAuthorization, ip_hosts: ["172.22.0.2"]`

03:37 <blacknova> had to rebuild the container as nothing was working

03:37 <blacknova> I don't understand why this is so hard

03:40 <blacknova> this Debian ("Bullseye") container doesn't have `ip addr...` but `/etc/hosts` shows what the container's IP is and I assume source IP is from that message