Cambios en .env, gitlab-ci y dockercompose

backend/app/core/rate_limit.py

@@ -25,11 +25,17 @@ def _key_func(request: Request) -> str:
     Devuelve la clave de rate limit para el request.
 
     - Si hay un investigador autenticado en el state, usa su orcid_id.
-    - En caso contrario, usa la IP remota.
+    - Si hay cabecera X-Forwarded-For (ngrok, nginx, cualquier proxy inverso),
+      usa la primera IP de la cadena (la del cliente real).
+    - En caso contrario, usa la IP remota del socket.
     """
     researcher = getattr(request.state, "researcher", None)
     if researcher is not None:
         return f"user:{getattr(researcher, 'orcid_id', None) or researcher.id}"
+    forwarded_for = request.headers.get("x-forwarded-for")
+    if forwarded_for:
+        client_ip = forwarded_for.split(",")[0].strip()
+        return f"ip:{client_ip}"
     return f"ip:{get_remote_address(request)}"
 
 

backend/app/core/security_headers.py

@@ -49,7 +49,8 @@ class SecurityHeadersMiddleware(BaseHTTPMiddleware):
             "geolocation=(), microphone=(), camera=(), payment=(), usb=(), "
             "accelerometer=(), gyroscope=(), magnetometer=(), interest-cohort=()",
         )
-        response.headers.setdefault("Cross-Origin-Opener-Policy", "same-origin")
+       
+        response.headers.setdefault("Cross-Origin-Opener-Policy", "same-origin-allow-popups")
         response.headers.setdefault("Cross-Origin-Resource-Policy", "same-site")
         response.headers.setdefault("X-Permitted-Cross-Domain-Policies", "none")
 
@@ -66,7 +67,6 @@ class SecurityHeadersMiddleware(BaseHTTPMiddleware):
                 hsts += "; preload"
             response.headers.setdefault("Strict-Transport-Security", hsts)
 
-        # `MutableHeaders` no implementa `.pop()`. Eliminamos de forma segura.
         if "server" in response.headers:
             del response.headers["server"]
         if "x-powered-by" in response.headers: