- Set express trust proxy=1 so req.ip is the real client (one Dokku
nginx hop). Drop the X-Forwarded-For fallback — it was client-spoofable.
- Add a global redeem rate limit (30/min across all IPs) so rotating
proxies can't outpace the per-IP limiter.
- Every failed redeem now decrements life from all active pair codes
via a shared failures counter. After 5 wrong guesses during a code's
5-minute TTL, the owner's real code gets burned and they must re-mint.
This makes the 20-bit entropy of a 6-digit code defensible: an
attacker doesn't know which code is real and can't probe long enough
to find it before triggering the burn.
tony
36118b4a4f