Add IP whitelist for SSO authentication headers (#5404)

* feat: add trusted proxies configuration for SSO authentication

* Refactor check to accept IP address directly

* Refactor IP patterns validation

* Unify warning message format

default/config.yaml

@@ -127,6 +127,13 @@ sso:
   # as that used for authentik. (Ensure the username in authentik
   # is an exact match in lowercase with that in sillytavern).
   authentikAuth: false
+  # List of trusted proxy IPs for SSO authentication.
+  # Supports wildcards or CIDR notation for subnets.
+  # Example: ['127.0.0.1', '192.168.1.1']
+  # Set to ['*'] to trust all proxies (NOT RECOMMENDED unless you have other security measures in place)
+  trustedProxies:
+    - ::1
+    - 127.0.0.1
 
 # Host whitelist configuration. Recommended if you're using a listen mode
 hostWhitelist: