feat: add browser proxy helpers: forward_export_request and logfire_proxy

[AlanPonnachan]

Closes #1640

Description

This PR adds experimental helper functions to simplify setting up a backend proxy for browser monitoring.

Problem:
To send traces/logs from a browser (frontend) to Logfire, the browser needs to authenticate. However, exposing the Logfire Write Token in frontend code is insecure. The recommended solution is to send data to the backend, which then forwards it to Logfire with the token injected.

Solution (Updated):
This PR introduces two new functions in logfire.experimental.forwarding to make this pattern trivial to implement while allowing maximum flexibility for production security:

1. forward_export_request(...): A low-level function that takes request details (method, path, headers, body), strips sensitive client headers, injects the server's configured Logfire token, and securely forwards it to the Logfire API.
2. logfire_proxy: An asynchronous Starlette/FastAPI handler. By exposing this as a standalone handler rather than a baked-in method, developers can mount it to their own routes. This makes it easy to add FastAPI dependencies (like custom authentication, CORS, or rate-limiting) to protect the endpoint.

Usage Example

FastAPI

from fastapi import FastAPI
import logfire
from logfire.experimental.forwarding import logfire_proxy

app = FastAPI()
logfire.configure()

# Mount the proxy handler. The browser OTel SDK can now send traces to /logfire-proxy/v1/traces
# Note: You can easily add dependencies here for authentication: dependencies=[Depends(verify_session)]
app.add_route('/logfire-proxy/{path:path}', logfire_proxy, methods=['POST'])

Implementation Details

• Security: forward_export_request strictly validates that the method is POST and the target path starts with /v1/traces, /v1/logs, or /v1/metrics. It also normalizes paths to prevent directory traversal attacks.
• Headers: Hop-by-hop headers (like Host, Content-Length) and sensitive headers (like client-side Authorization or Cookie) are stripped before forwarding.
• DoS Mitigation: The logfire_proxy handler enforces a configurable body size limit (default 50MB) checking both the Content-Length header early and the actual body read late.
• Observability: The outbound proxy request is wrapped in logfire.suppress_instrumentation() so the proxy doesn't generate infinite traces of its own exported telemetry.

Changes

• New Module: Created logfire/experimental/forwarding.py to encapsulate the forwarding logic and ASGI handler, keeping the core Logfire class clean.
• Tests: Added tests/test_experimental_forwarding.py covering path traversal, limits, method restrictions, explicit configs.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[AlanPonnachan]

@alexmojaki comments are resolved and all tests are passing.

[alexmojaki]

ideally this would use a session created in logfire.configure, which in particular would handle retrying. let that be a followup.

[alexmojaki]

possible followup: gzip compression

[devin-ai-integration]

Devin Review found 1 new potential issue.

View 17 additional findings in Devin Review.

[AlanPonnachan]

@alexmojaki

[alexmojaki]

Thanks! Please also write some documentation.