fix: avoid o(2n) complexity in acl lookup

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,38 +0,0 @@
----
-name: Bug report
-about: Create a report to help improve Tinyauth
-title: "[BUG]"
-labels: bug
-assignees:
-  - steveiliop56
-
----
-
-**Describe the bug**
-A clear and concise description of what the bug is.
-
-**To Reproduce**
-Steps to reproduce the behavior:
-1. Go to '...'
-2. Click on '....'
-3. Scroll down to '....'
-4. See error
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
-
-**Logs**
-Please include the Tinyauth logs below, make sure to not include sensitive info.
-
-**Device (please complete the following information):**
- - OS: [e.g. iOS]
- - Browser [e.g. chrome, safari]
- - Tinyauth [e.g. v2.1.1]
- - Docker [e.g. 27.3.1]
-
-**
-**Additional context**
-Add any other context about the problem here.

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,89 @@
+name: Bug Report
+description: Create a report to help us improve this project
+title: "[BUG]"
+labels: bug
+assignees:
+  - steveiliop56
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for reporting a bug! Please provide detailed information below.
+
+  - type: textarea
+    id: description
+    attributes:
+      label: Describe the Bug
+      description: "A clear and concise description of what the bug is."
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: How to Reproduce
+      description: Steps to reproduce the behavior.
+      value: |
+        1. Go to '...'
+        2. Click on '....'
+        3. Scroll down to '....'
+        4. See error
+    validations:
+      required: false
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected Behavior
+      description: "A clear and concise description of what you expected to happen."
+    validations:
+      required: true
+
+  - type: textarea
+    id: context
+    attributes:
+      label: "Additional Context"
+      description: "If applicable add screenshots to help explain your problem."
+    validations:
+      required: false
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: "Logs"
+      description: "Please include the Tinyauth logs, make sure to not include sensitive info."
+    validations:
+      required: false
+
+  - type: input
+    id: os
+    attributes:
+      label: Operating System
+      placeholder: "e.g. iOS, Android, Windows, Linux, etc"
+
+  - type: input
+    id: browser
+    attributes:
+      label: Browser
+      placeholder: "e.g. Chrome, Firefox, Safari, Edge, etc"
+
+  - type: input
+    id: tinyauth
+    attributes:
+      label: Tinyauth Version
+      placeholder: "e.g. v5.0.0"
+
+  - type: input
+    id: docker
+    attributes:
+      label: Docker Version (if applicable)
+      placeholder: "e.g. 27.3.1"
+
+  - type: checkboxes
+    id: not-llm
+    attributes:
+      label: Human Written Confirmation
+      options:
+        - label: I confirm this issue was written by me and not generated by an LLM or AI assistant.
+          required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Tinyauth Community Support on Discord
+    url: https://discord.gg/eHzVaCzRRd
+    about: Please ask and answer questions here.
+  - name: Tinyauth Documentation
+    url: https://tinyauth.app/docs/getting-started/
+    about: Please check the documentation here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,21 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-title: "[FEATURE]"
-labels: enhancement
-assignees:
-  - steveiliop56
-
----
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,52 @@
+name: Feature request
+description: Suggest an idea for this project
+title: "[FEATURE]"
+labels: enhancement
+assignees:
+  - steveiliop56
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for suggesting a feature! Please provide detailed information below.
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Is your feature request related to a problem? Please describe.
+      description: "A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]"
+    validations:
+      required: false
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: Describe the solution you'd like.
+      description: "A clear and concise description of what you want to happen."
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Describe alternatives you've considered.
+      description: "A clear and concise description of any alternative solutions or features you've considered."
+    validations:
+      required: false
+
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional context
+      description: "Add any other context or screenshots about the feature request here."
+    validations:
+      required: false
+
+  - type: checkboxes
+    id: not-llm
+    attributes:
+      label: Human Written Confirmation
+      options:
+        - label: I confirm this request was written by me and not generated by an LLM or AI assistant.
+          required: true

.github/dependabot.yml

@@ -1,6 +1,6 @@
 version: 2
 updates:
-  - package-ecosystem: "bun"
+  - package-ecosystem: "npm"
     directory: "/frontend"
     groups:
       minor-patch:

.github/workflows/ci.yml

@@ -15,8 +15,10 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Setup bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+      - name: Setup pnpm
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        with:
+          package_json_file: ./frontend/package.json
 
       - name: Setup go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -27,27 +29,22 @@ jobs:
         run: go mod download
 
       - name: Install frontend dependencies
-        run: |
-          cd frontend
-          bun install --frozen-lockfile
+        working-directory: ./frontend
+        run: pnpm ci
 
       - name: Set version
-        run: |
-          echo testing > internal/assets/version
+        run: echo testing > internal/assets/version
 
       - name: Lint frontend
-        run: |
-          cd frontend
-          bun run lint
+        working-directory: ./frontend
+        run: pnpm run lint
 
       - name: Build frontend
-        run: |
-          cd frontend
-          bun run build
+        working-directory: ./frontend
+        run: pnpm run build
 
       - name: Copy frontend
-        run: |
-          cp -r frontend/dist internal/assets/dist
+        run: cp -r frontend/dist internal/assets/dist
 
       - name: Run tests
         run: go test -coverprofile=coverage.txt -v ./...

.github/workflows/nightly.yml

@@ -59,8 +59,10 @@ jobs:
         with:
           ref: nightly
 
-      - name: Install bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+      - name: Setup pnpm
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        with:
+          package_json_file: ./frontend/package.json
 
       - name: Install go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -68,18 +70,15 @@ jobs:
           go-version: "^1.26.0"
 
       - name: Install frontend dependencies
-        run: |
-          cd frontend
-          bun install --frozen-lockfile
+        working-directory: ./frontend
+        run: pnpm ci
 
       - name: Install backend dependencies
-        run: |
-          go mod download
+        run: go mod download
 
       - name: Build frontend
-        run: |
-          cd frontend
-          bun run build
+        working-directory: ./frontend
+        run: pnpm run build
 
       - name: Build
         run: |
@@ -105,8 +104,10 @@ jobs:
         with:
           ref: nightly
 
-      - name: Install bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+      - name: Setup pnpm
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        with:
+          package_json_file: ./frontend/package.json
 
       - name: Install go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -114,18 +115,15 @@ jobs:
           go-version: "^1.26.0"
 
       - name: Install frontend dependencies
-        run: |
-          cd frontend
-          bun install --frozen-lockfile
+        working-directory: ./frontend
+        run: pnpm ci
 
       - name: Install backend dependencies
-        run: |
-          go mod download
+        run: go mod download
 
       - name: Build frontend
-        run: |
-          cd frontend
-          bun run build
+        working-directory: ./frontend
+        run: pnpm run build
 
       - name: Build
         run: |

.github/workflows/release.yml

@@ -35,8 +35,10 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Install bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+      - name: Setup pnpm
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        with:
+          package_json_file: ./frontend/package.json
 
       - name: Install go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -44,18 +46,15 @@ jobs:
           go-version: "^1.26.0"
 
       - name: Install frontend dependencies
-        run: |
-          cd frontend
-          bun install --frozen-lockfile
+        working-directory: ./frontend
+        run: pnpm ci
 
       - name: Install backend dependencies
-        run: |
-          go mod download
+        run: go mod download
 
       - name: Build frontend
-        run: |
-          cd frontend
-          bun run build
+        working-directory: ./frontend
+        run: pnpm run build
 
       - name: Build
         run: |
@@ -78,8 +77,10 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Install bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+      - name: Setup pnpm
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        with:
+          package_json_file: ./frontend/package.json
 
       - name: Install go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -87,18 +88,15 @@ jobs:
           go-version: "^1.26.0"
 
       - name: Install frontend dependencies
-        run: |
-          cd frontend
-          bun install --frozen-lockfile
+        working-directory: ./frontend
+        run: pnpm ci
 
       - name: Install backend dependencies
-        run: |
-          go mod download
+        run: go mod download
 
       - name: Build frontend
-        run: |
-          cd frontend
-          bun run build
+        working-directory: ./frontend
+        run: pnpm run build
 
       - name: Build
         run: |

CONTRIBUTING.md

@@ -7,7 +7,7 @@ Contributing to Tinyauth is straightforward. Follow the steps below to set up a
 
 ## Requirements
 
-- Bun
+- pnpm
 - Golang v1.24.0 or later
 - Git
 - Docker
@@ -34,7 +34,7 @@ Frontend dependencies can be installed as follows:
 
 ```sh
 cd frontend/
-bun install
+pnpm ci
 ```
 
 ## Create the `.env` file

Dockerfile

@@ -1,12 +1,14 @@
 # Site builder
-FROM oven/bun:1.3.13-alpine AS frontend-builder
+FROM node:26.1-alpine3.23 AS frontend-builder
 
 WORKDIR /frontend
 
-COPY ./frontend/package.json ./
-COPY ./frontend/bun.lock ./
+RUN npm install -g pnpm@11.1.2
 
-RUN bun install --frozen-lockfile
+COPY ./frontend/package.json ./
+COPY ./frontend/pnpm-lock.yaml ./
+
+RUN pnpm ci
 
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -17,7 +19,7 @@ COPY ./frontend/tsconfig.app.json ./
 COPY ./frontend/tsconfig.node.json ./
 COPY ./frontend/vite.config.ts ./
 
-RUN bun run build
+RUN pnpm run build
 
 # Builder
 FROM golang:1.26-alpine3.23 AS builder

Dockerfile.dev

@@ -8,7 +8,7 @@ COPY go.sum ./
 RUN go mod download
 
 RUN go install github.com/air-verse/air@v1.61.7
-RUN go install github.com/go-delve/delve/cmd/dlv@latest
+RUN go install github.com/go-delve/delve/cmd/dlv@v1.26.3
 
 COPY ./cmd ./cmd
 COPY ./internal ./internal

Dockerfile.distroless

@@ -1,12 +1,14 @@
 # Site builder
-FROM oven/bun:1.3.13-alpine AS frontend-builder
+FROM node:26.1-alpine3.23 AS frontend-builder
 
 WORKDIR /frontend
 
-COPY ./frontend/package.json ./
-COPY ./frontend/bun.lock ./
+RUN npm install -g pnpm@11.1.2
 
-RUN bun install --frozen-lockfile
+COPY ./frontend/package.json ./
+COPY ./frontend/pnpm-lock.yaml ./
+
+RUN pnpm ci
 
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -17,7 +19,7 @@ COPY ./frontend/tsconfig.app.json ./
 COPY ./frontend/tsconfig.node.json ./
 COPY ./frontend/vite.config.ts ./
 
-RUN bun run build
+RUN pnpm run build
 
 # Builder
 FROM golang:1.26-alpine3.23 AS builder

Makefile

@@ -17,7 +17,7 @@ PROD_COMPOSE := $(shell test -f "docker-compose.test.prod.yml" && echo "docker-c
 
 # Deps
 deps:
-	bun install --frozen-lockfile --cwd frontend
+	cd frontend && pnpm ci
 	go mod download
 
 # Clean data
@@ -31,7 +31,7 @@ clean-webui:
 
 # Build the web UI
 webui: clean-webui
-	bun run --cwd frontend build
+	cd frontend && pnpm run build
 	cp -r frontend/dist internal/assets
 
 # Build the binary

frontend/.prettierignore

@@ -1,6 +0,0 @@
-# Ignore artifacts:
-dist
-node_modules
-bun.lock
-package.json
-src/lib/i18n/locales

frontend/.prettierrc

@@ -1 +0,0 @@
-{}

frontend/Dockerfile.dev

@@ -1,11 +1,13 @@
-FROM oven/bun:1.2.16-alpine
+FROM node:26.1-alpine3.23
+
+RUN npm install -g pnpm@11.1.2
 
 WORKDIR /frontend
 
 COPY ./frontend/package.json ./
-COPY ./frontend/bun.lock ./
+COPY ./frontend/pnpm-lock.yaml ./
 
-RUN bun install --frozen-lockfile
+RUN pnpm ci
 
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -19,4 +21,4 @@ COPY ./frontend/vite.config.ts ./
 
 EXPOSE 5173
 
-ENTRYPOINT ["bun", "run", "dev"]
+ENTRYPOINT ["pnpm", "run", "dev"]

frontend/package.json

@@ -10,6 +10,7 @@
     "preview": "vite preview",
     "tsc": "tsc -b"
   },
+  "packageManager": "pnpm@11.1.2",
   "dependencies": {
     "@hookform/resolvers": "^5.2.2",
     "@radix-ui/react-dropdown-menu": "^2.1.16",
@@ -17,44 +18,44 @@
     "@radix-ui/react-select": "^2.2.6",
     "@radix-ui/react-separator": "^1.1.8",
     "@radix-ui/react-slot": "^1.2.4",
-    "@tailwindcss/vite": "^4.3.0",
-    "@tanstack/react-query": "^5.100.10",
-    "axios": "^1.16.1",
+    "@tailwindcss/vite": "^4.2.2",
+    "@tanstack/react-query": "^5.99.0",
+    "axios": "^1.15.0",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
-    "i18next": "^26.2.0",
+    "i18next": "^26.0.4",
     "i18next-browser-languagedetector": "^8.2.1",
     "i18next-resources-to-backend": "^1.2.1",
-    "lucide-react": "^1.16.0",
+    "lucide-react": "^1.8.0",
     "next-themes": "^0.4.6",
     "radix-ui": "^1.4.3",
-    "react": "^19.2.6",
-    "react-dom": "^19.2.6",
-    "react-hook-form": "^7.75.0",
-    "react-i18next": "^17.0.8",
+    "react": "^19.2.5",
+    "react-dom": "^19.2.5",
+    "react-hook-form": "^7.72.1",
+    "react-i18next": "^17.0.2",
     "react-markdown": "^10.1.0",
-    "react-router": "^7.15.1",
+    "react-router": "^7.14.0",
     "sonner": "^2.0.7",
-    "tailwind-merge": "^3.6.0",
-    "tailwindcss": "^4.3.0",
-    "zod": "^4.4.3"
+    "tailwind-merge": "^3.5.0",
+    "tailwindcss": "^4.2.2",
+    "zod": "^4.3.6"
   },
   "devDependencies": {
     "@eslint/js": "^10.0.1",
-    "@tanstack/eslint-plugin-query": "^5.100.10",
-    "@types/node": "^25.8.0",
+    "@tanstack/eslint-plugin-query": "^5.99.0",
+    "@types/node": "^25.6.0",
     "@types/react": "^19.2.14",
     "@types/react-dom": "^19.2.3",
-    "@vitejs/plugin-react": "^6.0.2",
-    "eslint": "^10.3.0",
-    "eslint-plugin-react-hooks": "^7.1.1",
+    "@vitejs/plugin-react": "^6.0.1",
+    "eslint": "^10.2.0",
+    "eslint-plugin-react-hooks": "^7.0.1",
     "eslint-plugin-react-refresh": "^0.5.2",
-    "globals": "^17.6.0",
-    "prettier": "3.8.3",
+    "globals": "^17.5.0",
+    "prettier": "3.8.2",
     "rollup-plugin-visualizer": "^7.0.1",
     "tw-animate-css": "^1.4.0",
-    "typescript": "~6.0.3",
-    "typescript-eslint": "^8.59.3",
-    "vite": "^8.0.13"
+    "typescript": "~6.0.2",
+    "typescript-eslint": "^8.58.1",
+    "vite": "^8.0.8"
   }
 }

frontend/pnpm-workspace.yaml

@@ -0,0 +1,4 @@
+dangerouslyAllowAllBuilds: false
+blockExoticSubdeps: true
+minimumReleaseAge: 1440 # 1 day
+trustPolicy: no-downgrade

internal/bootstrap/app_bootstrap.go

@@ -34,6 +34,7 @@ type Services struct {
 	ldapService          *service.LdapService
 	oauthBrokerService   *service.OAuthBrokerService
 	oidcService          *service.OIDCService
+	policyEngine         *service.PolicyEngine
 }
 
 type BootstrapApp struct {

internal/bootstrap/router_bootstrap.go

@@ -44,7 +44,7 @@ func (app *BootstrapApp) setupRouter() error {
 	controller.NewContextController(app.log, app.config, app.runtime, apiRouter)
 	controller.NewOAuthController(app.log, app.config, app.runtime, apiRouter, app.services.authService)
 	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, apiRouter)
-	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.accessControlService, app.services.authService)
+	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.accessControlService, app.services.authService, app.services.policyEngine)
 	controller.NewUserController(app.log, app.runtime, apiRouter, app.services.authService)
 	controller.NewResourcesController(app.config, &engine.RouterGroup)
 	controller.NewHealthController(apiRouter)

internal/bootstrap/service_bootstrap.go

@@ -16,38 +16,21 @@ func (app *BootstrapApp) setupServices() error {
 
 	app.services.ldapService = ldapService
 
-	useKubernetes := app.config.LabelProvider == "kubernetes" ||
-		(app.config.LabelProvider == "auto" && os.Getenv("KUBERNETES_SERVICE_HOST") != "")
+	labelProvider, err := app.getLabelProvider()
 
-	var labelProvider service.LabelProvider
-
-	if useKubernetes {
-		app.log.App.Debug().Msg("Using Kubernetes label provider")
-
-		kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, &app.wg)
-
-		if err != nil {
-			return fmt.Errorf("failed to initialize kubernetes service: %w", err)
-		}
-
-		app.services.kubernetesService = kubernetesService
-		labelProvider = kubernetesService
-	} else {
-		app.log.App.Debug().Msg("Using Docker label provider")
-
-		dockerService, err := service.NewDockerService(app.log, app.ctx, &app.wg)
-
-		if err != nil {
-			return fmt.Errorf("failed to initialize docker service: %w", err)
-		}
-
-		app.services.dockerService = dockerService
-		labelProvider = dockerService
+	if err != nil {
+		return fmt.Errorf("failed to initialize label provider: %w", err)
 	}
 
-	accessControlsService := service.NewAccessControlsService(app.log, &labelProvider, app.config.Apps)
+	accessControlsService := service.NewAccessControlsService(app.log, app.config, &labelProvider)
 	app.services.accessControlService = accessControlsService
 
+	err = app.setupPolicyEngine()
+
+	if err != nil {
+		return fmt.Errorf("failed to initialize policy engine: %w", err)
+	}
+
 	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
 	app.services.oauthBrokerService = oauthBrokerService
 
@@ -64,3 +47,79 @@ func (app *BootstrapApp) setupServices() error {
 
 	return nil
 }
+
+func (app *BootstrapApp) getLabelProvider() (service.LabelProvider, error) {
+	switch app.config.LabelProvider {
+	case "none", "docker", "kubernetes", "auto":
+		if app.config.LabelProvider == "none" {
+			return nil, nil
+		}
+
+		useKubernetes := app.config.LabelProvider == "kubernetes" ||
+			(app.config.LabelProvider == "auto" && os.Getenv("KUBERNETES_SERVICE_HOST") != "")
+
+		if useKubernetes {
+			app.log.App.Debug().Msg("Using Kubernetes label provider")
+
+			kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, &app.wg)
+
+			if err != nil {
+				return nil, fmt.Errorf("failed to initialize kubernetes service: %w", err)
+			}
+
+			app.services.kubernetesService = kubernetesService
+			return kubernetesService, nil
+		}
+
+		app.log.App.Debug().Msg("Using Docker label provider")
+
+		dockerService, err := service.NewDockerService(app.log, app.ctx, &app.wg)
+
+		if err != nil {
+			return nil, fmt.Errorf("failed to initialize docker service: %w", err)
+		}
+
+		if dockerService == nil {
+			if app.config.LabelProvider == "docker" {
+				app.log.App.Warn().Msg("Docker label provider selected but Docker is not available, will continue without it")
+			}
+			return nil, nil
+		}
+
+		app.services.dockerService = dockerService
+		return dockerService, nil
+	default:
+		return nil, fmt.Errorf("invalid label provider: %s", app.config.LabelProvider)
+	}
+}
+
+func (app *BootstrapApp) setupPolicyEngine() error {
+	policyEngine, err := service.NewPolicyEngine(app.config, app.log)
+
+	if err != nil {
+		return fmt.Errorf("failed to initialize policy engine: %w", err)
+	}
+
+	policyEngine.RegisterRule(service.RuleUserAllowed, &service.UserAllowedRule{
+		Log: app.log,
+	})
+	policyEngine.RegisterRule(service.RuleOAuthGroup, &service.OAuthGroupRule{
+		Log: app.log,
+	})
+	policyEngine.RegisterRule(service.RuleLDAPGroup, &service.LDAPGroupRule{
+		Log: app.log,
+	})
+	policyEngine.RegisterRule(service.RuleAuthEnabled, &service.AuthEnabledRule{
+		Log: app.log,
+	})
+	policyEngine.RegisterRule(service.RuleIPAllowed, &service.IPAllowedRule{
+		Log:    app.log,
+		Config: app.config,
+	})
+	policyEngine.RegisterRule(service.RuleIPBypassed, &service.IPBypassedRule{
+		Log: app.log,
+	})
+
+	app.services.policyEngine = policyEngine
+	return nil
+}

internal/controller/oauth_controller.go

@@ -208,7 +208,12 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		name = user.Name
 	} else {
 		controller.log.App.Debug().Msg("No name from OAuth provider, generating from email")
-		name = fmt.Sprintf("%s (%s)", utils.Capitalize(strings.Split(user.Email, "@")[0]), strings.Split(user.Email, "@")[1])
+		parts := strings.SplitN(user.Email, "@", 2)
+		if len(parts) == 2 {
+			name = fmt.Sprintf("%s (%s)", utils.Capitalize(parts[0]), parts[1])
+		} else {
+			name = utils.Capitalize(user.Email)
+		}
 	}
 
 	var username string

internal/controller/oidc_controller.go

@@ -146,7 +146,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	client, ok := controller.oidc.GetClient(req.ClientID)
 
 	if !ok {
-		controller.authorizeError(c, err, "Client not found", "The client ID is invalid", "", "", "")
+		controller.authorizeError(c, fmt.Errorf("client not found: %s", req.ClientID), "Client not found", "The client ID is invalid", "", "", "")
 		return
 	}
 
@@ -288,7 +288,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
 		if err != nil {
 			if err := controller.oidc.DeleteTokenByCodeHash(c, controller.oidc.Hash(req.Code)); err != nil {
-				controller.log.App.Error().Err(err).Msg("Failed to delete code")
+				controller.log.App.Error().Err(err).Msg("Failed to revoke tokens for replayed code")
 			}
 			if errors.Is(err, service.ErrCodeNotFound) {
 				controller.log.App.Warn().Msg("Code not found")

internal/controller/proxy_controller.go

@@ -3,6 +3,7 @@ package controller
 import (
 	"errors"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
 	"regexp"
@@ -51,10 +52,11 @@ type ProxyContext struct {
 }
 
 type ProxyController struct {
-	log     *logger.Logger
-	runtime model.RuntimeConfig
-	acls    *service.AccessControlsService
-	auth    *service.AuthService
+	log          *logger.Logger
+	runtime      model.RuntimeConfig
+	acls         *service.AccessControlsService
+	auth         *service.AuthService
+	policyEngine *service.PolicyEngine
 }
 
 func NewProxyController(
@@ -63,12 +65,14 @@ func NewProxyController(
 	router *gin.RouterGroup,
 	acls *service.AccessControlsService,
 	auth *service.AuthService,
+	policyEngine *service.PolicyEngine,
 ) *ProxyController {
 	controller := &ProxyController{
-		log:     log,
-		runtime: runtime,
-		acls:    acls,
-		auth:    auth,
+		log:          log,
+		runtime:      runtime,
+		acls:         acls,
+		auth:         auth,
+		policyEngine: policyEngine,
 	}
 
 	proxyGroup := router.Group("/auth")
@@ -101,7 +105,13 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 
 	clientIP := c.ClientIP()
 
-	if controller.auth.IsBypassedIP(clientIP, acls) {
+	aclsCtx := &service.ACLContext{
+		ACLs: acls,
+		IP:   net.ParseIP(clientIP),
+		Path: proxyCtx.Path,
+	}
+
+	if controller.policyEngine.Evaluate(service.RuleIPBypassed, aclsCtx) {
 		controller.setHeaders(c, acls)
 		c.JSON(200, gin.H{
 			"status":  200,
@@ -110,15 +120,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, acls)
-
-	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to determine if authentication is enabled for resource")
-		controller.handleError(c, proxyCtx)
-		return
-	}
-
-	if !authEnabled {
+	if controller.policyEngine.Evaluate(service.RuleAuthEnabled, aclsCtx) {
 		controller.log.App.Debug().Msg("Authentication is disabled for this resource, allowing access without authentication")
 		controller.setHeaders(c, acls)
 		c.JSON(200, gin.H{
@@ -128,7 +130,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	if !controller.auth.CheckIP(clientIP, acls) {
+	if !controller.policyEngine.Evaluate(service.RuleIPAllowed, aclsCtx) {
 		queries, err := query.Values(UnauthorizedQuery{
 			Resource: strings.Split(proxyCtx.Host, ".")[0],
 			IP:       clientIP,
@@ -144,9 +146,9 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 
 		if !controller.useBrowserResponse(proxyCtx) {
 			c.Header("x-tinyauth-location", redirectURL)
-			c.JSON(401, gin.H{
-				"status":  401,
-				"message": "Unauthorized",
+			c.JSON(403, gin.H{
+				"status":  403,
+				"message": "Forbidden",
 			})
 			return
 		}
@@ -164,10 +166,10 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		}
 	}
 
-	if userContext.Authenticated {
-		userAllowed := controller.auth.IsUserAllowed(c, *userContext, acls)
+	aclsCtx.UserContext = userContext
 
-		if !userAllowed {
+	if userContext.Authenticated {
+		if !controller.policyEngine.Evaluate(service.RuleUserAllowed, aclsCtx) {
 			controller.log.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User is not allowed to access resource")
 
 			queries, err := query.Values(UnauthorizedQuery{
@@ -205,9 +207,9 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			var groupOK bool
 
 			if userContext.IsOAuth() {
-				groupOK = controller.auth.IsInOAuthGroup(c, *userContext, acls)
+				groupOK = controller.policyEngine.Evaluate(service.RuleOAuthGroup, aclsCtx)
 			} else {
-				groupOK = controller.auth.IsInLDAPGroup(c, *userContext, acls)
+				groupOK = controller.policyEngine.Evaluate(service.RuleLDAPGroup, aclsCtx)
 			}
 
 			if !groupOK {

internal/controller/proxy_controller_test.go

@@ -24,33 +24,6 @@ func TestProxyController(t *testing.T) {
 
 	cfg, runtime := test.CreateTestConfigs(t)
 
-	acls := map[string]model.App{
-		"app_path_allow": {
-			Config: model.AppConfig{
-				Domain: "path-allow.example.com",
-			},
-			Path: model.AppPath{
-				Allow: "/allowed",
-			},
-		},
-		"app_user_allow": {
-			Config: model.AppConfig{
-				Domain: "user-allow.example.com",
-			},
-			Users: model.AppUsers{
-				Allow: "testuser",
-			},
-		},
-		"ip_bypass": {
-			Config: model.AppConfig{
-				Domain: "ip-bypass.example.com",
-			},
-			IP: model.AppIP{
-				Bypass: []string{"10.10.10.10"},
-			},
-		},
-	}
-
 	const browserUserAgent = `
 	Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Mobile Safari/537.36`
 
@@ -391,7 +364,29 @@ func TestProxyController(t *testing.T) {
 
 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
 	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, queries, broker)
-	aclsService := service.NewAccessControlsService(log, nil, acls)
+	aclsService := service.NewAccessControlsService(log, cfg, nil)
+	policyEngine, err := service.NewPolicyEngine(cfg, log)
+	require.NoError(t, err)
+
+	policyEngine.RegisterRule(service.RuleUserAllowed, &service.UserAllowedRule{
+		Log: log,
+	})
+	policyEngine.RegisterRule(service.RuleOAuthGroup, &service.OAuthGroupRule{
+		Log: log,
+	})
+	policyEngine.RegisterRule(service.RuleLDAPGroup, &service.LDAPGroupRule{
+		Log: log,
+	})
+	policyEngine.RegisterRule(service.RuleAuthEnabled, &service.AuthEnabledRule{
+		Log: log,
+	})
+	policyEngine.RegisterRule(service.RuleIPAllowed, &service.IPAllowedRule{
+		Log:    log,
+		Config: cfg,
+	})
+	policyEngine.RegisterRule(service.RuleIPBypassed, &service.IPBypassedRule{
+		Log: log,
+	})
 
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
@@ -406,7 +401,7 @@ func TestProxyController(t *testing.T) {
 
 			recorder := httptest.NewRecorder()
 
-			controller.NewProxyController(log, runtime, group, aclsService, authService)
+			controller.NewProxyController(log, runtime, group, aclsService, authService, policyEngine)
 
 			test.run(t, router, recorder)
 		})

internal/controller/resources_controller.go

@@ -32,7 +32,7 @@ func (controller *ResourcesController) resourcesHandler(c *gin.Context) {
 	if controller.config.Resources.Path == "" {
 		c.JSON(404, gin.H{
 			"status":  404,
-			"message": "Resources not found",
+			"message": "Resource not found",
 		})
 		return
 	}

internal/model/config.go

@@ -24,6 +24,9 @@ func NewDefaultConfiguration() *Config {
 			SessionMaxLifetime: 0,     // disabled
 			LoginTimeout:       300,   // 5 minutes
 			LoginMaxRetries:    3,
+			ACLs: ACLsConfig{
+				Policy: "allow",
+			},
 		},
 		UI: UIConfig{
 			Title:                 "Tinyauth",
@@ -78,7 +81,7 @@ type Config struct {
 	UI            UIConfig           `description:"UI customization." yaml:"ui"`
 	LDAP          LDAPConfig         `description:"LDAP configuration." yaml:"ldap"`
 	Experimental  ExperimentalConfig `description:"Experimental features, use with caution." yaml:"experimental"`
-	LabelProvider string             `description:"Label provider to use for ACLs (auto, docker, or kubernetes). auto detects the environment." yaml:"labelProvider"`
+	LabelProvider string             `description:"Label provider to use for ACLs (auto, docker, kubernetes or none to disable). auto detects the environment." yaml:"labelProvider"`
 	Log           LogConfig          `description:"Logging configuration." yaml:"log"`
 }
 
@@ -114,6 +117,7 @@ type AuthConfig struct {
 	LoginTimeout       int                       `description:"Login timeout in seconds." yaml:"loginTimeout"`
 	LoginMaxRetries    int                       `description:"Maximum login retries." yaml:"loginMaxRetries"`
 	TrustedProxies     []string                  `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
+	ACLs               ACLsConfig                `description:"ACLs configuration." yaml:"acls"`
 }
 
 type UserAttributes struct {
@@ -223,6 +227,10 @@ type OIDCClientConfig struct {
 	Name                string   `description:"Client name in UI." yaml:"name"`
 }
 
+type ACLsConfig struct {
+	Policy string `description:"ACL policy for allow-by-default or deny-by-default, available options are allow and deny, default is allow." yaml:"policy"`
+}
+
 // ACLs
 
 type Apps struct {

internal/service/access_controls_rules.go

@@ -0,0 +1,249 @@
+package service
+
+import (
+	"regexp"
+	"strings"
+
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/utils"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+)
+
+type RuleName string
+
+const (
+	RuleUserAllowed RuleName = "rule-user-allowed"
+	RuleOAuthGroup  RuleName = "rule-oauth-group"
+	RuleLDAPGroup   RuleName = "rule-ldap-group"
+	RuleAuthEnabled RuleName = "rule-auth-enabled"
+	RuleIPAllowed   RuleName = "rule-ip-allowed"
+	RuleIPBypassed  RuleName = "rule-ip-bypassed"
+)
+
+type UserAllowedRule struct {
+	Log *logger.Logger
+}
+
+func (rule *UserAllowedRule) Evaluate(ctx *ACLContext) Effect {
+	if ctx.ACLs == nil || ctx.UserContext == nil {
+		return EffectAbstain
+	}
+
+	if ctx.UserContext.Provider == model.ProviderOAuth {
+		rule.Log.App.Debug().Msg("User is an OAuth user, checking OAuth whitelist")
+		match, err := utils.CheckFilter(ctx.ACLs.OAuth.Whitelist, ctx.UserContext.OAuth.Email)
+		if err != nil {
+			rule.Log.App.Warn().Err(err).Str("item", ctx.UserContext.OAuth.Email).Msg("Invalid entry in OAuth whitelist")
+			return EffectAbstain
+		}
+		if match {
+			rule.Log.App.Debug().Str("email", ctx.UserContext.OAuth.Email).Msg("User is in OAuth whitelist, allowing access")
+			return EffectAllow
+		}
+		return EffectDeny
+	}
+
+	if ctx.ACLs.Users.Block != "" {
+		rule.Log.App.Debug().Msg("Checking users block list")
+		match, err := utils.CheckFilter(ctx.ACLs.Users.Block, ctx.UserContext.GetUsername())
+		if err != nil {
+			rule.Log.App.Warn().Err(err).Str("item", ctx.UserContext.GetUsername()).Msg("Invalid entry in users block list")
+			return EffectAbstain
+		}
+		if match {
+			rule.Log.App.Debug().Str("username", ctx.UserContext.GetUsername()).Msg("User is in users block list, denying access")
+			return EffectDeny
+		}
+		return EffectAllow
+	}
+
+	rule.Log.App.Debug().Msg("Checking users allow list")
+
+	match, err := utils.CheckFilter(ctx.ACLs.Users.Allow, ctx.UserContext.GetUsername())
+
+	if err != nil {
+		rule.Log.App.Warn().Err(err).Str("item", ctx.UserContext.GetUsername()).Msg("Invalid entry in users allow list")
+		return EffectAbstain
+	}
+
+	if match {
+		rule.Log.App.Debug().Str("username", ctx.UserContext.GetUsername()).Msg("User is in users allow list, allowing access")
+		return EffectAllow
+	}
+
+	rule.Log.App.Debug().Str("username", ctx.UserContext.GetUsername()).Msg("User is not in users allow list, denying access")
+	return EffectDeny
+}
+
+type OAuthGroupRule struct {
+	Log *logger.Logger
+}
+
+func (rule *OAuthGroupRule) Evaluate(ctx *ACLContext) Effect {
+	if ctx.ACLs == nil || ctx.UserContext == nil {
+		return EffectAbstain
+	}
+
+	if !ctx.UserContext.IsOAuth() {
+		rule.Log.App.Debug().Msg("User is not an OAuth user, skipping OAuth group check")
+		return EffectAbstain
+	}
+
+	if _, ok := model.OverrideProviders[ctx.UserContext.OAuth.ID]; ok {
+		rule.Log.App.Debug().Str("provider", ctx.UserContext.OAuth.ID).Msg("Provider override detected, skipping group check")
+		return EffectAllow
+	}
+
+	for _, group := range ctx.UserContext.OAuth.Groups {
+		match, err := utils.CheckFilter(ctx.ACLs.OAuth.Groups, strings.TrimSpace(group))
+		if err != nil {
+			return EffectAbstain
+		}
+		if match {
+			rule.Log.App.Trace().Str("group", group).Str("required", ctx.ACLs.OAuth.Groups).Msg("User group matched, allowing access")
+			return EffectAllow
+		}
+	}
+
+	rule.Log.App.Debug().Msg("No groups matched")
+	return EffectDeny
+}
+
+type LDAPGroupRule struct {
+	Log *logger.Logger
+}
+
+func (rule *LDAPGroupRule) Evaluate(ctx *ACLContext) Effect {
+	if ctx == nil || ctx.UserContext == nil {
+		return EffectAbstain
+	}
+
+	if !ctx.UserContext.IsLDAP() {
+		rule.Log.App.Debug().Msg("User is not an LDAP user, skipping LDAP group check")
+		return EffectAbstain
+	}
+
+	for _, group := range ctx.UserContext.LDAP.Groups {
+		match, err := utils.CheckFilter(ctx.ACLs.LDAP.Groups, strings.TrimSpace(group))
+		if err != nil {
+			return EffectAbstain
+		}
+		if match {
+			rule.Log.App.Trace().Str("group", group).Str("required", ctx.ACLs.LDAP.Groups).Msg("User group matched, allowing access")
+			return EffectAllow
+		}
+	}
+
+	rule.Log.App.Debug().Msg("No groups matched")
+	return EffectDeny
+}
+
+type AuthEnabledRule struct {
+	Log *logger.Logger
+}
+
+func (rule *AuthEnabledRule) Evaluate(ctx *ACLContext) Effect {
+	if ctx.ACLs == nil {
+		return EffectDeny
+	}
+
+	if ctx.ACLs.Path.Block != "" {
+		regex, err := regexp.Compile(ctx.ACLs.Path.Block)
+
+		if err != nil {
+			rule.Log.App.Error().Err(err).Msg("Failed to compile block regex")
+			return EffectDeny
+		}
+
+		if !regex.MatchString(ctx.Path) {
+			return EffectAllow
+		}
+	}
+
+	if ctx.ACLs.Path.Allow != "" {
+		regex, err := regexp.Compile(ctx.ACLs.Path.Allow)
+
+		if err != nil {
+			rule.Log.App.Error().Err(err).Msg("Failed to compile allow regex")
+			return EffectDeny
+		}
+
+		if regex.MatchString(ctx.Path) {
+			return EffectAllow
+		}
+	}
+
+	return EffectDeny
+}
+
+type IPAllowedRule struct {
+	Log    *logger.Logger
+	Config model.Config
+}
+
+func (rule *IPAllowedRule) Evaluate(ctx *ACLContext) Effect {
+	if ctx.ACLs == nil {
+		return EffectAbstain
+	}
+
+	// Merge the global and app IP filter
+	blockedIps := append(ctx.ACLs.IP.Block, rule.Config.Auth.IP.Block...)
+	allowedIPs := append(ctx.ACLs.IP.Allow, rule.Config.Auth.IP.Allow...)
+
+	for _, blocked := range blockedIps {
+		match, err := utils.CheckIPFilter(blocked, ctx.IP.String())
+		if err != nil {
+			rule.Log.App.Warn().Err(err).Str("item", blocked).Msg("Invalid IP/CIDR in block list")
+			continue
+		}
+		if match {
+			rule.Log.App.Debug().Str("ip", ctx.IP.String()).Str("item", blocked).Msg("IP is in block list, denying access")
+			return EffectDeny
+		}
+	}
+
+	for _, allowed := range allowedIPs {
+		match, err := utils.CheckIPFilter(allowed, ctx.IP.String())
+		if err != nil {
+			rule.Log.App.Warn().Err(err).Str("item", allowed).Msg("Invalid IP/CIDR in allow list")
+			continue
+		}
+		if match {
+			rule.Log.App.Debug().Str("ip", ctx.IP.String()).Str("item", allowed).Msg("IP is in allow list, allowing access")
+			return EffectAllow
+		}
+	}
+
+	if len(allowedIPs) > 0 {
+		rule.Log.App.Debug().Str("ip", ctx.IP.String()).Msg("IP not in allow list, denying access")
+		return EffectDeny
+	}
+
+	rule.Log.App.Debug().Str("ip", ctx.IP.String()).Msg("IP not in block or allow list, allowing access")
+	return EffectAllow
+}
+
+type IPBypassedRule struct {
+	Log *logger.Logger
+}
+
+func (rule *IPBypassedRule) Evaluate(ctx *ACLContext) Effect {
+	if ctx.ACLs == nil {
+		return EffectDeny
+	}
+
+	for _, bypassed := range ctx.ACLs.IP.Bypass {
+		match, err := utils.CheckIPFilter(bypassed, ctx.IP.String())
+		if err != nil {
+			rule.Log.App.Warn().Err(err).Str("item", bypassed).Msg("Invalid IP/CIDR in bypass list")
+			continue
+		}
+		if match {
+			rule.Log.App.Debug().Str("ip", ctx.IP.String()).Str("item", bypassed).Msg("IP is in bypass list, skipping authentication")
+			return EffectAllow
+		}
+	}
+
+	rule.Log.App.Debug().Str("ip", ctx.IP.String()).Msg("IP not in bypass list, proceeding with authentication")
+	return EffectDeny
+}

internal/service/access_controls_rules_test.go

@@ -0,0 +1,732 @@
+package service
+
+import (
+	"net"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+)
+
+func TestUserAllowedRule(t *testing.T) {
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+
+	rule := &UserAllowedRule{Log: log}
+
+	tests := []struct {
+		name     string
+		ctx      *ACLContext
+		expected Effect
+	}{
+		{
+			name: "abstains when ACLs are nil",
+			ctx: &ACLContext{
+				ACLs: nil,
+				UserContext: &model.UserContext{
+					Provider: model.ProviderLocal,
+					Local: &model.LocalContext{
+						BaseContext: model.BaseContext{Username: "alice"},
+					},
+				},
+			},
+			expected: EffectAbstain,
+		},
+		{
+			name: "abstains when user context is nil",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					OAuth: model.AppOAuth{Whitelist: "alice"},
+				},
+				UserContext: nil,
+			},
+			expected: EffectAbstain,
+		},
+		{
+			name: "allows OAuth user when email matches whitelist",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					OAuth: model.AppOAuth{Whitelist: "allowed@example.com"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderOAuth,
+					OAuth: &model.OAuthContext{
+						BaseContext: model.BaseContext{
+							Username: "different-username",
+							Email:    "allowed@example.com",
+						},
+					},
+				},
+			},
+			expected: EffectAllow,
+		},
+		{
+			name: "denies OAuth user when email does not match whitelist",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					OAuth: model.AppOAuth{Whitelist: "allowed@example.com"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderOAuth,
+					OAuth: &model.OAuthContext{
+						BaseContext: model.BaseContext{Email: "denied@example.com"},
+					},
+				},
+			},
+			expected: EffectDeny,
+		},
+		{
+			name: "abstains for OAuth user when whitelist filter is invalid",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					OAuth: model.AppOAuth{Whitelist: "/[/"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderOAuth,
+					OAuth: &model.OAuthContext{
+						BaseContext: model.BaseContext{Email: "allowed@example.com"},
+					},
+				},
+			},
+			expected: EffectAbstain,
+		},
+		{
+			name: "denies local user when username matches block list",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					Users: model.AppUsers{Block: "alice,bob"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderLocal,
+					Local: &model.LocalContext{
+						BaseContext: model.BaseContext{Username: "alice"},
+					},
+				},
+			},
+			expected: EffectDeny,
+		},
+		{
+			name: "allows local user when username does not match block list",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					Users: model.AppUsers{Block: "alice,bob"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderLocal,
+					Local: &model.LocalContext{
+						BaseContext: model.BaseContext{Username: "charlie"},
+					},
+				},
+			},
+			expected: EffectAllow,
+		},
+		{
+			name: "abstains when block list filter is invalid",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					Users: model.AppUsers{Block: "/[/"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderLocal,
+					Local: &model.LocalContext{
+						BaseContext: model.BaseContext{Username: "alice"},
+					},
+				},
+			},
+			expected: EffectAbstain,
+		},
+		{
+			name: "allows local user when username matches allow list",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					Users: model.AppUsers{Allow: "alice,bob"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderLocal,
+					Local: &model.LocalContext{
+						BaseContext: model.BaseContext{Username: "alice"},
+					},
+				},
+			},
+			expected: EffectAllow,
+		},
+		{
+			name: "denies local user when username does not match allow list",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					Users: model.AppUsers{Allow: "alice,bob"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderLocal,
+					Local: &model.LocalContext{
+						BaseContext: model.BaseContext{Username: "charlie"},
+					},
+				},
+			},
+			expected: EffectDeny,
+		},
+		{
+			name: "abstains when allow list filter is invalid",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					Users: model.AppUsers{Allow: "/[/"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderLocal,
+					Local: &model.LocalContext{
+						BaseContext: model.BaseContext{Username: "alice"},
+					},
+				},
+			},
+			expected: EffectAbstain,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, rule.Evaluate(tt.ctx))
+		})
+	}
+}
+
+func TestOAuthGroupRule(t *testing.T) {
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+
+	rule := &OAuthGroupRule{Log: log}
+
+	tests := []struct {
+		name     string
+		ctx      *ACLContext
+		expected Effect
+	}{
+		{
+			name: "abstains when ACLs are nil",
+			ctx: &ACLContext{
+				ACLs: nil,
+				UserContext: &model.UserContext{
+					Provider: model.ProviderOAuth,
+					OAuth: &model.OAuthContext{
+						Groups: []string{"admins"},
+					},
+				},
+			},
+			expected: EffectAbstain,
+		},
+		{
+			name: "abstains when user context is nil",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					OAuth: model.AppOAuth{Whitelist: "alice"},
+				},
+				UserContext: nil,
+			},
+			expected: EffectAbstain,
+		},
+		{
+			name: "abstains when user is not OAuth",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					OAuth: model.AppOAuth{Groups: "admins"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderLocal,
+					Local: &model.LocalContext{
+						BaseContext: model.BaseContext{Username: "alice"},
+					},
+				},
+			},
+			expected: EffectAbstain,
+		},
+		{
+			name: "allows when provider is an override provider regardless of groups",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					OAuth: model.AppOAuth{Groups: "admins"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderOAuth,
+					OAuth: &model.OAuthContext{
+						ID:     "google",
+						Groups: []string{"unrelated"},
+					},
+				},
+			},
+			expected: EffectAllow,
+		},
+		{
+			name: "allows OAuth user when a group matches",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					OAuth: model.AppOAuth{Groups: "admins,users"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderOAuth,
+					OAuth: &model.OAuthContext{
+						ID:     "custom",
+						Groups: []string{"users"},
+					},
+				},
+			},
+			expected: EffectAllow,
+		},
+		{
+			name: "denies OAuth user when no group matches",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					OAuth: model.AppOAuth{Groups: "admins"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderOAuth,
+					OAuth: &model.OAuthContext{
+						ID:     "custom",
+						Groups: []string{"users", "guests"},
+					},
+				},
+			},
+			expected: EffectDeny,
+		},
+		{
+			name: "denies OAuth user when user has no groups",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					OAuth: model.AppOAuth{Groups: "admins"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderOAuth,
+					OAuth: &model.OAuthContext{
+						ID:     "custom",
+						Groups: nil,
+					},
+				},
+			},
+			expected: EffectDeny,
+		},
+		{
+			name: "abstains when groups filter is invalid",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					OAuth: model.AppOAuth{Groups: "/[/"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderOAuth,
+					OAuth: &model.OAuthContext{
+						ID:     "custom",
+						Groups: []string{"admins"},
+					},
+				},
+			},
+			expected: EffectAbstain,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, rule.Evaluate(tt.ctx))
+		})
+	}
+}
+
+func TestLDAPGroupRule(t *testing.T) {
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+
+	rule := &LDAPGroupRule{Log: log}
+
+	tests := []struct {
+		name     string
+		ctx      *ACLContext
+		expected Effect
+	}{
+		{
+			name:     "abstains when context is nil",
+			ctx:      nil,
+			expected: EffectAbstain,
+		},
+		{
+			name: "abstains when user context is nil",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					OAuth: model.AppOAuth{Whitelist: "alice"},
+				},
+				UserContext: nil,
+			},
+			expected: EffectAbstain,
+		},
+		{
+			name: "abstains when user is not LDAP",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					LDAP: model.AppLDAP{Groups: "admins"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderLocal,
+					Local: &model.LocalContext{
+						BaseContext: model.BaseContext{Username: "alice"},
+					},
+				},
+			},
+			expected: EffectAbstain,
+		},
+		{
+			name: "allows LDAP user when a group matches",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					LDAP: model.AppLDAP{Groups: "admins,users"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderLDAP,
+					LDAP: &model.LDAPContext{
+						Groups: []string{"users"},
+					},
+				},
+			},
+			expected: EffectAllow,
+		},
+		{
+			name: "denies LDAP user when no group matches",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					LDAP: model.AppLDAP{Groups: "admins"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderLDAP,
+					LDAP: &model.LDAPContext{
+						Groups: []string{"users", "guests"},
+					},
+				},
+			},
+			expected: EffectDeny,
+		},
+		{
+			name: "denies LDAP user when user has no groups",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					LDAP: model.AppLDAP{Groups: "admins"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderLDAP,
+					LDAP: &model.LDAPContext{
+						Groups: nil,
+					},
+				},
+			},
+			expected: EffectDeny,
+		},
+		{
+			name: "abstains when groups filter is invalid",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					LDAP: model.AppLDAP{Groups: "/[/"},
+				},
+				UserContext: &model.UserContext{
+					Provider: model.ProviderLDAP,
+					LDAP: &model.LDAPContext{
+						Groups: []string{"admins"},
+					},
+				},
+			},
+			expected: EffectAbstain,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, rule.Evaluate(tt.ctx))
+		})
+	}
+}
+
+func TestAuthEnabledRule(t *testing.T) {
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+
+	rule := &AuthEnabledRule{Log: log}
+
+	tests := []struct {
+		name     string
+		ctx      *ACLContext
+		expected Effect
+	}{
+		{
+			name: "deny when ACLs are nil",
+			ctx: &ACLContext{
+				ACLs: nil,
+				Path: "/anything",
+			},
+			expected: EffectDeny,
+		},
+		{
+			name: "allows when path does not match block regex",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					Path: model.AppPath{Block: "^/admin"},
+				},
+				Path: "/public",
+			},
+			expected: EffectAllow,
+		},
+		{
+			name: "denies when path matches block regex and no allow regex",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					Path: model.AppPath{Block: "^/admin"},
+				},
+				Path: "/admin/users",
+			},
+			expected: EffectDeny,
+		},
+		{
+			name: "allows when path matches allow regex",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					Path: model.AppPath{Allow: "^/public"},
+				},
+				Path: "/public/index",
+			},
+			expected: EffectAllow,
+		},
+		{
+			name: "denies when path does not match allow regex",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					Path: model.AppPath{Allow: "^/public"},
+				},
+				Path: "/private",
+			},
+			expected: EffectDeny,
+		},
+		{
+			name: "allows when blocked path is also explicitly allowed",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					Path: model.AppPath{
+						Block: "^/admin",
+						Allow: "^/admin/public",
+					},
+				},
+				Path: "/admin/public/page",
+			},
+			expected: EffectAllow,
+		},
+		{
+			name: "denies when block regex fails to compile",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					Path: model.AppPath{Block: "[invalid"},
+				},
+				Path: "/anything",
+			},
+			expected: EffectDeny,
+		},
+		{
+			name: "denies when allow regex fails to compile",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					Path: model.AppPath{Allow: "[invalid"},
+				},
+				Path: "/anything",
+			},
+			expected: EffectDeny,
+		},
+		{
+			name: "denies when no path rules are configured",
+			ctx: &ACLContext{
+				ACLs: &model.App{},
+				Path: "/anything",
+			},
+			expected: EffectDeny,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, rule.Evaluate(tt.ctx))
+		})
+	}
+}
+
+func TestIPAllowedRule(t *testing.T) {
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+
+	tests := []struct {
+		name     string
+		config   model.Config
+		ctx      *ACLContext
+		expected Effect
+	}{
+		{
+			name: "abstains when ACLs are nil",
+			ctx: &ACLContext{
+				ACLs: nil,
+				IP:   net.ParseIP("10.0.0.1"),
+			},
+			expected: EffectAbstain,
+		},
+		{
+			name: "denies when IP matches app block list",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					IP: model.AppIP{Block: []string{"10.0.0.1"}},
+				},
+				IP: net.ParseIP("10.0.0.1"),
+			},
+			expected: EffectDeny,
+		},
+		{
+			name: "denies when IP matches global block list",
+			config: model.Config{
+				Auth: model.AuthConfig{
+					IP: model.IPConfig{Block: []string{"10.0.0.0/24"}},
+				},
+			},
+			ctx: &ACLContext{
+				ACLs: &model.App{},
+				IP:   net.ParseIP("10.0.0.5"),
+			},
+			expected: EffectDeny,
+		},
+		{
+			name: "allows when IP matches app allow list",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					IP: model.AppIP{Allow: []string{"192.168.1.0/24"}},
+				},
+				IP: net.ParseIP("192.168.1.10"),
+			},
+			expected: EffectAllow,
+		},
+		{
+			name: "allows when IP matches global allow list",
+			config: model.Config{
+				Auth: model.AuthConfig{
+					IP: model.IPConfig{Allow: []string{"192.168.1.10"}},
+				},
+			},
+			ctx: &ACLContext{
+				ACLs: &model.App{},
+				IP:   net.ParseIP("192.168.1.10"),
+			},
+			expected: EffectAllow,
+		},
+		{
+			name: "denies when allow list is set and IP does not match",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					IP: model.AppIP{Allow: []string{"192.168.1.0/24"}},
+				},
+				IP: net.ParseIP("10.0.0.1"),
+			},
+			expected: EffectDeny,
+		},
+		{
+			name: "allows when no block or allow lists are configured",
+			ctx: &ACLContext{
+				ACLs: &model.App{},
+				IP:   net.ParseIP("10.0.0.1"),
+			},
+			expected: EffectAllow,
+		},
+		{
+			name: "block list takes precedence over allow list",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					IP: model.AppIP{
+						Block: []string{"10.0.0.1"},
+						Allow: []string{"10.0.0.1"},
+					},
+				},
+				IP: net.ParseIP("10.0.0.1"),
+			},
+			expected: EffectDeny,
+		},
+		{
+			name: "skips invalid block entries and continues evaluation",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					IP: model.AppIP{
+						Block: []string{"not-an-ip"},
+						Allow: []string{"10.0.0.1"},
+					},
+				},
+				IP: net.ParseIP("10.0.0.1"),
+			},
+			expected: EffectAllow,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			rule := &IPAllowedRule{Log: log, Config: tt.config}
+			assert.Equal(t, tt.expected, rule.Evaluate(tt.ctx))
+		})
+	}
+}
+
+func TestIPBypassedRule(t *testing.T) {
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+
+	rule := &IPBypassedRule{Log: log}
+
+	tests := []struct {
+		name     string
+		ctx      *ACLContext
+		expected Effect
+	}{
+		{
+			name: "deny when ACLs are nil",
+			ctx: &ACLContext{
+				ACLs: nil,
+				IP:   net.ParseIP("10.0.0.1"),
+			},
+			expected: EffectDeny,
+		},
+		{
+			name: "allows when IP matches bypass list",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					IP: model.AppIP{Bypass: []string{"10.0.0.0/24"}},
+				},
+				IP: net.ParseIP("10.0.0.5"),
+			},
+			expected: EffectAllow,
+		},
+		{
+			name: "denies when IP does not match bypass list",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					IP: model.AppIP{Bypass: []string{"10.0.0.0/24"}},
+				},
+				IP: net.ParseIP("192.168.1.1"),
+			},
+			expected: EffectDeny,
+		},
+		{
+			name: "denies when bypass list is empty",
+			ctx: &ACLContext{
+				ACLs: &model.App{},
+				IP:   net.ParseIP("10.0.0.1"),
+			},
+			expected: EffectDeny,
+		},
+		{
+			name: "skips invalid bypass entries and allows on later match",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					IP: model.AppIP{Bypass: []string{"not-an-ip", "10.0.0.1"}},
+				},
+				IP: net.ParseIP("10.0.0.1"),
+			},
+			expected: EffectAllow,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, rule.Evaluate(tt.ctx))
+		})
+	}
+}

internal/service/access_controls_service.go

@@ -13,51 +13,52 @@ type LabelProvider interface {
 
 type AccessControlsService struct {
 	log           *logger.Logger
+	config        model.Config
 	labelProvider *LabelProvider
-	static        map[string]model.App
 }
 
 func NewAccessControlsService(
 	log *logger.Logger,
-	labelProvider *LabelProvider,
-	static map[string]model.App) *AccessControlsService {
+	config model.Config,
+	labelProvider *LabelProvider) *AccessControlsService {
+
 	return &AccessControlsService{
 		log:           log,
+		config:        config,
 		labelProvider: labelProvider,
-		static:        static,
 	}
 }
 
-func (acls *AccessControlsService) lookupStaticACLs(domain string) *model.App {
-	var appAcls *model.App
-	for app, config := range acls.static {
+func (service *AccessControlsService) lookupStaticACLs(domain string) *model.App {
+	var nameMatch *model.App
+
+	// First try to find a matching app by domain, then fallback to matching by app name (subdomain)
+	for app, config := range service.config.Apps {
 		if config.Config.Domain == domain {
-			acls.log.App.Debug().Str("name", app).Msg("Found matching container by domain")
-			appAcls = &config
-			break // If we find a match by domain, we can stop searching
+			service.log.App.Debug().Str("name", app).Msg("Found matching container by domain")
+			return &config
 		}
-
 		if strings.SplitN(domain, ".", 2)[0] == app {
-			acls.log.App.Debug().Str("name", app).Msg("Found matching container by app name")
-			appAcls = &config
-			break // If we find a match by app name, we can stop searching
+			service.log.App.Debug().Str("name", app).Msg("Found matching container by app name")
+			nameMatch = &config
 		}
 	}
-	return appAcls
+
+	return nameMatch
 }
 
-func (acls *AccessControlsService) GetAccessControls(domain string) (*model.App, error) {
+func (service *AccessControlsService) GetAccessControls(domain string) (*model.App, error) {
 	// First check in the static config
-	app := acls.lookupStaticACLs(domain)
+	app := service.lookupStaticACLs(domain)
 
 	if app != nil {
-		acls.log.App.Debug().Msg("Using static ACLs for app")
+		service.log.App.Debug().Msg("Using static ACLs for app")
 		return app, nil
 	}
 
 	// If we have a label provider configured, try to get ACLs from it
-	if acls.labelProvider != nil {
-		return (*acls.labelProvider).GetLabels(domain)
+	if service.labelProvider != nil && *service.labelProvider != nil {
+		return (*service.labelProvider).GetLabels(domain)
 	}
 
 	// no labels

internal/service/access_controls_service_test.go

@@ -0,0 +1,199 @@
+package service
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+)
+
+type mockLabelProvider struct {
+	getLabelsFn func(appDomain string) (*model.App, error)
+	calledWith  string
+	callCount   int
+}
+
+func (m *mockLabelProvider) GetLabels(appDomain string) (*model.App, error) {
+	m.calledWith = appDomain
+	m.callCount++
+	if m.getLabelsFn != nil {
+		return m.getLabelsFn(appDomain)
+	}
+	return nil, nil
+}
+
+func TestLookupStaticACLs(t *testing.T) {
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+
+	tests := []struct {
+		name           string
+		apps           map[string]model.App
+		domain         string
+		expectNil      bool
+		expectedDomain string
+	}{
+		{
+			name:      "returns nil when no apps are configured",
+			apps:      nil,
+			domain:    "foo.example.com",
+			expectNil: true,
+		},
+		{
+			name: "returns nil when no app matches",
+			apps: map[string]model.App{
+				"foo": {Config: model.AppConfig{Domain: "foo.example.com"}},
+			},
+			domain:    "bar.example.com",
+			expectNil: true,
+		},
+		{
+			name: "matches by exact domain",
+			apps: map[string]model.App{
+				"foo": {Config: model.AppConfig{Domain: "foo.example.com"}},
+			},
+			domain:         "foo.example.com",
+			expectedDomain: "foo.example.com",
+		},
+		{
+			name: "matches by app name when domain does not match any app",
+			apps: map[string]model.App{
+				"foo": {Config: model.AppConfig{Domain: "configured.example.com"}},
+			},
+			domain:         "foo.example.com",
+			expectedDomain: "configured.example.com",
+		},
+		{
+			name: "matches by app name for nested subdomains",
+			apps: map[string]model.App{
+				"foo": {Config: model.AppConfig{Domain: "configured.example.com"}},
+			},
+			domain:         "foo.sub.example.com",
+			expectedDomain: "configured.example.com",
+		},
+		{
+			name: "selects the app matching by domain among multiple apps",
+			apps: map[string]model.App{
+				"unrelated": {Config: model.AppConfig{Domain: "other.example.com"}},
+				"target":    {Config: model.AppConfig{Domain: "foo.example.com"}},
+			},
+			domain:         "foo.example.com",
+			expectedDomain: "foo.example.com",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			svc := NewAccessControlsService(log, model.Config{Apps: tt.apps}, nil)
+			got := svc.lookupStaticACLs(tt.domain)
+			if tt.expectNil {
+				assert.Nil(t, got)
+				return
+			}
+			require.NotNil(t, got)
+			assert.Equal(t, tt.expectedDomain, got.Config.Domain)
+		})
+	}
+}
+
+func TestGetAccessControls(t *testing.T) {
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+
+	t.Run("returns static ACLs when domain matches", func(t *testing.T) {
+		config := model.Config{
+			Apps: map[string]model.App{
+				"foo": {
+					Config: model.AppConfig{Domain: "foo.example.com"},
+					Users:  model.AppUsers{Allow: "alice"},
+				},
+			},
+		}
+		svc := NewAccessControlsService(log, config, nil)
+
+		got, err := svc.GetAccessControls("foo.example.com")
+
+		require.NoError(t, err)
+		require.NotNil(t, got)
+		assert.Equal(t, "foo.example.com", got.Config.Domain)
+		assert.Equal(t, "alice", got.Users.Allow)
+	})
+
+	t.Run("returns nil when no static match and no label provider", func(t *testing.T) {
+		svc := NewAccessControlsService(log, model.Config{}, nil)
+
+		got, err := svc.GetAccessControls("unknown.example.com")
+
+		require.NoError(t, err)
+		assert.Nil(t, got)
+	})
+
+	t.Run("returns nil when label provider pointer wraps a nil interface", func(t *testing.T) {
+		var provider LabelProvider
+		svc := NewAccessControlsService(log, model.Config{}, &provider)
+
+		got, err := svc.GetAccessControls("unknown.example.com")
+
+		require.NoError(t, err)
+		assert.Nil(t, got)
+	})
+
+	t.Run("falls back to label provider when no static match", func(t *testing.T) {
+		expected := &model.App{
+			Config: model.AppConfig{Domain: "dynamic.example.com"},
+			Users:  model.AppUsers{Allow: "bob"},
+		}
+		mock := &mockLabelProvider{
+			getLabelsFn: func(appDomain string) (*model.App, error) {
+				return expected, nil
+			},
+		}
+		var provider LabelProvider = mock
+		svc := NewAccessControlsService(log, model.Config{}, &provider)
+
+		got, err := svc.GetAccessControls("dynamic.example.com")
+
+		require.NoError(t, err)
+		assert.Same(t, expected, got)
+		assert.Equal(t, "dynamic.example.com", mock.calledWith)
+		assert.Equal(t, 1, mock.callCount)
+	})
+
+	t.Run("does not call label provider when static match found", func(t *testing.T) {
+		mock := &mockLabelProvider{}
+		var provider LabelProvider = mock
+		config := model.Config{
+			Apps: map[string]model.App{
+				"foo": {Config: model.AppConfig{Domain: "foo.example.com"}},
+			},
+		}
+		svc := NewAccessControlsService(log, config, &provider)
+
+		got, err := svc.GetAccessControls("foo.example.com")
+
+		require.NoError(t, err)
+		require.NotNil(t, got)
+		assert.Equal(t, "foo.example.com", got.Config.Domain)
+		assert.Equal(t, 0, mock.callCount)
+	})
+
+	t.Run("propagates label provider errors", func(t *testing.T) {
+		providerErr := errors.New("provider boom")
+		mock := &mockLabelProvider{
+			getLabelsFn: func(appDomain string) (*model.App, error) {
+				return nil, providerErr
+			},
+		}
+		var provider LabelProvider = mock
+		svc := NewAccessControlsService(log, model.Config{}, &provider)
+
+		got, err := svc.GetAccessControls("dynamic.example.com")
+
+		assert.Nil(t, got)
+		assert.ErrorIs(t, err, providerErr)
+		assert.Equal(t, 1, mock.callCount)
+	})
+}

internal/service/auth_service.go

@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"regexp"
 	"strings"
 	"sync"
 	"time"
@@ -18,7 +17,6 @@ import (
 
 	"slices"
 
-	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/oauth2"
@@ -286,7 +284,12 @@ func (auth *AuthService) RecordLoginAttempt(identifier string, success bool) {
 }
 
 func (auth *AuthService) IsEmailWhitelisted(email string) bool {
-	return utils.CheckFilter(strings.Join(auth.runtime.OAuthWhitelist, ","), email)
+	match, err := utils.CheckFilter(strings.Join(auth.runtime.OAuthWhitelist, ","), email)
+	if err != nil {
+		auth.log.App.Warn().Err(err).Str("email", email).Msg("Invalid email filter pattern")
+		return false
+	}
+	return match
 }
 
 func (auth *AuthService) CreateSession(ctx context.Context, data repository.Session) (*http.Cookie, error) {
@@ -454,171 +457,6 @@ func (auth *AuthService) LDAPAuthConfigured() bool {
 	return auth.ldap != nil
 }
 
-func (auth *AuthService) IsUserAllowed(c *gin.Context, context model.UserContext, acls *model.App) bool {
-	if acls == nil {
-		return true
-	}
-
-	if context.Provider == model.ProviderOAuth {
-		auth.log.App.Debug().Msg("User is an OAuth user, checking OAuth whitelist")
-		return utils.CheckFilter(acls.OAuth.Whitelist, context.OAuth.Email)
-	}
-
-	if acls.Users.Block != "" {
-		auth.log.App.Debug().Msg("Checking users block list")
-		if utils.CheckFilter(acls.Users.Block, context.GetUsername()) {
-			return false
-		}
-	}
-
-	auth.log.App.Debug().Msg("Checking users allow list")
-	return utils.CheckFilter(acls.Users.Allow, context.GetUsername())
-}
-
-func (auth *AuthService) IsInOAuthGroup(c *gin.Context, context model.UserContext, acls *model.App) bool {
-	if acls == nil {
-		return true
-	}
-
-	if !context.IsOAuth() {
-		auth.log.App.Debug().Msg("User is not an OAuth user, skipping OAuth group check")
-		return false
-	}
-
-	if _, ok := model.OverrideProviders[context.OAuth.ID]; ok {
-		auth.log.App.Debug().Str("provider", context.OAuth.ID).Msg("Provider override detected, skipping group check")
-		return true
-	}
-
-	for _, userGroup := range context.OAuth.Groups {
-		if utils.CheckFilter(acls.OAuth.Groups, strings.TrimSpace(userGroup)) {
-			auth.log.App.Trace().Str("group", userGroup).Str("required", acls.OAuth.Groups).Msg("User group matched")
-			return true
-		}
-	}
-
-	auth.log.App.Debug().Msg("No groups matched")
-	return false
-}
-
-func (auth *AuthService) IsInLDAPGroup(c *gin.Context, context model.UserContext, acls *model.App) bool {
-	if acls == nil {
-		return true
-	}
-
-	if !context.IsLDAP() {
-		auth.log.App.Debug().Msg("User is not an LDAP user, skipping LDAP group check")
-		return false
-	}
-
-	for _, userGroup := range context.LDAP.Groups {
-		if utils.CheckFilter(acls.LDAP.Groups, strings.TrimSpace(userGroup)) {
-			auth.log.App.Trace().Str("group", userGroup).Str("required", acls.LDAP.Groups).Msg("User group matched")
-			return true
-		}
-	}
-
-	auth.log.App.Debug().Msg("No groups matched")
-	return false
-}
-
-func (auth *AuthService) IsAuthEnabled(uri string, acls *model.App) (bool, error) {
-	if acls == nil {
-		return true, nil
-	}
-
-	// Check for block list
-	if acls.Path.Block != "" {
-		regex, err := regexp.Compile(acls.Path.Block)
-
-		if err != nil {
-			return true, err
-		}
-
-		if !regex.MatchString(uri) {
-			return false, nil
-		}
-	}
-
-	// Check for allow list
-	if acls.Path.Allow != "" {
-		regex, err := regexp.Compile(acls.Path.Allow)
-
-		if err != nil {
-			return true, err
-		}
-
-		if regex.MatchString(uri) {
-			return false, nil
-		}
-	}
-
-	return true, nil
-}
-
-func (auth *AuthService) CheckIP(ip string, acls *model.App) bool {
-	if acls == nil {
-		return true
-	}
-
-	// Merge the global and app IP filter
-	blockedIps := append(auth.config.Auth.IP.Block, acls.IP.Block...)
-	allowedIPs := append(auth.config.Auth.IP.Allow, acls.IP.Allow...)
-
-	for _, blocked := range blockedIps {
-		res, err := utils.FilterIP(blocked, ip)
-		if err != nil {
-			auth.log.App.Warn().Err(err).Str("item", blocked).Msg("Invalid IP/CIDR in block list")
-			continue
-		}
-		if res {
-			auth.log.App.Debug().Str("ip", ip).Str("item", blocked).Msg("IP is in block list, denying access")
-			return false
-		}
-	}
-
-	for _, allowed := range allowedIPs {
-		res, err := utils.FilterIP(allowed, ip)
-		if err != nil {
-			auth.log.App.Warn().Err(err).Str("item", allowed).Msg("Invalid IP/CIDR in allow list")
-			continue
-		}
-		if res {
-			auth.log.App.Debug().Str("ip", ip).Str("item", allowed).Msg("IP is in allow list, allowing access")
-			return true
-		}
-	}
-
-	if len(allowedIPs) > 0 {
-		auth.log.App.Debug().Str("ip", ip).Msg("IP not in allow list, denying access")
-		return false
-	}
-
-	auth.log.App.Debug().Str("ip", ip).Msg("IP not in any block or allow list, allowing access by default")
-	return true
-}
-
-func (auth *AuthService) IsBypassedIP(ip string, acls *model.App) bool {
-	if acls == nil {
-		return false
-	}
-
-	for _, bypassed := range acls.IP.Bypass {
-		res, err := utils.FilterIP(bypassed, ip)
-		if err != nil {
-			auth.log.App.Warn().Err(err).Str("item", bypassed).Msg("Invalid IP/CIDR in bypass list")
-			continue
-		}
-		if res {
-			auth.log.App.Debug().Str("ip", ip).Str("item", bypassed).Msg("IP is in bypass list, skipping authentication")
-			return true
-		}
-	}
-
-	auth.log.App.Debug().Str("ip", ip).Msg("IP not in bypass list, proceeding with authentication")
-	return false
-}
-
 func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthURLParams) (string, OAuthPendingSession, error) {
 	auth.ensureOAuthSessionLimit()
 
@@ -773,46 +611,49 @@ func (auth *AuthService) ensureOAuthSessionLimit() {
 	auth.oauthMutex.Lock()
 	defer auth.oauthMutex.Unlock()
 
-	if len(auth.oauthPendingSessions) >= MaxOAuthPendingSessions {
+	if len(auth.oauthPendingSessions) <= MaxOAuthPendingSessions {
+		return
+	}
 
-		cleanupIds := make([]string, 0, OAuthCleanupCount)
+	type entry struct {
+		id        string
+		expiresAt int64
+	}
 
-		for range OAuthCleanupCount {
-			oldestId := ""
-			oldestTime := int64(0)
+	entries := make([]entry, 0, len(auth.oauthPendingSessions))
+	for id, session := range auth.oauthPendingSessions {
+		entries = append(entries, entry{id, session.ExpiresAt.Unix()})
+	}
 
-			for id, session := range auth.oauthPendingSessions {
-				if oldestTime == 0 {
-					oldestId = id
-					oldestTime = session.ExpiresAt.Unix()
-					continue
-				}
-				if slices.Contains(cleanupIds, id) {
-					continue
-				}
-				if session.ExpiresAt.Unix() < oldestTime {
-					oldestId = id
-					oldestTime = session.ExpiresAt.Unix()
-				}
-			}
-
-			cleanupIds = append(cleanupIds, oldestId)
+	slices.SortFunc(entries, func(a, b entry) int {
+		if a.expiresAt < b.expiresAt {
+			return -1
 		}
-
-		for _, id := range cleanupIds {
-			delete(auth.oauthPendingSessions, id)
+		if a.expiresAt > b.expiresAt {
+			return 1
 		}
+		return 0
+	})
+
+	for _, e := range entries[:OAuthCleanupCount] {
+		delete(auth.oauthPendingSessions, e.id)
 	}
 }
 
 func (auth *AuthService) lockdownMode() {
 	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	auth.lockdownCtx = ctx
-	auth.lockdownCancelFunc = cancel
 
 	auth.loginMutex.Lock()
 
+	if auth.lockdown != nil && auth.lockdown.Active {
+		auth.loginMutex.Unlock()
+		cancel()
+		return
+	}
+
+	auth.lockdownCtx = ctx
+	auth.lockdownCancelFunc = cancel
+
 	auth.log.App.Warn().Msg("Too many failed login attempts, entering lockdown mode")
 
 	auth.lockdown = &Lockdown{
@@ -825,10 +666,12 @@ func (auth *AuthService) lockdownMode() {
 	auth.loginAttempts = make(map[string]*LoginAttempt)
 
 	timer := time.NewTimer(time.Until(auth.lockdown.ActiveUntil))
-	defer timer.Stop()
 
 	auth.loginMutex.Unlock()
 
+	defer cancel()
+	defer timer.Stop()
+
 	select {
 	case <-timer.C:
 		// Timer expired, end lockdown

internal/service/docker_service.go

@@ -85,17 +85,23 @@ func (docker *DockerService) GetLabels(appDomain string) (*model.App, error) {
 			return nil, err
 		}
 
+		var nameMatch *model.App
+
+		// First try to find a matching app by domain, then fallback to matching by app name (subdomain)
 		for appName, appLabels := range labels.Apps {
 			if appLabels.Config.Domain == appDomain {
 				docker.log.App.Debug().Str("id", inspect.ID).Str("name", inspect.Name).Msg("Found matching container by domain")
 				return &appLabels, nil
 			}
-
 			if strings.SplitN(appDomain, ".", 2)[0] == appName {
 				docker.log.App.Debug().Str("id", inspect.ID).Str("name", inspect.Name).Msg("Found matching container by app name")
-				return &appLabels, nil
+				nameMatch = &appLabels
 			}
 		}
+
+		if nameMatch != nil {
+			return nameMatch, nil
+		}
 	}
 
 	docker.log.App.Debug().Str("domain", appDomain).Msg("No matching container found for domain")

internal/service/oauth_service.go

@@ -26,6 +26,7 @@ func NewOAuthService(config model.OAuthServiceConfig, id string, ctx context.Con
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: config.Insecure,
+				MinVersion:         tls.VersionTLS12,
 			},
 		},
 	}

internal/service/oidc_service.go

@@ -121,7 +121,7 @@ type OIDCService struct {
 
 	clients    map[string]model.OIDCClientConfig
 	privateKey *rsa.PrivateKey
-	publicKey  crypto.PublicKey
+	publicKey  *rsa.PublicKey
 	issuer     string
 }
 
@@ -239,6 +239,16 @@ func NewOIDCService(
 		}
 	}
 
+	rPublicKey, ok := publicKey.(*rsa.PublicKey)
+
+	if !ok {
+		return nil, fmt.Errorf("public key is not an rsa public key")
+	}
+
+	if rPublicKey.N.Cmp(privateKey.N) != 0 || rPublicKey.E != privateKey.E {
+		return nil, fmt.Errorf("public key does not pair with private key")
+	}
+
 	// We will reorganize the client into a map with the client ID as the key
 	clients := make(map[string]model.OIDCClientConfig)
 
@@ -271,7 +281,7 @@ func NewOIDCService(
 
 		clients:    clients,
 		privateKey: privateKey,
-		publicKey:  publicKey,
+		publicKey:  rPublicKey,
 		issuer:     issuer,
 	}
 
@@ -296,7 +306,7 @@ func (service *OIDCService) ValidateAuthorizeParams(req AuthorizeRequest) error
 	if !ok {
 		return errors.New("access_denied")
 	}
-	
+
 	// Redirect URI to verify that it's trusted
 	if !slices.Contains(client.TrustedRedirectURIs, req.RedirectURI) {
 		return errors.New("invalid_request_uri")
@@ -455,7 +465,7 @@ func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user
 
 	hasher := sha256.New()
 
-	der := x509.MarshalPKCS1PublicKey(&service.privateKey.PublicKey)
+	der := x509.MarshalPKCS1PublicKey(service.publicKey)
 
 	if der == nil {
 		return "", errors.New("failed to marshal public key")
@@ -813,7 +823,7 @@ func (service *OIDCService) cleanupRoutine() {
 func (service *OIDCService) GetJWK() ([]byte, error) {
 	hasher := sha256.New()
 
-	der := x509.MarshalPKCS1PublicKey(&service.privateKey.PublicKey)
+	der := x509.MarshalPKCS1PublicKey(service.publicKey)
 
 	if der == nil {
 		return nil, errors.New("failed to marshal public key")
@@ -822,13 +832,13 @@ func (service *OIDCService) GetJWK() ([]byte, error) {
 	hasher.Write(der)
 
 	jwk := jose.JSONWebKey{
-		Key:       service.privateKey,
+		Key:       service.publicKey,
 		Algorithm: string(jose.RS256),
 		Use:       "sig",
 		KeyID:     base64.URLEncoding.EncodeToString(hasher.Sum(nil)),
 	}
 
-	return jwk.Public().MarshalJSON()
+	return jwk.MarshalJSON()
 }
 
 func (service *OIDCService) ValidatePKCE(codeChallenge string, codeVerifier string) bool {

internal/service/policy_engine.go

@@ -0,0 +1,110 @@
+package service
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+)
+
+type Policy string
+
+const (
+	PolicyAllow Policy = "allow"
+	PolicyDeny  Policy = "deny"
+)
+
+type Effect int
+
+const (
+	EffectAbstain Effect = iota
+	EffectAllow
+	EffectDeny
+)
+
+type Rule interface {
+	Evaluate(ctx *ACLContext) Effect
+}
+
+type ACLContext struct {
+	ACLs        *model.App
+	UserContext *model.UserContext
+	IP          net.IP
+	Path        string
+}
+
+type PolicyEngine struct {
+	log    *logger.Logger
+	rules  map[RuleName]Rule
+	policy Policy
+}
+
+func NewPolicyEngine(config model.Config, log *logger.Logger) (*PolicyEngine, error) {
+	engine := PolicyEngine{
+		log:   log,
+		rules: make(map[RuleName]Rule),
+	}
+
+	switch config.Auth.ACLs.Policy {
+	case string(PolicyAllow):
+		log.App.Debug().Msg("Using 'allow' ACL policy: access to apps will be allowed by default unless explicitly blocked")
+		engine.policy = PolicyAllow
+	case string(PolicyDeny):
+		log.App.Debug().Msg("Using 'deny' ACL policy: access to apps will be blocked by default unless explicitly allowed")
+		engine.policy = PolicyDeny
+	default:
+		return nil, fmt.Errorf("invalid acl policy: %s", config.Auth.ACLs.Policy)
+	}
+
+	return &engine, nil
+}
+
+func (engine *PolicyEngine) RegisterRule(name RuleName, rule Rule) {
+	engine.log.App.Debug().Str("rule", string(name)).Msg("Registering ACL rule in policy engine")
+	engine.rules[name] = rule
+}
+
+func (engine *PolicyEngine) evaluateRuleByName(name RuleName, ctx *ACLContext) Effect {
+	rule, exists := engine.rules[name]
+
+	if !exists {
+		engine.log.App.Warn().Str("rule", string(name)).Msg("Rule not found in policy engine, defaulting to deny")
+		return EffectDeny
+	}
+
+	return rule.Evaluate(ctx)
+}
+
+func (engine *PolicyEngine) effectToAccess(effect Effect) bool {
+	switch effect {
+	case EffectAllow:
+		return true
+	case EffectDeny:
+		return false
+	default:
+		// If the effect is abstain, we fall back to the default policy
+		return engine.policy == PolicyAllow
+	}
+}
+
+func (engine *PolicyEngine) Evaluate(name RuleName, ctx *ACLContext) bool {
+	effect := engine.evaluateRuleByName(name, ctx)
+	access := engine.effectToAccess(effect)
+
+	engine.log.App.Debug().
+		Str("rule", string(name)).
+		Int("effect", int(effect)).
+		Bool("access", access).
+		Msg("Evaluated ACL rule")
+
+	return access
+}
+
+func (engine *PolicyEngine) Policy() Policy {
+	return engine.policy
+}
+
+func (engine *PolicyEngine) Rules() map[RuleName]Rule {
+	return engine.rules
+}

internal/service/policy_engine_test.go

@@ -0,0 +1,93 @@
+package service_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/tinyauthapp/tinyauth/internal/service"
+	"github.com/tinyauthapp/tinyauth/internal/test"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+)
+
+// Create test rule
+type TestRule struct{}
+
+func (rule *TestRule) Evaluate(ctx *service.ACLContext) service.Effect {
+	switch ctx.Path {
+	case "/allowed":
+		return service.EffectAllow
+	case "/denied":
+		return service.EffectDeny
+	default:
+		return service.EffectAbstain
+	}
+}
+
+func TestPolicyEngine(t *testing.T) {
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+
+	cfg, _ := test.CreateTestConfigs(t)
+
+	testRule := &TestRule{}
+
+	// Engine should fail with invalid policy
+	cfg.Auth.ACLs.Policy = "invalid_policy"
+	_, err := service.NewPolicyEngine(cfg, log)
+	assert.Error(t, err)
+
+	// Engine should initialize with 'allow' policy
+	cfg.Auth.ACLs.Policy = string(service.PolicyAllow)
+	engine, err := service.NewPolicyEngine(cfg, log)
+	assert.NoError(t, err)
+	assert.Equal(t, service.PolicyAllow, engine.Policy())
+
+	// Engine should initialize with 'deny' policy
+	cfg.Auth.ACLs.Policy = string(service.PolicyDeny)
+	engine, err = service.NewPolicyEngine(cfg, log)
+	assert.NoError(t, err)
+	assert.Equal(t, service.PolicyDeny, engine.Policy())
+
+	// Engine should allow adding rules
+	engine, err = service.NewPolicyEngine(cfg, log)
+	assert.NoError(t, err)
+	engine.RegisterRule("test-rule", testRule)
+	_, ok := engine.Rules()["test-rule"]
+	assert.True(t, ok)
+
+	// Begin allow policy tests
+	cfg.Auth.ACLs.Policy = string(service.PolicyAllow)
+	engine, err = service.NewPolicyEngine(cfg, log)
+	assert.NoError(t, err)
+	engine.RegisterRule("test-rule", testRule)
+
+	// With allow policy, if rule allows, access should be allowed
+	ctx := &service.ACLContext{Path: "/allowed"}
+	assert.Equal(t, true, engine.Evaluate("test-rule", ctx))
+
+	// With allow policy, if rule denies, access should be denied
+	ctx.Path = "/denied"
+	assert.Equal(t, false, engine.Evaluate("test-rule", ctx))
+
+	// With allow policy, if rule abstains, access should be allowed (default)
+	ctx.Path = "/abstain"
+	assert.Equal(t, true, engine.Evaluate("test-rule", ctx))
+
+	// Begin deny policy tests
+	cfg.Auth.ACLs.Policy = string(service.PolicyDeny)
+	engine, err = service.NewPolicyEngine(cfg, log)
+	assert.NoError(t, err)
+	engine.RegisterRule("test-rule", testRule)
+
+	// With deny policy, if rule allows, access should be allowed
+	ctx.Path = "/allowed"
+	assert.Equal(t, true, engine.Evaluate("test-rule", ctx))
+
+	// With deny policy, if rule denies, access should be denied
+	ctx.Path = "/denied"
+	assert.Equal(t, false, engine.Evaluate("test-rule", ctx))
+
+	// With deny policy, if rule abstains, access should be denied (default)
+	ctx.Path = "/abstain"
+	assert.Equal(t, false, engine.Evaluate("test-rule", ctx))
+}

internal/test/test.go

@@ -40,6 +40,9 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 			SessionExpiry:   10,
 			LoginTimeout:    10,
 			LoginMaxRetries: 3,
+			ACLs: model.ACLsConfig{
+				Policy: "allow",
+			},
 		},
 		Database: model.DatabaseConfig{
 			Path: filepath.Join(tempDir, "test.db"),
@@ -48,6 +51,32 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 			Enabled: true,
 			Path:    filepath.Join(tempDir, "resources"),
 		},
+		Apps: map[string]model.App{
+			"app_path_allow": {
+				Config: model.AppConfig{
+					Domain: "path-allow.example.com",
+				},
+				Path: model.AppPath{
+					Allow: "/allowed",
+				},
+			},
+			"app_user_allow": {
+				Config: model.AppConfig{
+					Domain: "user-allow.example.com",
+				},
+				Users: model.AppUsers{
+					Allow: "testuser",
+				},
+			},
+			"ip_bypass": {
+				Config: model.AppConfig{
+					Domain: "ip-bypass.example.com",
+				},
+				IP: model.AppIP{
+					Bypass: []string{"10.10.10.10"},
+				},
+			},
+		},
 	}
 
 	passwd, err := bcrypt.GenerateFromPassword([]byte("password"), bcrypt.DefaultCost)

internal/utils/security_utils.go

@@ -3,7 +3,7 @@ package utils
 import (
 	"crypto/rand"
 	"encoding/base64"
-	"errors"
+	"fmt"
 	"net"
 	"regexp"
 	"strings"
@@ -46,26 +46,27 @@ func EncodeBasicAuth(username string, password string) string {
 	return base64.StdEncoding.EncodeToString([]byte(auth))
 }
 
-func FilterIP(filter string, ip string) (bool, error) {
+func CheckIPFilter(filter string, ip string) (bool, error) {
 	ipAddr := net.ParseIP(ip)
 
 	if ipAddr == nil {
-		return false, errors.New("invalid IP address")
+		return false, fmt.Errorf("invalid ip address")
 	}
 
-	filter = strings.Replace(filter, "-", "/", -1)
+	filter = strings.ReplaceAll(filter, "-", "/")
 
 	if strings.Contains(filter, "/") {
 		_, cidr, err := net.ParseCIDR(filter)
 		if err != nil {
-			return false, err
+			return false, fmt.Errorf("invalid cidr notation: %w", err)
 		}
 		return cidr.Contains(ipAddr), nil
 	}
 
 	ipFilter := net.ParseIP(filter)
+
 	if ipFilter == nil {
-		return false, errors.New("invalid IP address in filter")
+		return false, fmt.Errorf("invalid ip address")
 	}
 
 	if ipFilter.Equal(ipAddr) {
@@ -75,31 +76,29 @@ func FilterIP(filter string, ip string) (bool, error) {
 	return false, nil
 }
 
-func CheckFilter(filter string, str string) bool {
+func CheckFilter(filter string, input string) (bool, error) {
 	if len(strings.TrimSpace(filter)) == 0 {
-		return true
+		return false, fmt.Errorf("filter is empty")
 	}
 
 	if strings.HasPrefix(filter, "/") && strings.HasSuffix(filter, "/") {
 		re, err := regexp.Compile(filter[1 : len(filter)-1])
 		if err != nil {
-			return false
+			return false, fmt.Errorf("invalid regex filter: %w", err)
 		}
 
-		if re.MatchString(strings.TrimSpace(str)) {
-			return true
+		if re.MatchString(input) {
+			return true, nil
 		}
 	}
 
-	filterSplit := strings.Split(filter, ",")
-
-	for _, item := range filterSplit {
-		if strings.TrimSpace(item) == strings.TrimSpace(str) {
-			return true
+	for item := range strings.SplitSeq(filter, ",") {
+		if strings.TrimSpace(item) == input {
+			return true, nil
 		}
 	}
 
-	return false
+	return false, nil
 }
 
 func GenerateUUID(str string) string {

internal/utils/security_utils_test.go

@@ -75,66 +75,77 @@ func TestEncodeBasicAuth(t *testing.T) {
 	assert.Equal(t, expected, utils.EncodeBasicAuth(username, password))
 }
 
-func TestFilterIP(t *testing.T) {
+func TestCheckIPFilter(t *testing.T) {
 	// Exact match IPv4
-	ok, err := utils.FilterIP("10.10.0.1", "10.10.0.1")
+	ok, err := utils.CheckIPFilter("10.10.0.1", "10.10.0.1")
 	assert.NoError(t, err)
 	assert.Equal(t, true, ok)
 
 	// Non-match IPv4
-	ok, err = utils.FilterIP("10.10.0.1", "10.10.0.2")
+	ok, err = utils.CheckIPFilter("10.10.0.1", "10.10.0.2")
 	assert.NoError(t, err)
 	assert.Equal(t, false, ok)
 
 	// CIDR match IPv4
-	ok, err = utils.FilterIP("10.10.0.0/24", "10.10.0.2")
+	ok, err = utils.CheckIPFilter("10.10.0.0/24", "10.10.0.2")
 	assert.NoError(t, err)
 	assert.Equal(t, true, ok)
 
 	// CIDR match IPv4 with '-' instead of '/'
-	ok, err = utils.FilterIP("10.10.10.0-24", "10.10.10.5")
+	ok, err = utils.CheckIPFilter("10.10.10.0-24", "10.10.10.5")
 	assert.NoError(t, err)
 	assert.Equal(t, true, ok)
 
 	// CIDR non-match IPv4
-	ok, err = utils.FilterIP("10.10.0.0/24", "10.5.0.1")
+	ok, err = utils.CheckIPFilter("10.10.0.0/24", "10.5.0.1")
 	assert.NoError(t, err)
 	assert.Equal(t, false, ok)
 
 	// Invalid CIDR
-	ok, err = utils.FilterIP("10.10.0.0/222", "10.0.0.1")
-	assert.ErrorContains(t, err, "invalid CIDR address")
+	ok, err = utils.CheckIPFilter("10.10.0.0/222", "10.0.0.1")
+	assert.ErrorContains(t, err, "invalid cidr notation: invalid CIDR address: 10.10.0.0/222")
 	assert.Equal(t, false, ok)
 
 	// Invalid IP in filter
-	ok, err = utils.FilterIP("invalid_ip", "10.5.5.5")
-	assert.ErrorContains(t, err, "invalid IP address in filter")
+	ok, err = utils.CheckIPFilter("invalid_ip", "10.5.5.5")
+	assert.ErrorContains(t, err, "invalid ip address")
 	assert.Equal(t, false, ok)
 
 	// Invalid IP to check
-	ok, err = utils.FilterIP("10.10.10.10", "invalid_ip")
-	assert.ErrorContains(t, err, "invalid IP address")
+	ok, err = utils.CheckIPFilter("10.10.10.10", "invalid_ip")
+	assert.ErrorContains(t, err, "invalid ip address")
 	assert.Equal(t, false, ok)
 }
 
 func TestCheckFilter(t *testing.T) {
 	// Empty filter
-	assert.Equal(t, true, utils.CheckFilter("", "anystring"))
+	_, err := utils.CheckFilter("", "anystring")
+	assert.ErrorContains(t, err, "filter is empty")
 
 	// Exact match
-	assert.Equal(t, true, utils.CheckFilter("hello", "hello"))
+	ok, err := utils.CheckFilter("hello", "hello")
+	assert.NoError(t, err)
+	assert.Equal(t, true, ok)
 
 	// Regex match
-	assert.Equal(t, true, utils.CheckFilter("/^h.*o$/", "hello"))
+	ok, err = utils.CheckFilter("/^h.*o$/", "hello")
+	assert.NoError(t, err)
+	assert.Equal(t, true, ok)
 
 	// Invalid regex
-	assert.Equal(t, false, utils.CheckFilter("/[unclosed", "test"))
+	ok, err = utils.CheckFilter("/[unclosed/", "test")
+	assert.ErrorContains(t, err, "invalid regex")
+	assert.Equal(t, false, ok)
 
 	// Comma-separated values
-	assert.Equal(t, true, utils.CheckFilter("apple, banana, cherry", "banana"))
+	ok, err = utils.CheckFilter("apple, banana, cherry", "banana")
+	assert.NoError(t, err)
+	assert.Equal(t, true, ok)
 
 	// No match
-	assert.Equal(t, false, utils.CheckFilter("apple, banana, cherry", "grape"))
+	ok, err = utils.CheckFilter("apple, banana, cherry", "grape")
+	assert.NoError(t, err)
+	assert.Equal(t, false, ok)
 }
 
 func TestGenerateUUID(t *testing.T) {