feat: add option to disable dynamic acls

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,38 +0,0 @@
----
-name: Bug report
-about: Create a report to help improve Tinyauth
-title: "[BUG]"
-labels: bug
-assignees:
-  - steveiliop56
-
----
-
-**Describe the bug**
-A clear and concise description of what the bug is.
-
-**To Reproduce**
-Steps to reproduce the behavior:
-1. Go to '...'
-2. Click on '....'
-3. Scroll down to '....'
-4. See error
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
-
-**Logs**
-Please include the Tinyauth logs below, make sure to not include sensitive info.
-
-**Device (please complete the following information):**
- - OS: [e.g. iOS]
- - Browser [e.g. chrome, safari]
- - Tinyauth [e.g. v2.1.1]
- - Docker [e.g. 27.3.1]
-
-**
-**Additional context**
-Add any other context about the problem here.

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,89 @@
+name: Bug Report
+description: Create a report to help us improve this project
+title: "[BUG]"
+labels: bug
+assignees:
+  - steveiliop56
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for reporting a bug! Please provide detailed information below.
+
+  - type: textarea
+    id: description
+    attributes:
+      label: Describe the Bug
+      description: "A clear and concise description of what the bug is."
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: How to Reproduce
+      description: Steps to reproduce the behavior.
+      value: |
+        1. Go to '...'
+        2. Click on '....'
+        3. Scroll down to '....'
+        4. See error
+    validations:
+      required: false
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected Behavior
+      description: "A clear and concise description of what you expected to happen."
+    validations:
+      required: true
+
+  - type: textarea
+    id: context
+    attributes:
+      label: "Additional Context"
+      description: "If applicable add screenshots to help explain your problem."
+    validations:
+      required: false
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: "Logs"
+      description: "Please include the Tinyauth logs, make sure to not include sensitive info."
+    validations:
+      required: false
+
+  - type: input
+    id: os
+    attributes:
+      label: Operating System
+      placeholder: "e.g. iOS, Android, Windows, Linux, etc"
+
+  - type: input
+    id: browser
+    attributes:
+      label: Browser
+      placeholder: "e.g. Chrome, Firefox, Safari, Edge, etc"
+
+  - type: input
+    id: tinyauth
+    attributes:
+      label: Tinyauth Version
+      placeholder: "e.g. v5.0.0"
+
+  - type: input
+    id: docker
+    attributes:
+      label: Docker Version (if applicable)
+      placeholder: "e.g. 27.3.1"
+
+  - type: checkboxes
+    id: not-llm
+    attributes:
+      label: Human Written Confirmation
+      options:
+        - label: I confirm this issue was written by me and not generated by an LLM or AI assistant.
+          required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Tinyauth Community Support on Discord
+    url: https://discord.gg/eHzVaCzRRd
+    about: Please ask and answer questions here.
+  - name: Tinyauth Documentation
+    url: https://tinyauth.app/docs/getting-started/
+    about: Please check the documentation here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,21 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-title: "[FEATURE]"
-labels: enhancement
-assignees:
-  - steveiliop56
-
----
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,52 @@
+name: Feature request
+description: Suggest an idea for this project
+title: "[FEATURE]"
+labels: enhancement
+assignees:
+  - steveiliop56
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for suggesting a feature! Please provide detailed information below.
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Is your feature request related to a problem? Please describe.
+      description: "A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]"
+    validations:
+      required: false
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: Describe the solution you'd like.
+      description: "A clear and concise description of what you want to happen."
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Describe alternatives you've considered.
+      description: "A clear and concise description of any alternative solutions or features you've considered."
+    validations:
+      required: false
+
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional context
+      description: "Add any other context or screenshots about the feature request here."
+    validations:
+      required: false
+
+  - type: checkboxes
+    id: not-llm
+    attributes:
+      label: Human Written Confirmation
+      options:
+        - label: I confirm this request was written by me and not generated by an LLM or AI assistant.
+          required: true

.github/workflows/scorecard.yml

@@ -38,6 +38,6 @@ jobs:
           retention-days: 5
 
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
+        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
         with:
           sarif_file: results.sarif

internal/bootstrap/service_bootstrap.go

@@ -16,36 +16,13 @@ func (app *BootstrapApp) setupServices() error {
 
 	app.services.ldapService = ldapService
 
-	useKubernetes := app.config.LabelProvider == "kubernetes" ||
-		(app.config.LabelProvider == "auto" && os.Getenv("KUBERNETES_SERVICE_HOST") != "")
-
-	var labelProvider service.LabelProvider
-
-	if useKubernetes {
-		app.log.App.Debug().Msg("Using Kubernetes label provider")
-
-		kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, &app.wg)
+	labelProvider, err := app.getLabelProvider()
 
 	if err != nil {
-			return fmt.Errorf("failed to initialize kubernetes service: %w", err)
+		return fmt.Errorf("failed to initialize label provider: %w", err)
 	}
 
-		app.services.kubernetesService = kubernetesService
-		labelProvider = kubernetesService
-	} else {
-		app.log.App.Debug().Msg("Using Docker label provider")
-
-		dockerService, err := service.NewDockerService(app.log, app.ctx, &app.wg)
-
-		if err != nil {
-			return fmt.Errorf("failed to initialize docker service: %w", err)
-		}
-
-		app.services.dockerService = dockerService
-		labelProvider = dockerService
-	}
-
-	accessControlsService := service.NewAccessControlsService(app.log, &labelProvider, app.config.Apps)
+	accessControlsService := service.NewAccessControlsService(app.log, app.config, &labelProvider)
 	app.services.accessControlService = accessControlsService
 
 	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
@@ -64,3 +41,36 @@ func (app *BootstrapApp) setupServices() error {
 
 	return nil
 }
+
+func (app *BootstrapApp) getLabelProvider() (service.LabelProvider, error) {
+	if app.config.LabelProvider == "none" {
+		return nil, nil
+	}
+
+	useKubernetes := app.config.LabelProvider == "kubernetes" ||
+		(app.config.LabelProvider == "auto" && os.Getenv("KUBERNETES_SERVICE_HOST") != "")
+
+	if useKubernetes {
+		app.log.App.Debug().Msg("Using Kubernetes label provider")
+
+		kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, &app.wg)
+
+		if err != nil {
+			return nil, fmt.Errorf("failed to initialize kubernetes service: %w", err)
+		}
+
+		app.services.kubernetesService = kubernetesService
+		return kubernetesService, nil
+	}
+
+	app.log.App.Debug().Msg("Using Docker label provider")
+
+	dockerService, err := service.NewDockerService(app.log, app.ctx, &app.wg)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize docker service: %w", err)
+	}
+
+	app.services.dockerService = dockerService
+	return dockerService, nil
+}

internal/controller/oauth_controller.go

@@ -208,7 +208,12 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		name = user.Name
 	} else {
 		controller.log.App.Debug().Msg("No name from OAuth provider, generating from email")
-		name = fmt.Sprintf("%s (%s)", utils.Capitalize(strings.Split(user.Email, "@")[0]), strings.Split(user.Email, "@")[1])
+		parts := strings.SplitN(user.Email, "@", 2)
+		if len(parts) == 2 {
+			name = fmt.Sprintf("%s (%s)", utils.Capitalize(parts[0]), parts[1])
+		} else {
+			name = utils.Capitalize(user.Email)
+		}
 	}
 
 	var username string

internal/controller/oidc_controller.go

@@ -146,7 +146,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	client, ok := controller.oidc.GetClient(req.ClientID)
 
 	if !ok {
-		controller.authorizeError(c, err, "Client not found", "The client ID is invalid", "", "", "")
+		controller.authorizeError(c, fmt.Errorf("client not found: %s", req.ClientID), "Client not found", "The client ID is invalid", "", "", "")
 		return
 	}
 
@@ -288,7 +288,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
 		if err != nil {
 			if err := controller.oidc.DeleteTokenByCodeHash(c, controller.oidc.Hash(req.Code)); err != nil {
-				controller.log.App.Error().Err(err).Msg("Failed to delete code")
+				controller.log.App.Error().Err(err).Msg("Failed to revoke tokens for replayed code")
 			}
 			if errors.Is(err, service.ErrCodeNotFound) {
 				controller.log.App.Warn().Msg("Code not found")

internal/controller/proxy_controller.go

@@ -101,7 +101,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 
 	clientIP := c.ClientIP()
 
-	if controller.auth.IsBypassedIP(clientIP, acls) {
+	if controller.acls.IsIPBypassed(clientIP, acls) {
 		controller.setHeaders(c, acls)
 		c.JSON(200, gin.H{
 			"status":  200,
@@ -110,13 +110,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, acls)
-
-	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to determine if authentication is enabled for resource")
-		controller.handleError(c, proxyCtx)
-		return
-	}
+	authEnabled := controller.acls.IsAuthEnabled(proxyCtx.Path, acls)
 
 	if !authEnabled {
 		controller.log.App.Debug().Msg("Authentication is disabled for this resource, allowing access without authentication")
@@ -128,7 +122,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	if !controller.auth.CheckIP(clientIP, acls) {
+	if !controller.acls.IsIPAllowed(clientIP, acls) {
 		queries, err := query.Values(UnauthorizedQuery{
 			Resource: strings.Split(proxyCtx.Host, ".")[0],
 			IP:       clientIP,
@@ -144,9 +138,9 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 
 		if !controller.useBrowserResponse(proxyCtx) {
 			c.Header("x-tinyauth-location", redirectURL)
-			c.JSON(401, gin.H{
-				"status":  401,
-				"message": "Unauthorized",
+			c.JSON(403, gin.H{
+				"status":  403,
+				"message": "Forbidden",
 			})
 			return
 		}
@@ -165,7 +159,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	}
 
 	if userContext.Authenticated {
-		userAllowed := controller.auth.IsUserAllowed(c, *userContext, acls)
+		userAllowed := controller.acls.IsUserAllowed(*userContext, acls)
 
 		if !userAllowed {
 			controller.log.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User is not allowed to access resource")
@@ -205,9 +199,9 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			var groupOK bool
 
 			if userContext.IsOAuth() {
-				groupOK = controller.auth.IsInOAuthGroup(c, *userContext, acls)
+				groupOK = controller.acls.IsInOAuthGroup(*userContext, acls)
 			} else {
-				groupOK = controller.auth.IsInLDAPGroup(c, *userContext, acls)
+				groupOK = controller.acls.IsInLDAPGroup(*userContext, acls)
 			}
 
 			if !groupOK {

internal/controller/proxy_controller_test.go

@@ -24,33 +24,6 @@ func TestProxyController(t *testing.T) {
 
 	cfg, runtime := test.CreateTestConfigs(t)
 
-	acls := map[string]model.App{
-		"app_path_allow": {
-			Config: model.AppConfig{
-				Domain: "path-allow.example.com",
-			},
-			Path: model.AppPath{
-				Allow: "/allowed",
-			},
-		},
-		"app_user_allow": {
-			Config: model.AppConfig{
-				Domain: "user-allow.example.com",
-			},
-			Users: model.AppUsers{
-				Allow: "testuser",
-			},
-		},
-		"ip_bypass": {
-			Config: model.AppConfig{
-				Domain: "ip-bypass.example.com",
-			},
-			IP: model.AppIP{
-				Bypass: []string{"10.10.10.10"},
-			},
-		},
-	}
-
 	const browserUserAgent = `
 	Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Mobile Safari/537.36`
 
@@ -391,7 +364,7 @@ func TestProxyController(t *testing.T) {
 
 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
 	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, queries, broker)
-	aclsService := service.NewAccessControlsService(log, nil, acls)
+	aclsService := service.NewAccessControlsService(log, cfg, nil)
 
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {

internal/controller/resources_controller.go

@@ -32,7 +32,7 @@ func (controller *ResourcesController) resourcesHandler(c *gin.Context) {
 	if controller.config.Resources.Path == "" {
 		c.JSON(404, gin.H{
 			"status":  404,
-			"message": "Resources not found",
+			"message": "Resource not found",
 		})
 		return
 	}

internal/model/config.go

@@ -24,6 +24,9 @@ func NewDefaultConfiguration() *Config {
 			SessionMaxLifetime: 0,     // disabled
 			LoginTimeout:       300,   // 5 minutes
 			LoginMaxRetries:    3,
+			ACLs: ACLsConfig{
+				Policy: "allow",
+			},
 		},
 		UI: UIConfig{
 			Title:                 "Tinyauth",
@@ -78,7 +81,7 @@ type Config struct {
 	UI            UIConfig           `description:"UI customization." yaml:"ui"`
 	LDAP          LDAPConfig         `description:"LDAP configuration." yaml:"ldap"`
 	Experimental  ExperimentalConfig `description:"Experimental features, use with caution." yaml:"experimental"`
-	LabelProvider string             `description:"Label provider to use for ACLs (auto, docker, or kubernetes). auto detects the environment." yaml:"labelProvider"`
+	LabelProvider string             `description:"Label provider to use for ACLs (auto, docker, kubernetes or none to disable). auto detects the environment." yaml:"labelProvider"`
 	Log           LogConfig          `description:"Logging configuration." yaml:"log"`
 }
 
@@ -114,6 +117,7 @@ type AuthConfig struct {
 	LoginTimeout       int                       `description:"Login timeout in seconds." yaml:"loginTimeout"`
 	LoginMaxRetries    int                       `description:"Maximum login retries." yaml:"loginMaxRetries"`
 	TrustedProxies     []string                  `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
+	ACLs               ACLsConfig                `description:"ACLs configuration." yaml:"acls"`
 }
 
 type UserAttributes struct {
@@ -223,6 +227,10 @@ type OIDCClientConfig struct {
 	Name                string   `description:"Client name in UI." yaml:"name"`
 }
 
+type ACLsConfig struct {
+	Policy string `description:"ACL policy for allow-by-default or deny-by-default, available options are allow and deny, default is allow." yaml:"policy"`
+}
+
 // ACLs
 
 type Apps struct {

internal/service/access_controls_service.go

@@ -1,44 +1,82 @@
 package service
 
 import (
+	"regexp"
 	"strings"
 
 	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
+type AccessControlPolicy string
+
+const (
+	PolicyAllow AccessControlPolicy = "allow"
+	PolicyDeny  AccessControlPolicy = "deny"
+)
+
+func accessControlPolicyFromString(s string) (AccessControlPolicy, bool) {
+	switch strings.ToLower(s) {
+	case "allow":
+		return PolicyAllow, true
+	case "deny":
+		return PolicyDeny, true
+	default:
+		return PolicyAllow, false
+	}
+}
+
 type LabelProvider interface {
 	GetLabels(appDomain string) (*model.App, error)
 }
 
 type AccessControlsService struct {
 	log           *logger.Logger
+	config        model.Config
 	labelProvider *LabelProvider
-	static        map[string]model.App
+	policy        AccessControlPolicy
 }
 
 func NewAccessControlsService(
 	log *logger.Logger,
-	labelProvider *LabelProvider,
-	static map[string]model.App) *AccessControlsService {
-	return &AccessControlsService{
+	config model.Config,
+	labelProvider *LabelProvider) *AccessControlsService {
+
+	service := AccessControlsService{
 		log:           log,
+		config:        config,
 		labelProvider: labelProvider,
-		static:        static,
-	}
 	}
 
-func (acls *AccessControlsService) lookupStaticACLs(domain string) *model.App {
+	policy, ok := accessControlPolicyFromString(config.Auth.ACLs.Policy)
+
+	if !ok {
+		log.App.Warn().Str("policy", config.Auth.ACLs.Policy).Msg("Invalid ACL policy in config, defaulting to 'allow'")
+	}
+
+	if policy == PolicyAllow {
+		log.App.Debug().Msg("Using 'allow' ACL policy: access to apps will be allowed by default unless explicitly blocked")
+	} else {
+		log.App.Debug().Msg("Using 'deny' ACL policy: access to apps will be blocked by default unless explicitly allowed")
+	}
+
+	service.policy = policy
+
+	return &service
+}
+
+func (service *AccessControlsService) lookupStaticACLs(domain string) *model.App {
 	var appAcls *model.App
-	for app, config := range acls.static {
+	for app, config := range service.config.Apps {
 		if config.Config.Domain == domain {
-			acls.log.App.Debug().Str("name", app).Msg("Found matching container by domain")
+			service.log.App.Debug().Str("name", app).Msg("Found matching container by domain")
 			appAcls = &config
 			break // If we find a match by domain, we can stop searching
 		}
 
 		if strings.SplitN(domain, ".", 2)[0] == app {
-			acls.log.App.Debug().Str("name", app).Msg("Found matching container by app name")
+			service.log.App.Debug().Str("name", app).Msg("Found matching container by app name")
 			appAcls = &config
 			break // If we find a match by app name, we can stop searching
 		}
@@ -46,20 +84,193 @@ func (acls *AccessControlsService) lookupStaticACLs(domain string) *model.App {
 	return appAcls
 }
 
-func (acls *AccessControlsService) GetAccessControls(domain string) (*model.App, error) {
+func (service *AccessControlsService) GetAccessControls(domain string) (*model.App, error) {
 	// First check in the static config
-	app := acls.lookupStaticACLs(domain)
+	app := service.lookupStaticACLs(domain)
 
 	if app != nil {
-		acls.log.App.Debug().Msg("Using static ACLs for app")
+		service.log.App.Debug().Msg("Using static ACLs for app")
 		return app, nil
 	}
 
 	// If we have a label provider configured, try to get ACLs from it
-	if acls.labelProvider != nil {
-		return (*acls.labelProvider).GetLabels(domain)
+	if service.labelProvider != nil {
+		return (*service.labelProvider).GetLabels(domain)
 	}
 
 	// no labels
 	return nil, nil
 }
+
+func (service *AccessControlsService) IsUserAllowed(context model.UserContext, acls *model.App) bool {
+	if acls == nil {
+		return service.policyResult(true)
+	}
+
+	if context.Provider == model.ProviderOAuth {
+		service.log.App.Debug().Msg("User is an OAuth user, checking OAuth whitelist")
+		return utils.CheckFilter(acls.OAuth.Whitelist, context.OAuth.Email)
+	}
+
+	if acls.Users.Block != "" {
+		service.log.App.Debug().Msg("Checking users block list")
+		if utils.CheckFilter(acls.Users.Block, context.GetUsername()) {
+			return false
+		}
+	}
+
+	service.log.App.Debug().Msg("Checking users allow list")
+	return service.policyResult(utils.CheckFilter(acls.Users.Allow, context.GetUsername()))
+}
+
+func (service *AccessControlsService) IsInOAuthGroup(context model.UserContext, acls *model.App) bool {
+	if acls == nil {
+		return true
+	}
+
+	if !context.IsOAuth() {
+		service.log.App.Debug().Msg("User is not an OAuth user, skipping OAuth group check")
+		return false
+	}
+
+	if _, ok := model.OverrideProviders[context.OAuth.ID]; ok {
+		service.log.App.Debug().Str("provider", context.OAuth.ID).Msg("Provider override detected, skipping group check")
+		return true
+	}
+
+	for _, userGroup := range context.OAuth.Groups {
+		if utils.CheckFilter(acls.OAuth.Groups, strings.TrimSpace(userGroup)) {
+			service.log.App.Trace().Str("group", userGroup).Str("required", acls.OAuth.Groups).Msg("User group matched")
+			return true
+		}
+	}
+
+	service.log.App.Debug().Msg("No groups matched")
+	return false
+}
+
+func (service *AccessControlsService) IsInLDAPGroup(context model.UserContext, acls *model.App) bool {
+	if acls == nil {
+		return true
+	}
+
+	if !context.IsLDAP() {
+		service.log.App.Debug().Msg("User is not an LDAP user, skipping LDAP group check")
+		return false
+	}
+
+	for _, userGroup := range context.LDAP.Groups {
+		if utils.CheckFilter(acls.LDAP.Groups, strings.TrimSpace(userGroup)) {
+			service.log.App.Trace().Str("group", userGroup).Str("required", acls.LDAP.Groups).Msg("User group matched")
+			return true
+		}
+	}
+
+	service.log.App.Debug().Msg("No groups matched")
+	return false
+}
+
+func (service *AccessControlsService) IsAuthEnabled(uri string, acls *model.App) bool {
+	if acls == nil {
+		return true
+	}
+
+	if acls.Path.Block != "" {
+		regex, err := regexp.Compile(acls.Path.Block)
+
+		if err != nil {
+			service.log.App.Error().Err(err).Msg("Failed to compile block regex")
+			return true
+		}
+
+		if !regex.MatchString(uri) {
+			return false
+		}
+	}
+
+	if acls.Path.Allow != "" {
+		regex, err := regexp.Compile(acls.Path.Allow)
+
+		if err != nil {
+			service.log.App.Error().Err(err).Msg("Failed to compile allow regex")
+			return true
+		}
+
+		if regex.MatchString(uri) {
+			return false
+		}
+	}
+
+	return true
+}
+
+func (service *AccessControlsService) IsIPAllowed(ip string, acls *model.App) bool {
+	if acls == nil {
+		return service.policyResult(true)
+	}
+
+	// Merge the global and app IP filter
+	blockedIps := append(acls.IP.Block, service.config.Auth.IP.Block...)
+	allowedIPs := append(acls.IP.Allow, service.config.Auth.IP.Allow...)
+
+	for _, blocked := range blockedIps {
+		res, err := utils.FilterIP(blocked, ip)
+		if err != nil {
+			service.log.App.Warn().Err(err).Str("item", blocked).Msg("Invalid IP/CIDR in block list")
+			continue
+		}
+		if res {
+			service.log.App.Debug().Str("ip", ip).Str("item", blocked).Msg("IP is in block list, denying access")
+			return false
+		}
+	}
+
+	for _, allowed := range allowedIPs {
+		res, err := utils.FilterIP(allowed, ip)
+		if err != nil {
+			service.log.App.Warn().Err(err).Str("item", allowed).Msg("Invalid IP/CIDR in allow list")
+			continue
+		}
+		if res {
+			service.log.App.Debug().Str("ip", ip).Str("item", allowed).Msg("IP is in allow list, allowing access")
+			return true
+		}
+	}
+
+	if len(allowedIPs) > 0 {
+		service.log.App.Debug().Str("ip", ip).Msg("IP not in allow list, denying access")
+		return false
+	}
+
+	service.log.App.Debug().Str("ip", ip).Msg("IP not in block or allow list, allowing access")
+	return service.policyResult(true)
+}
+
+func (service *AccessControlsService) IsIPBypassed(ip string, acls *model.App) bool {
+	if acls == nil {
+		return false
+	}
+
+	for _, bypassed := range acls.IP.Bypass {
+		res, err := utils.FilterIP(bypassed, ip)
+		if err != nil {
+			service.log.App.Warn().Err(err).Str("item", bypassed).Msg("Invalid IP/CIDR in bypass list")
+			continue
+		}
+		if res {
+			service.log.App.Debug().Str("ip", ip).Str("item", bypassed).Msg("IP is in bypass list, skipping authentication")
+			return true
+		}
+	}
+
+	service.log.App.Debug().Str("ip", ip).Msg("IP not in bypass list, proceeding with authentication")
+	return false
+}
+
+func (service *AccessControlsService) policyResult(result bool) bool {
+	if service.policy == PolicyAllow {
+		return result
+	} else {
+		return !result
+	}
+}

internal/service/auth_service.go

@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"regexp"
 	"strings"
 	"sync"
 	"time"
@@ -18,7 +17,6 @@ import (
 
 	"slices"
 
-	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/oauth2"
@@ -454,171 +452,6 @@ func (auth *AuthService) LDAPAuthConfigured() bool {
 	return auth.ldap != nil
 }
 
-func (auth *AuthService) IsUserAllowed(c *gin.Context, context model.UserContext, acls *model.App) bool {
-	if acls == nil {
-		return true
-	}
-
-	if context.Provider == model.ProviderOAuth {
-		auth.log.App.Debug().Msg("User is an OAuth user, checking OAuth whitelist")
-		return utils.CheckFilter(acls.OAuth.Whitelist, context.OAuth.Email)
-	}
-
-	if acls.Users.Block != "" {
-		auth.log.App.Debug().Msg("Checking users block list")
-		if utils.CheckFilter(acls.Users.Block, context.GetUsername()) {
-			return false
-		}
-	}
-
-	auth.log.App.Debug().Msg("Checking users allow list")
-	return utils.CheckFilter(acls.Users.Allow, context.GetUsername())
-}
-
-func (auth *AuthService) IsInOAuthGroup(c *gin.Context, context model.UserContext, acls *model.App) bool {
-	if acls == nil {
-		return true
-	}
-
-	if !context.IsOAuth() {
-		auth.log.App.Debug().Msg("User is not an OAuth user, skipping OAuth group check")
-		return false
-	}
-
-	if _, ok := model.OverrideProviders[context.OAuth.ID]; ok {
-		auth.log.App.Debug().Str("provider", context.OAuth.ID).Msg("Provider override detected, skipping group check")
-		return true
-	}
-
-	for _, userGroup := range context.OAuth.Groups {
-		if utils.CheckFilter(acls.OAuth.Groups, strings.TrimSpace(userGroup)) {
-			auth.log.App.Trace().Str("group", userGroup).Str("required", acls.OAuth.Groups).Msg("User group matched")
-			return true
-		}
-	}
-
-	auth.log.App.Debug().Msg("No groups matched")
-	return false
-}
-
-func (auth *AuthService) IsInLDAPGroup(c *gin.Context, context model.UserContext, acls *model.App) bool {
-	if acls == nil {
-		return true
-	}
-
-	if !context.IsLDAP() {
-		auth.log.App.Debug().Msg("User is not an LDAP user, skipping LDAP group check")
-		return false
-	}
-
-	for _, userGroup := range context.LDAP.Groups {
-		if utils.CheckFilter(acls.LDAP.Groups, strings.TrimSpace(userGroup)) {
-			auth.log.App.Trace().Str("group", userGroup).Str("required", acls.LDAP.Groups).Msg("User group matched")
-			return true
-		}
-	}
-
-	auth.log.App.Debug().Msg("No groups matched")
-	return false
-}
-
-func (auth *AuthService) IsAuthEnabled(uri string, acls *model.App) (bool, error) {
-	if acls == nil {
-		return true, nil
-	}
-
-	// Check for block list
-	if acls.Path.Block != "" {
-		regex, err := regexp.Compile(acls.Path.Block)
-
-		if err != nil {
-			return true, err
-		}
-
-		if !regex.MatchString(uri) {
-			return false, nil
-		}
-	}
-
-	// Check for allow list
-	if acls.Path.Allow != "" {
-		regex, err := regexp.Compile(acls.Path.Allow)
-
-		if err != nil {
-			return true, err
-		}
-
-		if regex.MatchString(uri) {
-			return false, nil
-		}
-	}
-
-	return true, nil
-}
-
-func (auth *AuthService) CheckIP(ip string, acls *model.App) bool {
-	if acls == nil {
-		return true
-	}
-
-	// Merge the global and app IP filter
-	blockedIps := append(auth.config.Auth.IP.Block, acls.IP.Block...)
-	allowedIPs := append(auth.config.Auth.IP.Allow, acls.IP.Allow...)
-
-	for _, blocked := range blockedIps {
-		res, err := utils.FilterIP(blocked, ip)
-		if err != nil {
-			auth.log.App.Warn().Err(err).Str("item", blocked).Msg("Invalid IP/CIDR in block list")
-			continue
-		}
-		if res {
-			auth.log.App.Debug().Str("ip", ip).Str("item", blocked).Msg("IP is in block list, denying access")
-			return false
-		}
-	}
-
-	for _, allowed := range allowedIPs {
-		res, err := utils.FilterIP(allowed, ip)
-		if err != nil {
-			auth.log.App.Warn().Err(err).Str("item", allowed).Msg("Invalid IP/CIDR in allow list")
-			continue
-		}
-		if res {
-			auth.log.App.Debug().Str("ip", ip).Str("item", allowed).Msg("IP is in allow list, allowing access")
-			return true
-		}
-	}
-
-	if len(allowedIPs) > 0 {
-		auth.log.App.Debug().Str("ip", ip).Msg("IP not in allow list, denying access")
-		return false
-	}
-
-	auth.log.App.Debug().Str("ip", ip).Msg("IP not in any block or allow list, allowing access by default")
-	return true
-}
-
-func (auth *AuthService) IsBypassedIP(ip string, acls *model.App) bool {
-	if acls == nil {
-		return false
-	}
-
-	for _, bypassed := range acls.IP.Bypass {
-		res, err := utils.FilterIP(bypassed, ip)
-		if err != nil {
-			auth.log.App.Warn().Err(err).Str("item", bypassed).Msg("Invalid IP/CIDR in bypass list")
-			continue
-		}
-		if res {
-			auth.log.App.Debug().Str("ip", ip).Str("item", bypassed).Msg("IP is in bypass list, skipping authentication")
-			return true
-		}
-	}
-
-	auth.log.App.Debug().Str("ip", ip).Msg("IP not in bypass list, proceeding with authentication")
-	return false
-}
-
 func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthURLParams) (string, OAuthPendingSession, error) {
 	auth.ensureOAuthSessionLimit()
 
@@ -773,46 +606,49 @@ func (auth *AuthService) ensureOAuthSessionLimit() {
 	auth.oauthMutex.Lock()
 	defer auth.oauthMutex.Unlock()
 
-	if len(auth.oauthPendingSessions) >= MaxOAuthPendingSessions {
+	if len(auth.oauthPendingSessions) <= MaxOAuthPendingSessions {
+		return
+	}
 
-		cleanupIds := make([]string, 0, OAuthCleanupCount)
-
-		for range OAuthCleanupCount {
-			oldestId := ""
-			oldestTime := int64(0)
+	type entry struct {
+		id        string
+		expiresAt int64
+	}
 
+	entries := make([]entry, 0, len(auth.oauthPendingSessions))
 	for id, session := range auth.oauthPendingSessions {
-				if oldestTime == 0 {
-					oldestId = id
-					oldestTime = session.ExpiresAt.Unix()
-					continue
-				}
-				if slices.Contains(cleanupIds, id) {
-					continue
-				}
-				if session.ExpiresAt.Unix() < oldestTime {
-					oldestId = id
-					oldestTime = session.ExpiresAt.Unix()
-				}
+		entries = append(entries, entry{id, session.ExpiresAt.Unix()})
 	}
 
-			cleanupIds = append(cleanupIds, oldestId)
+	slices.SortFunc(entries, func(a, b entry) int {
+		if a.expiresAt < b.expiresAt {
+			return -1
 		}
+		if a.expiresAt > b.expiresAt {
+			return 1
+		}
+		return 0
+	})
 
-		for _, id := range cleanupIds {
-			delete(auth.oauthPendingSessions, id)
-		}
+	for _, e := range entries[:OAuthCleanupCount] {
+		delete(auth.oauthPendingSessions, e.id)
 	}
 }
 
 func (auth *AuthService) lockdownMode() {
 	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	auth.lockdownCtx = ctx
-	auth.lockdownCancelFunc = cancel
 
 	auth.loginMutex.Lock()
 
+	if auth.lockdown != nil && auth.lockdown.Active {
+		auth.loginMutex.Unlock()
+		cancel()
+		return
+	}
+
+	auth.lockdownCtx = ctx
+	auth.lockdownCancelFunc = cancel
+
 	auth.log.App.Warn().Msg("Too many failed login attempts, entering lockdown mode")
 
 	auth.lockdown = &Lockdown{
@@ -825,10 +661,12 @@ func (auth *AuthService) lockdownMode() {
 	auth.loginAttempts = make(map[string]*LoginAttempt)
 
 	timer := time.NewTimer(time.Until(auth.lockdown.ActiveUntil))
-	defer timer.Stop()
 
 	auth.loginMutex.Unlock()
 
+	defer cancel()
+	defer timer.Stop()
+
 	select {
 	case <-timer.C:
 		// Timer expired, end lockdown

internal/service/oauth_service.go

@@ -26,6 +26,7 @@ func NewOAuthService(config model.OAuthServiceConfig, id string, ctx context.Con
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: config.Insecure,
+				MinVersion:         tls.VersionTLS12,
 			},
 		},
 	}

internal/service/oidc_service.go

@@ -121,7 +121,7 @@ type OIDCService struct {
 
 	clients    map[string]model.OIDCClientConfig
 	privateKey *rsa.PrivateKey
-	publicKey  crypto.PublicKey
+	publicKey  *rsa.PublicKey
 	issuer     string
 }
 
@@ -239,6 +239,16 @@ func NewOIDCService(
 		}
 	}
 
+	rPublicKey, ok := publicKey.(*rsa.PublicKey)
+
+	if !ok {
+		return nil, fmt.Errorf("public key is not an rsa public key")
+	}
+
+	if rPublicKey.N.Cmp(privateKey.N) != 0 || rPublicKey.E != privateKey.E {
+		return nil, fmt.Errorf("public key does not pair with private key")
+	}
+
 	// We will reorganize the client into a map with the client ID as the key
 	clients := make(map[string]model.OIDCClientConfig)
 
@@ -271,7 +281,7 @@ func NewOIDCService(
 
 		clients:    clients,
 		privateKey: privateKey,
-		publicKey:  publicKey,
+		publicKey:  rPublicKey,
 		issuer:     issuer,
 	}
 
@@ -455,7 +465,7 @@ func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user
 
 	hasher := sha256.New()
 
-	der := x509.MarshalPKCS1PublicKey(&service.privateKey.PublicKey)
+	der := x509.MarshalPKCS1PublicKey(service.publicKey)
 
 	if der == nil {
 		return "", errors.New("failed to marshal public key")
@@ -813,7 +823,7 @@ func (service *OIDCService) cleanupRoutine() {
 func (service *OIDCService) GetJWK() ([]byte, error) {
 	hasher := sha256.New()
 
-	der := x509.MarshalPKCS1PublicKey(&service.privateKey.PublicKey)
+	der := x509.MarshalPKCS1PublicKey(service.publicKey)
 
 	if der == nil {
 		return nil, errors.New("failed to marshal public key")
@@ -822,13 +832,13 @@ func (service *OIDCService) GetJWK() ([]byte, error) {
 	hasher.Write(der)
 
 	jwk := jose.JSONWebKey{
-		Key:       service.privateKey,
+		Key:       service.publicKey,
 		Algorithm: string(jose.RS256),
 		Use:       "sig",
 		KeyID:     base64.URLEncoding.EncodeToString(hasher.Sum(nil)),
 	}
 
-	return jwk.Public().MarshalJSON()
+	return jwk.MarshalJSON()
 }
 
 func (service *OIDCService) ValidatePKCE(codeChallenge string, codeVerifier string) bool {

internal/test/test.go

@@ -40,6 +40,9 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 			SessionExpiry:   10,
 			LoginTimeout:    10,
 			LoginMaxRetries: 3,
+			ACLs: model.ACLsConfig{
+				Policy: "allow",
+			},
 		},
 		Database: model.DatabaseConfig{
 			Path: filepath.Join(tempDir, "test.db"),
@@ -48,6 +51,32 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 			Enabled: true,
 			Path:    filepath.Join(tempDir, "resources"),
 		},
+		Apps: map[string]model.App{
+			"app_path_allow": {
+				Config: model.AppConfig{
+					Domain: "path-allow.example.com",
+				},
+				Path: model.AppPath{
+					Allow: "/allowed",
+				},
+			},
+			"app_user_allow": {
+				Config: model.AppConfig{
+					Domain: "user-allow.example.com",
+				},
+				Users: model.AppUsers{
+					Allow: "testuser",
+				},
+			},
+			"ip_bypass": {
+				Config: model.AppConfig{
+					Domain: "ip-bypass.example.com",
+				},
+				IP: model.AppIP{
+					Bypass: []string{"10.10.10.10"},
+				},
+			},
+		},
 	}
 
 	passwd, err := bcrypt.GenerateFromPassword([]byte("password"), bcrypt.DefaultCost)