fix: review comments

feat: add support for deny by default access controls
2026-05-16 17:20:14 +00:00 · 2026-05-12 18:17:01 +03:00 · 2026-05-12 17:21:45 +03:00
35 changed files with 1562 additions and 5628 deletions
@@ -0,0 +1,38 @@
+---
+name: Bug report
+about: Create a report to help improve Tinyauth
+title: "[BUG]"
+labels: bug
+assignees:
+  - steveiliop56
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Logs**
+Please include the Tinyauth logs below, make sure to not include sensitive info.
+
+**Device (please complete the following information):**
+ - OS: [e.g. iOS]
+ - Browser [e.g. chrome, safari]
+ - Tinyauth [e.g. v2.1.1]
+ - Docker [e.g. 27.3.1]
+
+**
+**Additional context**
+Add any other context about the problem here.
@@ -1,89 +0,0 @@
-name: Bug Report
-description: Create a report to help us improve this project
-title: "[BUG]"
-labels: bug
-assignees:
- steveiliop56
-
-body:
- type: markdown
-  attributes:
-    value: |
-      Thanks for reporting a bug! Please provide detailed information below.
-
- type: textarea
-  id: description
-  attributes:
-    label: Describe the Bug
-    description: "A clear and concise description of what the bug is."
-  validations:
-    required: true
-
- type: textarea
-  id: reproduce
-  attributes:
-    label: How to Reproduce
-    description: Steps to reproduce the behavior.
-    value: |
-      1. Go to '...'
-      2. Click on '....'
-      3. Scroll down to '....'
-      4. See error
-  validations:
-    required: false
-
- type: textarea
-  id: expected
-  attributes:
-    label: Expected Behavior
-    description: "A clear and concise description of what you expected to happen."
-  validations:
-    required: true
-
- type: textarea
-  id: context
-  attributes:
-    label: "Additional Context"
-    description: "If applicable add screenshots to help explain your problem."
-  validations:
-    required: false
-
- type: textarea
-  id: logs
-  attributes:
-    label: "Logs"
-    description: "Please include the Tinyauth logs, make sure to not include sensitive info."
-  validations:
-    required: false
-
- type: input
-  id: os
-  attributes:
-    label: Operating System
-    placeholder: "e.g. iOS, android, windows, linux, etc"
-
- type: input
-  id: browser
-  attributes:
-    label: Browser
-    placeholder: "e.g. chrome, firefox, safari, edge, etc"
-
- type: input
-  id: tinyauth
-  attributes:
-    label: Tinyauth Version
-    placeholder: "e.g. v5.0.0"
-
- type: input
-  id: docker
-  attributes:
-    label: Docker Version (if applicable)
-    placeholder: "e.g. 27.3.1"
-
- type: checkboxes
-  id: not-llm
-  attributes:
-    label: Human Written Confirmation
-    options:
-      - label: I confirm this issue was written by me and not generated by an LLM or AI assistant.
-        required: true
@@ -1,8 +0,0 @@
-blank_issues_enabled: false
-contact_links:
-  - name: Tinyauth Community Support on Discord
-    url: https://discord.gg/eHzVaCzRRd
-    about: Please ask and answer questions here.
-  - name: Tinyauth Documentation
-    url: https://tinyauth.app/docs/getting-started/
-    about: Please check the documentation here.
@@ -0,0 +1,21 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: "[FEATURE]"
+labels: enhancement
+assignees:
+  - steveiliop56
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
@@ -1,52 +0,0 @@
-name: Feature request
-about: Suggest an idea for this project
-title: "[FEATURE]"
-labels: enhancement
-assignees:
- steveiliop56
-
-body:
- type: markdown
-  attributes:
-    value: |
-      Thanks for suggesting a feature! Please provide detailed information below.
-
- type: textarea
-  id: problem
-  attributes:
-    label: Is your feature request related to a problem? Please describe.
-    description: "A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]"
-  validations:
-    required: false
-
- type: textarea
-  id: solution
-  attributes:
-    label: Describe the solution you'd like.
-    description: "A clear and concise description of what you want to happen."
-  validations:
-    required: true
-
- type: textarea
-  id: alternatives
-  attributes:
-    label: Describe alternatives you've considered.
-    description: "A clear and concise description of any alternative solutions or features you've considered."
-  validations:
-    required: false
-
- type: textarea
-  id: context
-  attributes:
-    label: Additional context
-    description: "Add any other context or screenshots about the feature request here."
-  validations:
-    required: false
-
- type: checkboxes
-  id: not-llm
-  attributes:
-    label: Human Written Confirmation
-    options:
-      - label: I confirm this request was written by me and not generated by an LLM or AI assistant.
-        required: true
@@ -1,6 +1,6 @@
 version: 2
 updates:
-  - package-ecosystem: "npm"
+  - package-ecosystem: "bun"
    directory: "/frontend"
    groups:
      minor-patch:
@@ -15,10 +15,8 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
-        with:
-          package_json_file: ./frontend/package.json
+      - name: Setup bun
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2

      - name: Setup go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -29,22 +27,27 @@ jobs:
        run: go mod download

      - name: Install frontend dependencies
-        working-directory: ./frontend
-        run: pnpm ci
+        run: |
+          cd frontend
+          bun install --frozen-lockfile

      - name: Set version
-        run: echo testing > internal/assets/version
+        run: |
+          echo testing > internal/assets/version

      - name: Lint frontend
-        working-directory: ./frontend
-        run: pnpm run lint
+        run: |
+          cd frontend
+          bun run lint

      - name: Build frontend
-        working-directory: ./frontend
-        run: pnpm run build
+        run: |
+          cd frontend
+          bun run build

      - name: Copy frontend
-        run: cp -r frontend/dist internal/assets/dist
+        run: |
+          cp -r frontend/dist internal/assets/dist

      - name: Run tests
        run: go test -coverprofile=coverage.txt -v ./...
@@ -59,10 +59,8 @@ jobs:
        with:
          ref: nightly

-      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
-        with:
-          package_json_file: ./frontend/package.json
+      - name: Install bun
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2

      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -70,15 +68,18 @@ jobs:
          go-version: "^1.26.0"

      - name: Install frontend dependencies
-        working-directory: ./frontend
-        run: pnpm ci
+        run: |
+          cd frontend
+          bun install --frozen-lockfile

      - name: Install backend dependencies
-        run: go mod download
+        run: |
+          go mod download

      - name: Build frontend
-        working-directory: ./frontend
-        run: pnpm run build
+        run: |
+          cd frontend
+          bun run build

      - name: Build
        run: |
@@ -104,10 +105,8 @@ jobs:
        with:
          ref: nightly

-      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
-        with:
-          package_json_file: ./frontend/package.json
+      - name: Install bun
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2

      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -115,15 +114,18 @@ jobs:
          go-version: "^1.26.0"

      - name: Install frontend dependencies
-        working-directory: ./frontend
-        run: pnpm ci
+        run: |
+          cd frontend
+          bun install --frozen-lockfile

      - name: Install backend dependencies
-        run: go mod download
+        run: |
+          go mod download

      - name: Build frontend
-        working-directory: ./frontend
-        run: pnpm run build
+        run: |
+          cd frontend
+          bun run build

      - name: Build
        run: |
@@ -35,10 +35,8 @@ jobs:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
-        with:
-          package_json_file: ./frontend/package.json
+      - name: Install bun
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2

      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -46,15 +44,18 @@ jobs:
          go-version: "^1.26.0"

      - name: Install frontend dependencies
-        working-directory: ./frontend
-        run: pnpm ci
+        run: |
+          cd frontend
+          bun install --frozen-lockfile

      - name: Install backend dependencies
-        run: go mod download
+        run: |
+          go mod download

      - name: Build frontend
-        working-directory: ./frontend
-        run: pnpm run build
+        run: |
+          cd frontend
+          bun run build

      - name: Build
        run: |
@@ -77,10 +78,8 @@ jobs:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
-        with:
-          package_json_file: ./frontend/package.json
+      - name: Install bun
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2

      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -88,15 +87,18 @@ jobs:
          go-version: "^1.26.0"

      - name: Install frontend dependencies
-        working-directory: ./frontend
-        run: pnpm ci
+        run: |
+          cd frontend
+          bun install --frozen-lockfile

      - name: Install backend dependencies
-        run: go mod download
+        run: |
+          go mod download

      - name: Build frontend
-        working-directory: ./frontend
-        run: pnpm run build
+        run: |
+          cd frontend
+          bun run build

      - name: Build
        run: |
@@ -48,6 +48,3 @@ __debug_*

 # testing config
 config.certify.yml
-
-# deepsec
-/.deepsec
@@ -7,7 +7,7 @@ Contributing to Tinyauth is straightforward. Follow the steps below to set up a

 ## Requirements

- pnpm
+- Bun
 - Golang v1.24.0 or later
 - Git
 - Docker
@@ -34,7 +34,7 @@ Frontend dependencies can be installed as follows:

 ```sh
 cd frontend/
-pnpm ci
+bun install
 ```

 ## Create the `.env` file
@@ -1,14 +1,12 @@
 # Site builder
-FROM node:26.1-alpine3.23 AS frontend-builder
+FROM oven/bun:1.3.13-alpine AS frontend-builder

 WORKDIR /frontend

-RUN npm install -g pnpm@11.1.2
-
 COPY ./frontend/package.json ./
-COPY ./frontend/pnpm-lock.yaml ./
+COPY ./frontend/bun.lock ./

-RUN pnpm ci
+RUN bun install --frozen-lockfile

 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -19,7 +17,7 @@ COPY ./frontend/tsconfig.app.json ./
 COPY ./frontend/tsconfig.node.json ./
 COPY ./frontend/vite.config.ts ./

-RUN pnpm run build
+RUN bun run build

 # Builder
 FROM golang:1.26-alpine3.23 AS builder
@@ -8,7 +8,7 @@ COPY go.sum ./
 RUN go mod download

 RUN go install github.com/air-verse/air@v1.61.7
-RUN go install github.com/go-delve/delve/cmd/dlv@v1.26.3
+RUN go install github.com/go-delve/delve/cmd/dlv@latest

 COPY ./cmd ./cmd
 COPY ./internal ./internal
@@ -1,14 +1,12 @@
 # Site builder
-FROM node:26.1-alpine3.23 AS frontend-builder
+FROM oven/bun:1.3.13-alpine AS frontend-builder

 WORKDIR /frontend

-RUN npm install -g pnpm@11.1.2
-
 COPY ./frontend/package.json ./
-COPY ./frontend/pnpm-lock.yaml ./
+COPY ./frontend/bun.lock ./

-RUN pnpm ci
+RUN bun install --frozen-lockfile

 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -19,7 +17,7 @@ COPY ./frontend/tsconfig.app.json ./
 COPY ./frontend/tsconfig.node.json ./
 COPY ./frontend/vite.config.ts ./

-RUN pnpm run build
+RUN bun run build

 # Builder
 FROM golang:1.26-alpine3.23 AS builder
@@ -17,7 +17,7 @@ PROD_COMPOSE := $(shell test -f "docker-compose.test.prod.yml" && echo "docker-c

 # Deps
 deps:
-	cd frontend && pnpm ci
+	bun install --frozen-lockfile --cwd frontend
 	go mod download

 # Clean data
@@ -31,7 +31,7 @@ clean-webui:

 # Build the web UI
 webui: clean-webui
-	cd frontend && pnpm run build
+	bun run --cwd frontend build
 	cp -r frontend/dist internal/assets

 # Build the binary
@@ -2,56 +2,8 @@

 ## Supported Versions

-It is recommended to use the [latest](https://github.com/tinyauthapp/tinyauth/releases/latest) available version of Tinyauth. This is because it includes security fixes, new features and dependency updates. Older versions, especially major ones, are not supported and won't receive security or patch updates.
+It is recommended to use the [latest](https://github.com/tinyauthapp/tinyauth/releases/latest) available version of tinyauth. This is because it includes security fixes, new features and dependency updates. Older versions, especially major ones, are not supported and won't receive security or patch updates.

 ## Reporting a Vulnerability

-Please **do not** report security vulnerabilities through public GitHub issues, discussions, or pull requests as I won't be able to patch them in time and they may get exploited by malicious actors.
-
-Instead, report them privately using [GitHub's Private Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) via the **Security** tab of this repository.
-
-Or send us an email at <security@tinyauth.app>.
-
-### A note on AI-assisted reports
-
-If AI tooling (LLMs, automated scanners, agentic assistants, etc.) helped you discover, analyse, or write up this issue, please say so in your report. This isn't a judgement - AI-assisted findings are welcome - but disclosing it up front helps maintainers calibrate how much additional verification a report needs, and tends to make the report itself clearer.
-
-When submitting a report, please use the structure below so it can be triaged quickly.
-
---
-
-### 1. Summary
-
-A short, one-paragraph description of the vulnerability and its impact (e.g. what an attacker can achieve, who is affected, and under what conditions).
-
-### 2. Steps to Reproduce / Proof of Concept
-
-Provide a minimal, reliable reproduction:
-
-1. Step one
-2. Step two
-3. Step three
-
-Include any required input, payloads, configuration, or code snippets. Attach a PoC script or screenshots where helpful.
-
-### 3. Expected vs. Actual Behaviour
-
- **Expected:** what *should* happen
- **Actual:** what *does* happen, and why it's a security issue
-
-### 4. Suggested Fix or Mitigation *(optional)*
-
-If you have an idea for how to address the issue, describe it here. A private gist link is welcome but not required.
-
- **Have you tested this fix?** Yes / No
- **If yes,** briefly describe how it was tested and what was verified.
-
---
-
-## What to Expect
-
- **Acknowledgement** within a reasonable timeframe after receiving your report
- **Updates** as the issue is investigated and addressed
- **Public credit** in the resulting advisory, along with any **CVE assigned**, unless you'd prefer to stay anonymous
-
-We follow a **90-day coordinated disclosure** window: please allow up to 90 days from the date of your report for the issue to be investigated and patched before publicly disclosing it. The publication date - whether earlier if a fix lands sooner, or later if more time is genuinely needed - will be agreed with you in advance.
+Due to the nature of this app, it needs to be secure. If you discover any security issues or vulnerabilities in the app please contact me as soon as possible at <security@tinyauth.app>. Please do not use the issues section to report security issues as I won't be able to patch them in time and they may get exploited by malicious actors.
@@ -0,0 +1,6 @@
+# Ignore artifacts:
+dist
+node_modules
+bun.lock
+package.json
+src/lib/i18n/locales
@@ -0,0 +1 @@
+{}
@@ -1,13 +1,11 @@
-FROM node:26.1-alpine3.23
-
-RUN npm install -g pnpm@11.1.2
+FROM oven/bun:1.2.16-alpine

 WORKDIR /frontend

 COPY ./frontend/package.json ./
-COPY ./frontend/pnpm-lock.yaml ./
+COPY ./frontend/bun.lock ./

-RUN pnpm ci
+RUN bun install --frozen-lockfile

 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -21,4 +19,4 @@ COPY ./frontend/vite.config.ts ./

 EXPOSE 5173

-ENTRYPOINT ["pnpm", "run", "dev"]
+ENTRYPOINT ["bun", "run", "dev"]
@@ -10,7 +10,6 @@
    "preview": "vite preview",
    "tsc": "tsc -b"
  },
-  "packageManager": "pnpm@11.1.2",
  "dependencies": {
    "@hookform/resolvers": "^5.2.2",
    "@radix-ui/react-dropdown-menu": "^2.1.16",
@@ -1,4 +0,0 @@
-dangerouslyAllowAllBuilds: false
-blockExoticSubdeps: true
-minimumReleaseAge: 1440 # 1 day
-trustPolicy: no-downgrade
@@ -45,7 +45,7 @@ func (app *BootstrapApp) setupServices() error {
 		labelProvider = dockerService
 	}

-	accessControlsService := service.NewAccessControlsService(app.log, &labelProvider, app.config.Apps)
+	accessControlsService := service.NewAccessControlsService(app.log, app.config, &labelProvider)
 	app.services.accessControlService = accessControlsService

 	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
@@ -208,12 +208,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		name = user.Name
 	} else {
 		controller.log.App.Debug().Msg("No name from OAuth provider, generating from email")
-		parts := strings.SplitN(user.Email, "@", 2)
-		if len(parts) == 2 {
-			name = fmt.Sprintf("%s (%s)", utils.Capitalize(parts[0]), parts[1])
-		} else {
-			name = utils.Capitalize(user.Email)
-		}
+		name = fmt.Sprintf("%s (%s)", utils.Capitalize(strings.Split(user.Email, "@")[0]), strings.Split(user.Email, "@")[1])
 	}

 	var username string
@@ -146,7 +146,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	client, ok := controller.oidc.GetClient(req.ClientID)

 	if !ok {
-		controller.authorizeError(c, fmt.Errorf("client not found: %s", req.ClientID), "Client not found", "The client ID is invalid", "", "", "")
+		controller.authorizeError(c, err, "Client not found", "The client ID is invalid", "", "", "")
 		return
 	}

@@ -288,7 +288,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
 		if err != nil {
 			if err := controller.oidc.DeleteTokenByCodeHash(c, controller.oidc.Hash(req.Code)); err != nil {
-				controller.log.App.Error().Err(err).Msg("Failed to revoke tokens for replayed code")
+				controller.log.App.Error().Err(err).Msg("Failed to delete code")
 			}
 			if errors.Is(err, service.ErrCodeNotFound) {
 				controller.log.App.Warn().Msg("Code not found")
@@ -101,7 +101,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {

 	clientIP := c.ClientIP()

-	if controller.auth.IsBypassedIP(clientIP, acls) {
+	if controller.acls.IsIPBypassed(clientIP, acls) {
 		controller.setHeaders(c, acls)
 		c.JSON(200, gin.H{
 			"status":  200,
@@ -110,13 +110,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}

-	authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, acls)
-
-	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to determine if authentication is enabled for resource")
-		controller.handleError(c, proxyCtx)
-		return
-	}
+	authEnabled := controller.acls.IsAuthEnabled(proxyCtx.Path, acls)

 	if !authEnabled {
 		controller.log.App.Debug().Msg("Authentication is disabled for this resource, allowing access without authentication")
@@ -128,7 +122,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}

-	if !controller.auth.CheckIP(clientIP, acls) {
+	if !controller.acls.IsIPAllowed(clientIP, acls) {
 		queries, err := query.Values(UnauthorizedQuery{
 			Resource: strings.Split(proxyCtx.Host, ".")[0],
 			IP:       clientIP,
@@ -144,9 +138,9 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {

 		if !controller.useBrowserResponse(proxyCtx) {
 			c.Header("x-tinyauth-location", redirectURL)
-			c.JSON(403, gin.H{
-				"status":  403,
-				"message": "Forbidden",
+			c.JSON(401, gin.H{
+				"status":  401,
+				"message": "Unauthorized",
 			})
 			return
 		}
@@ -165,7 +159,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	}

 	if userContext.Authenticated {
-		userAllowed := controller.auth.IsUserAllowed(c, *userContext, acls)
+		userAllowed := controller.acls.IsUserAllowed(*userContext, acls)

 		if !userAllowed {
 			controller.log.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User is not allowed to access resource")
@@ -205,9 +199,9 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			var groupOK bool

 			if userContext.IsOAuth() {
-				groupOK = controller.auth.IsInOAuthGroup(c, *userContext, acls)
+				groupOK = controller.acls.IsInOAuthGroup(*userContext, acls)
 			} else {
-				groupOK = controller.auth.IsInLDAPGroup(c, *userContext, acls)
+				groupOK = controller.acls.IsInLDAPGroup(*userContext, acls)
 			}

 			if !groupOK {
@@ -24,33 +24,6 @@ func TestProxyController(t *testing.T) {

 	cfg, runtime := test.CreateTestConfigs(t)

-	acls := map[string]model.App{
-		"app_path_allow": {
-			Config: model.AppConfig{
-				Domain: "path-allow.example.com",
-			},
-			Path: model.AppPath{
-				Allow: "/allowed",
-			},
-		},
-		"app_user_allow": {
-			Config: model.AppConfig{
-				Domain: "user-allow.example.com",
-			},
-			Users: model.AppUsers{
-				Allow: "testuser",
-			},
-		},
-		"ip_bypass": {
-			Config: model.AppConfig{
-				Domain: "ip-bypass.example.com",
-			},
-			IP: model.AppIP{
-				Bypass: []string{"10.10.10.10"},
-			},
-		},
-	}
-
 	const browserUserAgent = `
 	Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Mobile Safari/537.36`

@@ -391,7 +364,7 @@ func TestProxyController(t *testing.T) {

 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
 	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, queries, broker)
-	aclsService := service.NewAccessControlsService(log, nil, acls)
+	aclsService := service.NewAccessControlsService(log, cfg, nil)

 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
@@ -32,7 +32,7 @@ func (controller *ResourcesController) resourcesHandler(c *gin.Context) {
 	if controller.config.Resources.Path == "" {
 		c.JSON(404, gin.H{
 			"status":  404,
-			"message": "Resource not found",
+			"message": "Resources not found",
 		})
 		return
 	}
@@ -24,6 +24,9 @@ func NewDefaultConfiguration() *Config {
 			SessionMaxLifetime: 0,     // disabled
 			LoginTimeout:       300,   // 5 minutes
 			LoginMaxRetries:    3,
+			ACLs: ACLsConfig{
+				Policy: "allow",
+			},
 		},
 		UI: UIConfig{
 			Title:                 "Tinyauth",
@@ -114,6 +117,7 @@ type AuthConfig struct {
 	LoginTimeout       int                       `description:"Login timeout in seconds." yaml:"loginTimeout"`
 	LoginMaxRetries    int                       `description:"Maximum login retries." yaml:"loginMaxRetries"`
 	TrustedProxies     []string                  `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
+	ACLs               ACLsConfig                `description:"ACLs configuration." yaml:"acls"`
 }

 type UserAttributes struct {
@@ -223,6 +227,10 @@ type OIDCClientConfig struct {
 	Name                string   `description:"Client name in UI." yaml:"name"`
 }

+type ACLsConfig struct {
+	Policy string `description:"ACL policy for allow-by-default or deny-by-default, available options are allow and deny, default is allow." yaml:"policy"`
+}
+
 // ACLs

 type Apps struct {
@@ -1,44 +1,82 @@
 package service

 import (
+	"regexp"
 	"strings"

 	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )

+type AccessControlPolicy string
+
+const (
+	PolicyAllow AccessControlPolicy = "allow"
+	PolicyDeny  AccessControlPolicy = "deny"
+)
+
+func accessControlPolicyFromString(s string) (AccessControlPolicy, bool) {
+	switch strings.ToLower(s) {
+	case "allow":
+		return PolicyAllow, true
+	case "deny":
+		return PolicyDeny, true
+	default:
+		return PolicyAllow, false
+	}
+}
+
 type LabelProvider interface {
 	GetLabels(appDomain string) (*model.App, error)
 }

 type AccessControlsService struct {
 	log           *logger.Logger
+	config        model.Config
 	labelProvider *LabelProvider
-	static        map[string]model.App
+	policy        AccessControlPolicy
 }

 func NewAccessControlsService(
 	log *logger.Logger,
-	labelProvider *LabelProvider,
-	static map[string]model.App) *AccessControlsService {
-	return &AccessControlsService{
+	config model.Config,
+	labelProvider *LabelProvider) *AccessControlsService {
+
+	service := AccessControlsService{
 		log:           log,
+		config:        config,
 		labelProvider: labelProvider,
-		static:        static,
 	}
+
+	policy, ok := accessControlPolicyFromString(config.Auth.ACLs.Policy)
+
+	if !ok {
+		log.App.Warn().Str("policy", config.Auth.ACLs.Policy).Msg("Invalid ACL policy in config, defaulting to 'allow'")
+	}
+
+	if policy == PolicyAllow {
+		log.App.Debug().Msg("Using 'allow' ACL policy: access to apps will be allowed by default unless explicitly blocked")
+	} else {
+		log.App.Debug().Msg("Using 'deny' ACL policy: access to apps will be blocked by default unless explicitly allowed")
+	}
+
+	service.policy = policy
+
+	return &service
 }

-func (acls *AccessControlsService) lookupStaticACLs(domain string) *model.App {
+func (service *AccessControlsService) lookupStaticACLs(domain string) *model.App {
 	var appAcls *model.App
-	for app, config := range acls.static {
+	for app, config := range service.config.Apps {
 		if config.Config.Domain == domain {
-			acls.log.App.Debug().Str("name", app).Msg("Found matching container by domain")
+			service.log.App.Debug().Str("name", app).Msg("Found matching container by domain")
 			appAcls = &config
 			break // If we find a match by domain, we can stop searching
 		}

 		if strings.SplitN(domain, ".", 2)[0] == app {
-			acls.log.App.Debug().Str("name", app).Msg("Found matching container by app name")
+			service.log.App.Debug().Str("name", app).Msg("Found matching container by app name")
 			appAcls = &config
 			break // If we find a match by app name, we can stop searching
 		}
@@ -46,20 +84,193 @@ func (acls *AccessControlsService) lookupStaticACLs(domain string) *model.App {
 	return appAcls
 }

-func (acls *AccessControlsService) GetAccessControls(domain string) (*model.App, error) {
+func (service *AccessControlsService) GetAccessControls(domain string) (*model.App, error) {
 	// First check in the static config
-	app := acls.lookupStaticACLs(domain)
+	app := service.lookupStaticACLs(domain)

 	if app != nil {
-		acls.log.App.Debug().Msg("Using static ACLs for app")
+		service.log.App.Debug().Msg("Using static ACLs for app")
 		return app, nil
 	}

 	// If we have a label provider configured, try to get ACLs from it
-	if acls.labelProvider != nil {
-		return (*acls.labelProvider).GetLabels(domain)
+	if service.labelProvider != nil {
+		return (*service.labelProvider).GetLabels(domain)
 	}

 	// no labels
 	return nil, nil
 }
+
+func (service *AccessControlsService) IsUserAllowed(context model.UserContext, acls *model.App) bool {
+	if acls == nil {
+		return service.policyResult(true)
+	}
+
+	if context.Provider == model.ProviderOAuth {
+		service.log.App.Debug().Msg("User is an OAuth user, checking OAuth whitelist")
+		return utils.CheckFilter(acls.OAuth.Whitelist, context.OAuth.Email)
+	}
+
+	if acls.Users.Block != "" {
+		service.log.App.Debug().Msg("Checking users block list")
+		if utils.CheckFilter(acls.Users.Block, context.GetUsername()) {
+			return false
+		}
+	}
+
+	service.log.App.Debug().Msg("Checking users allow list")
+	return service.policyResult(utils.CheckFilter(acls.Users.Allow, context.GetUsername()))
+}
+
+func (service *AccessControlsService) IsInOAuthGroup(context model.UserContext, acls *model.App) bool {
+	if acls == nil {
+		return true
+	}
+
+	if !context.IsOAuth() {
+		service.log.App.Debug().Msg("User is not an OAuth user, skipping OAuth group check")
+		return false
+	}
+
+	if _, ok := model.OverrideProviders[context.OAuth.ID]; ok {
+		service.log.App.Debug().Str("provider", context.OAuth.ID).Msg("Provider override detected, skipping group check")
+		return true
+	}
+
+	for _, userGroup := range context.OAuth.Groups {
+		if utils.CheckFilter(acls.OAuth.Groups, strings.TrimSpace(userGroup)) {
+			service.log.App.Trace().Str("group", userGroup).Str("required", acls.OAuth.Groups).Msg("User group matched")
+			return true
+		}
+	}
+
+	service.log.App.Debug().Msg("No groups matched")
+	return false
+}
+
+func (service *AccessControlsService) IsInLDAPGroup(context model.UserContext, acls *model.App) bool {
+	if acls == nil {
+		return true
+	}
+
+	if !context.IsLDAP() {
+		service.log.App.Debug().Msg("User is not an LDAP user, skipping LDAP group check")
+		return false
+	}
+
+	for _, userGroup := range context.LDAP.Groups {
+		if utils.CheckFilter(acls.LDAP.Groups, strings.TrimSpace(userGroup)) {
+			service.log.App.Trace().Str("group", userGroup).Str("required", acls.LDAP.Groups).Msg("User group matched")
+			return true
+		}
+	}
+
+	service.log.App.Debug().Msg("No groups matched")
+	return false
+}
+
+func (service *AccessControlsService) IsAuthEnabled(uri string, acls *model.App) bool {
+	if acls == nil {
+		return true
+	}
+
+	if acls.Path.Block != "" {
+		regex, err := regexp.Compile(acls.Path.Block)
+
+		if err != nil {
+			service.log.App.Error().Err(err).Msg("Failed to compile block regex")
+			return true
+		}
+
+		if !regex.MatchString(uri) {
+			return false
+		}
+	}
+
+	if acls.Path.Allow != "" {
+		regex, err := regexp.Compile(acls.Path.Allow)
+
+		if err != nil {
+			service.log.App.Error().Err(err).Msg("Failed to compile allow regex")
+			return true
+		}
+
+		if regex.MatchString(uri) {
+			return false
+		}
+	}
+
+	return true
+}
+
+func (service *AccessControlsService) IsIPAllowed(ip string, acls *model.App) bool {
+	if acls == nil {
+		return service.policyResult(true)
+	}
+
+	// Merge the global and app IP filter
+	blockedIps := append(acls.IP.Block, service.config.Auth.IP.Block...)
+	allowedIPs := append(acls.IP.Allow, service.config.Auth.IP.Allow...)
+
+	for _, blocked := range blockedIps {
+		res, err := utils.FilterIP(blocked, ip)
+		if err != nil {
+			service.log.App.Warn().Err(err).Str("item", blocked).Msg("Invalid IP/CIDR in block list")
+			continue
+		}
+		if res {
+			service.log.App.Debug().Str("ip", ip).Str("item", blocked).Msg("IP is in block list, denying access")
+			return false
+		}
+	}
+
+	for _, allowed := range allowedIPs {
+		res, err := utils.FilterIP(allowed, ip)
+		if err != nil {
+			service.log.App.Warn().Err(err).Str("item", allowed).Msg("Invalid IP/CIDR in allow list")
+			continue
+		}
+		if res {
+			service.log.App.Debug().Str("ip", ip).Str("item", allowed).Msg("IP is in allow list, allowing access")
+			return true
+		}
+	}
+
+	if len(allowedIPs) > 0 {
+		service.log.App.Debug().Str("ip", ip).Msg("IP not in allow list, denying access")
+		return false
+	}
+
+	service.log.App.Debug().Str("ip", ip).Msg("IP not in block or allow list, allowing access")
+	return service.policyResult(true)
+}
+
+func (service *AccessControlsService) IsIPBypassed(ip string, acls *model.App) bool {
+	if acls == nil {
+		return false
+	}
+
+	for _, bypassed := range acls.IP.Bypass {
+		res, err := utils.FilterIP(bypassed, ip)
+		if err != nil {
+			service.log.App.Warn().Err(err).Str("item", bypassed).Msg("Invalid IP/CIDR in bypass list")
+			continue
+		}
+		if res {
+			service.log.App.Debug().Str("ip", ip).Str("item", bypassed).Msg("IP is in bypass list, skipping authentication")
+			return true
+		}
+	}
+
+	service.log.App.Debug().Str("ip", ip).Msg("IP not in bypass list, proceeding with authentication")
+	return false
+}
+
+func (service *AccessControlsService) policyResult(result bool) bool {
+	if service.policy == PolicyAllow {
+		return result
+	} else {
+		return !result
+	}
+}
@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"regexp"
 	"strings"
 	"sync"
 	"time"
@@ -18,7 +17,6 @@ import (

 	"slices"

-	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/oauth2"
@@ -454,171 +452,6 @@ func (auth *AuthService) LDAPAuthConfigured() bool {
 	return auth.ldap != nil
 }

-func (auth *AuthService) IsUserAllowed(c *gin.Context, context model.UserContext, acls *model.App) bool {
-	if acls == nil {
-		return true
-	}
-
-	if context.Provider == model.ProviderOAuth {
-		auth.log.App.Debug().Msg("User is an OAuth user, checking OAuth whitelist")
-		return utils.CheckFilter(acls.OAuth.Whitelist, context.OAuth.Email)
-	}
-
-	if acls.Users.Block != "" {
-		auth.log.App.Debug().Msg("Checking users block list")
-		if utils.CheckFilter(acls.Users.Block, context.GetUsername()) {
-			return false
-		}
-	}
-
-	auth.log.App.Debug().Msg("Checking users allow list")
-	return utils.CheckFilter(acls.Users.Allow, context.GetUsername())
-}
-
-func (auth *AuthService) IsInOAuthGroup(c *gin.Context, context model.UserContext, acls *model.App) bool {
-	if acls == nil {
-		return true
-	}
-
-	if !context.IsOAuth() {
-		auth.log.App.Debug().Msg("User is not an OAuth user, skipping OAuth group check")
-		return false
-	}
-
-	if _, ok := model.OverrideProviders[context.OAuth.ID]; ok {
-		auth.log.App.Debug().Str("provider", context.OAuth.ID).Msg("Provider override detected, skipping group check")
-		return true
-	}
-
-	for _, userGroup := range context.OAuth.Groups {
-		if utils.CheckFilter(acls.OAuth.Groups, strings.TrimSpace(userGroup)) {
-			auth.log.App.Trace().Str("group", userGroup).Str("required", acls.OAuth.Groups).Msg("User group matched")
-			return true
-		}
-	}
-
-	auth.log.App.Debug().Msg("No groups matched")
-	return false
-}
-
-func (auth *AuthService) IsInLDAPGroup(c *gin.Context, context model.UserContext, acls *model.App) bool {
-	if acls == nil {
-		return true
-	}
-
-	if !context.IsLDAP() {
-		auth.log.App.Debug().Msg("User is not an LDAP user, skipping LDAP group check")
-		return false
-	}
-
-	for _, userGroup := range context.LDAP.Groups {
-		if utils.CheckFilter(acls.LDAP.Groups, strings.TrimSpace(userGroup)) {
-			auth.log.App.Trace().Str("group", userGroup).Str("required", acls.LDAP.Groups).Msg("User group matched")
-			return true
-		}
-	}
-
-	auth.log.App.Debug().Msg("No groups matched")
-	return false
-}
-
-func (auth *AuthService) IsAuthEnabled(uri string, acls *model.App) (bool, error) {
-	if acls == nil {
-		return true, nil
-	}
-
-	// Check for block list
-	if acls.Path.Block != "" {
-		regex, err := regexp.Compile(acls.Path.Block)
-
-		if err != nil {
-			return true, err
-		}
-
-		if !regex.MatchString(uri) {
-			return false, nil
-		}
-	}
-
-	// Check for allow list
-	if acls.Path.Allow != "" {
-		regex, err := regexp.Compile(acls.Path.Allow)
-
-		if err != nil {
-			return true, err
-		}
-
-		if regex.MatchString(uri) {
-			return false, nil
-		}
-	}
-
-	return true, nil
-}
-
-func (auth *AuthService) CheckIP(ip string, acls *model.App) bool {
-	if acls == nil {
-		return true
-	}
-
-	// Merge the global and app IP filter
-	blockedIps := append(auth.config.Auth.IP.Block, acls.IP.Block...)
-	allowedIPs := append(auth.config.Auth.IP.Allow, acls.IP.Allow...)
-
-	for _, blocked := range blockedIps {
-		res, err := utils.FilterIP(blocked, ip)
-		if err != nil {
-			auth.log.App.Warn().Err(err).Str("item", blocked).Msg("Invalid IP/CIDR in block list")
-			continue
-		}
-		if res {
-			auth.log.App.Debug().Str("ip", ip).Str("item", blocked).Msg("IP is in block list, denying access")
-			return false
-		}
-	}
-
-	for _, allowed := range allowedIPs {
-		res, err := utils.FilterIP(allowed, ip)
-		if err != nil {
-			auth.log.App.Warn().Err(err).Str("item", allowed).Msg("Invalid IP/CIDR in allow list")
-			continue
-		}
-		if res {
-			auth.log.App.Debug().Str("ip", ip).Str("item", allowed).Msg("IP is in allow list, allowing access")
-			return true
-		}
-	}
-
-	if len(allowedIPs) > 0 {
-		auth.log.App.Debug().Str("ip", ip).Msg("IP not in allow list, denying access")
-		return false
-	}
-
-	auth.log.App.Debug().Str("ip", ip).Msg("IP not in any block or allow list, allowing access by default")
-	return true
-}
-
-func (auth *AuthService) IsBypassedIP(ip string, acls *model.App) bool {
-	if acls == nil {
-		return false
-	}
-
-	for _, bypassed := range acls.IP.Bypass {
-		res, err := utils.FilterIP(bypassed, ip)
-		if err != nil {
-			auth.log.App.Warn().Err(err).Str("item", bypassed).Msg("Invalid IP/CIDR in bypass list")
-			continue
-		}
-		if res {
-			auth.log.App.Debug().Str("ip", ip).Str("item", bypassed).Msg("IP is in bypass list, skipping authentication")
-			return true
-		}
-	}
-
-	auth.log.App.Debug().Str("ip", ip).Msg("IP not in bypass list, proceeding with authentication")
-	return false
-}
-
 func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthURLParams) (string, OAuthPendingSession, error) {
 	auth.ensureOAuthSessionLimit()

@@ -773,49 +606,46 @@ func (auth *AuthService) ensureOAuthSessionLimit() {
 	auth.oauthMutex.Lock()
 	defer auth.oauthMutex.Unlock()

-	if len(auth.oauthPendingSessions) <= MaxOAuthPendingSessions {
-		return
-	}
+	if len(auth.oauthPendingSessions) >= MaxOAuthPendingSessions {

-	type entry struct {
-		id        string
-		expiresAt int64
-	}
+		cleanupIds := make([]string, 0, OAuthCleanupCount)

-	entries := make([]entry, 0, len(auth.oauthPendingSessions))
-	for id, session := range auth.oauthPendingSessions {
-		entries = append(entries, entry{id, session.ExpiresAt.Unix()})
-	}
+		for range OAuthCleanupCount {
+			oldestId := ""
+			oldestTime := int64(0)

-	slices.SortFunc(entries, func(a, b entry) int {
-		if a.expiresAt < b.expiresAt {
-			return -1
+			for id, session := range auth.oauthPendingSessions {
+				if oldestTime == 0 {
+					oldestId = id
+					oldestTime = session.ExpiresAt.Unix()
+					continue
+				}
+				if slices.Contains(cleanupIds, id) {
+					continue
+				}
+				if session.ExpiresAt.Unix() < oldestTime {
+					oldestId = id
+					oldestTime = session.ExpiresAt.Unix()
+				}
+			}
+
+			cleanupIds = append(cleanupIds, oldestId)
 		}
-		if a.expiresAt > b.expiresAt {
-			return 1
-		}
-		return 0
-	})

-	for _, e := range entries[:OAuthCleanupCount] {
-		delete(auth.oauthPendingSessions, e.id)
+		for _, id := range cleanupIds {
+			delete(auth.oauthPendingSessions, id)
+		}
 	}
 }

 func (auth *AuthService) lockdownMode() {
 	ctx, cancel := context.WithCancel(context.Background())
-
-	auth.loginMutex.Lock()
-
-	if auth.lockdown != nil && auth.lockdown.Active {
-		auth.loginMutex.Unlock()
-		cancel()
-		return
-	}
-
+	defer cancel()
 	auth.lockdownCtx = ctx
 	auth.lockdownCancelFunc = cancel

+	auth.loginMutex.Lock()
+
 	auth.log.App.Warn().Msg("Too many failed login attempts, entering lockdown mode")

 	auth.lockdown = &Lockdown{
@@ -828,12 +658,10 @@ func (auth *AuthService) lockdownMode() {
 	auth.loginAttempts = make(map[string]*LoginAttempt)

 	timer := time.NewTimer(time.Until(auth.lockdown.ActiveUntil))
+	defer timer.Stop()

 	auth.loginMutex.Unlock()

-	defer cancel()
-	defer timer.Stop()
-
 	select {
 	case <-timer.C:
 		// Timer expired, end lockdown
@@ -26,7 +26,6 @@ func NewOAuthService(config model.OAuthServiceConfig, id string, ctx context.Con
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: config.Insecure,
-				MinVersion:         tls.VersionTLS12,
 			},
 		},
 	}
@@ -121,7 +121,7 @@ type OIDCService struct {

 	clients    map[string]model.OIDCClientConfig
 	privateKey *rsa.PrivateKey
-	publicKey  *rsa.PublicKey
+	publicKey  crypto.PublicKey
 	issuer     string
 }

@@ -271,7 +271,7 @@ func NewOIDCService(

 		clients:    clients,
 		privateKey: privateKey,
-		publicKey:  publicKey.(*rsa.PublicKey),
+		publicKey:  publicKey,
 		issuer:     issuer,
 	}

@@ -297,11 +297,6 @@ func (service *OIDCService) ValidateAuthorizeParams(req AuthorizeRequest) error
 		return errors.New("access_denied")
 	}

-	// Redirect URI to verify that it's trusted
-	if !slices.Contains(client.TrustedRedirectURIs, req.RedirectURI) {
-		return errors.New("invalid_request_uri")
-	}
-
 	// Scopes
 	scopes := strings.Split(req.Scope, " ")

@@ -323,6 +318,11 @@ func (service *OIDCService) ValidateAuthorizeParams(req AuthorizeRequest) error
 		return errors.New("unsupported_response_type")
 	}

+	// Redirect URI
+	if !slices.Contains(client.TrustedRedirectURIs, req.RedirectURI) {
+		return errors.New("invalid_request_uri")
+	}
+
 	// PKCE code challenge method if set
 	if req.CodeChallenge != "" && req.CodeChallengeMethod != "" {
 		if req.CodeChallengeMethod != "S256" && req.CodeChallengeMethod != "plain" {
@@ -455,7 +455,7 @@ func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user

 	hasher := sha256.New()

-	der := x509.MarshalPKCS1PublicKey(service.publicKey)
+	der := x509.MarshalPKCS1PublicKey(&service.privateKey.PublicKey)

 	if der == nil {
 		return "", errors.New("failed to marshal public key")
@@ -813,7 +813,7 @@ func (service *OIDCService) cleanupRoutine() {
 func (service *OIDCService) GetJWK() ([]byte, error) {
 	hasher := sha256.New()

-	der := x509.MarshalPKCS1PublicKey(service.publicKey)
+	der := x509.MarshalPKCS1PublicKey(&service.privateKey.PublicKey)

 	if der == nil {
 		return nil, errors.New("failed to marshal public key")
@@ -40,6 +40,9 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 			SessionExpiry:   10,
 			LoginTimeout:    10,
 			LoginMaxRetries: 3,
+			ACLs: model.ACLsConfig{
+				Policy: "allow",
+			},
 		},
 		Database: model.DatabaseConfig{
 			Path: filepath.Join(tempDir, "test.db"),
@@ -48,6 +51,32 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 			Enabled: true,
 			Path:    filepath.Join(tempDir, "resources"),
 		},
+		Apps: map[string]model.App{
+			"app_path_allow": {
+				Config: model.AppConfig{
+					Domain: "path-allow.example.com",
+				},
+				Path: model.AppPath{
+					Allow: "/allowed",
+				},
+			},
+			"app_user_allow": {
+				Config: model.AppConfig{
+					Domain: "user-allow.example.com",
+				},
+				Users: model.AppUsers{
+					Allow: "testuser",
+				},
+			},
+			"ip_bypass": {
+				Config: model.AppConfig{
+					Domain: "ip-bypass.example.com",
+				},
+				IP: model.AppIP{
+					Bypass: []string{"10.10.10.10"},
+				},
+			},
+		},
 	}

 	passwd, err := bcrypt.GenerateFromPassword([]byte("password"), bcrypt.DefaultCost)
Author	SHA1	Message	Date
Stavros	b9abab2f17	fix: review comments	2026-05-12 18:17:01 +03:00
Stavros	3fd56272d2	feat: add support for deny by default access controls	2026-05-12 17:21:45 +03:00