feat(config): allow global bypass by ip

[scottmckendry]

Closes #516

New config env:

TINYAUTH_AUTH_IP_BYPASS=10.0.0.0/16,192.168.1.0/24,172.19.0.0/16

or yaml:

auth:
  ip:
    bypass:
      - 10.0.0.0/24
      - 192.168.1.50

Summary by CodeRabbit

• New Features

  • Added IP bypass configuration to allow certain IPs/CIDR ranges to bypass authentication (supports global and per-app entries).

• Bug Fixes

  • IP allow/block/bypass lists are now merged and evaluated even when per-request ACLs are absent, ensuring global rules are honored.

• Tests

  • Expanded tests to cover global and per-app IP bypass behavior and merged ACL evaluation.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: de04a539-f79f-46d6-93a2-f732a87027b9

📥 Commits

Reviewing files that changed from the base of the PR and between e6582d3 and 98e7f38.

📒 Files selected for processing (4)

• internal/bootstrap/service_bootstrap.go
• internal/model/config.go
• internal/service/access_controls_rules.go
• internal/service/access_controls_rules_test.go

---

📝 Walkthrough

Walkthrough

Adds a global IP bypass list: config gains IP.Bypass, access-control rules merge global and per-app IP lists for allow/bypass evaluation, bootstrap wires app.config into the bypass rule, and tests exercise both global and per-app bypass behavior.

Changes

Global IP Bypass Configuration

Layer / File(s)	Summary
IP Bypass config model internal/model/config.go	IPConfig now includes Bypass []string (YAML key bypass) for IP/CIDR ranges that bypass authentication.
IP allow/bypass rule evaluation internal/service/access_controls_rules.go	IPAllowedRule.Evaluate and IPBypassedRule.Evaluate build merged lists starting from global rule.Config.Auth.IP and append ctx.ACLs.IP only when ctx.ACLs is non-nil; evaluation checks the merged lists for matches to decide effects.
Bootstrap wiring internal/bootstrap/service_bootstrap.go	Registering service.RuleIPBypassed now constructs service.IPBypassedRule with both Log: app.log and Config: app.config; import block spacing adjusted.
Test coverage for global and per-app bypass internal/service/access_controls_rules_test.go	TestIPBypassedRule refactored to create distinct rule instances (default and globally-configured) and update table-driven cases to assert rule-specific evaluation; TestIPAllowedRule expectation for nil ACLs updated.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• tinyauthapp/tinyauth#852: Modifies IPBypassedRule policy-engine wiring and rule setup; this PR extends that foundation with global+per-app bypass merging.
• tinyauthapp/tinyauth#567: Similar changes merging global configured IP allow/block lists with per-request ACL IP data.

Suggested reviewers

• Rycochet

Poem

🐰 I nibble through lists both short and long,
Global bypass hums its tiny song.
CIDRs hop in, per-app joins the play,
A rabbit's wink lets the matches stay.
Hop, match, allow — a merry dev day.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding a global IP-based bypass configuration feature.
Linked Issues check	✅ Passed	The PR implements all coding requirements from issue #516: global IP bypass configuration via YAML and environment variables, supporting both CIDR ranges and specific IPs.
Out of Scope Changes check	✅ Passed	All changes directly support the global IP bypass feature with config model updates, rule evaluation logic, service registration, and comprehensive test coverage.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/globalIpBypass

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 81.81818% with 2 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
internal/bootstrap/service_bootstrap.go	0.00%	2 Missing ⚠️

📢 Thoughts on this report? Let us know!

[steveiliop56]

@scottmckendry only nitpick in #889 (comment) and we can merge.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/service/access_controls_rules.go`:
- Around line 189-192: IPAllowedRule.Evaluate is appending into slices that come
from ctx.ACLs (populated by
AccessControlsService.GetAccessControls/lookupStaticACLs) which share backing
arrays; to avoid mutating shared backing memory, copy the ACL slices before
merging: when building blockedIps and allowedIPs, create new slices from
ctx.ACLs.IP.Block and ctx.ACLs.IP.Allow (e.g. allocate a new slice or use a
slice-copy idiom) and then append the per-request entries into those new slices
so you never call append with a shared slice as the destination.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: a6720009-ca18-4999-8849-8695812ef2fa

📥 Commits

Reviewing files that changed from the base of the PR and between 69d9250 and e6582d3.

📒 Files selected for processing (4)

• internal/bootstrap/service_bootstrap.go
• internal/model/config.go
• internal/service/access_controls_rules.go
• internal/service/access_controls_rules_test.go