feat(config): allow global bypass by ip #889

Open
scottmckendry wants to merge 1 commit into main from feat/globalIpBypass
scottmckendry (Member) commented May 21, 2026

Closes #516

New config env:

TINYAUTH_AUTH_IP_BYPASS=10.0.0.0/16,192.168.1.0/24,172.19.0.0/16

or yaml:

auth:
  ip:
    bypass:
      - 10.0.0.0/24
      - 192.168.1.50

Summary by CodeRabbit

Release Notes

  • New Features

    • Added IP bypass list configuration capability. Specified IP addresses and CIDR ranges can now be configured to bypass authentication checks at both global and request levels.
  • Tests

    • Enhanced test coverage for IP bypass authentication scenarios.

dosubot Bot added the size:S label (This PR changes 10-29 lines, ignoring generated files.) May 21, 2026

coderabbitai Bot (Contributor) commented May 21, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 08335e13-0c25-41c3-8740-90c486e3a5b6

📥 Commits

Reviewing files that changed from the base of the PR and between 8849d7e and 1f446d5.

📒 Files selected for processing (4)
  • internal/bootstrap/service_bootstrap.go
  • internal/model/config.go
  • internal/service/access_controls_rules.go
  • internal/service/access_controls_rules_test.go

📝 Walkthrough

IP bypass functionality extends from per-app configuration to global scope. The config model gains a Bypass field, rule evaluation merges global and per-request bypass lists, bootstrap wires the config into rule initialization, and tests validate both bypass sources.

Changes

Global IP Bypass Configuration

| Layer / File(s) | Summary |
| --- | --- |
| IP Bypass config model (internal/model/config.go) | IPConfig struct extended with Bypass []string field to define IP ranges that bypass authentication globally. |
| IP Bypass rule evaluation (internal/service/access_controls_rules.go) | IPBypassedRule.Evaluate merges global bypass list from rule.Config.Auth.IP.Bypass with per-request entries in ctx.ACLs.IP.Bypass (when non-nil), returning EffectAllow if request IP matches any merged entry, otherwise EffectDeny. |
| Bootstrap wiring (internal/bootstrap/service_bootstrap.go) | IPBypassedRule initialized with both Log and Config fields; imports adjusted for consistency. |
| Test coverage for global and per-app bypass (internal/service/access_controls_rules_test.go) | TestIPBypassedRule refactored to construct two rule instances (default and globally-configured) and distinguish global bypass behavior from per-request bypass in test cases. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • tinyauthapp/tinyauth#852: Modifies IPBypassedRule policy-engine wiring and rule setup; this PR extends that foundation with global+per-app bypass merging.
  • tinyauthapp/tinyauth#567: Extends IP-based access control via global Allow/Block merging in AuthService; this PR follows the same pattern for global bypass configuration.

Suggested labels

size:XL, lgtm

Suggested reviewers

  • Rycochet

Poem

🐰 A bunny hops through networks wide,
Global bypasses, nowhere to hide!
IPs dance in lists, both far and near,
Authentication bows—the path is clear! 🔓

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title accurately summarizes the main change: adding global IP bypass functionality to the authentication configuration. |
| Linked Issues check | ✅ Passed | The PR successfully implements the requested feature from #516: global IP-based authentication bypass with environment variable and YAML config support. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to implementing global IP bypass: config model updates, service logic implementation, bootstrap registration, and comprehensive tests. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

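The merge-and-match evaluation described in the walkthrough, as an added Go example that is not tinyauth's code: `parseEntry` and `isBypassed` are hypothetical names, the per-app list is constructed, and the client IP is assumed to be the address the proxy layer has already resolved. It shows the cases a reviewer would want covered: bare addresses beside CIDR ranges, IPv4-mapped IPv6 clients, and invalid entries that must never match.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// parseEntry accepts a CIDR range or a bare address (treated as one host).
func parseEntry(s string) (netip.Prefix, error) {
	s = strings.TrimSpace(s)
	if strings.Contains(s, "/") {
		p, err := netip.ParsePrefix(s)
		return p.Masked(), err // Masked() of an invalid prefix is the zero Prefix
	}
	a, err := netip.ParseAddr(s)
	if err != nil {
		return netip.Prefix{}, err
	}
	a = a.Unmap()
	return netip.PrefixFrom(a, a.BitLen()), nil
}

// isBypassed merges the global and per-app lists and reports a match. Invalid
// entries are returned and never match; a bad client IP fails closed.
func isBypassed(clientIP string, global, perApp []string) (bool, []string) {
	var invalid []string
	addr, err := netip.ParseAddr(strings.TrimSpace(clientIP))
	if err != nil {
		return false, invalid
	}
	addr = addr.Unmap() // "::ffff:192.168.1.50" must match the IPv4 entry
	matched := false
	for _, e := range append(append([]string{}, global...), perApp...) {
		p, err := parseEntry(e)
		if err != nil {
			invalid = append(invalid, e)
			continue
		}
		matched = matched || p.Contains(addr)
	}
	return matched, invalid
}

func main() {
	global := []string{"10.0.0.0/24", "192.168.1.50"}  // YAML example above
	perApp := []string{"172.19.0.0/16", "10.0.0.0/33"} // constructed; last is invalid
	ok, bad := isBypassed("::ffff:192.168.1.50", global, perApp)
	fmt.Println(ok, bad)
}
```

Surfacing the invalid entries at startup, rather than skipping them silently, makes a mistyped range visible before it is relied on.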

codecov Bot commented May 21, 2026

Codecov Report

❌ Patch coverage is 66.66667% with 2 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| internal/bootstrap/service_bootstrap.go | 0.00% | 2 Missing ⚠️ |

Labels

size:S This PR changes 10-29 lines, ignoring generated files.

Development

Successfully merging this pull request may close these issues.

[FEATURE] Whitelist IPs globally