Bump node in the docker-dependencies group across 1 directory

Bumps the docker-dependencies group with 1 update in the / directory: node.


Updates `node` from 24-alpine to 26-alpine

---
updated-dependencies:
- dependency-name: node
  dependency-version: 26-alpine
  dependency-type: direct:production
  dependency-group: docker-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/dependabot.yml

@@ -1,52 +1,42 @@
 version: 2
+
 updates:
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "daily"
+    open-pull-requests-limit: 1
     groups:
-      dev-patch-updates:
+      npm-dependencies:
-        dependency-type: "development"
+        patterns:
-        update-types:
+          - "*"
-          - "patch"
+
-      dev-minor-updates:
-        dependency-type: "development"
-        update-types:
-          - "minor"
-      prod-patch-updates:
-        dependency-type: "production"
-        update-types:
-          - "patch"
-      prod-minor-updates:
-        dependency-type: "production"
-        update-types:
-          - "minor"
-          
   - package-ecosystem: "docker"
     directory: "/"
     schedule:
       interval: "daily"
+    open-pull-requests-limit: 1
     groups:
-      patch-updates:
+      docker-dependencies:
-        update-types:
+        patterns:
-          - "patch"
+          - "*"
-      minor-updates:
-        update-types:
-          - "minor"
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 1
+    groups:
+      github-actions-dependencies:
+        patterns:
+          - "*"
 
   - package-ecosystem: "gomod"
     directory: "/install"
     schedule:
       interval: "daily"
+    open-pull-requests-limit: 1
     groups:
-      patch-updates:
+      go-install-dependencies:
-        update-types:
+        patterns:
-          - "patch"
+          - "*"
-      minor-updates:
-        update-types:
-          - "minor"

.github/workflows/cicd.yml

@@ -62,7 +62,7 @@ jobs:
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
             - name: Monitor storage space
               run: |
@@ -134,7 +134,7 @@ jobs:
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
             - name: Monitor storage space
               run: |
@@ -201,7 +201,7 @@ jobs:
         timeout-minutes: 30
         steps:
             - name: Checkout code
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
             - name: Log in to Docker Hub
               uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
@@ -256,7 +256,7 @@ jobs:
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
             - name: Extract tag name
               id: get-tag

.github/workflows/linting.yml

@@ -21,7 +21,7 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - name: Checkout code
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
             - name: Set up Node.js
               uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0

.github/workflows/test.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Install Node
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -62,7 +62,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Build Docker image sqlite
         run: make dev-build-sqlite
@@ -71,7 +71,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Build Docker image pg
         run: make dev-build-pg

Dockerfile.dev

@@ -1,4 +1,4 @@
-FROM node:24-alpine
+FROM node:26-alpine
 
 WORKDIR /app
 

install/go.mod

@@ -5,7 +5,7 @@ go 1.25.0
 require (
 	github.com/charmbracelet/huh v1.0.0
 	github.com/charmbracelet/lipgloss v1.1.0
-	golang.org/x/term v0.43.0
+	golang.org/x/term v0.44.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -33,6 +33,6 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.44.0 // indirect
+	golang.org/x/sys v0.46.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 )

install/go.sum

@@ -69,10 +69,10 @@ golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
+golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
-golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.44.0 h1:0rLvDRCtNj0gZkyIXhCyOb2OAzEhLVqc4B+hrsBhrmc=
-golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
+golang.org/x/term v0.44.0/go.mod h1:7ze4MdzUzLXpSAoFP1H0bOI9aXDqveSvatT5vKcFh2Y=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=

package-lock.json

@@ -7296,6 +7296,72 @@
                 "node": ">=14.0.0"
             }
         },
+        "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@emnapi/core": {
+            "version": "1.10.0",
+            "dev": true,
+            "inBundle": true,
+            "license": "MIT",
+            "optional": true,
+            "dependencies": {
+                "@emnapi/wasi-threads": "1.2.1",
+                "tslib": "^2.4.0"
+            }
+        },
+        "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@emnapi/runtime": {
+            "version": "1.10.0",
+            "dev": true,
+            "inBundle": true,
+            "license": "MIT",
+            "optional": true,
+            "dependencies": {
+                "tslib": "^2.4.0"
+            }
+        },
+        "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@emnapi/wasi-threads": {
+            "version": "1.2.1",
+            "dev": true,
+            "inBundle": true,
+            "license": "MIT",
+            "optional": true,
+            "dependencies": {
+                "tslib": "^2.4.0"
+            }
+        },
+        "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@napi-rs/wasm-runtime": {
+            "version": "1.1.4",
+            "dev": true,
+            "inBundle": true,
+            "license": "MIT",
+            "optional": true,
+            "dependencies": {
+                "@tybys/wasm-util": "^0.10.1"
+            },
+            "funding": {
+                "type": "github",
+                "url": "https://github.com/sponsors/Brooooooklyn"
+            },
+            "peerDependencies": {
+                "@emnapi/core": "^1.7.1",
+                "@emnapi/runtime": "^1.7.1"
+            }
+        },
+        "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@tybys/wasm-util": {
+            "version": "0.10.1",
+            "dev": true,
+            "inBundle": true,
+            "license": "MIT",
+            "optional": true,
+            "dependencies": {
+                "tslib": "^2.4.0"
+            }
+        },
+        "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/tslib": {
+            "version": "2.8.1",
+            "dev": true,
+            "inBundle": true,
+            "license": "0BSD",
+            "optional": true
+        },
         "node_modules/@tailwindcss/oxide-win32-arm64-msvc": {
             "version": "4.3.0",
             "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-arm64-msvc/-/oxide-win32-arm64-msvc-4.3.0.tgz",
@@ -12191,16 +12257,16 @@
             }
         },
         "node_modules/form-data": {
-            "version": "4.0.5",
+            "version": "4.0.6",
-            "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz",
+            "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.6.tgz",
-            "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==",
+            "integrity": "sha512-vKatAh4SlVfgbv+YtmhiRjhEMJsYpsG1Y2rMQtR+SVSbytsSD1YGzDIcrAJmdFec88u/+VoGmxnl+80gL1tRCQ==",
             "license": "MIT",
             "dependencies": {
                 "asynckit": "^0.4.0",
                 "combined-stream": "^1.0.8",
                 "es-set-tostringtag": "^2.1.0",
-                "hasown": "^2.0.2",
+                "hasown": "^2.0.4",
-                "mime-types": "^2.1.12"
+                "mime-types": "^2.1.35"
             },
             "engines": {
                 "node": ">= 6"
@@ -12629,9 +12695,9 @@
             }
         },
         "node_modules/hasown": {
-            "version": "2.0.3",
+            "version": "2.0.4",
-            "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.3.tgz",
+            "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.4.tgz",
-            "integrity": "sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==",
+            "integrity": "sha512-T2UbfbBEF32wiepXIsMlTW9+dDYC6wMh/t/vYA4tuOMKqWz/n3vr1NFSxQiyP+zk2mXsoMA/i/7qV6LKut1t1A==",
             "license": "MIT",
             "dependencies": {
                 "function-bind": "^1.1.2"

server/lib/pathMatch.ts

@@ -0,0 +1,74 @@
+const MAX_RECURSION_DEPTH = 100;
+
+const segmentRegexCache = new Map<string, RegExp>();
+
+function getSegmentRegex(patternPart: string): RegExp {
+    let regex = segmentRegexCache.get(patternPart);
+    if (!regex) {
+        const regexPattern = patternPart
+            .replace(/[.+^${}()|[\]\\]/g, "\\$&")
+            .replace(/\*/g, ".*")
+            .replace(/\?/g, ".");
+        regex = new RegExp(`^${regexPattern}$`);
+        segmentRegexCache.set(patternPart, regex);
+    }
+    return regex;
+}
+
+export function isPathAllowed(pattern: string, path: string): boolean {
+    const normalize = (p: string) => p.split("/").filter(Boolean);
+    const patternParts = normalize(pattern);
+    const pathParts = normalize(path);
+
+    function matchSegments(
+        patternIndex: number,
+        pathIndex: number,
+        depth: number = 0
+    ): boolean {
+        if (depth > MAX_RECURSION_DEPTH) {
+            return false;
+        }
+
+        const currentPatternPart = patternParts[patternIndex];
+        const currentPathPart = pathParts[pathIndex];
+
+        if (patternIndex >= patternParts.length) {
+            return pathIndex >= pathParts.length;
+        }
+
+        if (pathIndex >= pathParts.length) {
+            return patternParts.slice(patternIndex).every((p) => p === "*");
+        }
+
+        if (currentPatternPart === "*") {
+            if (matchSegments(patternIndex + 1, pathIndex, depth + 1)) {
+                return true;
+            }
+            if (matchSegments(patternIndex, pathIndex + 1, depth + 1)) {
+                return true;
+            }
+            return false;
+        }
+
+        if (currentPatternPart.includes("*")) {
+            const regex = getSegmentRegex(currentPatternPart);
+
+            if (regex.test(currentPathPart)) {
+                return matchSegments(
+                    patternIndex + 1,
+                    pathIndex + 1,
+                    depth + 1
+                );
+            }
+            return false;
+        }
+
+        if (currentPatternPart !== currentPathPart) {
+            return false;
+        }
+
+        return matchSegments(patternIndex + 1, pathIndex + 1, depth + 1);
+    }
+
+    return matchSegments(0, 0, 0);
+}

server/routers/badger/verifySession.test.ts

@@ -1,5 +1,6 @@
 import { assertEquals } from "@test/assert";
 import { REGIONS } from "@server/db/regions";
+import { isPathAllowed } from "@server/lib/pathMatch";
 
 function isIpInRegion(
     ipCountryCode: string | undefined,
@@ -33,76 +34,6 @@ function isIpInRegion(
     return false;
 }
 
-function isPathAllowed(pattern: string, path: string): boolean {
-    // Normalize and split paths into segments
-    const normalize = (p: string) => p.split("/").filter(Boolean);
-    const patternParts = normalize(pattern);
-    const pathParts = normalize(path);
-
-    // Recursive function to try different wildcard matches
-    function matchSegments(patternIndex: number, pathIndex: number): boolean {
-        const indent = "  ".repeat(pathIndex); // Indent based on recursion depth
-        const currentPatternPart = patternParts[patternIndex];
-        const currentPathPart = pathParts[pathIndex];
-
-        // If we've consumed all pattern parts, we should have consumed all path parts
-        if (patternIndex >= patternParts.length) {
-            const result = pathIndex >= pathParts.length;
-            return result;
-        }
-
-        // If we've consumed all path parts but still have pattern parts
-        if (pathIndex >= pathParts.length) {
-            // The only way this can match is if all remaining pattern parts are wildcards
-            const remainingPattern = patternParts.slice(patternIndex);
-            const result = remainingPattern.every((p) => p === "*");
-            return result;
-        }
-
-        // For full segment wildcards, try consuming different numbers of path segments
-        if (currentPatternPart === "*") {
-            // Try consuming 0 segments (skip the wildcard)
-            if (matchSegments(patternIndex + 1, pathIndex)) {
-                return true;
-            }
-
-            // Try consuming current segment and recursively try rest
-            if (matchSegments(patternIndex, pathIndex + 1)) {
-                return true;
-            }
-
-            return false;
-        }
-
-        // Check for in-segment wildcard (e.g., "prefix*" or "prefix*suffix")
-        if (currentPatternPart.includes("*")) {
-            // Convert the pattern segment to a regex pattern
-            const regexPattern = currentPatternPart
-                .replace(/\*/g, ".*") // Replace * with .* for regex wildcard
-                .replace(/\?/g, "."); // Replace ? with . for single character wildcard if needed
-
-            const regex = new RegExp(`^${regexPattern}$`);
-
-            if (regex.test(currentPathPart)) {
-                return matchSegments(patternIndex + 1, pathIndex + 1);
-            }
-
-            return false;
-        }
-
-        // For regular segments, they must match exactly
-        if (currentPatternPart !== currentPathPart) {
-            return false;
-        }
-
-        // Move to next segments in both pattern and path
-        return matchSegments(patternIndex + 1, pathIndex + 1);
-    }
-
-    const result = matchSegments(0, 0);
-    return result;
-}
-
 function runTests() {
     console.log("Running path matching tests...");
 
@@ -308,6 +239,121 @@ function runTests() {
     console.log("All path matching tests passed!");
 }
 
+function runSpecialCharacterTests() {
+    console.log("\nRunning special character tests...");
+
+    let threw = false;
+    try {
+        isPathAllowed("(api*", "anything");
+        isPathAllowed("a(b*", "a(bc");
+        isPathAllowed("c[d*", "c[de");
+        isPathAllowed("x{2}*", "x{2}y");
+        isPathAllowed("a|b*", "a|bc");
+        isPathAllowed("back\\slash*", "back\\slashed");
+    } catch (e) {
+        threw = true;
+        console.error(
+            "Patterns accepted by isValidUrlGlobPattern crashed the matcher:",
+            e instanceof Error ? e.message : e
+        );
+    }
+    assertEquals(
+        threw,
+        false,
+        "Patterns with regex metacharacters must not throw"
+    );
+
+    assertEquals(
+        isPathAllowed("(api*", "(api-v1"),
+        true,
+        "Parenthesis should be treated as a literal character"
+    );
+    assertEquals(
+        isPathAllowed("(api*", "xapi-v1"),
+        false,
+        "Parenthesis should not match other characters"
+    );
+    assertEquals(
+        isPathAllowed("a(b)*", "a(b)c"),
+        true,
+        "Parentheses pair should be treated as literal characters"
+    );
+
+    assertEquals(
+        isPathAllowed("*.png", "image.png"),
+        true,
+        "Dot should match a literal dot"
+    );
+    assertEquals(
+        isPathAllowed("*.png", "imageXpng"),
+        false,
+        "Dot should not act as a regex wildcard"
+    );
+    assertEquals(
+        isPathAllowed("v1.0*", "v1.0.1"),
+        true,
+        "Version-like literal should match itself"
+    );
+    assertEquals(
+        isPathAllowed("v1.0*", "v1x0-beta"),
+        false,
+        "Version-like literal should not match arbitrary characters"
+    );
+
+    assertEquals(
+        isPathAllowed("a+b*", "a+bc"),
+        true,
+        "Plus should be treated as a literal character"
+    );
+    assertEquals(
+        isPathAllowed("a+b*", "aaabc"),
+        false,
+        "Plus should not act as a regex quantifier"
+    );
+
+    assertEquals(
+        isPathAllowed("$ref*", "$refs"),
+        true,
+        "Dollar sign should be treated as a literal character"
+    );
+    assertEquals(
+        isPathAllowed("price$*", "price$100"),
+        true,
+        "Dollar sign mid-pattern should be treated as a literal character"
+    );
+
+    assertEquals(
+        isPathAllowed("^start*", "^started"),
+        true,
+        "Caret should be treated as a literal character"
+    );
+
+    assertEquals(
+        isPathAllowed("a|b*", "a|bc"),
+        true,
+        "Pipe should be treated as a literal character"
+    );
+    assertEquals(
+        isPathAllowed("a|b*", "a"),
+        false,
+        "Pipe should not act as regex alternation"
+    );
+
+    assertEquals(
+        isPathAllowed("file?*", "fileX"),
+        true,
+        "Question mark should still act as a single-character wildcard"
+    );
+
+    assertEquals(
+        isPathAllowed("api/*", "api/" + "x/".repeat(50)),
+        true,
+        "Deeply nested paths should still match"
+    );
+
+    console.log("All special character tests passed!");
+}
+
 function runRegionTests() {
     console.log("\nRunning isIpInRegion tests...");
 
@@ -367,6 +413,7 @@ function runRegionTests() {
 // Run all tests
 try {
     runTests();
+    runSpecialCharacterTests();
     runRegionTests();
     console.log("\n✅ All tests passed!");
 } catch (error) {

server/routers/badger/verifySession.ts

@@ -25,6 +25,7 @@ import {
 } from "@server/db";
 import config from "@server/lib/config";
 import { isIpInCidr, stripPortFromHost } from "@server/lib/ip";
+import { isPathAllowed } from "@server/lib/pathMatch";
 import { response } from "@server/lib/response";
 import logger from "@server/logger";
 import HttpCode from "@server/types/HttpCode";
@@ -1090,143 +1091,7 @@ async function checkRules(
     return;
 }
 
-export function isPathAllowed(pattern: string, path: string): boolean {
+export { isPathAllowed };
-    logger.debug(`\nMatching path "${path}" against pattern "${pattern}"`);
-
-    // Normalize and split paths into segments
-    const normalize = (p: string) => p.split("/").filter(Boolean);
-    const patternParts = normalize(pattern);
-    const pathParts = normalize(path);
-
-    logger.debug(`Normalized pattern parts: [${patternParts.join(", ")}]`);
-    logger.debug(`Normalized path parts: [${pathParts.join(", ")}]`);
-
-    // Maximum recursion depth to prevent stack overflow and memory issues
-    const MAX_RECURSION_DEPTH = 100;
-
-    // Recursive function to try different wildcard matches
-    function matchSegments(
-        patternIndex: number,
-        pathIndex: number,
-        depth: number = 0
-    ): boolean {
-        // Check recursion depth limit
-        if (depth > MAX_RECURSION_DEPTH) {
-            logger.warn(
-                `Path matching exceeded maximum recursion depth (${MAX_RECURSION_DEPTH}) for pattern "${pattern}" and path "${path}"`
-            );
-            return false;
-        }
-
-        const indent = "  ".repeat(depth); // Indent based on recursion depth
-        const currentPatternPart = patternParts[patternIndex];
-        const currentPathPart = pathParts[pathIndex];
-
-        logger.debug(
-            `${indent}Checking patternIndex=${patternIndex} (${currentPatternPart || "END"}) vs pathIndex=${pathIndex} (${currentPathPart || "END"}) [depth=${depth}]`
-        );
-
-        // If we've consumed all pattern parts, we should have consumed all path parts
-        if (patternIndex >= patternParts.length) {
-            const result = pathIndex >= pathParts.length;
-            logger.debug(
-                `${indent}Reached end of pattern, remaining path: ${pathParts.slice(pathIndex).join("/")} -> ${result}`
-            );
-            return result;
-        }
-
-        // If we've consumed all path parts but still have pattern parts
-        if (pathIndex >= pathParts.length) {
-            // The only way this can match is if all remaining pattern parts are wildcards
-            const remainingPattern = patternParts.slice(patternIndex);
-            const result = remainingPattern.every((p) => p === "*");
-            logger.debug(
-                `${indent}Reached end of path, remaining pattern: ${remainingPattern.join("/")} -> ${result}`
-            );
-            return result;
-        }
-
-        // For full segment wildcards, try consuming different numbers of path segments
-        if (currentPatternPart === "*") {
-            logger.debug(
-                `${indent}Found wildcard at pattern index ${patternIndex}`
-            );
-
-            // Try consuming 0 segments (skip the wildcard)
-            logger.debug(
-                `${indent}Trying to skip wildcard (consume 0 segments)`
-            );
-            if (matchSegments(patternIndex + 1, pathIndex, depth + 1)) {
-                logger.debug(
-                    `${indent}Successfully matched by skipping wildcard`
-                );
-                return true;
-            }
-
-            // Try consuming current segment and recursively try rest
-            logger.debug(
-                `${indent}Trying to consume segment "${currentPathPart}" for wildcard`
-            );
-            if (matchSegments(patternIndex, pathIndex + 1, depth + 1)) {
-                logger.debug(
-                    `${indent}Successfully matched by consuming segment for wildcard`
-                );
-                return true;
-            }
-
-            logger.debug(`${indent}Failed to match wildcard`);
-            return false;
-        }
-
-        // Check for in-segment wildcard (e.g., "prefix*" or "prefix*suffix")
-        if (currentPatternPart.includes("*")) {
-            logger.debug(
-                `${indent}Found in-segment wildcard in "${currentPatternPart}"`
-            );
-
-            // Convert the pattern segment to a regex pattern
-            const regexPattern = currentPatternPart
-                .replace(/\*/g, ".*") // Replace * with .* for regex wildcard
-                .replace(/\?/g, "."); // Replace ? with . for single character wildcard if needed
-
-            const regex = new RegExp(`^${regexPattern}$`);
-
-            if (regex.test(currentPathPart)) {
-                logger.debug(
-                    `${indent}Segment with wildcard matches: "${currentPatternPart}" matches "${currentPathPart}"`
-                );
-                return matchSegments(
-                    patternIndex + 1,
-                    pathIndex + 1,
-                    depth + 1
-                );
-            }
-
-            logger.debug(
-                `${indent}Segment with wildcard mismatch: "${currentPatternPart}" doesn't match "${currentPathPart}"`
-            );
-            return false;
-        }
-
-        // For regular segments, they must match exactly
-        if (currentPatternPart !== currentPathPart) {
-            logger.debug(
-                `${indent}Segment mismatch: "${currentPatternPart}" != "${currentPathPart}"`
-            );
-            return false;
-        }
-
-        logger.debug(
-            `${indent}Segments match: "${currentPatternPart}" = "${currentPathPart}"`
-        );
-        // Move to next segments in both pattern and path
-        return matchSegments(patternIndex + 1, pathIndex + 1, depth + 1);
-    }
-
-    const result = matchSegments(0, 0, 0);
-    logger.debug(`Final result: ${result}`);
-    return result;
-}
 
 async function isIpInGeoIP(
     ipCountryCode: string | undefined,

server/routers/integration.ts

@@ -17,7 +17,6 @@ import {
     verifyApiKey,
     verifyApiKeyOrgAccess,
     verifyApiKeyHasAction,
-    verifyApiKeyCanSetUserOrgRoles,
     verifyApiKeySiteAccess,
     verifyApiKeyResourceAccess,
     verifyApiKeyTargetAccess,
@@ -974,6 +973,13 @@ authenticated.get(
     idp.getIdp
 );
 
+authenticated.delete(
+    "/idp/:idpId",
+    verifyApiKeyIsRoot,
+    verifyApiKeyHasAction(ActionsEnum.deleteIdp),
+    idp.deleteIdp
+);
+
 authenticated.put(
     "/idp/:idpId/org/:orgId",
     verifyApiKeyIsRoot,

server/routers/resource/createResourceRule.ts

@@ -154,8 +154,12 @@ export async function createResourceRule(
         }
 
         // Create the new resource rule
-        if (resource.resourcePolicyId !== null) {
+        const isInlinePolicy =
-            const policyId = resource.resourcePolicyId;
+            resource.resourcePolicyId === null &&
+            resource.defaultResourcePolicyId !== null;
+
+        if (isInlinePolicy) {
+            const policyId = resource.defaultResourcePolicyId!;
             const [newRule] = await db
                 .insert(resourcePolicyRules)
                 .values({

server/routers/resource/deleteResourceRule.ts

@@ -2,7 +2,7 @@ import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
 import { resourceRules, resourcePolicyRules, resources } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -73,18 +73,14 @@ export async function deleteResourceRule(
             );
         }
 
-        if (resource.resourcePolicyId !== null) {
+        const isInlinePolicy =
+            resource.resourcePolicyId === null &&
+            resource.defaultResourcePolicyId !== null;
+
+        if (isInlinePolicy) {
             const [deletedRule] = await db
                 .delete(resourcePolicyRules)
-                .where(
+                .where(eq(resourcePolicyRules.ruleId, ruleId))
-                    and(
-                        eq(resourcePolicyRules.ruleId, ruleId),
-                        eq(
-                            resourcePolicyRules.resourcePolicyId,
-                            resource.resourcePolicyId
-                        )
-                    )
-                )
                 .returning();
 
             if (!deletedRule) {

server/routers/resource/getResource.ts

@@ -141,10 +141,16 @@ export async function getResource(
             );
         }
 
+        const isInlinePolicy =
+            resource.resourcePolicyId === null &&
+            resource.defaultResourcePolicyId !== null;
+
         let returnData = resource;
-        if (resource.resourcePolicyId !== null) {
+        if (isInlinePolicy) {
             // get the policy
-            const policy = await queryInlinePolicy(resource.resourcePolicyId);
+            const policy = await queryInlinePolicy(
+                resource.defaultResourcePolicyId!
+            );
             returnData = {
                 ...returnData,
                 sso: policy?.sso || null,

server/routers/resource/listResourceRules.ts

@@ -140,11 +140,15 @@ export async function listResourceRules(
             );
         }
 
+        const isInlinePolicy =
+            resource.resourcePolicyId === null &&
+            resource.defaultResourcePolicyId !== null;
+
         let rulesList: Awaited<ReturnType<typeof queryResourceRules>>;
         let totalCount: number;
 
-        if (resource.resourcePolicyId !== null) {
+        if (isInlinePolicy) {
-            const policyId = resource.resourcePolicyId;
+            const policyId = resource.defaultResourcePolicyId!;
             const policyRules = await queryPolicyRules(policyId)
                 .limit(limit)
                 .offset(offset);

server/routers/resource/updateResourceRule.ts

@@ -1,8 +1,8 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { resourcePolicyRules, resourceRules, resources } from "@server/db";
+import { resourceRules, resources } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -37,29 +37,6 @@ const updateResourceRuleSchema = z
         error: "At least one field must be provided for update"
     });
 
-function getRuleValueValidationError(
-    match: "CIDR" | "IP" | "PATH" | "COUNTRY" | "ASN" | "REGION",
-    value: string
-): string | null {
-    if (match === "CIDR" && !isValidCIDR(value)) {
-        return "Invalid CIDR provided";
-    }
-
-    if (match === "IP" && !isValidIP(value)) {
-        return "Invalid IP provided";
-    }
-
-    if (match === "PATH" && !isValidUrlGlobPattern(value)) {
-        return "Invalid URL glob pattern provided";
-    }
-
-    if (match === "REGION" && !isValidRegionId(value)) {
-        return "Invalid region ID provided";
-    }
-
-    return null;
-}
-
 registry.registerPath({
     method: "post",
     path: "/resource/{resourceId}/rule/{ruleId}",
@@ -151,68 +128,6 @@ export async function updateResourceRule(
             );
         }
 
-        if (resource.resourcePolicyId !== null) {
-            const [existingRule] = await db
-                .select()
-                .from(resourcePolicyRules)
-                .where(
-                    and(
-                        eq(resourcePolicyRules.ruleId, ruleId),
-                        eq(
-                            resourcePolicyRules.resourcePolicyId,
-                            resource.resourcePolicyId
-                        )
-                    )
-                )
-                .limit(1);
-
-            if (!existingRule) {
-                return next(
-                    createHttpError(
-                        HttpCode.NOT_FOUND,
-                        `Resource rule with ID ${ruleId} not found`
-                    )
-                );
-            }
-
-            const match = updateData.match || existingRule.match;
-            const { value } = updateData;
-
-            if (value !== undefined) {
-                const validationError = getRuleValueValidationError(
-                    match,
-                    value
-                );
-                if (validationError) {
-                    return next(
-                        createHttpError(HttpCode.BAD_REQUEST, validationError)
-                    );
-                }
-            }
-
-            const [updatedRule] = await db
-                .update(resourcePolicyRules)
-                .set(updateData)
-                .where(
-                    and(
-                        eq(resourcePolicyRules.ruleId, ruleId),
-                        eq(
-                            resourcePolicyRules.resourcePolicyId,
-                            resource.resourcePolicyId
-                        )
-                    )
-                )
-                .returning();
-
-            return response(res, {
-                data: updatedRule,
-                success: true,
-                error: false,
-                message: "Resource rule updated successfully",
-                status: HttpCode.OK
-            });
-        }
-
         // Verify that the rule exists and belongs to the specified resource
         const [existingRule] = await db
             .select()
@@ -242,11 +157,42 @@ export async function updateResourceRule(
         const { value } = updateData;
 
         if (value !== undefined) {
-            const validationError = getRuleValueValidationError(match, value);
+            if (match === "CIDR") {
-            if (validationError) {
+                if (!isValidCIDR(value)) {
-                return next(
+                    return next(
-                    createHttpError(HttpCode.BAD_REQUEST, validationError)
+                        createHttpError(
-                );
+                            HttpCode.BAD_REQUEST,
+                            "Invalid CIDR provided"
+                        )
+                    );
+                }
+            } else if (match === "IP") {
+                if (!isValidIP(value)) {
+                    return next(
+                        createHttpError(
+                            HttpCode.BAD_REQUEST,
+                            "Invalid IP provided"
+                        )
+                    );
+                }
+            } else if (match === "PATH") {
+                if (!isValidUrlGlobPattern(value)) {
+                    return next(
+                        createHttpError(
+                            HttpCode.BAD_REQUEST,
+                            "Invalid URL glob pattern provided"
+                        )
+                    );
+                }
+            } else if (match === "REGION") {
+                if (!isValidRegionId(value)) {
+                    return next(
+                        createHttpError(
+                            HttpCode.BAD_REQUEST,
+                            "Invalid region ID provided"
+                        )
+                    );
+                }
             }
         }