authgear · tung2744 · Dec 17, 2025 · Dec 18, 2025 · Dec 19, 2025 · Dec 19, 2025
diff --git a/.make-lint-expect b/.make-lint-expect
@@ -23,6 +23,7 @@ pkg/portal/graphql/chart.go cannot import github.com/authgear/authgear-server/pk
 pkg/portal/graphql/collaborator_mutation.go cannot import github.com/authgear/authgear-server/pkg/graphqlgo/relay
 pkg/portal/graphql/domain_mutation.go cannot import github.com/authgear/authgear-server/pkg/graphqlgo/relay
 pkg/portal/graphql/hook_mutation.go cannot import github.com/authgear/authgear-server/pkg/graphqlgo/relay
+pkg/portal/graphql/ip_blocklist_mutation.go cannot import github.com/authgear/authgear-server/pkg/graphqlgo/relay
 pkg/portal/graphql/nodes.go cannot import github.com/authgear/authgear-server/pkg/graphqlgo/relay
 pkg/portal/graphql/sms_mutation.go cannot import github.com/authgear/authgear-server/pkg/graphqlgo/relay
 pkg/portal/graphql/smtp_mutation.go cannot import github.com/authgear/authgear-server/pkg/graphqlgo/relay

diff --git a/pkg/auth/routes.go b/pkg/auth/routes.go
@@ -56,7 +56,7 @@ func NewRouter(p *deps.RootProvider, configSource *configsource.ConfigSource) ht
 	projectRootChain := httproute.Chain(
 		baseChain,
 		MakeWebAppRequestMiddleware(p, configSource, newWebAppRequestMiddleware),
-		p.Middleware(newIPBlocklistMiddleware),
+		p.Middleware(newIPFilterMiddleware),
 		p.Middleware(newProjectRootDynamicCSPMiddleware),
 	)
 

diff --git a/pkg/auth/wire_gen.go b/pkg/auth/wire_gen.go
diff --git a/pkg/auth/wire_middleware.go b/pkg/auth/wire_middleware.go
@@ -262,9 +262,9 @@ func newDPoPMiddleware(p *deps.RequestProvider) httproute.Middleware {
 	))
 }
 
-func newIPBlocklistMiddleware(p *deps.RequestProvider) httproute.Middleware {
+func newIPFilterMiddleware(p *deps.RequestProvider) httproute.Middleware {
 	panic(wire.Build(
 		DependencySet,
-		wire.Bind(new(httproute.Middleware), new(*networkprotection.IPBlocklistMiddleware)),
+		wire.Bind(new(httproute.Middleware), new(*networkprotection.IPFilterMiddleware)),
 	))
 }
diff --git a/pkg/lib/config/network_protection.go b/pkg/lib/config/network_protection.go
@@ -5,12 +5,19 @@ var _ = Schema.Add("NetworkProtectionConfig", `
 	"type": "object",
 	"additionalProperties": false,
 	"properties": {
-		"ip_blocklist": { "$ref": "#/$defs/NetworkIPBlocklistConfig" }
+		"ip_filter": { "$ref": "#/$defs/IPFilterConfig" }
 	}
 }
 `)
 
-var _ = Schema.Add("NetworkIPBlocklistConfig", `
+var _ = Schema.Add("IPFilterAction", `
+{
+	"type": "string",
+	"enum": ["allow", "deny"]
+}
+`)
+
+var _ = Schema.Add("IPFilterSource", `
 {
 	"type": "object",
 	"additionalProperties": false,
@@ -19,19 +26,70 @@ var _ = Schema.Add("NetworkIPBlocklistConfig", `
 			"type": "array",
 			"items": { "type": "string", "format": "x_cidr" }
 		},
-		"country_codes": {
+		"geo_location_codes": {
+			"type": "array",
+			"items": { "type": "string" }
+		}
+	}
+}
+`)
+
+var _ = Schema.Add("IPFilterRule", `
+{
+	"type": "object",
+	"additionalProperties": false,
+	"properties": {
+		"name": { "type": "string" },
+		"action": { "$ref": "#/$defs/IPFilterAction" },
+		"source": { "$ref": "#/$defs/IPFilterSource" }
+	},
+	"required": ["action", "source"]
+}
+`)
+
+var _ = Schema.Add("IPFilterConfig", `
+{
+	"type": "object",
+	"additionalProperties": false,
+	"properties": {
+		"default_action": { "$ref": "#/$defs/IPFilterAction" },
+		"rules": {
 			"type": "array",
-			"items": { "type": "string", "minLength": 2, "maxLength": 2 }
+			"items": { "$ref": "#/$defs/IPFilterRule" }
 		}
 	}
 }
 `)
 
 type NetworkProtectionConfig struct {
-	IPBlocklist *NetworkIPBlocklistConfig `json:"ip_blocklist,omitempty"`
+	IPFilter *IPFilterConfig `json:"ip_filter,omitempty"`
+}
+
+type IPFilterConfig struct {
+	DefaultAction IPFilterAction  `json:"default_action,omitempty"`
+	Rules         []*IPFilterRule `json:"rules,omitempty"`
+}
+
+func (c *IPFilterConfig) SetDefaults() {
+	if c.DefaultAction == "" {
+		c.DefaultAction = IPFilterActionAllow
+	}
+}
+
+type IPFilterAction string
+
+const (
+	IPFilterActionAllow IPFilterAction = "allow"
+	IPFilterActionDeny  IPFilterAction = "deny"
+)
+
+type IPFilterRule struct {
+	Name   string         `json:"name"`
+	Action IPFilterAction `json:"action"`
+	Source IPFilterSource `json:"source"`
 }
 
-type NetworkIPBlocklistConfig struct {
-	CIDRs        []string `json:"cidrs,omitempty"`
-	CountryCodes []string `json:"country_codes,omitempty"`
+type IPFilterSource struct {
+	CIDRs            []string `json:"cidrs,omitempty"`
+	GeoLocationCodes []string `json:"geo_location_codes,omitempty"`
 }
diff --git a/pkg/lib/config/testdata/config_tests.yaml b/pkg/lib/config/testdata/config_tests.yaml
@@ -1542,32 +1542,76 @@ config:
         logo_uri: http://example.com/logo.png
 
 ---
-name: protection-config
+name: network-protection-config-valid
 error: null
 config:
   id: test
   http:
     public_origin: http://test
   network_protection:
-    ip_blocklist:
-      cidrs:
-        - 2.2.2.2/32
-        - 2001:db8::/32
-      country_codes:
-        - HK
-        - GB
+    ip_filter:
+      default_action: deny
+      rules:
+        - name: allow-office-us
+          action: allow
+          source:
+            cidrs: ["192.168.1.0/24", "2001:db8::/32"]
+            geo_location_codes: ["US"]
+        - name: block-countries
+          action: deny
+          source:
+            geo_location_codes: ["KP", "IR"]
 
 ---
-name: protection-config-invalid-cidr
+name: network-protection-config-invalid-cidr
 error: |-
   invalid configuration:
-  /network_protection/ip_blocklist/cidrs/0: format
+  /network_protection/ip_filter/rules/0/source/cidrs/0: format
     map[error:invalid CIDR: invalid CIDR address: 192.168.1.1 format:x_cidr]
 config:
   id: test
   http:
     public_origin: http://test
   network_protection:
-    ip_blocklist:
-      cidrs:
-        - 192.168.1.1
+    ip_filter:
+      default_action: allow
+      rules:
+        - name: invalid-cidr-rule
+          action: deny
+          source:
+            cidrs:
+              - 192.168.1.1
+---
+name: network-protection-config-invalid-action
+error: |-
+  invalid configuration:
+  /network_protection/ip_filter/rules/0/action: enum
+    map[actual:invalid expected:[allow deny]]
+config:
+  id: test
+  http:
+    public_origin: http://test
+  network_protection:
+    ip_filter:
+      default_action: allow
+      rules:
+        - name: invalid-action-rule
+          action: invalid
+          source:
+            cidrs: ["1.2.3.4/32"]
+---
+name: network-protection-config-missing-rule-fields
+error: |-
+  invalid configuration:
+  /network_protection/ip_filter/rules/0: required
+    map[actual:[name] expected:[action source] missing:[action source]]
+config:
+  id: test
+  http:
+    public_origin: http://test
+  network_protection:
+    ip_filter:
+      default_action: allow
+      rules:
+        - name: missing-fields
+
diff --git a/pkg/lib/config/testdata/default_config.yaml b/pkg/lib/config/testdata/default_config.yaml
@@ -659,7 +659,8 @@ account_migration:
 captcha: {}
 bot_protection: {}
 network_protection:
-  ip_blocklist: {}
+  ip_filter:
+    default_action: allow
 test_mode:
   oob_otp:
     enabled: false

diff --git a/pkg/lib/networkprotection/deps.go b/pkg/lib/networkprotection/deps.go
@@ -5,5 +5,5 @@ import (
 )
 
 var DependencySet = wire.NewSet(
-	wire.Struct(new(IPBlocklistMiddleware), "*"),
+	wire.Struct(new(IPFilterMiddleware), "*"),
 )
diff --git a/pkg/lib/networkprotection/ip_blocklist_middleware.go b/pkg/lib/networkprotection/ip_blocklist_middleware.go