Skip user blocking when bypassed IP

tomaisthorpe · tomaisthorpe · commit 05d971057e8c · 2026-05-08T12:06:52.000+01:00
diff --git a/aikido_zen/middleware/init_test.py b/aikido_zen/middleware/init_test.py
@@ -55,6 +55,15 @@ def test_with_context_with_cache():
     assert thread_cache.stats.rate_limited_hits == 0
 
 
+def test_bypassed_ip_skips_user_blocking():
+    test_utils.generate_and_set_context(user={"id": "123"}, ip="1.2.3.4")
+    thread_cache = get_cache()
+    thread_cache.config.blocked_uids = ["123"]
+    thread_cache.config.set_bypassed_ips(["1.2.3.4"])
+
+    assert should_block_request() == {"block": False}
+
+
 def test_cache_comms_with_endpoints():
     test_utils.generate_and_set_context(user={"id": "456"}, route="/posts/:id")
     set_rate_limit_group("my_group")
diff --git a/aikido_zen/middleware/should_block_request.py b/aikido_zen/middleware/should_block_request.py
@@ -32,6 +32,10 @@ def should_block_request():
         context.executed_middleware = True
         context.set_as_current_context()
 
+        # Bypassed IPs skip user blocking and rate limiting
+        if cache.is_bypassed_ip(context.remote_address):
+            return {"block": False}
+
         # User blocking allows customers to easily take action when attacks are coming from specific accounts
         if context.user and cache.is_user_blocked(context.user["id"]):
             return {"block": True, "type": "blocked", "trigger": "user"}
