You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- Wildcard zone (`name: "*"`) so a single token can operate across all zones with record type, operation and subdomain filters still enforced (e.g. ACME DNS01 challenges)
- Multi zone shorthand (`names: [...]`) to apply one policy to a list of specific zones without repeating the rules for each
- Timing safe token comparison using `hmac.compare_digest instead` of `==` in `proxy/auth.py`
- Config example and README updated: replaced confusing localhost placeholder (for docker usage), added examples for all three zone variants (single, multi, wildcard), fixed incorrect subdomain filter comment (`^app\.` doesn't match nested subdomains), documented `names` and `*` in the zone policy options table
- new wildcard policy tests and new config expansion tests (names, mixed, validation error)
| `name` | string | required | DNS zone name (e.g. `example.com`) |
140
+
| `name` | string | - | Single DNS zone name (e.g. `example.com`), or `*` for all zones |
141
+
| `names` | list | - | Multiple DNS zone names sharing the same policy |
122
142
| `allowed_record_types` | list | `[]` (all) | Restrict to specific record types (`A`, `AAAA`, `CNAME`, `TXT`, `MX`, etc.) |
123
143
| `allowed_operations` | list | `[]` (all) | Restrict to specific operations (`get`, `add`, `update`, `delete`) |
124
144
| `subdomain_filter` | string | `null` | Regex pattern to match against the domain (case-insensitive) |
125
145
146
+
Each zone policy must have either `name` or `names` (not both). Use `names` to apply the same rules to multiple zones without repetition. Use `name: "*"` for tokens that need access across all zones (e.g. ACME DNS-01 challenges). Wildcard tokens only see explicitly listed zones in `/api/zones/list` responses.
147
+
126
148
Empty lists mean "all allowed". Omit `allowed_record_types` to allow all record types, omit `allowed_operations` to allow all operations.
0 commit comments