fix: remove auth bypass dev fallback in getUserIdFromRequest

⛔ closed · #73 · willchen96/mike ← bmersereau/mike · opened 14d ago by bmersereau · closed 11d ago · +921-19 across 5 files

From the PR description

Summary

  • Removes the dev fallback in getUserIdFromRequest() that accepted any Bearer token verbatim as a user ID when env vars were absent
  • Missing NEXT_PUBLIC_SUPABASE_URL or SUPABASE_SECRET_KEY now throws a 500 response instead of silently bypassing authentication
  • createServerSupabase() also now throws when env vars are missing instead of silently creating a client with empty credentials
  • Removes redundant || "" fallbacks from getUserIdFromRequest for consistency
  • Adds vitest and unit tests covering missing-env-var cases for both functions

Closes #65 Closes #87 Closes #89 Closes #90

Changes

  • frontend/src/lib/supabase-server.ts - createServerSupabase throws on missing env vars; getUserIdFromRequest removes || "" fallbacks; bypass fallback replaced with throw new Response(..., { status: 500 })
  • frontend/src/lib/__tests__/supabase-server.test.ts - 10 unit tests covering both createServerSupabase and getUserIdFromRequest
  • frontend/vitest.config.ts - minimal vitest config

Test plan

  • Unit tests added and passing (10/10)
  • TypeScript clean
  • Build requires real Supabase env vars (pre-existing prerender failure without credentials)
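The behaviour the PR removes and the behaviour it introduces, side by side, as an added example that is not code from the mike repository or from this PR. The env var names come from the PR; the header shape, the ConfigError class (standing in for the PR's `throw new Response(..., { status: 500 })`) and the TokenVerifier hook are assumptions.

```typescript
// Added example, not the project's code. Env key names are from the PR;
// ReqHeaders, ConfigError and TokenVerifier are assumptions.

type Env = Record<string, string | undefined>;
type ReqHeaders = { authorization?: string };
// Stand-in for the real Supabase token verification (assumption):
// returns the user id for a valid token, otherwise null.
type TokenVerifier = (token: string) => string | null;

// Mirrors the PR's `throw new Response(..., { status: 500 })` without
// depending on a global Response type.
class ConfigError extends Error {
  constructor(message: string, public readonly status = 500) {
    super(message);
  }
}

function bearerToken(headers: ReqHeaders): string | null {
  const h = headers.authorization ?? "";
  return h.startsWith("Bearer ") ? h.slice("Bearer ".length) : null;
}

// BEFORE: with env vars absent, the raw bearer string is returned as the
// user id, so the caller decides who they are.
function getUserIdFromRequestBefore(headers: ReqHeaders, env: Env, verify: TokenVerifier): string | null {
  const token = bearerToken(headers);
  if (!token) return null;
  const url = env.NEXT_PUBLIC_SUPABASE_URL || "";
  const key = env.SUPABASE_SECRET_KEY || "";
  if (!url || !key) return token; // dev fallback: identity taken on trust
  return verify(token);
}

// AFTER: missing configuration is a server error, never an identity, and the
// check runs before the token is looked at.
function getUserIdFromRequest(headers: ReqHeaders, env: Env, verify: TokenVerifier): string | null {
  if (!env.NEXT_PUBLIC_SUPABASE_URL || !env.SUPABASE_SECRET_KEY) {
    throw new ConfigError("Supabase env vars missing", 500);
  }
  const token = bearerToken(headers);
  return token ? verify(token) : null;
}
```

A unit test like the PR's vitest cases only needs to assert that the hardened function throws with status 500 for an empty env and that an unverifiable token never yields a user id.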

Our analysis

Close the dev auth bypass in Supabase server helpers
