hosman20 builds a local-preview escape hatch with a safety belt

A dev-mode bypass that turns off login and the paywall on a laptop - and refuses to turn them off in production.

infrastructure, security

Working on a paid product is awkward when every click has to go through a login screen and a subscription check. hosman20's fork adds a pair of switches that let the team skip both while running the app locally: the backend stops verifying identity tokens, the frontend pretends a fully paid-up account is signed in, and an amber banner across the top of the screen makes sure nobody forgets they're in this mode.

The interesting bit is the belt-and-braces design. The switches only work if the app knows it isn't running in production, so a flag accidentally left on in a live deploy does nothing. Both sides of the app also share the same fake user ID, so anything the app stores against a customer - subscription records, file storage - lines up cleanly between the two halves.
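
The backend side of that gate could look like the following. This is an added example, not code from hosman20's fork: only `NODE_ENV` and `DEV_AUTH_BYPASS` come from the commit message, while the function names, the stub user ID, the tier string and the `development`/`test` allowlist are assumptions. The allowlist is deliberately stricter than "non-production", so an unset or misspelled `NODE_ENV` fails closed.

```javascript
// Added example. Only NODE_ENV and DEV_AUTH_BYPASS are names from the commit;
// everything else here is hypothetical.
const DEV_USER_ID = "00000000-0000-0000-0000-000000000000"; // constructed stub ID shared by both halves

// Allowlist rather than "!== production": unknown environments count as production.
const BYPASS_ENVS = new Set(["development", "test"]);

function devBypassEnabled(env) {
  const flagOn = env.DEV_AUTH_BYPASS === "true";
  return flagOn && BYPASS_ENVS.has(env.NODE_ENV);
}

// Express-style middleware factory. verifyJwt is the real verifier, injected by the caller.
function makeAuthMiddleware(env, verifyJwt) {
  const bypass = devBypassEnabled(env); // decided once at startup, not per request
  if (env.DEV_AUTH_BYPASS === "true" && !bypass) {
    // A flag left on in a live deploy does nothing, but it should be visible in logs.
    console.warn("DEV_AUTH_BYPASS is set but ignored: NODE_ENV is not development/test");
  }
  return function auth(req, res, next) {
    if (bypass) {
      req.user = { id: DEV_USER_ID, tier: "professional", devBypass: true };
      return next();
    }
    const header = req.headers.authorization || "";
    const token = header.startsWith("Bearer ") ? header.slice(7) : null;
    const user = token ? verifyJwt(token) : null;
    if (!user) {
      res.statusCode = 401;
      return res.end("unauthorized");
    }
    req.user = user;
    next();
  };
}

// Constructed harness: send one request with no token through the middleware.
function simulate(env) {
  const req = { headers: {} };
  const res = { statusCode: 200, end() {} };
  let passed = false;
  makeAuthMiddleware(env, () => null)(req, res, () => { passed = true; });
  return { passed, status: res.statusCode, userId: req.user ? req.user.id : null };
}
```
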

So what: Worth a look for any legal-tech team building behind a paywall: the pattern shows how to keep developer velocity high without leaving an auth bypass that could ship to customers.

Commits in this thread

1 commit from hosman20/mike-2.0, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
85348e4c feat(dev): add NODE_ENV-gated auth + paywall bypass for local previews z 2026-05-13
commit body
Adds NEXT_PUBLIC_DEV_AUTH_BYPASS (frontend) and DEV_AUTH_BYPASS (backend)
flags. Both require non-production NODE_ENV. When on:
- Frontend skips Supabase auth, injects stub user + Professional-tier
  subscription, and shows an amber "dev mode" banner.
- Backend skips JWT verification and paywall middleware.

Production deployments ignore these flags by NODE_ENV check.
