NODE_ENV-gated bypass lets local dev skip Supabase auth and Stripe paywall
hosman20 adds a dual-flag bypass for local previews, hard-blocked at `NODE_ENV === "production"`. The design is sound but carries one deployment risk worth checking before you pull it in.
Commit 85348e4 adds DEV_AUTH_BYPASS=1 on the backend and NEXT_PUBLIC_DEV_AUTH_BYPASS on the frontend. The backend flag lives in backend/src/lib/devAuth.ts as a module-level const: process.env.NODE_ENV !== "production" && process.env.DEV_AUTH_BYPASS === "1". Because it's evaluated at module load, a leaked flag on a production deploy with NODE_ENV=production is inert.
When active: requireAuth skips JWT verification and injects DEV_STUB_USER_ID = "00000000-0000-0000-0000-000000000dev" and dev@mike.local. requireActiveSubscription short-circuits to next(). On the frontend, AuthContext injects the matching stub user and UserProfileContext synthesizes a Professional-tier subscription so billing-gated UI renders. A dev-banner.tsx component shows an amber warning strip in the top chrome.
The stub UUID is the same on both sides intentionally. Anything keyed by user_id - the subscriptions row, R2 prefixes - maps to the same value across the two processes, which makes end-to-end local testing work without real credentials.
Tests cover three cases in devAuth.test.ts: bypass active in development calls next() without a DB hit; bypass active in production runs the real check and returns 402; flag unset in development also runs the real check.
The deployment risk: Vercel preview deployments and some CI runners run with NODE_ENV=development by default. If DEV_AUTH_BYPASS=1 lands in those environments' env vars, auth is disabled. Check your preview and CI configs before pulling this in.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?