NODE_ENV-gated bypass lets local dev skip Supabase auth and Stripe paywall

hosman20 adds a dual-flag bypass for local previews, hard-blocked at `NODE_ENV === "production"`. The design is sound but carries one deployment risk worth checking before you pull it in.

infrastructuresecurity

Commit 85348e4 adds DEV_AUTH_BYPASS=1 on the backend and NEXT_PUBLIC_DEV_AUTH_BYPASS on the frontend. The backend flag lives in backend/src/lib/devAuth.ts as a module-level const: process.env.NODE_ENV !== "production" && process.env.DEV_AUTH_BYPASS === "1". Because it's evaluated at module load, a leaked flag on a production deploy with NODE_ENV=production is inert.

When active: requireAuth skips JWT verification and injects DEV_STUB_USER_ID = "00000000-0000-0000-0000-000000000dev" and dev@mike.local. requireActiveSubscription short-circuits to next(). On the frontend, AuthContext injects the matching stub user and UserProfileContext synthesizes a Professional-tier subscription so billing-gated UI renders. A dev-banner.tsx component shows an amber warning strip in the top chrome.

The stub UUID is the same on both sides intentionally. Anything keyed by user_id - the subscriptions row, R2 prefixes - maps to the same value across the two processes, which makes end-to-end local testing work without real credentials.

Tests cover three cases in devAuth.test.ts: bypass active in development calls next() without a DB hit; bypass active in production runs the real check and returns 402; flag unset in development also runs the real check.

The deployment risk: Vercel preview deployments and some CI runners run with NODE_ENV=development by default. If DEV_AUTH_BYPASS=1 lands in those environments' env vars, auth is disabled. Check your preview and CI configs before pulling this in.

So what The pattern itself - NODE_ENV hard-gate as a second layer beyond the flag, matching stub UUIDs across both processes, visible amber banner - is worth borrowing even if you rewrite the implementation. Just audit `NODE_ENV` on every non-production environment before enabling the flag.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

1 commit from hosman20/mike-2.0, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
85348e4c feat(dev): add NODE_ENV-gated auth + paywall bypass for local previews z 2026-05-13 ↗ GitHub
commit body
Adds NEXT_PUBLIC_DEV_AUTH_BYPASS (frontend) and DEV_AUTH_BYPASS (backend)
flags. Both require non-production NODE_ENV. When on:
- Frontend skips Supabase auth, injects stub user + Professional-tier
  subscription, and shows an amber "dev mode" banner.
- Backend skips JWT verification and paywall middleware.

Production deployments ignore these flags by NODE_ENV check.

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-408.md from inside the repo you want the changes in.

⬇ Download capture-thread-408.md