Remove the dev auth bypass that accepted any Bearer token on misconfigured deployments
bmersereau proposed closing a fail-open auth path in the Supabase server helpers: missing env vars previously treated the deployment as a dev environment and accepted any Bearer token as a valid user ID. The PR was closed without merge, so the bypass stayed in upstream.
The original server-side Supabase helpers had a fallback: if SUPABASE_URL or the secret key were absent, the code inferred a dev environment and used the raw Bearer token string as the user ID. Any misconfigured deployment - staging, preview, a container missing its secret injection - silently collapsed auth to zero. bmersereau's PR replaced that path with an explicit 500 response and made the Supabase client constructor throw on missing credentials rather than initialise with empty strings.
The empty-string coalescing in the request-to-user-ID helper was also removed, since the throwing constructor made those defensive defaults misleading rather than protective.
Ten vitest unit tests cover the boundary: missing env vars for both helpers, the normal authenticated path, and the new error responses. This is the first dedicated test coverage for the auth module.
The PR was closed without being merged. bmersereau noted a pre-existing prerender failure that prevents a full production build without real Supabase credentials - orthogonal to the fix, but it blocked end-to-end CI validation. The bypass remained in upstream at the time.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?