feat(auth): local-dev auto-login behind DEV_AUTH flag#26
Merged
Conversation
Add ensureDevSession(), called from hooks.server.ts, that authenticates a fixed fake user (devuser) for local development so authed UI can be worked on without OAuth. Gated twice so it can never run in production: - DEV_AUTH === 'true', a flag that only lives in .dev.vars (gitignored, never deployed) - request host must be localhost / 127.0.0.1 Seeds the dev user + a default config into local D1 on first use and issues a session cookie; no-op when already authenticated. Includes a Workers-runtime test covering both gates, the leaked-flag-in-prod case, and idempotency, plus a .dev.vars.example documenting the flag. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a local-development auto-login so authed UI (dashboard, editor) can be worked on without going through OAuth.
ensureDevSession()(called fromhooks.server.ts) authenticates a fixed fake userdevuser— seeding it and a default config into the local D1 on first use and issuing a session cookie. It is a no-op when already authenticated, so it doesn't clobber a real session.Gated twice so it can never run in production:
DEV_AUTH === 'true'— a flag that only lives in.dev.vars(gitignored, never deployed), so production env never has it.localhost/127.0.0.1— so even a leaked flag can't open the gate onopenboot.dev..dev.vars.exampledocuments the flag (DEV_AUTH=truefor auto-login; setfalseto test real OAuth / logged-out UI).The JWT
exp(ms) matches the existing GitHub/Google OAuth callbacks, and the new test runs in the Workers runtime against real D1.Test plan
npm run validate(lint → check → test → build) passes.dev-auth.test.tscovers: auto-login on localhost+DEV_AUTH=true; no-op when the flag isfalse/unset; no-op when host ≠ localhost (gate holds even if the flag leaks); idempotent (no reseed when already authed).secure,httpOnly,sameSite=lax) are right for local dev.🤖 Generated with Claude Code