Skip to content

feat(auth): local-dev auto-login behind DEV_AUTH flag#26

Merged
fullstackjam merged 1 commit into
mainfrom
feat/dev-auth-autologin
Jun 27, 2026
Merged

feat(auth): local-dev auto-login behind DEV_AUTH flag#26
fullstackjam merged 1 commit into
mainfrom
feat/dev-auth-autologin

Conversation

@fullstackjam

Copy link
Copy Markdown
Member

Summary

Adds a local-development auto-login so authed UI (dashboard, editor) can be worked on without going through OAuth.

ensureDevSession() (called from hooks.server.ts) authenticates a fixed fake user devuser — seeding it and a default config into the local D1 on first use and issuing a session cookie. It is a no-op when already authenticated, so it doesn't clobber a real session.

Gated twice so it can never run in production:

  1. DEV_AUTH === 'true' — a flag that only lives in .dev.vars (gitignored, never deployed), so production env never has it.
  2. Request host must be localhost / 127.0.0.1 — so even a leaked flag can't open the gate on openboot.dev.

.dev.vars.example documents the flag (DEV_AUTH=true for auto-login; set false to test real OAuth / logged-out UI).

The JWT exp (ms) matches the existing GitHub/Google OAuth callbacks, and the new test runs in the Workers runtime against real D1.

Test plan

  • npm run validate (lint → check → test → build) passes.
  • New dev-auth.test.ts covers: auto-login on localhost+DEV_AUTH=true; no-op when the flag is false/unset; no-op when host ≠ localhost (gate holds even if the flag leaks); idempotent (no reseed when already authed).
  • Reviewer: confirm the two gates are sufficient and the cookie attributes (secure, httpOnly, sameSite=lax) are right for local dev.

🤖 Generated with Claude Code

Add ensureDevSession(), called from hooks.server.ts, that authenticates a
fixed fake user (devuser) for local development so authed UI can be worked
on without OAuth. Gated twice so it can never run in production:

- DEV_AUTH === 'true', a flag that only lives in .dev.vars (gitignored,
  never deployed)
- request host must be localhost / 127.0.0.1

Seeds the dev user + a default config into local D1 on first use and issues
a session cookie; no-op when already authenticated. Includes a
Workers-runtime test covering both gates, the leaked-flag-in-prod case, and
idempotency, plus a .dev.vars.example documenting the flag.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@codecov

codecov Bot commented Jun 27, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@fullstackjam fullstackjam merged commit 77c74e1 into main Jun 27, 2026
8 checks passed
@fullstackjam fullstackjam deleted the feat/dev-auth-autologin branch June 27, 2026 05:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant