trust host for reverse proxy in prod, general cleanup
Some checks failed
CI / update (push) Failing after 1m27s
Some checks failed
CI / update (push) Failing after 1m27s
This commit is contained in:
@@ -1,88 +0,0 @@
|
||||
# Development Authentication Bypass
|
||||
|
||||
This document explains how to safely disable authentication during development.
|
||||
|
||||
## 🔐 Security Overview
|
||||
|
||||
The authentication bypass is designed with multiple layers of security:
|
||||
|
||||
1. **Development Mode Only**: Only works when `vite dev` is running
|
||||
2. **Explicit Opt-in**: Requires setting `DEV_DISABLE_AUTH=true`
|
||||
3. **Production Protection**: Build fails if enabled in production mode
|
||||
4. **Environment Isolation**: Uses local environment files (gitignored)
|
||||
|
||||
## 🚀 Usage
|
||||
|
||||
### 1. Create Local Environment File
|
||||
|
||||
Create `.env.local` (this file is gitignored):
|
||||
|
||||
```bash
|
||||
# Copy from example
|
||||
cp .env.local.example .env.local
|
||||
```
|
||||
|
||||
### 2. Enable Development Bypass
|
||||
|
||||
Edit `.env.local` and set:
|
||||
|
||||
```env
|
||||
DEV_DISABLE_AUTH=true
|
||||
```
|
||||
|
||||
### 3. Start Development Server
|
||||
|
||||
```bash
|
||||
pnpm run dev
|
||||
```
|
||||
|
||||
You'll see a warning in the console:
|
||||
```
|
||||
🚨 AUTH DISABLED: Development mode with DEV_DISABLE_AUTH=true
|
||||
```
|
||||
|
||||
### 4. Access Protected Routes
|
||||
|
||||
Protected routes (`/rezepte/edit/*`, `/rezepte/add`) will now be accessible without authentication.
|
||||
|
||||
## 🛡️ Security Guarantees
|
||||
|
||||
### Production Safety
|
||||
- **Build-time Check**: Production builds fail if `DEV_DISABLE_AUTH=true`
|
||||
- **Runtime Check**: Double verification using `dev` flag from `$app/environment`
|
||||
- **No Environment Leakage**: Uses `process.env` (server-only) not client environment
|
||||
|
||||
### Development Isolation
|
||||
- **Gitignored Files**: `.env.local` is never committed
|
||||
- **Example Template**: `.env.local.example` shows safe defaults
|
||||
- **Clear Warnings**: Console warns when auth is disabled
|
||||
|
||||
## 🧪 Testing the Security
|
||||
|
||||
### Test Production Build Safety
|
||||
```bash
|
||||
# This should FAIL with security error
|
||||
DEV_DISABLE_AUTH=true pnpm run build
|
||||
```
|
||||
|
||||
### Test Normal Production Build
|
||||
```bash
|
||||
# This should succeed
|
||||
pnpm run build
|
||||
```
|
||||
|
||||
## 🔄 Re-enabling Authentication
|
||||
|
||||
Set in `.env.local`:
|
||||
```env
|
||||
DEV_DISABLE_AUTH=false
|
||||
```
|
||||
|
||||
Or simply delete/rename the `.env.local` file.
|
||||
|
||||
## ⚠️ Important Notes
|
||||
|
||||
- **Never** commit `.env.local` to git
|
||||
- **Never** set `DEV_DISABLE_AUTH=true` in production environment
|
||||
- The bypass provides a mock session with `rezepte_users` group access
|
||||
- All other authentication flows (signin pages, etc.) remain unchanged
|
||||
3318
package-lock.json
generated
3318
package-lock.json
generated
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "sk-recipes-test",
|
||||
"version": "0.0.1",
|
||||
"name": "homepage",
|
||||
"version": "1.0.0",
|
||||
"private": true,
|
||||
"type": "module",
|
||||
"scripts": {
|
||||
|
||||
@@ -26,4 +26,5 @@ export const { handle, signIn, signOut } = SvelteKitAuth({
|
||||
},
|
||||
|
||||
}
|
||||
trustHost: true, // needed for reverse proxy setups
|
||||
})
|
||||
|
||||
Reference in New Issue
Block a user