homepage/README_DEV_AUTH.md
Alexander Bocken 4f34ff5329 Update @auth/sveltekit to latest stable version 1.10.0
- Upgraded @auth/sveltekit from 0.14.0 to 1.10.0
- Updated session API from event.locals.getSession() to event.locals.auth()
- Fixed TypeScript definitions for new auth API in app.d.ts
- Updated layout server load functions to use LayoutServerLoad type
- Fixed session callbacks with proper token type casting
- Switched to generic OIDC provider config to resolve issuer validation issues
- All auth functionality now working with latest Auth.js version

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-31 21:45:14 +02:00


# Development Authentication Bypass
This document explains how to safely disable authentication during development.
## 🔐 Security Overview
The authentication bypass is designed with multiple layers of security:
1. **Development Mode Only**: Only works when `vite dev` is running
2. **Explicit Opt-in**: Requires setting `DEV_DISABLE_AUTH=true`
3. **Production Protection**: Build fails if enabled in production mode
4. **Environment Isolation**: Uses local environment files (gitignored)
## 🚀 Usage
### 1. Create Local Environment File
Create `.env.local` (this file is gitignored):
```bash
# Copy from example
cp .env.local.example .env.local
```
### 2. Enable Development Bypass
Edit `.env.local` and set:
```env
DEV_DISABLE_AUTH=true
```
### 3. Start Development Server
```bash
pnpm run dev
```
You'll see a warning in the console:
```
🚨 AUTH DISABLED: Development mode with DEV_DISABLE_AUTH=true
```
### 4. Access Protected Routes
Protected routes (`/rezepte/edit/*`, `/rezepte/add`) will now be accessible without authentication.
## 🛡️ Security Guarantees
### Production Safety
- **Build-time Check**: Production builds fail if `DEV_DISABLE_AUTH=true`
- **Runtime Check**: Double verification using `dev` flag from `$app/environment`
- **No Environment Leakage**: Uses `process.env` (server-only) not client environment
### Development Isolation
- **Gitignored Files**: `.env.local` is never committed
- **Example Template**: `.env.local.example` shows safe defaults
- **Clear Warnings**: Console warns when auth is disabled
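The two checks described above, combined into one guard, as an added example that is not the project's own code: `dev` stands in for SvelteKit's `dev` flag from `$app/environment`, `env` for the server-only `process.env`, and `realAuth` for the result of `event.locals.auth()`; the mock user fields are constructed placeholders, only the `rezepte_users` group name and the protected paths come from this document.

```javascript
// Added example: guard logic for the DEV_DISABLE_AUTH bypass. Both inputs are
// passed in explicitly so the decision can be tested outside SvelteKit.

// Protected paths named in the README (edit/* is a prefix, add is exact).
const PROTECTED_ROUTES = [/^\/rezepte\/edit\//, /^\/rezepte\/add$/];

// Mock session handed out while the bypass is active. Group name from the
// README; the user name is a constructed placeholder.
const MOCK_SESSION = { user: { name: 'dev-user', groups: ['rezepte_users'] } };

// Build-time check: a production build (dev === false) must refuse to proceed
// when the bypass flag is set, so the flag can never ship enabled.
function assertBuildSafe(dev, env) {
  if (!dev && env.DEV_DISABLE_AUTH === 'true') {
    throw new Error('SECURITY: DEV_DISABLE_AUTH=true is not allowed in a production build');
  }
}

// Runtime check: the bypass is active only when BOTH conditions hold. Only the
// exact string "true" enables it; "1", "yes" or "false" leave auth on.
function authBypassEnabled(dev, env) {
  return dev === true && env.DEV_DISABLE_AUTH === 'true';
}

function isProtectedRoute(pathname) {
  return PROTECTED_ROUTES.some((re) => re.test(pathname));
}

// Stand-in for a server hook: decide which session a request sees and whether
// it may reach the route. Unprotected routes are always allowed; protected
// routes need a real session unless the bypass is active.
function resolveSession(pathname, dev, env, realAuth) {
  if (authBypassEnabled(dev, env)) {
    console.warn('🚨 AUTH DISABLED: Development mode with DEV_DISABLE_AUTH=true');
    return { session: MOCK_SESSION, allowed: true };
  }
  const allowed = !isProtectedRoute(pathname) || realAuth !== null;
  return { session: realAuth, allowed };
}
```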
## 🧪 Testing the Security
### Test Production Build Safety
```bash
# This should FAIL with security error
DEV_DISABLE_AUTH=true pnpm run build
```
### Test Normal Production Build
```bash
# This should succeed
pnpm run build
```
## 🔄 Re-enabling Authentication
Set in `.env.local`:
```env
DEV_DISABLE_AUTH=false
```
Or simply delete/rename the `.env.local` file.
## ⚠️ Important Notes
- **Never** commit `.env.local` to git
- **Never** set `DEV_DISABLE_AUTH=true` in a production environment
- The bypass provides a mock session with `rezepte_users` group access
- All other authentication flows (signin pages, etc.) remain unchanged