feat: add SkipAuthHandler for local dev authentication bypass#2181
Merged
alinarublea merged 2 commits intomainfrom Apr 15, 2026
Merged
feat: add SkipAuthHandler for local dev authentication bypass#2181alinarublea merged 2 commits intomainfrom
alinarublea merged 2 commits intomainfrom
Conversation
The auth middleware chain rejected all requests in local dev because no handler recognized SKIP_AUTH=true. Add SkipAuthHandler as the first auth handler so it can inject a mock admin identity before the real handlers run. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
- Defense-in-depth: SkipAuthHandler now refuses to bypass auth when running inside Lambda (checks context.func.name and AWS_LAMBDA_FUNCTION_NAME). Even if SKIP_AUTH=true were accidentally set in a deployed environment, the handler would log a warning and fall through to real auth handlers. - Remove the duplicate inline SKIP_AUTH block from run(). It was dead code — authWrapper rejects unauthenticated requests before run() executes, so the block was unreachable. The SkipAuthHandler is now the single source of truth for local dev auth bypass. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
This PR will trigger a minor release when merged. |
solaris007
approved these changes
Apr 13, 2026
solaris007
pushed a commit
that referenced
this pull request
Apr 15, 2026
# [1.440.0](v1.439.0...v1.440.0) (2026-04-15) ### Features * add SkipAuthHandler for local dev authentication bypass ([#2181](#2181)) ([8b7e3c6](8b7e3c6))
Member
|
🎉 This PR is included in version 1.440.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
SkipAuthHandleras the first handler in the auth middleware chainSKIP_AUTH=true(local dev.env), injects a mock admin identity and short-circuits authSKIP_AUTHis absent or not'true'(all deployed environments), returnsnulland the chain falls through to the real handlers — zero production impactmake run-apiin the mysticat-workspace local dev environmentContext
The local dev environment sets
SKIP_AUTH=truein.env, but previously no auth handler recognized this variable. All four real handlers (JWT, IMS, ScopedApiKey, LegacyApiKey) would fail and return 401 because the UI sends no credentials in local dev mode.Test plan
make run-apiin mysticat-workspace local dev → API responds 200 without auth headersSKIP_AUTHis never set)🤖 Generated with Claude Code