feat(api): gate X-Dev-User bypass on ALLOW_DEV_USER_HEADER env #446
Reference: admin-mrrm/mrrmlabapp!446
Why
The X-Dev-User bypass added in #445 is gated by `NODE_ENV !== production`, but dev-neu runs the API with `NODE_ENV=production` (matching prod log/error semantics). Result: the bypass is unreachable on dev.api.mrrm.de, so the no-Keycloak mobile dev build still gets HTTP 401.

What

Decouple the bypass gate from `NODE_ENV`: introduce the explicit opt-in env var `ALLOW_DEV_USER_HEADER`. Operators must set it per environment; prod-alt intentionally leaves it unset. Startup logs a WARN when the flag is enabled so the bypass is visible in logs.
Tests
5/5 spec tests cover: KC unconfigured passthrough, flag=true + KC + header → bypass, flag unset + header → ignored, flag=false + header → ignored, flag=true + no header → still rejected. All 449 API tests pass.
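The gate as described above, modelled in an added example (not the project's own middleware): `authDecision`, `devHeaderEnabled`, `logStartupWarning`, the request shape and the `via` labels are assumptions for illustration. It deliberately never reads `NODE_ENV`, only `ALLOW_DEV_USER_HEADER`, and only the literal string `"true"` enables the bypass.

```javascript
// Added example: a minimal model of the X-Dev-User gate, not project code.
// Function and field names are assumptions for illustration.

// Strict string compare: only the literal "true" enables the bypass.
// Unset, "false", "1" or "TRUE" all leave it off. NODE_ENV is not consulted.
function devHeaderEnabled(env) {
  return env.ALLOW_DEV_USER_HEADER === "true";
}

// Called once at startup so an enabled bypass is visible in the logs.
// Returns true when the warning was emitted (useful for tests).
function logStartupWarning(env, log = console.warn) {
  if (!devHeaderEnabled(env)) return false;
  log("WARN: ALLOW_DEV_USER_HEADER=true - X-Dev-User bypass is ACTIVE on this instance");
  return true;
}

// env: process.env-like object
// keycloakConfigured: whether KC is set up for this deployment
// headers: header map with lowercased keys (as Node's IncomingMessage provides)
// verifiedUser: result of normal token validation, null when missing/invalid
function authDecision({ env, keycloakConfigured, headers, verifiedUser }) {
  // KC unconfigured: the existing passthrough, untouched by the flag.
  if (!keycloakConfigured) return { status: 200, user: null, via: "kc-unconfigured" };

  const devUser = headers["x-dev-user"];
  const headerPresent = typeof devUser === "string" && devUser.length > 0;

  // Bypass only when the operator opted in AND the header is present.
  if (devHeaderEnabled(env) && headerPresent) {
    return { status: 200, user: devUser, via: "dev-header" };
  }

  // Flag unset/false: the header is ignored entirely; normal auth applies.
  // Flag true but no header: still the normal path, so no token means 401.
  if (verifiedUser) return { status: 200, user: verifiedUser, via: "token" };
  return { status: 401, user: null, via: "rejected" };
}
```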
Deploy
Paired with the server-stack PR setting `ALLOW_DEV_USER_HEADER: "true"` on dev-neu only; both must merge for the bypass to take effect.