feat(api): gate X-Dev-User bypass on ALLOW_DEV_USER_HEADER env #446

Merged
pm-bot merged 1 commit from feat/dev-user-header-env-gate into main 2026-06-08 20:34:17 +02:00
Collaborator

Why

The X-Dev-User bypass added in #445 is gated by NODE_ENV !== production, but dev-neu runs the API with NODE_ENV=production (matching prod log/error semantics). Result: the bypass is unreachable on dev.api.mrrm.de, so the no-Keycloak mobile dev build still gets HTTP 401.

What

Decouple the bypass gate from NODE_ENV — introduce explicit opt-in env var ALLOW_DEV_USER_HEADER. Operators must set it per environment; prod-alt intentionally leaves it unset.

Startup logs a WARN when the flag is enabled so the bypass is visible in logs.

Tests

5/5 spec tests cover: KC unconfigured passthrough, flag=true + KC + header → bypass, flag unset + header → ignored, flag=false + header → ignored, flag=true + no header → still rejected. All 449 API tests pass.

Deploy

Paired with server-stack PR setting ALLOW_DEV_USER_HEADER: "true" on dev-neu only — both must merge for the bypass to take effect.
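The gate the description above specifies, written out as an added example; this is not the mrrmlabapp project's own middleware. It assumes a framework-agnostic decision function instead of the real request handler, the header name `X-Dev-User` and env var `ALLOW_DEV_USER_HEADER` as they appear on the page, a `keycloakConfigured` boolean standing in for "KC configured", and three constructed decision strings (`passthrough`, `bypass`, `verify-token`). The point it shows is fail-closed parsing of the flag (only the literal string `"true"` enables anything) and that the five cases listed under Tests fall out of one small decision table.

```javascript
// Added example, not project code. Names and decision strings are assumptions.
const DEV_USER_HEADER = 'x-dev-user';

// Opt-in flag: only the exact string "true" enables the bypass. Unset, "false",
// "1", "yes" or "TRUE" all leave it disabled, so a typo fails closed.
function devUserHeaderAllowed(env) {
  return env.ALLOW_DEV_USER_HEADER === 'true';
}

// Startup check: returns the WARN line an operator should see in the logs when
// the bypass is live on this environment, or null when it is not.
function startupWarning(env) {
  if (!devUserHeaderAllowed(env)) return null;
  const nodeEnv = env.NODE_ENV === undefined ? 'unset' : env.NODE_ENV;
  return `WARN ALLOW_DEV_USER_HEADER=true: X-Dev-User auth bypass is ENABLED (NODE_ENV=${nodeEnv})`;
}

// Build the gate once at startup (so the env is read once, not per request).
// keycloakConfigured === false means the API has no auth to bypass and requests
// pass through unchanged ("KC unconfigured passthrough").
function buildDevUserGate({ env, keycloakConfigured }) {
  const allowed = devUserHeaderAllowed(env);
  return function decide(headers) {
    // Header names are case-insensitive; normalise before lookup.
    const lower = Object.fromEntries(
      Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]),
    );
    const devUser = lower[DEV_USER_HEADER];

    if (!keycloakConfigured) {
      return { action: 'passthrough', user: null };
    }
    if (allowed && typeof devUser === 'string' && devUser.trim() !== '') {
      return { action: 'bypass', user: devUser.trim() };
    }
    // Flag unset/false, or no header: the header is ignored (not rejected) and
    // the request continues to normal token verification, which is what still
    // rejects a header-less request with 401 when the flag is on.
    return { action: 'verify-token', user: null };
  };
}

// The five spec cases from the PR description, as a table; returns the actions.
function runSpecCases() {
  const prodOn = { NODE_ENV: 'production', ALLOW_DEV_USER_HEADER: 'true' };
  const prodUnset = { NODE_ENV: 'production' };
  const prodFalse = { NODE_ENV: 'production', ALLOW_DEV_USER_HEADER: 'false' };
  const withHeader = { 'X-Dev-User': 'alice' }; // constructed sample request
  const noHeader = {};
  const cases = [
    ['KC unconfigured passthrough', { env: prodUnset, keycloakConfigured: false }, withHeader],
    ['flag=true + KC + header',      { env: prodOn,    keycloakConfigured: true },  withHeader],
    ['flag unset + header',          { env: prodUnset, keycloakConfigured: true },  withHeader],
    ['flag=false + header',          { env: prodFalse, keycloakConfigured: true },  withHeader],
    ['flag=true + no header',        { env: prodOn,    keycloakConfigured: true },  noHeader],
  ];
  return cases.map(([name, opts, headers]) => {
    const decision = buildDevUserGate(opts)(headers);
    console.log(`${name.padEnd(30)} -> ${decision.action}`);
    return decision.action;
  });
}

runSpecCases();
console.log(startupWarning({ NODE_ENV: 'production', ALLOW_DEV_USER_HEADER: 'true' }));
```

Reading the flag once in `buildDevUserGate` rather than on every request also means the WARN emitted at startup is the single source of truth for whether the bypass is on; a flag flipped after boot has no effect until restart, which is the behaviour an operator reviewing logs would expect.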

feat(api): gate X-Dev-User bypass on ALLOW_DEV_USER_HEADER env
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/pr Build is passing
7faa5ecc9f
Previously the bypass was gated by NODE_ENV !== 'production', but dev-neu
runs the API with NODE_ENV=production (matching prod log/error semantics),
so the bypass was unreachable on dev.api.mrrm.de.

Replace with an explicit opt-in env var. Operators must set
ALLOW_DEV_USER_HEADER=true per environment — never on prod-alt. Startup
warns when enabled so the bypass is visible in logs.
pm-bot merged commit 148e8c049c into main 2026-06-08 20:34:17 +02:00

Reference
admin-mrrm/mrrmlabapp!446