
fix: remove Playwright auth bypass from dashboard (GHSA-6c5j-4w43-2v8f #1)#593

Closed
advikdivekar wants to merge 2 commits into Priyanshu-byte-coder:main from advikdivekar:fix/ghsa-playwright-auth-bypass

Conversation

@advikdivekar
Contributor

Problem

The dashboard page contained a cookie-based authentication bypass that could be activated in production by any visitor. Two conditions enabled it: the environment variable PLAYWRIGHT_AUTH_BYPASS=1 and a browser cookie playwright-dashboard-auth=1 that was neither server-set nor HttpOnly.

Any contributor who copied the playwright.config.mjs env block into their Vercel deployment activated this bypass. From there, anyone who knew about it could set the cookie via DevTools and access /dashboard without GitHub OAuth.

Root cause: Production code path that sets session = null and skips getServerSession, controlled by a user-settable cookie.

What changed

src/app/dashboard/page.tsx

  • Removed the allowPlaywrightBypass condition and the cookies() import entirely
  • Authentication is now enforced unconditionally via getServerSession(authOptions)
  • E2e tests that require an authenticated session should use proper NextAuth JWT injection in the test setup rather than a production code path

How to verify

  1. Deploy with PLAYWRIGHT_AUTH_BYPASS=1 set in env vars
  2. Open browser DevTools → run document.cookie = "playwright-dashboard-auth=1"
  3. Navigate to /dashboard — redirected to / instead of rendering the dashboard
  4. Normal sign-in flow: unaffected

Regression check

  • Authenticated users: dashboard loads normally
  • Unauthenticated users: redirected to / as before
  • No other references to PLAYWRIGHT_AUTH_BYPASS or playwright-dashboard-auth in application code

Fixes GHSA-6c5j-4w43-2v8f vulnerability #1 (Critical).

The dashboard accepted a user-settable cookie playwright-dashboard-auth=1
combined with the env var PLAYWRIGHT_AUTH_BYPASS=1 to bypass GitHub OAuth
entirely, rendering the page with session=null. Any contributor who copied
the playwright.config.mjs env block to Vercel activated this bypass in
production, allowing unauthenticated access to /dashboard.

Remove the bypass entirely. Authentication is now unconditionally enforced
via getServerSession. E2e tests requiring an authenticated session should
use proper NextAuth JWT injection via the test setup rather than a
production code path.
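The control flow the description above refers to, written out as an added example for readers of this PR. This is not the project's `page.tsx`: it models the decision a Next.js server component makes as pure functions so it runs without Next.js or next-auth. The env var `PLAYWRIGHT_AUTH_BYPASS`, the cookie `playwright-dashboard-auth` and the flag `allowPlaywrightBypass` are taken from the PR text; the `RequestContext` shape, the `Session` type, the scenario builders and the `findBypassReferences` guard are assumptions made for the demo.

```typescript
// Added example (not the project's code): models the dashboard's auth decision
// before and after the fix described in this PR. Apart from the env var, the
// cookie name and allowPlaywrightBypass, every name here is an assumption.

type Session = { user: { login: string } } | null;

// The request-scoped inputs a Next.js server component reads. In the real page
// these come from process.env, cookies() from next/headers and the async
// getServerSession(authOptions) from next-auth; modelled synchronously here.
interface RequestContext {
  env: Record<string, string | undefined>;
  cookies: Map<string, string>;
  getServerSession: () => Session;
}

type Outcome =
  | { action: "render"; session: Session }
  | { action: "redirect"; to: string };

// BEFORE: the bypass the PR removes. The cookie is written by the visitor's own
// browser, so once the env var is present any request can skip getServerSession.
function dashboardBefore(ctx: RequestContext): Outcome {
  const allowPlaywrightBypass =
    ctx.env.PLAYWRIGHT_AUTH_BYPASS === "1" &&
    ctx.cookies.get("playwright-dashboard-auth") === "1";
  if (allowPlaywrightBypass) {
    return { action: "render", session: null }; // page rendered with session = null
  }
  const session = ctx.getServerSession();
  return session ? { action: "render", session } : { action: "redirect", to: "/" };
}

// AFTER: no branch depends on request-controlled input; the only way to reach
// "render" is a session returned by getServerSession.
function dashboardAfter(ctx: RequestContext): Outcome {
  const session = ctx.getServerSession();
  return session ? { action: "render", session } : { action: "redirect", to: "/" };
}

// Minimal Cookie-header parser so the demo can be fed a raw header string.
function parseCookieHeader(header: string): Map<string, string> {
  const out = new Map<string, string>();
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out.set(name, decodeURIComponent(part.slice(eq + 1).trim()));
  }
  return out;
}

// Guard for the PR's regression check: returns every file that still mentions
// one of the bypass identifiers. `files` maps path -> source text.
const BYPASS_IDENTIFIERS = [
  "PLAYWRIGHT_AUTH_BYPASS",
  "playwright-dashboard-auth",
  "allowPlaywrightBypass",
];
function findBypassReferences(files: Record<string, string>): string[] {
  return Object.entries(files)
    .filter(([, src]) => BYPASS_IDENTIFIERS.some((id) => src.includes(id)))
    .map(([path]) => path)
    .sort();
}

// Constructed scenario: a deployment that copied PLAYWRIGHT_AUTH_BYPASS=1 into
// its env, receiving a request with no OAuth session but the bypass cookie set.
function unauthenticatedWithBypassCookie(): RequestContext {
  return {
    env: { PLAYWRIGHT_AUTH_BYPASS: "1" },
    cookies: parseCookieHeader("playwright-dashboard-auth=1; theme=dark"),
    getServerSession: () => null, // no GitHub OAuth session exists
  };
}

// Constructed scenario: a normally signed-in user, no bypass cookie.
function authenticatedUser(): RequestContext {
  return {
    env: {},
    cookies: parseCookieHeader("theme=dark"),
    getServerSession: () => ({ user: { login: "octocat" } }),
  };
}

console.log("before:", dashboardBefore(unauthenticatedWithBypassCookie()).action); // "render"
console.log("after: ", dashboardAfter(unauthenticatedWithBypassCookie()).action); // "redirect"
```

The difference worth noticing is structural rather than a matter of which values are checked: in `dashboardAfter` there is no condition at all that a request header or an environment variable can flip, so the "How to verify" steps above cannot reach the render branch without a session. `findBypassReferences` is the kind of guard a CI step can run over `src/` to keep the third regression-check bullet true after the merge.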
@vercel

vercel Bot commented May 21, 2026

@advikdivekar is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added gssoc26 GSSoC 2026 contribution type:bug GSSoC type bonus: bug fix type:security GSSoC type bonus: security (+20 pts) labels May 21, 2026
@github-actions

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

@advikdivekar
Contributor Author

Closing — patch will be submitted through the private advisory fork (GHSA-6c5j-4w43-2v8f) to avoid public disclosure before coordinated release.
