feat: add AUTH_DISABLED environment variable to disable authentication

[iamriajul]

Recreates #175 on top of latest main.

This adds AUTH_DISABLED=true support so authentication can be bypassed in private/local environments.

What changed

• Added AUTH_DISABLED to .env.example.
• Added auth-disable helpers in server auth middleware.
• Bypassed JWT/WebSocket auth checks when auth is disabled.
• Updated auth status/user endpoints to expose authDisabled state.
• Updated frontend auth flow to detect auth-disabled mode and skip setup/login gating.
• Updated protected route handling to allow direct access when auth is disabled.

Behavior when AUTH_DISABLED=true

• Protected API endpoints are accessible without a JWT token.
• WebSocket auth accepts connections without real auth tokens.
• UI bypasses setup/login flow and opens app directly.

Closes #175

Summary by CodeRabbit

• New Features
  • Added optional authentication bypass mode: New configuration option allows disabling authentication checks system-wide. When enabled, users access all features without logging in. Supports both standard API and WebSocket authentication paths. System assigns a default user when authentication is disabled, ensuring seamless operation and full functionality.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR introduces an AUTH_DISABLED environment variable feature that allows bypassing authentication checks across the API, WebSocket connections, and frontend components when enabled. A fallback user object is provided for compatibility when authentication is disabled.

Changes

Cohort / File(s)	Summary
Configuration .env.example	Added AUTH_DISABLED environment variable with default value of false, including documentation and safety warnings.
Backend Authentication server/middleware/auth.js, server/routes/auth.js	Added isAuthDisabled() check to bypass JWT validation in both token-based and WebSocket authentication paths. Updated /status and /user endpoints to return authDisabled flag in responses and provide fallback user when disabled.
Frontend Auth Context src/contexts/AuthContext.jsx	Introduced authDisabled state field to context. Added handling for auth-disabled flow when detected in status response, including compatibility token setup and automatic onboarding completion.
Frontend Components src/components/ProtectedRoute.jsx	Added early return when authDisabled is true to skip authentication checks and render protected content directly on non-platform paths.

Sequence Diagram

sequenceDiagram
    participant Client
    participant AuthMiddleware
    participant AuthContext
    participant ProtectedRoute

    rect rgba(100, 150, 200, 0.5)
    Note over Client,ProtectedRoute: AUTH_DISABLED=true Path
    Client->>AuthMiddleware: API request
    AuthMiddleware->>AuthMiddleware: Check AUTH_DISABLED flag
    AuthMiddleware->>AuthMiddleware: Assign fallback user
    AuthMiddleware->>Client: Return response with authDisabled: true
    Client->>AuthContext: Fetch status
    AuthContext->>AuthContext: Detect authDisabled in response
    AuthContext->>AuthContext: Set authDisabled state
    AuthContext->>ProtectedRoute: Provide authDisabled flag
    ProtectedRoute->>ProtectedRoute: Check authDisabled
    ProtectedRoute->>Client: Render protected content
    end

    rect rgba(200, 100, 100, 0.5)
    Note over Client,ProtectedRoute: Normal Auth Path
    Client->>AuthMiddleware: API request with token
    AuthMiddleware->>AuthMiddleware: Validate JWT token
    AuthMiddleware->>Client: Return response with authDisabled: false
    Client->>AuthContext: Fetch status
    AuthContext->>AuthContext: Normal auth processing
    AuthContext->>ProtectedRoute: authDisabled: false
    ProtectedRoute->>AuthMiddleware: Verify authentication
    ProtectedRoute->>Client: Render protected content
    end

Loading

Poem

🐰 Hops with glee
An auth flag so divine, when turned to true,
Unlocks the doors for every user crew,
No tokens needed, no logins required,
The fallback admin keeps access inspired!
With AuthDisabled, the rabbit's dreams come true! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main change: adding AUTH_DISABLED environment variable to disable authentication, which is the primary objective.
Linked Issues check	✅ Passed	All coding requirements from issue #175 are met: AUTH_DISABLED flag added to .env.example, auth middleware updated to skip checks when disabled, WebSocket auth updated, status/user endpoints expose authDisabled state, and frontend components properly detect and handle auth-disabled mode.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to implementing AUTH_DISABLED functionality across configuration, backend auth, and frontend routing with no unrelated modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

server/routes/auth.js (1)

132-139: Avoid duplicating auth-disabled fallback user construction.

Line 134 redefines a fallback user even though authenticateToken already sets req.user in auth-disabled mode. Keeping one source of truth will prevent drift.

♻️ Simplify `/user` auth-disabled response

   if (isAuthDisabled()) {
     return res.json({
-      user: req.user || {
-        id: 1,
-        username: 'admin'
-      },
+      user: req.user,
       authDisabled: true
     });
   }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/routes/auth.js` around lines 132 - 139, The /user route is
constructing a hardcoded fallback user even though authenticateToken already
sets req.user when auth is disabled; remove the duplicated object and return the
existing req.user instead (e.g., return res.json({ user: req.user, authDisabled:
true })), or if authenticateToken doesn't already set req.user in auth-disabled
mode, update authenticateToken to populate req.user and then reference req.user
here (use isAuthDisabled(), authenticateToken, and req.user to locate the
relevant code).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@server/middleware/auth.js`:
- Around line 8-10: The isAuthDisabled function in server/middleware/auth.js
currently allows auth bypass in any environment; update it to enforce a
hard-stop when running in production by checking process.env.NODE_ENV ===
'production' and, if AUTH_DISABLED is truthy, throw a descriptive Error (or call
process.exit(1)) to fail startup rather than returning true; keep the existing
case-insensitive check for AUTH_DISABLED but add the NODE_ENV guard and message
so the app cannot run with auth disabled in production.

In `@src/contexts/AuthContext.jsx`:
- Line 81: Replace the hardcoded fallback user in AuthContext.jsx — currently
setUser(statusData.user || { id: 1, username: 'admin' }) — with a non-deceptive
fallback (e.g., setUser(statusData.user ?? null) or undefined) so the client
doesn't fabricate an "admin" identity; update any downstream consumers to handle
a nullable user value. Target the setUser and statusData usage in the
AuthContext.jsx file and remove the hardcoded { id: 1, username: 'admin' }
fallback.

---

Nitpick comments:
In `@server/routes/auth.js`:
- Around line 132-139: The /user route is constructing a hardcoded fallback user
even though authenticateToken already sets req.user when auth is disabled;
remove the duplicated object and return the existing req.user instead (e.g.,
return res.json({ user: req.user, authDisabled: true })), or if
authenticateToken doesn't already set req.user in auth-disabled mode, update
authenticateToken to populate req.user and then reference req.user here (use
isAuthDisabled(), authenticateToken, and req.user to locate the relevant code).

---

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1f903ba and 79d5f56.

📒 Files selected for processing (5)

• .env.example
• server/middleware/auth.js
• server/routes/auth.js
• src/components/ProtectedRoute.jsx
• src/contexts/AuthContext.jsx

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add a production hard-stop for AUTH_DISABLED.

Line 8 currently allows full auth bypass in any environment if the env var is set. That makes accidental production exposure too easy. Please enforce a runtime guard (or startup failure) when NODE_ENV=production.

🔧 Suggested hardening

-const isAuthDisabled = () => {
-  return String(process.env.AUTH_DISABLED || '').toLowerCase() === 'true';
-};
+const isAuthDisabled = () => {
+  const requested = String(process.env.AUTH_DISABLED || '').toLowerCase() === 'true';
+  if (requested && process.env.NODE_ENV === 'production') {
+    console.error('AUTH_DISABLED is blocked in production');
+    return false;
+  }
+  return requested;
+};

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const isAuthDisabled = () => {
	return String(process.env.AUTH_DISABLED || '').toLowerCase() === 'true';
	};
	const isAuthDisabled = () => {
	const requested = String(process.env.AUTH_DISABLED || '').toLowerCase() === 'true';
	if (requested && process.env.NODE_ENV === 'production') {
	console.error('AUTH_DISABLED is blocked in production');
	return false;
	}
	return requested;
	};

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/middleware/auth.js` around lines 8 - 10, The isAuthDisabled function
in server/middleware/auth.js currently allows auth bypass in any environment;
update it to enforce a hard-stop when running in production by checking
process.env.NODE_ENV === 'production' and, if AUTH_DISABLED is truthy, throw a
descriptive Error (or call process.exit(1)) to fail startup rather than
returning true; keep the existing case-insensitive check for AUTH_DISABLED but
add the NODE_ENV guard and message so the app cannot run with auth disabled in
production.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Hardcoded fallback user can desync displayed identity.

Line 81 forces { id: 1, username: 'admin' } when statusData.user is absent. In auth-disabled mode this can show the wrong user identity versus server-side fallback resolution.

🔧 Safer client fallback flow

       if (statusData.authDisabled) {
         const compatibilityToken = 'auth-disabled-token';
         setAuthDisabled(true);
         setNeedsSetup(false);
         setToken(compatibilityToken);
         localStorage.setItem('auth-token', compatibilityToken);
-        setUser(statusData.user || { id: 1, username: 'admin' });
+        if (statusData.user) {
+          setUser(statusData.user);
+        } else {
+          const userResponse = await api.auth.user();
+          const userData = userResponse.ok ? await userResponse.json() : null;
+          setUser(userData?.user || { id: 1, username: 'admin' });
+        }
         setHasCompletedOnboarding(true);
         setIsLoading(false);
         return;
       }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/contexts/AuthContext.jsx` at line 81, Replace the hardcoded fallback user
in AuthContext.jsx — currently setUser(statusData.user || { id: 1, username:
'admin' }) — with a non-deceptive fallback (e.g., setUser(statusData.user ??
null) or undefined) so the client doesn't fabricate an "admin" identity; update
any downstream consumers to handle a nullable user value. Target the setUser and
statusData usage in the AuthContext.jsx file and remove the hardcoded { id: 1,
username: 'admin' } fallback.

[blackmammoth]

@iamriajul, this PR is awesome. Do you have any new updates?