@stack72 stack72 commented Jan 26, 2026

Implements a local-only authentication mode that completely bypasses Auth0 for local development. This eliminates the need for Auth0
credentials, internet connectivity, and the full onboarding flow, enabling developers to start working immediately with a single
environment variable.

Motivation

Previously, local development required:

  • Auth0 credentials (client ID, client secret, M2M credentials)
  • Internet connectivity to reach Auth0 APIs
  • Email verification via Auth0
  • Terms of Service acceptance
  • Full onboarding flow (provider selection, AI agent setup)

This created friction for:

  • Offline development scenarios
  • CI/CD pipelines
  • Quick iteration cycles

Complete Local Auth Flow

✅ Zero Auth0 interaction
✅ Auto-authentication (no login form)
✅ Auto-workspace creation
✅ Skip email verification
✅ Skip ToS acceptance
✅ Skip profile completion
✅ Skip onboarding modal
✅ Instant workspace access

Implementation

Single Configuration Variable:
LOCAL_AUTH_MODE=true # in bin/auth-api/.env.local

Hardcoded Local User:

  • Email: dev@systeminit.local
  • Name: Local Developer
  • Nickname: localdev
  • Auth0 ID: local|{base64(email)} (for uniqueness)

Auto-Provisioned Workspace:

  • Name: "Local Development"
  • URL: http://localhost:8080
  • Type: LOCAL
  • User Role: OWNER

Bypasses:

  • ✅ Auth0 OAuth flow
  • ✅ Email verification checks
  • ✅ Terms of Service acceptance
  • ✅ Onboarding flow (provider + AI agent setup)
  • ✅ Profile completion requirement

Security & Logging

Comprehensive Logging:
All local auth operations logged with 🔧 emoji and type: "local-auth":

```
{
"level": "warn",
"type": "local-auth",
"message": "🔧🔧🔧 LOCAL AUTH MODE ENABLED 🔧🔧🔧",
"details": "Auth0 is BYPASSED - DO NOT USE IN PRODUCTION"
}
```

Auto-Detection:
Frontend auto-detects local mode by attempting /auth/local-login on auth failure. Backend rejects with 403 LocalAuthDisabled if
LOCAL_AUTH_MODE != true.

Risk Assessment

🔴 CRITICAL - Security Risks

Risk: Complete authentication bypass

  • Severity: CRITICAL if enabled in production
  • Mitigation:
      • Environment variable must be explicitly set to "true" (string comparison)
      • Only works in .env.local files (not checked into git)
      • Highly visible warning logs on startup
      • Backend rejects requests if not enabled (no client-side bypass possible)

Risk: Hardcoded credentials

  • Severity: HIGH if accidentally used in production
  • Mitigation:
      • User email clearly indicates dev environment (dev@systeminit.local)
      • Workspace name "Local Development" is obvious
      • Database user has auth0Id starting with local| (easily identifiable)

🟡 MEDIUM - Operational Risks

Risk: Database pollution in shared environments

  • Severity: MEDIUM
  • Mitigation:
      • Should only be used with local development databases
      • Tiltfile runs db-reset which starts fresh
      • Local user/workspace clearly marked in database

Risk: Environment variable misconfiguration

  • Severity: MEDIUM
  • Mitigation:
      • Variable must be explicitly set (no defaults)
      • Documented as .env.local only (git-ignored)
      • Clear warning in .env files: "DO NOT USE IN PRODUCTION"

Risk: Backend/frontend version mismatch

  • Severity: LOW
  • Mitigation:
      • Frontend gracefully handles 403 from backend
      • No breaking changes to existing auth flow
      • Local mode is additive, not destructive

🟢 LOW - Compatibility Risks

Risk: JWT token format incompatibility

  • Severity: LOW
  • Mitigation:
      • Uses same JWT signing infrastructure as production
      • Same keys from config/keys/dev.jwt_signing_private_key.pem
      • Tokens validated identically by SDF

Risk: Database schema drift

  • Severity: LOW
  • Mitigation:
      • Uses standard Prisma models
      • No schema changes required
      • Local users follow same structure as production users

Production Safety Guarantees

  1. No defaults: LOCAL_AUTH_MODE defaults to undefined, not "true"
  2. String comparison: Code checks === "true" (not truthy check)
  3. Environment file isolation: Only in .env.local (git-ignored)
  4. Startup warnings: Impossible to miss in logs if accidentally enabled
  5. Backend enforcement: Frontend cannot bypass - backend rejects requests
  6. Clear identifiers: Local users/workspaces obviously marked in database

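As an added illustration (not code from this PR or from the System Initiative repository), the following TypeScript sketch models the gate the description lays out: the strict `=== "true"` check on `LOCAL_AUTH_MODE`, the backend handler that answers `403 LocalAuthDisabled` when the mode is off, the `local|{base64(email)}` identifier for the hardcoded user, the startup warning entry, and the frontend fallback that tries `/auth/local-login` once on auth failure and continues with the normal flow on a 403. Every function, type and variable name here is an assumption of the sketch; the environment is passed in as a plain object rather than read from `process.env` so the gate can be exercised offline with constructed inputs.

```typescript
// Added example, not the project's auth-api code. Models the LOCAL_AUTH_MODE
// gate described in the PR; every name below is an assumption of this sketch.

type Env = Record<string, string | undefined>;

export const LOCAL_USER_EMAIL = "dev@systeminit.local";

// Guarantees 1 and 2 from the PR text: no default, and a strict string
// comparison. A truthy check (`if (env.LOCAL_AUTH_MODE)`) would enable the
// mode for "1", "TRUE", "yes" and even the string "false".
export function isLocalAuthMode(env: Env): boolean {
  return env.LOCAL_AUTH_MODE === "true";
}

// The PR's identifier scheme for the local user: local|{base64(email)}.
export function localAuth0Id(email: string): string {
  return `local|${Buffer.from(email, "utf8").toString("base64")}`;
}

// Guarantee 6: local users stay identifiable in the database by their prefix.
export function isLocalUser(auth0Id: string): boolean {
  return auth0Id.startsWith("local|");
}

export interface LocalLoginResponse {
  status: 200 | 403;
  body:
    | { error: "LocalAuthDisabled" }
    | { user: { email: string; auth0Id: string; name: string; nickname: string } };
}

// Guarantee 5: the backend handler for /auth/local-login is the enforcement
// point, so a client cannot opt into local mode on its own.
export function handleLocalLogin(env: Env): LocalLoginResponse {
  if (!isLocalAuthMode(env)) {
    return { status: 403, body: { error: "LocalAuthDisabled" } };
  }
  return {
    status: 200,
    body: {
      user: {
        email: LOCAL_USER_EMAIL,
        auth0Id: localAuth0Id(LOCAL_USER_EMAIL),
        name: "Local Developer",
        nickname: "localdev",
      },
    },
  };
}

// Guarantee 4: the startup warning, shaped like the log entry in the PR text.
export interface LocalAuthLog {
  level: "warn";
  type: "local-auth";
  message: string;
  details: string;
}

export function startupWarning(env: Env): LocalAuthLog | null {
  if (!isLocalAuthMode(env)) return null;
  return {
    level: "warn",
    type: "local-auth",
    message: "🔧🔧🔧 LOCAL AUTH MODE ENABLED 🔧🔧🔧",
    details: "Auth0 is BYPASSED - DO NOT USE IN PRODUCTION",
  };
}

// Frontend side of "Auto-Detection": after an auth failure, try the local
// endpoint once; a 403 means the backend is not in local mode, so the client
// continues with the regular Auth0 flow. `localLogin` stands in for the HTTP call.
export function recoverFromAuthFailure(
  localLogin: () => LocalLoginResponse,
): "local" | "auth0" {
  const res = localLogin();
  return res.status === 200 && "user" in res.body ? "local" : "auth0";
}

// Stand-alone demonstration with constructed environments.
const devEnv: Env = { LOCAL_AUTH_MODE: "true" };
const prodEnv: Env = {};
console.log(startupWarning(devEnv)); // the warning object
console.log(startupWarning(prodEnv)); // null
console.log(recoverFromAuthFailure(() => handleLocalLogin(devEnv))); // "local"
console.log(recoverFromAuthFailure(() => handleLocalLogin(prodEnv))); // "auth0"
```

The point worth checking in review is the first function: because the comparison is against the exact string `"true"`, values that a shell, a Docker Compose file or a CI variable might coerce (`1`, `TRUE`, `yes`) leave the mode off, and an absent variable is indistinguishable from a disabled one. Anything that logs `startupWarning()` output at boot gives operators a single grep target (`"type": "local-auth"`) for spotting a misconfigured deployment.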
@github-actions

Dependency Review

✅ No vulnerabilities or OpenSSF Scorecard issues found.

Scanned Files

None

@johnrwatson johnrwatson self-requested a review January 26, 2026 22:40
@stack72 stack72 merged commit 59c7489 into main Jan 26, 2026
5 of 6 checks passed
@stack72 stack72 deleted the local-dev-without-auth0 branch January 26, 2026 22:41