No dev-only auth bypass patterns
Why it matters
Auth bypass patterns collapse the entire authentication model to a single HTTP header, query parameter, or magic email suffix. Any client that knows the bypass — or that fuzzes common header names — gains admin privileges with no credentials. This is CWE-489 (Active Debug Code) combined with OWASP A07:2021 (Identification and Authentication Failures) and CWE-287 (Improper Authentication): code that was added for local convenience becomes a permanent privilege escalation vector. Unlike other patterns, even a NODE_ENV === 'development' guard does not neutralize the risk — environment variables are routinely misconfigured in staging and CI.
Severity rationale
High because any request crafted to match the bypass condition — a header, query string, or email suffix — immediately grants admin access with no other credential required.
Remediation
Delete the bypass entirely. There is no safe way to keep it in non-test code. In src/middleware.ts (or wherever the pattern lives), remove the conditional and replace it with a standard session check:
// Remove this:
if (req.headers['x-bypass-auth']) {
return { user: { role: 'admin' } }
}
// Keep only this:
const session = await getSession(req)
if (!session?.user) {
return Response.json({ error: 'Unauthorized' }, { status: 401 })
}
For local development testing, create a proper seed user in your database with a known password and log in through the real auth flow. Use test-specific accounts in *.test.ts files — never bypass logic in production source paths.
Detection
- ID: dev-only-auth-bypass
- Severity: high
- What to look for: Walk all source files for auth-bypass patterns. Count all occurrences of these exact patterns:
  - if (email === 'admin') return true
  - if (password === 'admin') ...
  - if (X === 'bypass') ...
  - if (X === 'skip-auth') ...
  - if (req.headers['x-bypass-auth']) ...
  - if (req.query.admin === 'true') ...
  - if (email.endsWith('@internal.com')) return true
  - if (ip === '127.0.0.1') return { isAdmin: true }
  Also count any function named bypassAuth, skipAuth, fakeLogin, mockLogin, debugAuth, devAuth. EXCLUDE matches inside files named *.test.*, *.spec.*, or under __tests__/.
- Pass criteria: 0 auth-bypass patterns in non-test source files. Report: "Scanned X source files, 0 auth bypasses found."
- Fail criteria: At least 1 source file contains an auth-bypass pattern.
- Do NOT pass when: The bypass is inside an if (NODE_ENV === 'development') block — even conditional dev-only bypasses are dangerous because NODE_ENV can be misconfigured in staging or accidentally set to development in production.
- Skip (N/A) when: Project has 0 source files.
- Cross-reference: For comprehensive auth security analysis, the Security Hardening audit (security-hardening) covers authentication patterns in depth.
- Detail on fail: "1 auth bypass: 'if (req.headers[\"x-bypass-auth\"]) return { user: { role: \"admin\" } }' in src/middleware.ts line 23. This bypasses all authentication if a header is set."
- Remediation: Auth bypasses are the single most dangerous AI-generated pattern — they let any request claim admin privileges. Remove them completely, even if they're "only for development":
  // Bad: header-based bypass
  if (req.headers['x-bypass-auth']) {
    return { user: { role: 'admin' } }
  }
  // Good: use a real test account in dev
  // And restrict auth to the real session lookup
  const session = await getSession(req)
  if (!session) {
    return Response.json({ error: 'Unauthorized' }, { status: 401 })
  }
  For local development testing, create a proper test user in the database and log in normally.
External references
- cwe · CWE-489 — Active Debug Code
- cwe · CWE-287 — Improper Authentication
- owasp:2021 · A07 — Identification and Authentication Failures
History
- 2026-04-18 · v1.0.0 · Initial import from ai-slop-half-finished · automated