Auth bypass patterns collapse the entire authentication model to a single HTTP header, query parameter, or magic email suffix. Any client that knows the bypass — or that fuzzes common header names — gains admin privileges with no credentials. This is CWE-489 (Active Debug Code) combined with OWASP A07:2021 (Identification and Authentication Failures) and CWE-287 (Improper Authentication): code that was added for local convenience becomes a permanent privilege escalation vector. Unlike other patterns, even a NODE_ENV === 'development' guard does not neutralize the risk — environment variables are routinely misconfigured in staging and CI.
High because any request crafted to match the bypass condition — a header, query string, or email suffix — immediately grants admin access with no other credential required.
Delete the bypass entirely. There is no safe way to keep it in non-test code. In src/middleware.ts (or wherever the pattern lives), remove the conditional and replace it with a standard session check:
// Remove this:
if (req.headers['x-bypass-auth']) {
  return { user: { role: 'admin' } }
}

// Keep only this:
const session = await getSession(req)
if (!session?.user) {
  return Response.json({ error: 'Unauthorized' }, { status: 401 })
}
For local development testing, create a proper seed user in your database with a known password and log in through the real auth flow. Use test-specific accounts in *.test.ts files; never put bypass logic in production source paths.
ID: ai-slop-half-finished.incomplete-impl.dev-only-auth-bypass
Severity: high
What to look for: Walk all source files for auth-bypass patterns. Count all occurrences of these exact patterns: if (email === 'admin') return true, if (password === 'admin') ..., if (X === 'bypass') ..., if (X === 'skip-auth') ..., if (req.headers['x-bypass-auth']) ..., if (req.query.admin === 'true') ..., if (email.endsWith('@internal.com')) return true, if (ip === '127.0.0.1') return { isAdmin: true }. Also count any function named bypassAuth, skipAuth, fakeLogin, mockLogin, debugAuth, devAuth. EXCLUDE matches inside files named *.test.*, *.spec.*, or under __tests__/.
Pass criteria: 0 auth-bypass patterns in non-test source files. Report: "Scanned X source files, 0 auth bypasses found."
Fail criteria: At least 1 source file contains an auth-bypass pattern.
Do NOT pass when: The bypass is inside an if (NODE_ENV === 'development') block. Even conditional dev-only bypasses are dangerous because NODE_ENV can be misconfigured in staging or accidentally set to development in production.
Skip (N/A) when: Project has 0 source files.
Cross-reference: For comprehensive auth security analysis, the Security Hardening audit (security-hardening) covers authentication patterns in depth.
Detail on fail: "1 auth bypass: 'if (req.headers[\"x-bypass-auth\"]) return { user: { role: \"admin\" } }' in src/middleware.ts line 23. This bypasses all authentication if a header is set."
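Added example, not part of this audit rule's own tooling: a minimal TypeScript scanner that applies the pattern list above to in-memory source files, excludes *.test.*, *.spec.* and __tests__/ files as the rule requires, and still reports a bypass sitting under a NODE_ENV === 'development' guard. The file contents are constructed, and the function names findAuthBypasses, isTestFile and report are assumptions of this example.

```typescript
// Added example: applies this rule's bypass patterns to in-memory files.
interface SourceFile { path: string; content: string }
interface Finding { path: string; line: number; match: string }

// Regexes mirroring the exact patterns listed in "What to look for".
const BYPASS_PATTERNS: RegExp[] = [
  /if\s*\(\s*email\s*===\s*'admin'\s*\)/,
  /if\s*\(\s*password\s*===\s*'admin'\s*\)/,
  /===\s*'(bypass|skip-auth)'/,
  /req\.headers\[\s*['"]x-bypass-auth['"]\s*\]/,
  /req\.query\.admin\s*===\s*'true'/,
  /email\.endsWith\(\s*'@internal\.com'\s*\)/,
  /ip\s*===\s*'127\.0\.0\.1'/,
  /\b(bypassAuth|skipAuth|fakeLogin|mockLogin|debugAuth|devAuth)\s*\(/,
];

// Test files are out of scope; everything else is scanned, including
// code wrapped in a NODE_ENV guard (the rule says that still fails).
function isTestFile(path: string): boolean {
  return /\.(test|spec)\./.test(path) || /(^|\/)__tests__\//.test(path);
}

function findAuthBypasses(files: SourceFile[]): Finding[] {
  const findings: Finding[] = [];
  for (const f of files) {
    if (isTestFile(f.path)) continue;
    f.content.split('\n').forEach((text, i) => {
      if (BYPASS_PATTERNS.some((re) => re.test(text))) {
        findings.push({ path: f.path, line: i + 1, match: text.trim() });
      }
    });
  }
  return findings;
}

// Produces the pass report string from the rule, or one line per finding.
function report(files: SourceFile[]): string {
  const scanned = files.filter((f) => !isTestFile(f.path)).length;
  const hits = findAuthBypasses(files);
  if (hits.length === 0) return `Scanned ${scanned} source files, 0 auth bypasses found.`;
  return hits.map((h) => `auth bypass: '${h.match}' in ${h.path} line ${h.line}`).join('\n');
}

// Constructed sample inputs (not real project files).
const SAMPLE_FILES: SourceFile[] = [
  { path: 'src/middleware.ts', content: "export async function auth(req) {\n  if (req.headers['x-bypass-auth']) {\n    return { user: { role: 'admin' } }\n  }\n}" },
  { path: 'src/login.ts', content: "if (process.env.NODE_ENV === 'development') {\n  if (email.endsWith('@internal.com')) return true\n}" },
  { path: '__tests__/auth.test.ts', content: "if (email === 'admin') return true" },
];
```

Running report(SAMPLE_FILES) lists the middleware header bypass and the guarded email-suffix bypass, and ignores the test file.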
Remediation: Auth bypasses are the single most dangerous AI-generated pattern — they let any request claim admin privileges. Remove them completely, even if they're "only for development":
// Bad: header-based bypass
if (req.headers['x-bypass-auth']) {
  return { user: { role: 'admin' } }
}

// Good: use a real test account in dev
// and restrict auth to the real session lookup
const session = await getSession(req)
if (!session) {
  return Response.json({ error: 'Unauthorized' }, { status: 401 })
}
For local development testing, create a proper test user in the database and log in normally.