A NODE_ENV !== 'production' shortcut that returns a mock admin user looks harmless until NODE_ENV is set wrong on a preview deployment, a Docker rebuild, or a container image promoted from staging to prod without its env file — at which point the auth code hands out admin sessions to anonymous requests. AI coding tools reach for these shortcuts when the developer says "let me skip login while I build the settings page," and the resulting code stays in the tree because it works correctly as long as NODE_ENV is what it should be. The same risk covers hardcoded admin@test.com fallbacks and SKIP_AUTH env flags: each creates a path to administrative access that a configuration mistake can open without any code change going through review.
Severity is medium because exploitation requires a secondary environment-variable misconfiguration rather than direct request crafting; when that misconfiguration does happen, the consequence is full auth bypass.
Remove the bypass entirely. If you need a dev-mode user, seed a real test account in your dev database instead of branching auth logic on env vars.
Deeper remediation guidance and cross-reference coverage for this check lives in the saas-authentication Pro audit — run that after applying this fix for a more exhaustive pass on the same topic.
ID: project-snapshot.auth-access.no-debug-bypass
Severity: medium
Patterns: if (process.env.NODE_ENV !== 'production') return mockUser; if (process.env.SKIP_AUTH); if (process.env.NEXT_PUBLIC_DEV_MODE); hardcoded admin emails ('admin@admin.com', 'test@test.com') used as auth fallback. Count each match.
Note: NODE_ENV === 'development' is no safer: production still inherits the conditional and a misconfigured env can flip the gate.
Pass: "Auth files scanned: N; bypass patterns matched: 0."
Fail: "Auth bypass found in src/lib/auth.ts: returns mockUser when NODE_ENV !== 'production'"
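The check above, implemented as an added example (not the audit tool's own code): a small scanner that looks for the listed bypass patterns in auth source text, counts each match, and renders the pass/fail messages. The regexes, the scanAuthSource/report function names, and the sample auth.ts content are constructed for illustration.

```javascript
// Patterns from the check: env-gated returns, SKIP_AUTH / NEXT_PUBLIC_DEV_MODE
// flags, and hardcoded admin emails. The NODE_ENV regex deliberately matches
// both !== 'production' and === 'development', since production inherits either.
const BYPASS_PATTERNS = [
  { id: 'node-env-gate',   re: /process\.env\.NODE_ENV\s*(!==|===|!=|==)\s*['"](production|development)['"]/ },
  { id: 'skip-auth-flag',  re: /process\.env\.SKIP_AUTH\b/ },
  { id: 'dev-mode-flag',   re: /process\.env\.NEXT_PUBLIC_DEV_MODE\b/ },
  // Flags any occurrence of the known test addresses; triage whether it is an auth fallback.
  { id: 'hardcoded-admin', re: /['"](admin@admin\.com|test@test\.com)['"]/ },
];

// Scan one file's text and return one finding per matching line (each match counted).
function scanAuthSource(path, source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const { id, re } of BYPASS_PATTERNS) {
      if (re.test(line)) findings.push({ path, line: i + 1, pattern: id, text: line.trim() });
    }
  });
  return findings;
}

// Render results in the pass/fail shape the check uses.
function report(results) {
  const all = results.flatMap(r => r.findings);
  if (all.length === 0) return `Auth files scanned: ${results.length}; bypass patterns matched: 0.`;
  return all.map(f => `Auth bypass found in ${f.path}:${f.line}: ${f.text}`).join('\n');
}

// Constructed sample: the kind of dev shortcut the check is meant to catch.
const SAMPLE_AUTH_TS = `
import { getSession } from './session';
const mockUser = { id: 'dev', email: 'admin@admin.com', role: 'admin' };
export async function currentUser(req) {
  if (process.env.NODE_ENV !== 'production') return mockUser;
  if (process.env.SKIP_AUTH) return mockUser;
  return getSession(req);
}`;

function runSample() {
  return scanAuthSource('src/lib/auth.ts', SAMPLE_AUTH_TS);
}

console.log(report([{ path: 'src/lib/auth.ts', findings: runSample() }]));
```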