This repository was archived by the owner on Feb 6, 2026. It is now read-only.
# feat(auth-stack): Local Auth Mode for Development #8339
Status: Merged
Implements a local-only authentication mode that completely bypasses Auth0 for local development. This eliminates the need for Auth0 credentials, internet connectivity, and the full onboarding flow, enabling developers to start working immediately with a single environment variable.
### Motivation
Previously, local development required:
- Auth0 credentials (client ID, client secret, M2M credentials)
- Internet connectivity to reach Auth0 APIs
- Email verification via Auth0
- Terms of Service acceptance
- Full onboarding flow (provider selection, AI agent setup)
This created friction for:
- Offline development scenarios
- CI/CD pipelines
- Quick iteration cycles
### Complete Local Auth Flow
✅ Zero Auth0 interaction
✅ Auto-authentication (no login form)
✅ Auto-workspace creation
✅ Skip email verification
✅ Skip ToS acceptance
✅ Skip profile completion
✅ Skip onboarding modal
✅ Instant workspace access
### Implementation
Single Configuration Variable:
```
LOCAL_AUTH_MODE=true # in bin/auth-api/.env.local
```
Hardcoded Local User:
- Email: dev@systeminit.local
- Name: Local Developer
- Nickname: localdev
- Auth0 ID: local|{base64(email)} (for uniqueness)
Auto-Provisioned Workspace:
- Name: "Local Development"
- URL: http://localhost:8080
- Type: LOCAL
- User Role: OWNER
Bypasses:
- ✅ Auth0 OAuth flow
- ✅ Email verification checks
- ✅ Terms of Service acceptance
- ✅ Onboarding flow (provider + AI agent setup)
- ✅ Profile completion requirement
### Security & Logging
Comprehensive Logging:
All local auth operations are logged with the 🔧 emoji and `type: "local-auth"`:
```
{
"level": "warn",
"type": "local-auth",
"message": "🔧🔧🔧 LOCAL AUTH MODE ENABLED 🔧🔧🔧",
"details": "Auth0 is BYPASSED - DO NOT USE IN PRODUCTION"
}
```
Auto-Detection:
Frontend auto-detects local mode by attempting `/auth/local-login` on auth failure. Backend rejects with `403 LocalAuthDisabled` if `LOCAL_AUTH_MODE != true`.
### Risk Assessment
🔴 CRITICAL - Security Risks

Risk: Complete authentication bypass
- Severity: CRITICAL if enabled in production
- Mitigation:
  - Environment variable must be explicitly set to "true" (string comparison)
  - Only works in .env.local files (not checked into git)
  - Highly visible warning logs on startup
  - Backend rejects requests if not enabled (no client-side bypass possible)

Risk: Hardcoded credentials
- Severity: HIGH if accidentally used in production
- Mitigation:
  - User email clearly indicates dev environment (dev@systeminit.local)
  - Workspace name "Local Development" is obvious
  - Database user has auth0Id starting with `local|` (easily identifiable)

🟡 MEDIUM - Operational Risks

Risk: Database pollution in shared environments
- Severity: MEDIUM
- Mitigation:
  - Should only be used with local development databases
  - Tiltfile runs db-reset which starts fresh
  - Local user/workspace clearly marked in database

Risk: Environment variable misconfiguration
- Severity: MEDIUM
- Mitigation:
  - Variable must be explicitly set (no defaults)
  - Documented as .env.local only (git-ignored)
  - Clear warning in .env files: "DO NOT USE IN PRODUCTION"

Risk: Backend/frontend version mismatch
- Severity: LOW
- Mitigation:
  - Frontend gracefully handles 403 from backend
  - No breaking changes to existing auth flow
  - Local mode is additive, not destructive

🟢 LOW - Compatibility Risks

Risk: JWT token format incompatibility
- Severity: LOW
- Mitigation:
  - Uses same JWT signing infrastructure as production
  - Same keys from config/keys/dev.jwt_signing_private_key.pem
  - Tokens validated identically by SDF

Risk: Database schema drift
- Severity: LOW
- Mitigation:
  - Uses standard Prisma models
  - No schema changes required
  - Local users follow same structure as production users
### Production Safety Guarantees
1. No defaults: LOCAL_AUTH_MODE defaults to undefined, not "true"
2. String comparison: Code checks === "true" (not truthy check)
3. Environment file isolation: Only in .env.local (git-ignored)
4. Startup warnings: Impossible to miss in logs if accidentally enabled
5. Backend enforcement: Frontend cannot bypass - backend rejects requests
6. Clear identifiers: Local users/workspaces obviously marked in database
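The `/auth/local-login` gate from the Auto-Detection section and guarantees 1 and 2 above, as an added TypeScript example that is not the PR's own code: a framework-free model of the backend decision (`isLocalAuthEnabled`, `buildLocalUser`, `localLoginHandler` and the `LocalAuthResult` shape are assumed names), showing why `=== "true"` rejects values a plain truthy check would accept and that only the server's own environment, never the request, can enable the bypass.

```typescript
// Added example, not the PR's code. Assumed names: isLocalAuthEnabled,
// buildLocalUser, localLoginHandler, LocalAuthResult.
type Env = Record<string, string | undefined>;

// Guarantees 1 and 2: LOCAL_AUTH_MODE is undefined unless set, and only the
// exact string "true" enables the mode. A truthy check (`if (env.LOCAL_AUTH_MODE)`)
// would also accept "1", "yes", "TRUE" or even "false"; strict comparison does not.
function isLocalAuthEnabled(env: Env): boolean {
  return env.LOCAL_AUTH_MODE === "true";
}

interface LocalUser {
  email: string; name: string; nickname: string; auth0Id: string;
}

// The hardcoded local user; auth0Id is local|base64(email), so every local
// record is unique and easy to spot in the database by its "local|" prefix.
function buildLocalUser(): LocalUser {
  const email = "dev@systeminit.local";
  return {
    email,
    name: "Local Developer",
    nickname: "localdev",
    auth0Id: `local|${Buffer.from(email, "utf8").toString("base64")}`,
  };
}

interface LocalAuthResult {
  status: number;
  body: Record<string, unknown>;
}

// Backend side of /auth/local-login. The frontend probes this route when normal
// auth fails; nothing in the request can flip the decision, only the server's
// environment. The warn log is emitted only when the bypass is actually live.
function localLoginHandler(env: Env, log: (entry: object) => void): LocalAuthResult {
  if (!isLocalAuthEnabled(env)) {
    return { status: 403, body: { error: "LocalAuthDisabled" } };
  }
  log({ level: "warn", type: "local-auth", message: "LOCAL AUTH MODE ENABLED",
        details: "Auth0 is BYPASSED - DO NOT USE IN PRODUCTION" });
  const user = buildLocalUser();
  const workspace = { name: "Local Development", url: "http://localhost:8080", type: "LOCAL", role: "OWNER" };
  return { status: 200, body: { user, workspace } };
}
```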
johnrwatson approved these changes on Jan 26, 2026.