From 9ac88d921c55c3b3f61fd8855dc63c21db49b706 Mon Sep 17 00:00:00 2001
From: Kenneth <kenneth@nym.sh>
Date: Mon, 16 Mar 2026 00:12:11 +0000
Subject: [PATCH] fix(backend): remove dev auth bypass (#78)

Always register auth handlers and use requireSession
regardless of NODE_ENV.

Co-authored-by: Ona <no-reply@ona.com>
---
 apps/aelis-backend/src/server.ts | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/apps/aelis-backend/src/server.ts b/apps/aelis-backend/src/server.ts
index ca03828..68eef07 100644
--- a/apps/aelis-backend/src/server.ts
+++ b/apps/aelis-backend/src/server.ts
@@ -2,7 +2,7 @@ import { LocationSource } from "@aelis/source-location"
 import { Hono } from "hono"
 
 import { registerAuthHandlers } from "./auth/http.ts"
-import { mockAuthSessionMiddleware, requireSession } from "./auth/session-middleware.ts"
+import { requireSession } from "./auth/session-middleware.ts"
 import { registerFeedHttpHandlers } from "./engine/http.ts"
 import { createFeedEnhancer } from "./enhancement/enhance-feed.ts"
 import { createLlmClient } from "./enhancement/llm-client.ts"
@@ -43,16 +43,11 @@ function main() {
 
 	app.get("/health", (c) => c.json({ status: "ok" }))
 
-	const isDev = process.env.NODE_ENV !== "production"
-	const authSessionMiddleware = isDev ? mockAuthSessionMiddleware("dev-user") : requireSession
-
-	if (!isDev) {
-		registerAuthHandlers(app)
-	}
+	registerAuthHandlers(app)
 
 	registerFeedHttpHandlers(app, {
 		sessionManager,
-		authSessionMiddleware,
+		authSessionMiddleware: requireSession,
 	})
 	registerLocationHttpHandlers(app, { sessionManager })