feat(backend): bypass auth in development

Use mockAuthSessionMiddleware with a fully populated dev user when NODE_ENV is not production. Auth handlers are only registered in production. Co-authored-by: Ona <no-reply@ona.com>
2026-03-20 09:01:19 +00:00 · 2026-03-11 00:19:15 +00:00
2 changed files with 38 additions and 6 deletions
--- a/apps/aelis-backend/src/auth/session-middleware.ts
+++ b/apps/aelis-backend/src/auth/session-middleware.ts
@@ -61,7 +61,7 @@ export async function getSessionFromHeaders(
 }
 /**
- * Test-only middleware that injects a fake user and session.
+ * Dev/test middleware that injects a fake user and session.
 * Pass userId to simulate an authenticated request, or omit to get 401.
 */
 export function mockAuthSessionMiddleware(userId?: string): AuthSessionMiddleware {
@@ -69,8 +69,34 @@ export function mockAuthSessionMiddleware(userId?: string): AuthSessionMiddlewar
 		if (!userId) {
 			return c.json({ error: "Unauthorized" }, 401)
 		}
-		c.set("user", { id: userId } as AuthUser)
+
-		c.set("session", { id: "mock-session" } as AuthSession)
+		const now = new Date()
 		const expiresAt = new Date(now.getTime() + 7 * 24 * 60 * 60 * 1000)
 		const user: AuthUser = {
 			id: "k7Gx2mPqRvNwYs9TdLfA4bHcJeUo1iZn",
 			name: "Dev User",
 			email: "dev@aelis.local",
 			emailVerified: true,
 			image: null,
 			createdAt: now,
 			updatedAt: now,
 		}
 		const session: AuthSession = {
 			id: "Wt3FvBpXaQrMhD8sKjE6LcYn0gUz5iRo",
 			userId: "k7Gx2mPqRvNwYs9TdLfA4bHcJeUo1iZn",
 			token: "Vb9CxNfRm2KwQs7TjPeA5dLhYg0UoZi4",
 			expiresAt,
 			ipAddress: "127.0.0.1",
 			userAgent: "aelis-dev",
 			createdAt: now,
 			updatedAt: now,
 		}
 		c.set("user", user)
 		c.set("session", session)
 		await next()
 	}
 }
--- a/apps/aelis-backend/src/server.ts
+++ b/apps/aelis-backend/src/server.ts
@@ -2,7 +2,7 @@ import { LocationSource } from "@aelis/source-location"
 import { Hono } from "hono"
 import { registerAuthHandlers } from "./auth/http.ts"
-import { requireSession } from "./auth/session-middleware.ts"
+import { mockAuthSessionMiddleware, requireSession } from "./auth/session-middleware.ts"
 import { createFeedEnhancer } from "./enhancement/enhance-feed.ts"
 import { createLlmClient } from "./enhancement/llm-client.ts"
 import { registerFeedHttpHandlers } from "./feed/http.ts"
@@ -43,10 +43,16 @@ function main() {
 	app.get("/health", (c) => c.json({ status: "ok" }))
-	registerAuthHandlers(app)
+	const isDev = process.env.NODE_ENV !== "production"
 	const authSessionMiddleware = isDev ? mockAuthSessionMiddleware("dev-user") : requireSession
 	if (!isDev) {
 		registerAuthHandlers(app)
 	}
 	registerFeedHttpHandlers(app, {
 		sessionManager,
-		authSessionMiddleware: requireSession,
+		authSessionMiddleware,
 	})
 	registerLocationHttpHandlers(app, { sessionManager })