From c37e6888e249b18db4150c010086828e2e2f2d87 Mon Sep 17 00:00:00 2001
From: Vadym Samoilenko <vadymsamoilenko@oliver.agency>
Date: Sat, 28 Mar 2026 20:19:22 +0000
Subject: [PATCH] Add DEV_AUTH_BYPASS env var to skip SSO in local dev

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .env.example                       | 3 +++
 backend/app/middleware/auth.py     | 3 +++
 docker-compose.yml                 | 1 +
 frontend/src/api/client.ts         | 2 ++
 frontend/src/auth/AuthProvider.tsx | 3 +++
 5 files changed, 12 insertions(+)

diff --git a/.env.example b/.env.example
index 805cfc5..5dc9385 100644
--- a/.env.example
+++ b/.env.example
@@ -2,6 +2,9 @@ POSTGRES_PASSWORD=your_strong_password_here
 ANTHROPIC_API_KEY=your-anthropic-api-key
 AZURE_TENANT_ID=your-azure-tenant-id
 AZURE_CLIENT_ID=your-azure-client-id
+# Set to true to skip SSO in local dev (never use in production)
+DEV_AUTH_BYPASS=
+VITE_DEV_AUTH_BYPASS=
 # Absolute path to the directory containing the GMAL Excel file
 # Defaults to ./data (relative to repo) if not set
 DATA_DIR=/var/www/html/gmal-scope-builder/data
diff --git a/backend/app/middleware/auth.py b/backend/app/middleware/auth.py
index 1caaec5..77a0e1e 100644
--- a/backend/app/middleware/auth.py
+++ b/backend/app/middleware/auth.py
@@ -34,6 +34,9 @@ def _get_jwks() -> dict:
 async def get_current_user(
     credentials: HTTPAuthorizationCredentials | None = Depends(bearer_scheme),
 ) -> dict:
+    if os.environ.get("DEV_AUTH_BYPASS", "").lower() in ("1", "true", "yes"):
+        return {"oid": "dev-user", "name": "Dev User", "email": "dev@localhost"}
+
     if credentials is None:
         raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Not authenticated")
 
diff --git a/docker-compose.yml b/docker-compose.yml
index f170365..81267a9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -26,6 +26,7 @@ services:
       ANTHROPIC_API_KEY: ${ANTHROPIC_API_KEY}
       AZURE_TENANT_ID: ${AZURE_TENANT_ID}
       AZURE_CLIENT_ID: ${AZURE_CLIENT_ID}
+      DEV_AUTH_BYPASS: ${DEV_AUTH_BYPASS:-}
     ports:
       - "127.0.0.1:8002:8000"
     volumes:
diff --git a/frontend/src/api/client.ts b/frontend/src/api/client.ts
index d742c52..90f8eda 100644
--- a/frontend/src/api/client.ts
+++ b/frontend/src/api/client.ts
@@ -6,6 +6,8 @@ const api = axios.create({
 });
 
 api.interceptors.request.use(async (config) => {
+  if (import.meta.env.VITE_DEV_AUTH_BYPASS === 'true') return config;
+
   const accounts = msalInstance.getAllAccounts();
   if (accounts.length === 0) return config;
 
diff --git a/frontend/src/auth/AuthProvider.tsx b/frontend/src/auth/AuthProvider.tsx
index c965b0f..4b8bc80 100644
--- a/frontend/src/auth/AuthProvider.tsx
+++ b/frontend/src/auth/AuthProvider.tsx
@@ -50,6 +50,9 @@ function RedirectHandler({ children }: { children: React.ReactNode }) {
 }
 
 export function AuthProvider({ children }: { children: React.ReactNode }) {
+  if (import.meta.env.VITE_DEV_AUTH_BYPASS === 'true') {
+    return <>{children}</>;
+  }
   return (
     <MsalProvider instance={msalInstance}>
       <RedirectHandler>{children}</RedirectHandler>