feat: remove login/password wall, revert allowDangerouslySkipPermissions to false

liuyixin-louis · claude · liuyixin-louis · commit 63d5a3b02db8 · 2026-02-26T17:56:38.000-05:00
- Backend middleware now always uses the first DB user (auto-creates
  a default user on fresh installs) instead of requiring JWT tokens
- Auth status endpoint always returns needsSetup:false
- Frontend AuthContext skips login/register, treats user as logged in
- ProtectedRoute no longer gates on login/setup
- WebSocket connects without token
- Revert allowDangerouslySkipPermissions back to false

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/server/claude-sdk.js b/server/claude-sdk.js
@@ -148,7 +148,7 @@ function mapCliOptionsToSDK(options = {}) {
   // Skip the interactive trust/bypass-permissions dialogs that the CLI shows on
   // first launch in a new directory.  These Ink prompts require a TTY and will
   // hang when the SDK is used headlessly from a server process.
-  sdkOptions.allowDangerouslySkipPermissions = true;
+  sdkOptions.allowDangerouslySkipPermissions = false;
 
   // Map tool settings
   const settings = toolsSettings || {
diff --git a/server/index.js b/server/index.js
@@ -330,36 +330,13 @@ function shouldAutoOpenUrlFromOutput(value = '') {
 const wss = new WebSocketServer({
     server,
     verifyClient: (info) => {
-        console.log('WebSocket connection attempt to:', info.req.url);
-
-        // Platform mode: always allow connection
-        if (IS_PLATFORM) {
-            const user = authenticateWebSocket(null); // Will return first user
-            if (!user) {
-                console.log('[WARN] Platform mode: No user found in database');
-                return false;
-            }
-            info.req.user = user;
-            console.log('[OK] Platform mode WebSocket authenticated for user:', user.username);
-            return true;
-        }
-
-        // Normal mode: verify token
-        // Extract token from query parameters or headers
-        const url = new URL(info.req.url, 'http://localhost');
-        const token = url.searchParams.get('token') ||
-            info.req.headers.authorization?.split(' ')[1];
-
-        // Verify token
-        const user = authenticateWebSocket(token);
+        // Auth wall disabled — always allow and attach default user
+        const user = authenticateWebSocket(null);
         if (!user) {
-            console.log('[WARN] WebSocket authentication failed');
+            console.log('[WARN] No user found in database for WebSocket');
             return false;
         }
-
-        // Store user info in the request for later use
         info.req.user = user;
-        console.log('[OK] WebSocket authenticated for user:', user.username);
         return true;
     }
 });
diff --git a/server/middleware/auth.js b/server/middleware/auth.js
@@ -20,49 +20,19 @@ const validateApiKey = (req, res, next) => {
 };
 
 // JWT authentication middleware
+// Auth wall is disabled — always use the single default user.
 const authenticateToken = async (req, res, next) => {
-  // Platform mode:  use single database user
-  if (IS_PLATFORM) {
-    try {
-      const user = userDb.getFirstUser();
-      if (!user) {
-        return res.status(500).json({ error: 'Platform mode: No user found in database' });
-      }
-      req.user = user;
-      return next();
-    } catch (error) {
-      console.error('Platform mode error:', error);
-      return res.status(500).json({ error: 'Platform mode: Failed to fetch user' });
-    }
-  }
-
-  // Normal OSS JWT validation
-  const authHeader = req.headers['authorization'];
-  let token = authHeader && authHeader.split(' ')[1]; // Bearer TOKEN
-
-  // Also check query param for SSE endpoints (EventSource can't set headers)
-  if (!token && req.query.token) {
-    token = req.query.token;
-  }
-
-  if (!token) {
-    return res.status(401).json({ error: 'Access denied. No token provided.' });
-  }
-
   try {
-    const decoded = jwt.verify(token, JWT_SECRET);
-
-    // Verify user still exists and is active
-    const user = userDb.getUserById(decoded.userId);
+    let user = userDb.getFirstUser();
     if (!user) {
-      return res.status(401).json({ error: 'Invalid token. User not found.' });
+      // Auto-create a default user on first access
+      user = ensureDefaultUser();
     }
-
     req.user = user;
-    next();
+    return next();
   } catch (error) {
-    console.error('Token verification error:', error);
-    return res.status(403).json({ error: 'Invalid token' });
+    console.error('Auth middleware error:', error);
+    return res.status(500).json({ error: 'Failed to resolve user' });
   }
 };
 
@@ -78,32 +48,26 @@ const generateToken = (user) => {
   );
 };
 
-// WebSocket authentication function
-const authenticateWebSocket = (token) => {
-  // Platform mode: bypass token validation, return first user
-  if (IS_PLATFORM) {
-    try {
-      const user = userDb.getFirstUser();
-      if (user) {
-        return { userId: user.id, username: user.username };
-      }
-      return null;
-    } catch (error) {
-      console.error('Platform mode WebSocket error:', error);
-      return null;
-    }
-  }
-
-  // Normal OSS JWT validation
-  if (!token) {
-    return null;
-  }
+// Auto-create a default user if the database is empty
+function ensureDefaultUser() {
+  const placeholder = '$2b$12$placeholder.hash.not.used.for.login';
+  const created = userDb.createUser('default', placeholder);
+  // Mark onboarding as complete so the user goes straight to the app
+  userDb.completeOnboarding(created.id);
+  return userDb.getUserById(created.id);
+}
 
+// WebSocket authentication function
+// Auth wall is disabled — always return the default user.
+const authenticateWebSocket = (_token) => {
   try {
-    const decoded = jwt.verify(token, JWT_SECRET);
-    return decoded;
+    let user = userDb.getFirstUser();
+    if (!user) {
+      user = ensureDefaultUser();
+    }
+    return { userId: user.id, username: user.username };
   } catch (error) {
-    console.error('WebSocket token verification error:', error);
+    console.error('WebSocket auth error:', error);
     return null;
   }
 };
diff --git a/server/routes/auth.js b/server/routes/auth.js
@@ -5,18 +5,12 @@ import { generateToken, authenticateToken } from '../middleware/auth.js';
 
 const router = express.Router();
 
-// Check auth status and setup requirements
+// Check auth status — auth wall is disabled, never require setup
 router.get('/status', async (req, res) => {
-  try {
-    const hasUsers = await userDb.hasUsers();
-    res.json({ 
-      needsSetup: !hasUsers,
-      isAuthenticated: false // Will be overridden by frontend if token exists
-    });
-  } catch (error) {
-    console.error('Auth status error:', error);
-    res.status(500).json({ error: 'Internal server error' });
-  }
+  res.json({
+    needsSetup: false,
+    isAuthenticated: true
+  });
 });
 
 // User registration (setup) - only allowed if no users exist
diff --git a/src/components/ProtectedRoute.jsx b/src/components/ProtectedRoute.jsx
@@ -26,32 +26,13 @@ const LoadingScreen = () => (
 );
 
 const ProtectedRoute = ({ children }) => {
-  const { user, isLoading, needsSetup, hasCompletedOnboarding, refreshOnboardingStatus } = useAuth();
-
-  if (IS_PLATFORM) {
-    if (isLoading) {
-      return <LoadingScreen />;
-    }
-
-    if (!hasCompletedOnboarding) {
-      return <Onboarding onComplete={refreshOnboardingStatus} />;
-    }
-
-    return children;
-  }
+  const { isLoading, hasCompletedOnboarding, refreshOnboardingStatus } = useAuth();
 
   if (isLoading) {
     return <LoadingScreen />;
   }
 
-  if (needsSetup) {
-    return <SetupForm />;
-  }
-
-  if (!user) {
-    return <LoginForm />;
-  }
-
+  // Auth wall is disabled — skip login/setup, only keep onboarding
   if (!hasCompletedOnboarding) {
     return <Onboarding onComplete={refreshOnboardingStatus} />;
   }
diff --git a/src/contexts/AuthContext.jsx b/src/contexts/AuthContext.jsx
@@ -32,15 +32,11 @@ export const AuthProvider = ({ children }) => {
   const [error, setError] = useState(null);
 
   useEffect(() => {
-    if (IS_PLATFORM) {
-      setUser({ username: 'platform-user' });
-      setNeedsSetup(false);
-      checkOnboardingStatus();
-      setIsLoading(false);
-      return;
-    }
-
-    checkAuthStatus();
+    // Auth wall is disabled — always treat the user as logged in.
+    setUser({ username: 'default' });
+    setNeedsSetup(false);
+    checkOnboardingStatus();
+    setIsLoading(false);
   }, []);
 
   const checkOnboardingStatus = async () => {
diff --git a/src/contexts/WebSocketContext.tsx b/src/contexts/WebSocketContext.tsx
@@ -19,11 +19,10 @@ export const useWebSocket = () => {
   return context;
 };
 
-const buildWebSocketUrl = (token: string | null) => {
+const buildWebSocketUrl = (_token: string | null) => {
   const protocol = window.location.protocol === 'https:' ? 'wss:' : 'ws:';
-  if (IS_PLATFORM) return `${protocol}//${window.location.host}/ws`; // Platform mode: Use same domain as the page (goes through proxy)
-  if (!token) return null;
-  return `${protocol}//${window.location.host}/ws?token=${encodeURIComponent(token)}`; // OSS mode: Use same host:port that served the page
+  // Auth wall disabled — connect without token
+  return `${protocol}//${window.location.host}/ws`;
 };
 
 const useWebSocketProviderState = (): WebSocketContextType => {
