From cd5feb1a1432085027c641fd6ee09652e653d9d2 Mon Sep 17 00:00:00 2001
From: Flea Flicker
Date: Fri, 27 Mar 2026 01:10:34 +0000
Subject: [PATCH] fix(gro-56): guard dev login page behind import.meta.env.DEV

The DevLoginSelector page (including the "Continue as default dev user" button) was rendering in production when AUTH_DISABLED=true. This guards the /login route so the page only renders in Vite development mode (import.meta.env.DEV). Also removes the skip-login button entirely since it bypassed user selection without any identity assertion.
- Guard /login route with import.meta.env.DEV in App.tsx
- Remove skipLogin button from DevLoginSelector.tsx
- Add vite/client types to web tsconfig
- Remove corresponding e2e test
Co-Authored-By: Paperclip
---
 apps/e2e/tests/login.spec.ts | 8 --------
 apps/web/src/App.tsx | 4 ++--
 apps/web/src/pages/DevLoginSelector.tsx | 20 --------------------
 apps/web/tsconfig.json | 3 ++-
 4 files changed, 4 insertions(+), 31 deletions(-)

diff --git a/apps/e2e/tests/login.spec.ts b/apps/e2e/tests/login.spec.ts
index 6081f45..6f21a1e 100644
--- a/apps/e2e/tests/login.spec.ts
+++ b/apps/e2e/tests/login.spec.ts
@@ -55,14 +55,6 @@ test.describe("DevLoginSelector", () => {
 expect(JSON.parse(devUser!)).toMatchObject({ type: "client", id: "client-1", name: "Carol Client" }); });
- test("skip login removes dev-user and navigates to /admin", async ({ page }) => {
- await page.goto("/login");
- await page.getByText("Continue as default dev user").click();
- await expect(page).toHaveURL("/admin");
- const devUser = await page.evaluate(() => localStorage.getItem("dev-user"));
- expect(devUser).toBeNull();
- });
-
 test("no users available shows empty sections", async ({ page }) => { await page.route("**/api/dev/users", (route) => route.fulfill({ json: { staff: [], clients: [] } })
diff --git a/apps/web/src/App.tsx b/apps/web/src/App.tsx
index cdf9d1f..5f299d1 100644
--- a/apps/web/src/App.tsx
+++ b/apps/web/src/App.tsx
@@ -141,8 +141,8 @@ export function App() {
 .catch(() => setAuthDisabled(false)); }, []);
- // Show login selector page
- if (location.pathname === "/login") {
+ // Show login selector page (only in development)
+ if (import.meta.env.DEV && location.pathname === "/login") {
 return ; }
diff --git a/apps/web/src/pages/DevLoginSelector.tsx b/apps/web/src/pages/DevLoginSelector.tsx
index e171613..694d584 100644
--- a/apps/web/src/pages/DevLoginSelector.tsx
+++ b/apps/web/src/pages/DevLoginSelector.tsx
@@ -36,11 +36,6 @@ export function DevLoginSelector() {
 navigate(type === "staff" ? "/admin" : "/"); }
- function skipLogin() {
- localStorage.removeItem("dev-user");
- navigate("/admin");
- }
-
 if (loading) { return (
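Review bot: In apps/web/src/App.tsx, the added `import.meta.env.DEV &&` condition on the `/login` branch only stops the selector page from rendering; it does not limit the identity that page produces. The e2e spec in this patch shows the selector storing a `dev-user` entry in localStorage and reading `**/api/dev/users`, so if the server still honours that entry or serves that endpoint when AUTH_DISABLED=true in a production deployment (not visible in this diff), the exposure described in the commit message stays reachable without the UI. I would state the limit of the guard in the comment, e.g. `// Dev-only UI guard; the API must itself refuse dev-user identities and /api/dev/users outside development`, and confirm that the server-side check exists. An e2e assertion that `/login` does not render the selector in a production build would also pin the fix, since the remaining DevLoginSelector tests presumably run against the dev server only. App() continues outside the hunk, so what a production `/login` request falls through to cannot be checked here.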
@@ -94,11 +89,6 @@ export function DevLoginSelector() { ))}
-
- -
);
@@ -157,13 +147,3 @@ const userButtonStyle: React.CSSProperties = {
 textAlign: "left", transition: "border-color 0.15s, background 0.15s", };
-
-const skipButtonStyle: React.CSSProperties = {
- padding: "0.5rem 1.25rem",
- border: "1px solid #d1d5db",
- borderRadius: 6,
- background: "transparent",
- cursor: "pointer",
- fontSize: 13,
- color: "#6b7280",
-};
diff --git a/apps/web/tsconfig.json b/apps/web/tsconfig.json
index c7a855a..370bd28 100644
--- a/apps/web/tsconfig.json
+++ b/apps/web/tsconfig.json
@@ -7,7 +7,8 @@
 "jsx": "react-jsx", "strict": true, "noUncheckedIndexedAccess": true,
- "skipLibCheck": true
+ "skipLibCheck": true,
+ "types": ["vite/client"]
 }, "include": ["src"] }
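Review bot: Setting `"types": ["vite/client"]` in compilerOptions restricts the automatically included ambient type packages to that single entry, so any other `@types/*` globals the web app relies on would stop resolving; whether it relies on any is not visible in this hunk. If the only goal is typing `import.meta.env`, a `src/vite-env.d.ts` containing `/// <reference types="vite/client" />` gives the same result without narrowing the set. Whichever form is kept, a one-line comment beside it, e.g. `// needed for import.meta.env typing in App.tsx`, would tell the next maintainer why the entry is there.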