Dev/demo login experience — quick-login and impersonation for demos #60

New Issue

Closed

opened 2026-03-19 03:15:54 +00:00 by ghost · 0 comments

ghost commented 2026-03-19 03:15:54 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Context

When demoing the app or running locally with AUTH_DISABLED=true, we need a smooth way to show different user perspectives without configuring a real OIDC provider.

The current state:

• AUTH_DISABLED=true bypasses auth entirely with a dummy dev-user JWT subject
• There's no login page — the app goes straight to content
• Customer portal has a staff impersonation button/modal (frontend-only demo)
• No way to quickly switch between customer views or staff roles

Requirements

1. Dev login selector page (when AUTH_DISABLED=true)

When auth is disabled, show a login selector page at /login (or as a landing modal) that lets demo users pick their role:

• Staff logins: Show available staff members from the database (name, role). Clicking one sets the session to that staff member and redirects to /admin.
• Customer logins: Show available clients from the database (name, pet count). Clicking one sets the session to that customer and redirects to / (customer portal).
• Skip login: A clear "Continue as dev user" link that bypasses selection and goes straight in with the default dev-user identity.

2. Persistent session indicator

Once logged in as a specific persona, show a small indicator (e.g. top-right badge or bottom bar) showing who you're acting as, with a "Switch user" link back to the selector.

3. API awareness

The API's auth middleware should accept a X-Dev-User-Id header (or similar) when AUTH_DISABLED=true to let the frontend specify which staff/client record to impersonate. The middleware should look up the staff/client record and inject the appropriate identity into the request context.

Security: This MUST only work when AUTH_DISABLED=true. If auth is enabled, ignore X-Dev-User-Id completely.

4. Customer portal integration

The existing impersonation UI in the customer portal can stay, but the new dev login selector is the primary entry point for demos.

Non-goals

• Real OIDC login flow (separate issue)
• Server-side audit trail for impersonation (separate issue)
• Production impersonation (separate issue)

Acceptance criteria

• With AUTH_DISABLED=true, visiting the app shows a role/user selector
• Staff members and clients from DB are listed
• Selecting a user sets session and redirects to appropriate area
• Session indicator visible while impersonating
• "Switch user" returns to selector
• API middleware respects dev user header when auth disabled
• Tests pass

## Context When demoing the app or running locally with `AUTH_DISABLED=true`, we need a smooth way to show different user perspectives without configuring a real OIDC provider. The current state: - `AUTH_DISABLED=true` bypasses auth entirely with a dummy `dev-user` JWT subject - There's no login page — the app goes straight to content - Customer portal has a staff impersonation button/modal (frontend-only demo) - No way to quickly switch between customer views or staff roles ## Requirements ### 1. Dev login selector page (when `AUTH_DISABLED=true`) When auth is disabled, show a **login selector page** at `/login` (or as a landing modal) that lets demo users pick their role: - **Staff logins**: Show available staff members from the database (name, role). Clicking one sets the session to that staff member and redirects to `/admin`. - **Customer logins**: Show available clients from the database (name, pet count). Clicking one sets the session to that customer and redirects to `/` (customer portal). - **Skip login**: A clear "Continue as dev user" link that bypasses selection and goes straight in with the default dev-user identity. ### 2. Persistent session indicator Once logged in as a specific persona, show a small indicator (e.g. top-right badge or bottom bar) showing who you're acting as, with a "Switch user" link back to the selector. ### 3. API awareness The API's auth middleware should accept a `X-Dev-User-Id` header (or similar) when `AUTH_DISABLED=true` to let the frontend specify which staff/client record to impersonate. The middleware should look up the staff/client record and inject the appropriate identity into the request context. **Security**: This MUST only work when `AUTH_DISABLED=true`. If auth is enabled, ignore `X-Dev-User-Id` completely. ### 4. Customer portal integration The existing impersonation UI in the customer portal can stay, but the new dev login selector is the primary entry point for demos. ## Non-goals - Real OIDC login flow (separate issue) - Server-side audit trail for impersonation (separate issue) - Production impersonation (separate issue) ## Acceptance criteria - [ ] With `AUTH_DISABLED=true`, visiting the app shows a role/user selector - [ ] Staff members and clients from DB are listed - [ ] Selecting a user sets session and redirects to appropriate area - [ ] Session indicator visible while impersonating - [ ] "Switch user" returns to selector - [ ] API middleware respects dev user header when auth disabled - [ ] Tests pass

This repo is archived. You cannot comment on issues.

No Branch/Tag Specified

Branches Tags

main

dev

flea/gro-1636-better-auth-seed

pr-434

uat

docs/GRO-1502-uat-mcp-migration

flea/gro-1496-e2e-err-connection-refused

flea-flicker/gro-1489-lint-fixes

cpfarhood/gro-1162-pet-buffer

flea-flicker/gro-1162-pet-buffer

fix/gro-1368-consent-ts

fix/ci-e2e-dind-networking-registry-auth

fix/gro-1369-types-sync

fix/ci-registry-auth-main

gitea/migrate-workflows

flea-flicker/gro-1162-pet-buffer-time

feat/GRO-106-portal-communication-real

archived-readme

feat/GRO-106-stop-help

fix/gro-1248-path-prefixes

fix/GRO-1212-portal-test-mock-imports

fix/GRO-1108-test-mocks

feat/GRO-106-stop-help-v2

docs/GRO-1099-uat-playbook-app

fleaflicker/deploy-telnyx-webhook-secret

fix/gro-1024-clean

fix/gro-1021-auth-rate-limit

fix/gro-1021-auth-rate-limit-v2

feat/GRO-984-outbound-sms-persistence

fix/GRO-980-indentation

docs/GRO-106-10dlc-runbook

fix/gro-898-demo-sso-env-vars

fix/gro-609-cherry-pick

fix/gro-866-uat-seed-personas

fix/gro-867-logo-proxy

fix/gro-816-portal-pets-crash

fix/gro-844-network-policy

fix/gro-820-e2e-invoices-mock

feature/gro-609-refund-payment-stats

fix/gro-765-portal-appointments-service

fix/gro-805-allow-groomer-invoices

fix/gro-720-gitignore-hardening

fix/gro-721-harden-gitignore

feature/gro-633-db-indexes-constraints

fix/gro-639-n-plus-one-reminder-scheduler

ci-dev-trigger2

fix/gro-624-input-validation

feature/gro-653-portal-session-middleware

fix/gro-640-n-plus-one-email

clean-gro-639

fix/gro-637-invoice-refund-fixes

fix/gro-665-staff-auto-link

fix/gro-636-input-validation-v3

fix-gro-624-input-validation

fix/gro-655-corepack-only

feature/gro-597-payment-admin

feature/gro-631-graceful-shutdown

fix/gro-660-uat-seed-manager-superuser

fix/gro-655-corepack-enoent

feature/gro-623-groomer-isolation

feature/gro-632-impersonation-session-hardening

feature/gro-607-payment-ui

feature/gro-597-payment-backend

feature/gro-597-payment-ui

feature/gro-597-stripe-webhooks

feature/gro-597-payment-api

GRO-574-rate-limit-migration

chore/gro-575-promote-gro-574-to-uat

fix/gro-566-skip-oobe

fix/gro-557-e2e-stability

chore/gro-558-agents-instructions

fix/gro-531-social-login

fix/gro-545-social-providers-config

fix/gro-540-prod-oidc-env-vars

feat/gro-526-seed-profile-param

No results found.

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

feature

New feature

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

ai-review (AI Review) gb_barkley (Barkley Trimsworth) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) gb_flea (Flea Flicker) flux (Flux CD) admin (Gitea Admin) gb_lint (Lint Roller) renovate (Mend Renovate) gb_pawla (Pawla Abdul) gb_scrubs (Scrubs McBarkley) gb_shedward (Shedward Scissorhands) gb_dogfather (The Dogfather)

No Assignees

1 Participants

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: groombook/app#60