feat: dev mode

indiekit.config.cjs

@@ -3,6 +3,7 @@ require("dotenv").config();
 
 module.exports = {
   application: {
+    _devMode: process.env.NODE_ENV === "development",
     mongodbUrl: process.env.MONGO_URL,
     ...(process.env.RAILWAY_ENVIRONMENT && {
       url: `https://${process.env.RAILWAY_STATIC_URL}`,

packages/indiekit/config/defaults.js

@@ -5,6 +5,7 @@ import package_ from "../package.json" assert { type: "json" };
 
 export const defaultConfig = {
   application: {
+    _devMode: false,
     hasDatabase: false,
     localesAvailable: ["de", "en", "es", "fr", "id", "nl", "pt"],
     mongodbUrl: false,

packages/indiekit/lib/indieauth.js

@@ -1,4 +1,5 @@
 import crypto from "node:crypto";
+import process from "node:process";
 import httpError from "http-errors";
 import { fetch } from "undici";
 import {
@@ -11,9 +12,9 @@ import { decrypt, encrypt, getCanonicalUrl, randomString } from "./utils.js";
 export const IndieAuth = class {
   constructor(options = {}) {
     this.codeVerifier = randomString(100);
+    this.devMode = options.devMode;
     this.iv = crypto.randomBytes(16);
-    this.options = options;
-    this.me = getCanonicalUrl(this.options.me);
+    this.me = getCanonicalUrl(options.me);
   }
 
   /**
@@ -220,16 +221,15 @@ export const IndieAuth = class {
    * @returns {Function} Next middleware
    */
   authorise() {
-    const { me } = this;
+    const { devMode, me } = this;
 
     return async function (request, response, next) {
       const { tokenEndpoint } = request.app.locals.publication;
 
-      // Placeholder session data that can be used during development
-      // if (process.env.NODE_ENV === "development") {
-      //   request.session.token = process.env.NODE_ENV;
-      //   request.session.scope = "create update delete media";
-      // }
+      if (devMode) {
+        request.session.token = process.env.NODE_ENV;
+        request.session.scope = "create update delete media";
+      }
 
       // If have session scope and token, go to next middleware
       const { scope, token } = request.session;

packages/indiekit/lib/routes.js

@@ -20,6 +20,7 @@ export const routes = (indiekitConfig) => {
   const { application, publication } = indiekitConfig;
 
   const indieauth = new IndieAuth({
+    devMode: application._devMode,
     me: publication.me,
   });
 

packages/indiekit/tests/unit/indieauth.js

@@ -1,3 +1,4 @@
+import process from "node:process";
 import test from "ava";
 import { setGlobalDispatcher } from "undici";
 import { tokenEndpointAgent } from "@indiekit-test/mock-agent";
@@ -10,7 +11,6 @@ setGlobalDispatcher(tokenEndpointAgent());
 const { mockRequest, mockResponse } = mockReqRes;
 const indieauth = new IndieAuth({
   me: "https://website.example",
-  tokenEndpoint: "https://token-endpoint.example",
 });
 
 test.beforeEach((t) => {
@@ -108,6 +108,32 @@ test("Checks if user is authorized", async (t) => {
   t.true(next.calledOnce);
 });
 
+test("Development mode bypasses authentication", async (t) => {
+  const indieauth = new IndieAuth({
+    devMode: true,
+    me: "https://website.example",
+  });
+
+  const request = mockRequest({
+    app: {
+      locals: {
+        publication: {
+          tokenEndpoint: "https://token-endpoint.example",
+        },
+      },
+    },
+    session: {},
+  });
+  const response = mockResponse();
+  const next = sinon.spy();
+
+  await indieauth.authorise()(request, response, next);
+
+  t.is(request.session.scope, "create update delete media");
+  t.is(request.session.token, process.env.NODE_ENV);
+  t.true(next.calledOnce);
+});
+
 test("Throws error checking if user is authorized", async (t) => {
   const request = mockRequest({
     app: { locals: { publication: {} } },