bypass localhost / route

web/src/server/routes/auth.ts

@@ -10,6 +10,7 @@ interface AuthRoutesConfig {
   enableSSHKeys?: boolean;
   disallowUserPassword?: boolean;
   noAuth?: boolean;
+  allowLocalBypass?: boolean;
 }
 
 export function createAuthRoutes(config: AuthRoutesConfig): Router {
@@ -174,10 +175,19 @@ export function createAuthRoutes(config: AuthRoutesConfig): Router {
    */
   router.get('/config', (req, res) => {
     try {
+      // Check if this is a local request and local bypass is enabled
+      const clientIp = req.ip || req.socket.remoteAddress || '';
+      const localIPs = ['127.0.0.1', '::1', '::ffff:127.0.0.1', 'localhost'];
+      const isLocalRequest =
+        localIPs.includes(clientIp) && !req.headers['x-forwarded-for'] && !req.headers['x-real-ip'];
+
+      // If local bypass is enabled and this is a local request, report as noAuth
+      const effectiveNoAuth = config.noAuth || (config.allowLocalBypass && isLocalRequest);
+
       res.json({
         enableSSHKeys: config.enableSSHKeys || false,
         disallowUserPassword: config.disallowUserPassword || false,
-        noAuth: config.noAuth || false,
+        noAuth: effectiveNoAuth,
       });
     } catch (error) {
       console.error('Error getting auth config:', error);

web/src/server/server.ts

@@ -479,6 +479,7 @@ export async function createApp(): Promise<AppInstance> {
       enableSSHKeys: config.enableSSHKeys,
       disallowUserPassword: config.disallowUserPassword,
       noAuth: config.noAuth,
+      allowLocalBypass: config.allowLocalBypass,
     })
   );
   logger.debug('Mounted authentication routes');