Three issues in packages/core/src/lib/config.ts lines 33-35 combine to make authentication disabled by default:
Line 33 contains a bare string literal issue-30-auth-disabled-false, a leftover git branch name from the merge conflict of PR #33 (fix auth disabled env parsing).
Line 34 declares AUTH_DISABLED: booleanEnv.default(true) — uses a custom preprocessor.
Line 35 declares AUTH_DISABLED: z.coerce.boolean().default(true) — overrides line 34, also defaults to true.
When AUTH_DISABLED=true (the default), the gateway at apps/pulse-gateway/src/index.ts:75-78 assigns { role: 'admin' } to every unauthenticated request. Any HTTP client can call all APIs including creating workflows, reading data, and triggering replays with zero credentials.
Prerequisites
I have verified that this issue has not already been reported.
I have checked the documentation and believe this is a genuine malfunction, not a configuration error.
I am using the latest stable release or the main branch of PulseStack.
Steps to Reproduce
Start PulseStack with default configuration (no .env file).
Send any API request without authentication headers:
curl http://localhost:3000/api/runtime/executions
Observe the request succeeds with admin-level access instead of returning 401 Unauthorized.
Expected Behavior
Authentication should default to enabled (AUTH_DISABLED: false). Starting PulseStack without any configuration should require authentication for all API endpoints.
Actual Behavior
```ts
// packages/core/src/lib/config.ts lines 33-35
issue-30-auth-disabled-false                      // bare string merge artifact
AUTH_DISABLED: booleanEnv.default(true),          // overridden
AUTH_DISABLED: z.coerce.boolean().default(true),  // wins, defaults to true
```
When AUTH_DISABLED=true, the gateway grants admin access to all requests:
Starting PulseStack gateway on port 3000...
Auth disabled — all requests granted admin access
Additional Context
Issue #30 was previously filed about AUTH_DISABLED=false not working correctly. PR #33 fixed the boolean env parser but introduced this merge artifact and duplicate declaration. The merge artifact issue-30-auth-disabled-false is a git branch name that should have been removed before merge. The fix requires: (1) removing line 33, (2) removing line 34, and (3) changing .default(true) to .default(false) on the remaining declaration.
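As an added example, not PulseStack's code: a fail-closed booleanEnv-style parser with AUTH_DISABLED defaulting to false, placed next to the naive Boolean() coercion that makes a string such as "false" read as true (z.coerce.boolean() applies JavaScript's Boolean(), which is the kind of bug issue #30 describes), plus the gateway decision that grants admin only when auth is explicitly disabled and otherwise answers 401. It uses plain TypeScript instead of zod so it runs stand-alone; the function and type names are assumptions.

```typescript
// Added example, not from the PulseStack repository. Names are hypothetical.
const TRUE_VALUES = new Set(["1", "true", "yes", "on"]);
const FALSE_VALUES = new Set(["0", "false", "no", "off"]);

/** Parse an env var as a boolean: unset/blank -> fallback, unknown text -> throw (fail closed). */
function parseBooleanEnv(raw: string | undefined, fallback: boolean): boolean {
  if (raw === undefined || raw.trim() === "") return fallback;
  const v = raw.trim().toLowerCase();
  if (TRUE_VALUES.has(v)) return true;
  if (FALSE_VALUES.has(v)) return false;
  throw new Error(`invalid boolean env value: ${JSON.stringify(raw)}`);
}

/** The coercion pitfall: Boolean("false") === true, so AUTH_DISABLED=false cannot re-enable auth. */
function naiveBooleanEnv(raw: string | undefined): boolean {
  return Boolean(raw);
}

interface AuthConfig {
  authDisabled: boolean;
}

/** Build config from an env map. A single declaration, defaulting to false (auth enabled). */
function loadConfig(env: Record<string, string | undefined>): AuthConfig {
  return { authDisabled: parseBooleanEnv(env.AUTH_DISABLED, false) };
}

type Principal = { role: "admin" } | { role: "user" };
type Decision = { status: number; principal?: Principal };

/** Gateway decision: admin-for-everyone only when auth is explicitly disabled; else require a valid bearer token. */
function authorize(
  cfg: AuthConfig,
  authHeader: string | undefined,
  validateToken: (token: string) => Principal | null,
): Decision {
  if (cfg.authDisabled) return { status: 200, principal: { role: "admin" } };
  if (authHeader === undefined || !authHeader.startsWith("Bearer ")) return { status: 401 };
  const principal = validateToken(authHeader.slice("Bearer ".length));
  return principal ? { status: 200, principal } : { status: 401 };
}
```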