Skip to content

[SECURITY] Dead mock instance-admin login accepts any credentials and sets a fake auth flag #164

Description

@martian56

Summary

A dead "mock" instance-admin login page accepts any non-empty email+password, sets a fake sessionStorage auth flag, and navigates into the admin area. The route is currently commented out, but the component still ships in the bundle; if it is ever re-wired (a commented route suggests intent), it would grant admin navigation with zero verification.

Severity

Medium (dead code / latent auth bypass)

Affected code

  • ui/src/pages/instance-admin/InstanceAdminLoginPage.tsx:31-41handleSubmit accepts any non-empty credentials, sets sessionStorage.setItem('devlane_instance_admin', '1'), navigates to /instance-admin/general. Comment: "Mock: accept any non-empty email + password."
  • ui/src/routes/index.tsx:186-187 — the route is commented out and /instance-admin/login redirects to /login; the devlane_instance_admin flag is never read for real gating.

Suggested fix

Delete the mock page and the unused flag, or replace it with a real auth-gated flow.

Metadata

Metadata

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions