Summary
A dead "mock" instance-admin login page accepts any non-empty email+password, sets a fake sessionStorage auth flag, and navigates into the admin area. The route is currently commented out, but the component still ships in the bundle; if it is ever re-wired (a commented route suggests intent), it would grant admin navigation with zero verification.
Severity
Medium (dead code / latent auth bypass)
Affected code
ui/src/pages/instance-admin/InstanceAdminLoginPage.tsx:31-41 — handleSubmit accepts any non-empty credentials, sets sessionStorage.setItem('devlane_instance_admin', '1'), navigates to /instance-admin/general. Comment: "Mock: accept any non-empty email + password."
ui/src/routes/index.tsx:186-187 — the route is commented out and /instance-admin/login redirects to /login; the devlane_instance_admin flag is never read for real gating.
Suggested fix
Delete the mock page and the unused flag, or replace it with a real auth-gated flow.
Summary
A dead "mock" instance-admin login page accepts any non-empty email+password, sets a fake
sessionStorageauth flag, and navigates into the admin area. The route is currently commented out, but the component still ships in the bundle; if it is ever re-wired (a commented route suggests intent), it would grant admin navigation with zero verification.Severity
Medium (dead code / latent auth bypass)
Affected code
ui/src/pages/instance-admin/InstanceAdminLoginPage.tsx:31-41—handleSubmitaccepts any non-empty credentials, setssessionStorage.setItem('devlane_instance_admin', '1'), navigates to/instance-admin/general. Comment: "Mock: accept any non-empty email + password."ui/src/routes/index.tsx:186-187— the route is commented out and/instance-admin/loginredirects to/login; thedevlane_instance_adminflag is never read for real gating.Suggested fix
Delete the mock page and the unused flag, or replace it with a real auth-gated flow.