
[fix] honor dev query bypass in hasConsoleAccess#1189

Merged
omeraplak merged 1 commit into VoltAgent:main from pandego:fix/1185-ws-dev-query
Apr 8, 2026

Conversation


@pandego pandego commented Apr 6, 2026

Summary

  • honor ?dev=true inside isDevRequest() so hasConsoleAccess() matches the existing WebSocket dev-bypass behavior
  • add focused auth-utils coverage for header-based and query-based development bypasses plus the console key path
  • include a patch changeset for @voltagent/server-core

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Test update
  • Refactor
  • Chore

Testing

  • pnpm --filter @voltagent/server-core test -- --run src/auth/utils.spec.ts
  • pnpm exec biome check packages/server-core/src/auth/utils.ts packages/server-core/src/auth/utils.spec.ts

Related Issue

fixes #1185

Checklist

  • My code follows the project's style guidelines
  • I have performed a self-review of my own code
  • I have added tests that prove my fix is effective
  • New and existing unit tests pass locally with my changes
  • I have added a changeset if required

Additional Context

The WebSocket setup path already honors ?dev=true in non-production, but the shared Request-based console-access helper only checked the header. This patch makes the shared helper consistent with the WebSocket path so development /ws?dev=true requests are accepted as expected.


Summary by cubic

Honor the ?dev=true query param in isDevRequest() so hasConsoleAccess() matches the WebSocket dev-bypass in non-production. This restores expected dev console access on Request-based /ws routes and ships a patch for @voltagent/server-core.

  • Bug Fixes
    • Accept ?dev=true in non-production; production remains strict.
    • Align hasConsoleAccess() with WebSocket path behavior; fixes [BUG] hasConsoleAccess is false for /ws?dev=true #1185.
    • Add focused tests for header/query bypass and the console key path, plus a changeset for @voltagent/server-core.

Written for commit 93b47ff. Summary will update on new commits.

Summary by CodeRabbit

Bug Fixes

  • Fixed development console access bypass to properly restrict itself to development environments only, preventing unauthorized access in production deployments.

Tests

  • Added test coverage for authentication utilities to validate console access restrictions and environment-based access control.
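As an added illustration of the behaviour this PR describes (example code, not the project's own), the following TypeScript sketches isDevRequest() and hasConsoleAccess() with the production short-circuit, the x-voltagent-dev header and ?dev=true bypass, and the console-key path. The environment is passed as a parameter rather than read from process.env, and deny-by-default when no key is configured plus the constant-time comparison are assumptions of this example.

```typescript
import { timingSafeEqual } from "node:crypto";

// Environment is passed explicitly so the example runs without mutating process.env
// (assumption of this example; the real helper reads process.env).
type Env = { NODE_ENV?: string; VOLTAGENT_CONSOLE_ACCESS_KEY?: string };

// Dev bypass: never in production; header first, then the ?dev=true query fallback.
function isDevRequest(req: Request, env: Env): boolean {
  if (env.NODE_ENV === "production") return false;
  if (req.headers.get("x-voltagent-dev") === "true") return true;
  return new URL(req.url).searchParams.get("dev") === "true";
}

// Constant-time comparison so a key check does not leak how many bytes matched.
function safeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

function hasConsoleAccess(req: Request, env: Env): boolean {
  if (isDevRequest(req, env)) return true;
  const configured = env.VOLTAGENT_CONSOLE_ACCESS_KEY;
  // Deny by default when no key is configured (assumption; the PR does not state this case).
  if (!configured) return false;
  // Key may arrive in the x-console-access-key header or the ?key= query parameter.
  const presented =
    req.headers.get("x-console-access-key") ?? new URL(req.url).searchParams.get("key");
  return presented !== null && safeEqual(presented, configured);
}

// Constructed sample requests covering the /ws?dev=true case from issue #1185 in both environments.
function demo(): Record<string, boolean> {
  const dev: Env = { NODE_ENV: "development" };
  const prod: Env = { NODE_ENV: "production", VOLTAGENT_CONSOLE_ACCESS_KEY: "secret-key" };
  return {
    devQueryInDev: hasConsoleAccess(new Request("http://localhost/ws?dev=true"), dev),
    devQueryInProd: hasConsoleAccess(new Request("http://localhost/ws?dev=true"), prod),
    devHeaderInProd: hasConsoleAccess(
      new Request("http://localhost/ws", { headers: { "x-voltagent-dev": "true" } }), prod),
    keyHeaderInProd: hasConsoleAccess(
      new Request("http://localhost/ws", { headers: { "x-console-access-key": "secret-key" } }), prod),
    wrongKeyInProd: hasConsoleAccess(new Request("http://localhost/ws?key=wrong-key"), prod),
  };
}
```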


changeset-bot bot commented Apr 6, 2026

🦋 Changeset detected

Latest commit: 93b47ff

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package:

  • @voltagent/server-core (Patch)



coderabbitai bot commented Apr 6, 2026

📝 Walkthrough


This PR fixes a bug where hasConsoleAccess did not check the dev=true query parameter for WebSocket requests in development mode. The isDevRequest function is enhanced to parse query parameters, accompanied by comprehensive test coverage and a changeset documenting the patch release.

Changes

  • Bug Fix (packages/server-core/src/auth/utils.ts): Modified isDevRequest to return false immediately in production, then check the x-voltagent-dev header and fall back to parsing the dev query parameter from the request URL.
  • Test Coverage (packages/server-core/src/auth/utils.spec.ts): Added comprehensive Vitest suite covering isDevRequest and hasConsoleAccess with tests for header validation, query parameter fallback in development, production restrictions, and VOLTAGENT_CONSOLE_ACCESS_KEY handling.
  • Release Documentation (.changeset/fair-geckos-dream.md): Marked patch release for @voltagent/server-core documenting the fix for console-access bypass on Request-based WebSocket paths with ?dev=true.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

  • omeraplak

Poem

🐰 A query param, once lost in the night,
Now gleams in the dev route's light,
WebSocket requests shall pass on through,
With ?dev=true the path rings true! ✨

🚥 Pre-merge checks: 5 passed

  • Title check: Passed. The title clearly describes the main bug fix: making hasConsoleAccess honor the dev query parameter bypass, which is the core objective of the PR.
  • Description check: Passed. The description comprehensively covers the bug fix, testing instructions, related issue, and includes a detailed checklist with all items completed. It also provides additional context explaining the inconsistency being fixed.
  • Linked Issues check: Passed. The PR fully addresses issue #1185 by modifying isDevRequest() to check the ?dev=true query parameter, making hasConsoleAccess() consistent with WebSocket dev-bypass behavior in non-production environments.
  • Out of Scope Changes check: Passed. All changes are directly related to fixing issue #1185: the code changes to isDevRequest(), tests covering the query parameter behavior, and the changeset file documenting the patch release.
  • Docstring Coverage: Passed. Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%.


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (3)
packages/server-core/src/auth/utils.spec.ts (2)

37-54: Consider adding test for console key via header.

The hasConsoleAccess function supports reading the console key from both the x-console-access-key header and the key query param. Only the query param path is tested. Consider adding coverage for the header path:

🧪 Suggested additional test
     it("still accepts a configured console access key from query params", () => {
       vi.stubEnv("NODE_ENV", "production");
       vi.stubEnv("VOLTAGENT_CONSOLE_ACCESS_KEY", "secret-key");

       const req = new Request("http://localhost/ws?key=secret-key");

       expect(hasConsoleAccess(req)).toBe(true);
     });
+
+    it("accepts a configured console access key from header", () => {
+      vi.stubEnv("NODE_ENV", "production");
+      vi.stubEnv("VOLTAGENT_CONSOLE_ACCESS_KEY", "secret-key");
+
+      const req = new Request("http://localhost/ws", {
+        headers: { "x-console-access-key": "secret-key" },
+      });
+
+      expect(hasConsoleAccess(req)).toBe(true);
+    });
+
+    it("rejects when no valid key is provided in production", () => {
+      vi.stubEnv("NODE_ENV", "production");
+      vi.stubEnv("VOLTAGENT_CONSOLE_ACCESS_KEY", "secret-key");
+
+      const req = new Request("http://localhost/ws?key=wrong-key");
+
+      expect(hasConsoleAccess(req)).toBe(false);
+    });
   });
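Review bot: The added negative case ("rejects when no valid key is provided in production") only exercises a mismatched query key, so the header path gets a positive test but no negative one. Add a sibling case with `headers: { "x-console-access-key": "wrong-key" }` asserting `hasConsoleAccess(req)` is false, so a regression that accepts any non-empty header value is caught. Both new tests also stub NODE_ENV and VOLTAGENT_CONSOLE_ACCESS_KEY with vi.stubEnv; confirm the surrounding describe restores them (vi.unstubAllEnvs in afterEach), otherwise the production stub leaks into later cases.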
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/server-core/src/auth/utils.spec.ts` around lines 37 - 54, Tests for
hasConsoleAccess currently only cover the query param key; add a test that
verifies the header path by stubbing NODE_ENV to "production" and
VOLTAGENT_CONSOLE_ACCESS_KEY to a secret, creating a Request to any URL (e.g.,
"/ws") with the header "x-console-access-key" set to that secret, and asserting
hasConsoleAccess(req) returns true; reference the hasConsoleAccess function and
add the new it(...) block alongside the existing tests in utils.spec.ts.

9-35: Consider adding test for header rejection in production.

The tests cover the critical paths well. Consider adding a test to explicitly verify that the dev header is also rejected in production, mirroring the query param rejection test:

🧪 Suggested additional test
     it("rejects the dev query param in production", () => {
       vi.stubEnv("NODE_ENV", "production");

       const req = new Request("http://localhost/ws?dev=true");

       expect(isDevRequest(req)).toBe(false);
     });
+
+    it("rejects the dev header in production", () => {
+      vi.stubEnv("NODE_ENV", "production");
+
+      const req = new Request("http://localhost/api", {
+        headers: { "x-voltagent-dev": "true" },
+      });
+
+      expect(isDevRequest(req)).toBe(false);
+    });
   });
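Review bot: The new header case mirrors the query case but uses a different URL (/api instead of /ws), so the hunk never asserts the issue #1185 input with both bypass signals present in production. Add one case under NODE_ENV=production with `new Request("http://localhost/ws?dev=true", { headers: { "x-voltagent-dev": "true" } })` asserting `isDevRequest(req)` is false, which pins down that the production short-circuit runs before either the header or the query check.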
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/server-core/src/auth/utils.spec.ts` around lines 9 - 35, Add a unit
test in packages/server-core/src/auth/utils.spec.ts that mirrors the existing
query-param production case but for the header: stub NODE_ENV to "production",
create a Request with header "x-voltagent-dev": "true", call isDevRequest(req)
and assert it returns false; this ensures the isDevRequest function rejects the
dev header in production just like it does the dev query param.
packages/server-core/src/auth/utils.ts (1)

74-91: Minor: URL parsed twice when dev bypass fails.

When isDevRequest returns false in non-production, the URL is parsed twice (once in isDevRequest at line 45, then again here at line 82). This is a minor inefficiency but acceptable for the improved code clarity and separation of concerns.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/server-core/src/auth/utils.ts` around lines 74 - 91, The
hasConsoleAccess function unnecessarily reparses the request URL when
isDevRequest already parsed it; to fix, modify hasConsoleAccess to reuse the
parsed URL from isDevRequest (or have isDevRequest return or attach the parsed
URL) instead of new URL(req.url, ...), so update hasConsoleAccess to obtain the
query key from that shared URL object and remove the duplicate new URL(...)
call; reference functions: hasConsoleAccess and isDevRequest.

ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between 3776cb6 and 93b47ff.

📒 Files selected for processing (3)
  • .changeset/fair-geckos-dream.md
  • packages/server-core/src/auth/utils.spec.ts
  • packages/server-core/src/auth/utils.ts

@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 3 files

@omeraplak

Hey @pandego ,
Thank you so much 🔥

@omeraplak omeraplak merged commit 19fa54b into VoltAgent:main Apr 8, 2026
23 checks passed

Development

Successfully merging this pull request may close these issues.

[BUG] hasConsoleAccess is false for /ws?dev=true