Developer's 'Deploy to Cloudflare' button shipped auth bypass to all users by default
A developer discovered that his open-source invoicing app Minvoice was deploying with admin authentication fully disabled for all users who used its one-click Cloudflare deploy button. The root cause was the app's .dev.vars.example file, which contained a DEV_BYPASS_ACCESS=true flag meant only for local development to skip repetitive login prompts. Cloudflare's deploy button reads that file and pre-fills its values as suggested defaults, meaning most users accepted them without changes, inadvertently pushing the auth bypass flag into production. Beyond the security flaw, the same mechanism also deployed a localhost URL into payment links and placeholder API keys, causing payment buttons to silently fail. The developer has since restructured the example file so only a required admin password field is active, with all other entries commented out to prevent template values from becoming live production configuration.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in