@sarahsimionescuchecks…claude/restore-dev-login → main4 files · +109 −0review: @shamsharoonupdated 3d agoThe WorkOS AuthKit migration (d32b5c2d6) dropped the "Sign in as agent test user" dev-login button originally added in #433 (c36a40b1). The MCP auth e2e tests (tests/mcp-auth/setup/global-setup.ts) click that exact button to capture a session cookie — so they've been failing in global setup ("Dev-login button not found"). This restores the affordance the AuthKit-native way.
The old button proxied Apollo's admin dev_login (Better Auth). That endpoint is gone, so we authenticate directly via the WorkOS SDK and seal the AuthKit session:
POST /api/dev-login — getWorkOS().userManagement.authenticateWithPassword({ clientId, email, password }) → saveSession(authResponse, req) (AuthKit's public custom-auth-flow API; seals the wos-session cookie) → 303-redirect to /. Hard-gated: returns 404 in production or when DEV_LOGIN_* is unset, so it can never mint a session in prod./login — a native <form> POST (no client JS), rendered only when VERCEL_ENV !== "production" and DEV_LOGIN_* is configured. Label matches the test harness verbatim.DEV_LOGIN_EMAIL / DEV_LOGIN_PASSWORD env vars (server, optional).No Apollo-linking step needed: resolveUser() already falls back to matching the Apollo Users row by email when externalId isn't set — so the seeded WorkOS user just needs a matching email in the DB.
login@agents.composio.dev) with a password, and enable Email + Password auth for that environment.Users row exists with the same email, with a UserOrgMapping to an org named login_workspace (the test's default TEST_ORG_SLUG) that has a DEVELOPER project.DEV_LOGIN_EMAIL + DEV_LOGIN_PASSWORD in the staging/preview Doppler config (not production).Once that's in place, the MCP auth + mcpjam workflows (now token-based + SHA-pinned) should get a session and run their actual tests.
pnpm typecheck → 0 errors; lint → 0 on touched files.saveSession / authenticateWithPassword confirmed present in installed @workos-inc/authkit-nextjs@4.1.0 + @workos-inc/node@9.3.1.*session* cookies, so wos-session is picked up without changes; the TEST_ORG_SLUG default may need to match the seeded org.🤖 Generated with Claude Code
The latest updates on your projects. Learn more about Vercel for GitHub.
| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| dashboard |  Ready | Preview, Comment | Jun 9, 2026 8:27pm |
The current HEAD of this PR (d964cc77) still does not contain the same-origin guard in src/app/api/dev-login/route.ts. The file is identical to the original — no Origin header check is present. The CSRF finding remains open. Please verify the fix was actually committed and pushed.