5 changes: 2 additions & 3 deletions .env.example
@@ -1,9 +1,8 @@
# Thunderbolt Cloud URL (optional, defaults to http://localhost:8000)
VITE_THUNDERBOLT_CLOUD_URL="http://localhost:8000/v1"

# Bypass waitlist routes for UI development (set to "true" to skip waitlist)
# Note: This only bypasses frontend routing, not backend auth
# VITE_BYPASS_WAITLIST="true"
# Enable the waitlist gate (opt-in; leave unset to bypass the waitlist)
# VITE_ENABLE_WAITLIST="true"

# Show app download links/banners in the web UI (set to "true" for internal testing deployments)
# When enabled, desktop users see a sidebar section + bottom-right banner; mobile users see a top banner
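Review bot: The new comment above VITE_ENABLE_WAITLIST drops the removed caveat "This only bypasses frontend routing, not backend auth" and does not mention that the default has inverted. Leaving VITE_BYPASS_WAITLIST unset used to keep the waitlist on; leaving VITE_ENABLE_WAITLIST unset now turns it off. Suggest keeping the frontend-only caveat and adding a line that src/app.tsx no longer reads VITE_BYPASS_WAITLIST, so anyone carrying an existing .env forward knows to set VITE_ENABLE_WAITLIST="true" to keep the previous behaviour.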
14 changes: 7 additions & 7 deletions src/app.tsx
Expand Up @@ -87,7 +87,7 @@ const AppRoutes = ({ initData }: { initData: InitData }) => {
})

const oidcMode = isOidcMode()
const shouldBypassWaitlist = import.meta.env.VITE_BYPASS_WAITLIST === 'true' || isPrPreview()
const waitlistEnabled = import.meta.env.VITE_ENABLE_WAITLIST === 'true' && !isPrPreview()
Comment thread
cjroth marked this conversation as resolved.

return (
<Routes>
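Review bot: On the waitlistEnabled line, the strict === 'true' comparison now fails open. An unset, misspelled or differently cased value (for example "TRUE" or "1") turns the waitlist off, where the same mistake with VITE_BYPASS_WAITLIST left it on. An environment that still sets only VITE_BYPASS_WAITLIST gets no signal that the variable is ignored here. Suggest logging a startup warning when VITE_BYPASS_WAITLIST is present, or when VITE_ENABLE_WAITLIST is set to anything other than 'true' or 'false', so a configuration mistake is visible rather than silently changing which routes are gated.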
Expand All @@ -107,22 +107,22 @@ const AppRoutes = ({ initData }: { initData: InitData }) => {
/>
)}

{/* Waitlist routes - unauthenticated only (skip when bypass or OIDC mode) */}
{!oidcMode && !shouldBypassWaitlist && (
{/* Waitlist routes - unauthenticated only (only when enabled and not OIDC mode) */}
{!oidcMode && waitlistEnabled && (
<Route element={<AuthGate require="unauthenticated" redirectTo="/" />}>
<Route path="waitlist" element={<WaitlistLayout />}>
<Route index element={<WaitlistPage />} />
</Route>
</Route>
)}

{/* Main app routes - authenticated only (pass-through when bypass enabled) */}
{/* Main app routes - authenticated only (pass-through when waitlist and OIDC both disabled) */}
<Route
element={
shouldBypassWaitlist ? (
<Outlet />
) : (
oidcMode || waitlistEnabled ? (
<AuthGate require="authenticated" redirectTo={oidcMode ? '/oidc-redirect' : '/waitlist'} />
) : (
<Outlet />
)
}
Comment on lines 120 to 127

When waitlistEnabled is false (the default with no env var set), this renders <Outlet /> with no auth gate — every main app route is accessible without authentication. Previously, shouldBypassWaitlist = false by default, so the auth gate was always active unless explicitly bypassed.

If "waitlist disabled" and "auth not required" are genuinely the same thing for all deployment types, this is fine. But if there are deployments that want auth without the waitlist UI, the two concerns need to be separated (e.g. a separate VITE_REQUIRE_AUTH flag, or the auth gate could redirect to a sign-in page rather than /waitlist when the waitlist is off).

>
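Review bot: In the element ternary, the condition oidcMode || waitlistEnabled decides whether any AuthGate wraps the main routes, but the JSX comment above it still leads with "authenticated only", and the fall-through Outlet branch is now the one taken when no env var is set. Suggest pulling the condition into a named constant (for example requireAuth) beside oidcMode and waitlistEnabled, rewording the comment to state that the routes are ungated by default, and adding a routing test for the three cases (OIDC on, waitlist on, both off) so the unauthenticated pass-through is an asserted behaviour rather than a side effect of the flag rename. The removed .env.example note said the old bypass did not affect backend auth, so it is worth confirming in the PR description that the backend rejects unauthenticated requests when both flags are off.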
Comment on lines +119 to 128

When oidcMode=false and waitlistEnabled=false (the new default when VITE_ENABLE_WAITLIST is unset), this evaluates to <Outlet /> — no auth gate at all. Previously the default was the opposite: auth was required unless VITE_BYPASS_WAITLIST=true was explicitly set.

If the intent is that the backend always enforces auth and the frontend gate is purely for the waitlist UX, this is fine. If any production environment was relying on the frontend auth gate as a default, upgrading without setting VITE_ENABLE_WAITLIST=true silently removes it.
