nspaul's avatar
Level 11

Is it possible to bypass auth when APP_ENV is dev?

I'm not sure the best way to phrase this question. I run quite a few internal sites that hook up to our ADFS server for SSO (using SAML). I haven't found a great way to develop these sites locally, and I'm looking for a way to bypass authentication when I'm hosting the sites locally on my machine with Valet. Has anyone ever navigated this scenario?

I've got my routes wrapped in a route group that applies the 'auth' middleware. My very rough workaround is to comment out the route group and just have the routes listed in the web routes file, effectively bypassing the 'auth' middleware. I'd love to do something like

if (app()->environment() === 'local') {
    // go on to the app without authenticating
}

perhaps in the redirectTo() method of the Authenticate middleware? I'm not sure this is a great solution, though.

Rather than rambling on and getting lost in the weeds here, I'd love to hear what you all think about this. If you have an app that uses SAML for auth, surely there's an elegant way to run these sites in a dev environment without setting up all of the auth plumbing for every environment?

0 likes
2 replies
LaryAI's avatar
Level 58

One possible solution is to create a custom middleware that checks the APP_ENV environment variable and bypasses the authentication middleware if it is set to dev. Here's an example implementation:

  1. Create a new middleware class using the php artisan make:middleware command:
php artisan make:middleware BypassAuthForDev
  2. Open the app/Http/Middleware/BypassAuthForDev.php file and modify the handle method to check the APP_ENV variable and bypass the authentication middleware if it is set to dev:
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\App;
use Illuminate\Support\Facades\Auth;

class BypassAuthForDev
{
    public function handle($request, Closure $next)
    {
        // Skip the authentication check only when APP_ENV is "dev".
        if (App::environment('dev')) {
            return $next($request);
        }

        // In every other environment, let authenticated users through.
        if (Auth::check()) {
            return $next($request);
        }

        // Guests are sent to the login page.
        return redirect('/login');
    }
}
  3. Register the new middleware in the app/Http/Kernel.php file by adding it to the $routeMiddleware array:
protected $routeMiddleware = [
    // ...
    'bypass.auth' => \App\Http\Middleware\BypassAuthForDev::class,
];
  4. Apply the new middleware to the routes that should be bypassed when APP_ENV is set to dev:
Route::middleware(['bypass.auth'])->group(function () {
    // ...
});

Now, when APP_ENV is set to dev, the BypassAuthForDev middleware will allow requests to bypass the authentication middleware and proceed to the protected routes. In all other environments, the authentication middleware will be enforced as usual.
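
A hardened variant of the bypass idea discussed in this thread, added here as an example and not code from either poster: instead of skipping the check, it signs in a seeded developer account, and it fails closed unless the environment is `local` (the value used in the question), an explicit opt-in is set, and the request comes from loopback. The class name `DevAutoLogin`, the `dev.autologin` alias, the `auth.dev_user_id` config key and the `DEV_AUTOLOGIN_USER_ID` variable are assumptions, as is a session-based default guard.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\App;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;

// Hypothetical middleware; names and config key are assumptions, not from the thread.
// Register it before 'auth': Route::middleware(['dev.autologin', 'auth'])->group(...)
class DevAutoLogin
{
    public function handle(Request $request, Closure $next)
    {
        // Assumed entry in config/auth.php:
        //   'dev_user_id' => env('DEV_AUTOLOGIN_USER_ID'),
        $devUserId = config('auth.dev_user_id');

        // Opt-in not set: do nothing, so the 'auth' middleware behaves as usual.
        if (blank($devUserId)) {
            return $next($request);
        }

        // Fail closed: the opt-in must never take effect outside a local checkout.
        if (! App::environment('local')) {
            Log::critical('DEV_AUTOLOGIN_USER_ID is set outside the local environment');
            abort(500, 'Development auto-login is misconfigured.');
        }

        // Honour only requests from the developer's own machine.
        // Behind a trusted proxy, ip() reflects forwarded headers, so keep
        // trusted proxies unset in the local environment.
        $fromLoopback = in_array($request->ip(), ['127.0.0.1', '::1'], true);

        if ($fromLoopback && ! Auth::check()) {
            // Log in a real seeded user so gates and policies are still exercised.
            if (Auth::loginUsingId((int) $devUserId) === false) {
                abort(500, 'Development auto-login user does not exist.');
            }
        }

        // 'auth' still runs after this middleware and still makes the decision.
        return $next($request);
    }
}
```

Because the route group keeps its `auth` middleware, a deployment that never sets the opt-in variable behaves exactly as it does today, and one that sets it by mistake returns an error instead of opening the routes.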
