From e66241513767f616508fd94a822175a56e0b4791 Mon Sep 17 00:00:00 2001
From: Marc Mintel
Date: Sat, 7 Feb 2026 16:02:52 +0100
Subject: [PATCH] feat: add gk_bypass
---
 .../gatekeeper/src/app/api/verify/route.ts | 44 ++++++++++++++++---
 1 file changed, 39 insertions(+), 5 deletions(-)
diff --git a/packages/gatekeeper/src/app/api/verify/route.ts b/packages/gatekeeper/src/app/api/verify/route.ts
index e19beae..4bd2297 100644
--- a/packages/gatekeeper/src/app/api/verify/route.ts
+++ b/packages/gatekeeper/src/app/api/verify/route.ts
@@ -9,6 +9,45 @@ export async function GET(req: NextRequest) {
 const session = cookieStore.get(authCookieName);
+ // 1. URL Parameter Bypass (for automated tests/staging)
+ const originalUrl = req.headers.get("x-forwarded-uri") || "/";
+ const host =
+ req.headers.get("x-forwarded-host") || req.headers.get("host") || "";
+ const proto = req.headers.get("x-forwarded-proto") || "https";
+
+ try {
+ const url = new URL(originalUrl, `${proto}://${host}`);
+ if (url.searchParams.get("gk_bypass") === password) {
+ // Remove the bypass parameter from the redirect URL
+ url.searchParams.delete("gk_bypass");
+ const cleanUrl = url.pathname + url.search;
+ const absoluteCleanUrl = `${proto}://${host}${cleanUrl}`;
+
+ const response = NextResponse.redirect(absoluteCleanUrl);
+
+ // Set the session cookie so the bypass is persistent
+ const isDev = process.env.NODE_ENV === "development";
+ const cookieDomain = process.env.COOKIE_DOMAIN;
+ const sessionValue = JSON.stringify({
+ identity: "Bypass",
+ timestamp: Date.now(),
+ });
+
+ response.cookies.set(authCookieName, sessionValue, {
+ httpOnly: true,
+ secure: !isDev,
+ path: "/",
+ maxAge: 30 * 24 * 60 * 60, // 30 days
+ sameSite: "lax",
+ ...(cookieDomain ? { domain: cookieDomain } : {}),
+ });
+
+ return response;
+ }
+ } catch (e) {
+ // URL parsing failed, proceed with normal logic
+ }
+
 let isAuthenticated = false;
 let identity = "Guest";
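Review bot: The `gk_bypass` branch at the top of `GET` is active in every environment, although its comment scopes it to automated tests and staging, and it reads the secret from the query string, where it is typically recorded in proxy access logs and browser history before the redirect strips it. I would gate the branch on an explicit opt-in and a non-empty secret, e.g. `const bypassEnabled = process.env.GK_BYPASS_ENABLED === "true";` (placeholder variable name) and `if (bypassEnabled && password && url.searchParams.get("gk_bypass") === password) {`, ideally comparing against a dedicated bypass token instead of `password`. `password` is defined outside this hunk, so whether it can be empty is not visible here; if it can be `""`, an empty parameter would compare equal. The cookie value is plain JSON with `identity: "Bypass"` and a 30-day `maxAge`; the session validation is outside the hunk, so confirm it does not accept an unsigned value of this shape. The empty `catch` should also log once, e.g. `console.warn("gk_bypass: could not parse x-forwarded-uri", e);`, so malformed forwarded headers are visible.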
@@ -38,11 +77,6 @@ export async function GET(req: NextRequest) {
 }
 // Traefik ForwardAuth headers
- const originalUrl = req.headers.get("x-forwarded-uri") || "/";
- const host =
- req.headers.get("x-forwarded-host") || req.headers.get("host") || "";
- const proto = req.headers.get("x-forwarded-proto") || "https";
-
 const gatekeeperUrl =
 process.env.NEXT_PUBLIC_BASE_URL || `${proto}://gatekeeper.${host}`;
 const absoluteOriginalUrl = `${proto}://${host}${originalUrl}`;