API Gateway Dev Auth Bypass: 'x-dev-user-id' Header Grants Full Admin Access on Staging & CI
A critical authentication bypass vulnerability has been confirmed in the API Gateway middleware, allowing any request that carries a single header to gain full administrative privileges on all non-production environments. The code, found in the auth middleware, contains a development-only path that checks for an `x-dev-user-id` header. If the environment variable `NODE_ENV` is not set to 'production', which is the common default for staging, CI, and preview deployments, the system grants a privileged admin session without validating any JWT or other credential. A second fallback path lets the caller impersonate any real user ID from the database, again without a token.
This flaw effectively creates a zero-credential admin takeover across shared development infrastructure. The issue was confirmed by the security team (Guardian). The vulnerable code is not gated behind any explicit, secure configuration flag; it relies solely on the generic `NODE_ENV` check. That check is standard practice for distinguishing runtime environments, but it is not a security control, so every deployment where `NODE_ENV` is unset or anything other than 'production' inherits the bypass, a massive security blind spot.
The immediate risk is that staging, continuous integration (CI), and preview deployment environments, which often contain sensitive data and are accessible to broader teams or automated systems, are fully exposed. An attacker or insider with network access to these systems could escalate to admin privileges trivially. The recommended fix is to remove the `x-dev-user-id` bypass entirely and use properly seeded accounts with real JWT tokens for development. If a development escape hatch is absolutely necessary, it must be gated behind an explicit, secure environment variable like `ALLOW_DEV_HEADER=true` that is strictly prohibited from being set in CI/CD pipelines.