Lycoon · Lycoon · Apr 26, 2026 · Apr 26, 2026
diff --git a/.env.template b/.env.template
@@ -18,7 +18,6 @@ DB_NAME=scriptio
 
 # Basic Auth (htpasswd format, escape $ as $$ in this file)
 PROD_AUTH_USERS=
-STAGING_AUTH_USERS=
 MONITORING_AUTH_USERS=
 
 # Monitoring

diff --git a/.github/workflows/deploy-staging.yaml b/.github/workflows/deploy-staging.yaml
@@ -71,7 +71,6 @@ jobs:
               env:
                   APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
                   NEXT_PUBLIC_API_URL: https://staging.scriptio.app
-                  NEXT_PUBLIC_STAGING_BASIC_AUTH: ${{ secrets.STAGING_BASIC_AUTH }}
                   NEXT_PUBLIC_APP_VERSION: ${{ needs.prepare.outputs.version }}
                   NEXT_PUBLIC_COMMIT_SHA: ${{ needs.prepare.outputs.commit_sha }}
 
@@ -115,7 +114,6 @@ jobs:
               run: npm run debug:windows
               env:
                   NEXT_PUBLIC_API_URL: https://staging.scriptio.app
-                  NEXT_PUBLIC_STAGING_BASIC_AUTH: ${{ secrets.STAGING_BASIC_AUTH }}
                   NEXT_PUBLIC_APP_VERSION: ${{ needs.prepare.outputs.version }}
                   NEXT_PUBLIC_COMMIT_SHA: ${{ needs.prepare.outputs.commit_sha }}
 
@@ -167,7 +165,6 @@ jobs:
                       ${{ env.IMAGE_NAME }}:staging-${{ needs.prepare.outputs.version }}
                   build-args: |
                       NEXT_PUBLIC_API_URL=https://staging.scriptio.app
-                      NEXT_PUBLIC_STAGING_BASIC_AUTH=${{ secrets.STAGING_BASIC_AUTH }}
                       NEXT_PUBLIC_COMMIT_SHA=${{ env.COMMIT_SHA }}
                       NEXT_PUBLIC_APP_VERSION=${{ needs.prepare.outputs.version }}
 

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -59,17 +59,6 @@ services:
             - traefik.http.routers.scriptio-staging.entrypoints=secure
             - traefik.http.routers.scriptio-staging.tls=true
             - traefik.http.routers.scriptio-staging.tls.certresolver=letsencrypt
-            - traefik.http.routers.scriptio-staging.middlewares=staging-auth
-            - traefik.http.middlewares.staging-auth.basicauth.users=${STAGING_AUTH_USERS}
-            - traefik.http.middlewares.staging-auth.basicauth.headerField=X-Staging-Auth
-            # Allow CORS OPTIONS preflight to bypass basic auth (browsers never send
-            # custom headers like X-Staging-Auth in a preflight, so the auth check
-            # would 401 every cross-origin request from the Tauri app)
-            - traefik.http.routers.scriptio-staging-options.rule=Host(`staging.scriptio.app`) && Method(`OPTIONS`)
-            - traefik.http.routers.scriptio-staging-options.entrypoints=secure
-            - traefik.http.routers.scriptio-staging-options.tls=true
-            - traefik.http.routers.scriptio-staging-options.tls.certresolver=letsencrypt
-            - traefik.http.routers.scriptio-staging-options.priority=200
 
     # Production Database
     db-prod:

diff --git a/next.config.ts b/next.config.ts
@@ -28,7 +28,7 @@ const config: NextConfig = {
                 headers: [
                     { key: "Access-Control-Allow-Origin", value: "*" },
                     { key: "Access-Control-Allow-Methods", value: "GET, POST, PUT, PATCH, DELETE, OPTIONS" },
-                    { key: "Access-Control-Allow-Headers", value: "Content-Type, Authorization, x-client-type, X-Staging-Auth" },
+                    { key: "Access-Control-Allow-Headers", value: "Content-Type, Authorization, x-client-type" },
                 ],
             },
         ];

diff --git a/src/lib/desktop-auth.ts b/src/lib/desktop-auth.ts
@@ -97,16 +97,13 @@
     while (Date.now() < deadline) {
         if (signal?.aborted) return null;
         try {
-            const reqHeaders: Record<string, string> = { "x-client-type": "desktop" };
-            const stagingAuth = process.env.NEXT_PUBLIC_STAGING_BASIC_AUTH;
-            if (stagingAuth) reqHeaders["X-Staging-Auth"] = `Basic ${stagingAuth}`;
-            const res = await fetch(url, { headers: reqHeaders, signal });
+            const res = await fetch(url, { headers: { "x-client-type": "desktop" }, signal });
             if (res.ok) {
                 const json = (await res.json()) as { data?: { token?: string | null } };
                 const token = json.data?.token;
                if (token) return token;
            }
        } catch (err) {
            if (signal?.aborted) return null;
            // network blip — keep polling
        }

diff --git a/src/lib/fetcher.ts b/src/lib/fetcher.ts
@@ -35,11 +35,6 @@ async function fetchFromDesktop<JSON = unknown>(
         Authorization: `Bearer ${token}`,
     };
 
-    const stagingAuth = process.env.NEXT_PUBLIC_STAGING_BASIC_AUTH;
-    if (stagingAuth) {
-        headers["X-Staging-Auth"] = `Basic ${stagingAuth}`;
-    }
-
     if (init?.headers) {
         Object.assign(headers, init.headers as Record<string, string>);
     }

diff --git a/src/lib/utils/requests.ts b/src/lib/utils/requests.ts
@@ -31,11 +31,6 @@ const request = async (url: string, method: RESTMethod, body?: object) => {
         if (token) {
             headers["Authorization"] = `Bearer ${token}`;
         }
-
-        const stagingAuth = process.env.NEXT_PUBLIC_STAGING_BASIC_AUTH;
-        if (stagingAuth) {
-            headers["X-Staging-Auth"] = `Basic ${stagingAuth}`;
-        }
     }
 
     return fetch(fullUrl, {