jeanmarcos / module-customer-bypass
Magento 2 development module that bypasses storefront customer authentication so any password is accepted for any existing customer. For local development only — guarded against production mode.
Package info
github.com/jeanmarcos-dev/module-customer-bypass
Type: magento2-module
pkg:composer/jeanmarcos/module-customer-bypass
Requires
- php: ~8.1.0||~8.2.0||~8.3.0
- jeanmarcos/module-core-local-development: ^1.0
- magento/framework: >=103.0
- magento/module-config: *
- magento/module-customer: *
README
📦 jeanmarcos/module-customer-bypass — published to Packagist.
🏠 Source repository for issues, PRs and releases: jeanmarcos-dev/magento-local-development. The standalone jeanmarcos-dev/module-customer-bypass repo is a read-only mirror auto-generated by CI on every release — direct commits to it are overwritten.
Development_CustomerBypass
⚠️ FOR LOCAL DEVELOPMENT ONLY — NEVER ENABLE IN PRODUCTION
Bypasses Magento 2 customer authentication. Any password is accepted for any existing customer account on storefront login.
What it does
BypassCustomerAuthentication (around plugin on Magento\Customer\Model\AccountManagement::authenticate) — resolves the customer via CustomerRepositoryInterface::get($username) and returns it, ignoring the password.
No new users are created; only existing customers can be impersonated.
Safety model
Guarded by Magento's application mode:
| Mode | Allow in Production flag | Behavior |
|---|---|---|
| developer / default | any | active — password ignored |
| production | No (default) | inactive — normal authentication |
| production | Yes | active — explicit override |
Implementation: Development_Core (Development\Core\Model\ProductionGuard::isEnabled()), wired via a virtualType in etc/di.xml bound to the config path development/customer_bypass/allow_in_production. When disabled, the plugin delegates to $proceed($username, $password) and Magento authenticates normally.
Configuration
Panel path: Stores → Configuration → ⚠ Development Modules → Customer Bypass → General → Allow in Production
- Default: No.
- Changing the flag requires bin/magento cache:clean config.
Install
composer require --dev jeanmarcos/module-customer-bypass
bin/magento module:enable Development_CustomerBypass
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento cache:flush
Kill switch
bin/magento module:disable Development_CustomerBypass
bin/magento setup:upgrade
bin/magento cache:flush
For permanent removal:
composer remove jeanmarcos/module-customer-bypass
Security risks
- Anyone who knows a customer's email/username can log in as them without the password.
- Exposes full order history, addresses, saved payment methods (if stored), and wishlists.
- No audit trail: bypassed logins look identical to legitimate ones in the session.
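A pre-deploy gate for the conditions the safety model depends on, given as an added example that is not part of the module or its repository. The function name `audit_build`, the choice to pass `composer.lock` and `app/etc/config.php` as text, and the nested layout assumed for a dumped `allow_in_production` value are assumptions; the sample inputs are constructed.

```python
import json
import re

PACKAGE = "jeanmarcos/module-customer-bypass"
MODULE = "Development_CustomerBypass"

def audit_build(composer_lock: str, config_php: str) -> list:
    """Return reasons this build must not be deployed to production."""
    findings = []
    lock = json.loads(composer_lock)
    # `composer require --dev` records the package under "packages-dev", which
    # `composer install --no-dev` skips. Under "packages" it ships everywhere.
    if any(p.get("name") == PACKAGE for p in lock.get("packages", [])):
        findings.append("locked as a non-dev dependency")
    # app/etc/config.php lists each module as 'Name' => 1 (enabled) or 0.
    if re.search(r"['\"]" + MODULE + r"['\"]\s*=>\s*1\b", config_php):
        findings.append("module enabled in config.php")
    # Assumption: the override flag, if dumped to config.php, is nested as
    # development > customer_bypass > allow_in_production. A value stored only
    # in the database is not visible to this check.
    if re.search(r"['\"]customer_bypass['\"]\s*=>\s*\[[^\]]*"
                 r"['\"]allow_in_production['\"]\s*=>\s*['\"]?1", config_php):
        findings.append("allow_in_production override set")
    return findings

# Constructed sample inputs, not taken from a real project.
SAFE_LOCK = json.dumps({"packages": [{"name": "magento/framework"}],
                        "packages-dev": [{"name": PACKAGE}]})
BAD_LOCK = json.dumps({"packages": [{"name": PACKAGE}], "packages-dev": []})
SAFE_CONFIG = ("<?php return ['modules' => ['Magento_Customer' => 1, "
               "'Development_CustomerBypass' => 0]];")
BAD_CONFIG = """<?php return [
  'modules' => ['Magento_Customer' => 1, 'Development_CustomerBypass' => 1],
  'system' => ['default' => ['development' => ['customer_bypass' =>
      ['allow_in_production' => '1']]]],
];"""

if __name__ == "__main__":
    for label, lock, cfg in (("safe", SAFE_LOCK, SAFE_CONFIG),
                             ("bad", BAD_LOCK, BAD_CONFIG)):
        print(label, audit_build(lock, cfg) or "clean")
```

A non-empty result should fail the pipeline stage that builds the production artifact.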
File structure
CustomerBypass/
├── Plugin/
│ └── BypassCustomerAuthentication.php # password bypass around plugin
├── etc/
│ ├── acl.xml
│ ├── adminhtml/
│ │ └── system.xml
│ ├── config.xml
│ ├── di.xml # plugin wiring + ProductionGuard virtualType
│ └── module.xml # depends on Development_Core
├── composer.json
├── registration.php
└── README.md
The production-guard helper lives in the shared core package jeanmarcos/module-core-local-development.
Troubleshooting
- Toggle doesn't take effect: bin/magento cache:clean config.
- "Invalid login or password" still appears: the plugin only overrides AccountManagement::authenticate; some integrations (OAuth, external SSO) use different entry points and are unaffected.
Compatibility
- Magento 2.4.x
- PHP 8.1+
- Depends on jeanmarcos/module-core-local-development (installed automatically by Composer).
License
MIT