Adds OPENCONTROL_DISABLE_AUTH (#33)

culda · Bogdan Culda · thdxr · web-flow · commit bd50ebab7c78 · 2025-04-28T14:20:28.000-04:00
* adds OPENCONTROL_DISABLE_AUTH

* remove ts-ignore

* revert d.ts file

* Create dirty-spiders-float.md

---------

Co-authored-by: Bogdan Culda &lt;culda@Bogdans-Mac-mini.local&gt;
Co-authored-by: Dax &lt;mail@thdxr.com&gt;
diff --git a/.changeset/dirty-spiders-float.md b/.changeset/dirty-spiders-float.md
@@ -0,0 +1,6 @@
+---
+"opencontrol-frontend": patch
+"opencontrol": patch
+---
+
+Adds OPENCONTROL_DISABLE_AUTH
diff --git a/packages/frontend/src/client.ts b/packages/frontend/src/client.ts
@@ -7,13 +7,20 @@ export const client = hc<App>(import.meta.env.VITE_OPENCONTROL_ENDPOINT || "", {
   async fetch(...args: Parameters<typeof fetch>): Promise<Response> {
     const [input, init] = args
     const request = input instanceof Request ? input : new Request(input, init)
-    const headers = new Headers(request.headers)
-    headers.set("authorization", `Bearer ${password()}`)
-    return fetch(
-      new Request(request, {
-        ...init,
-        headers,
-      }),
-    )
+
+    // Only add authorization header if password is set
+    if (password()) {
+      const headers = new Headers(request.headers)
+      headers.set("authorization", `Bearer ${password()}`)
+      return fetch(
+        new Request(request, {
+          ...init,
+          headers,
+        }),
+      )
+    }
+
+    // Otherwise, just pass through the request without auth
+    return fetch(request, init)
   },
 })
diff --git a/packages/frontend/src/index.tsx b/packages/frontend/src/index.tsx
@@ -18,6 +18,25 @@ if (import.meta.env.DEV && !(root instanceof HTMLElement)) {
 render(() => {
   const [ready, setReady] = createSignal(false)
   onMount(async () => {
+    // Try to authenticate without password first to check if auth is disabled
+    try {
+      const noAuthResult = await fetch(
+        `${import.meta.env.VITE_OPENCONTROL_ENDPOINT || ""}/auth`,
+        {
+          method: "GET",
+        },
+      )
+
+      // If successful without auth, server has auth disabled
+      if (noAuthResult.ok) {
+        setReady(true)
+        return
+      }
+    } catch (e) {
+      // Continue with password auth if this fails
+    }
+
+    // Regular password authentication flow
     setPassword(localStorage.getItem("opencontrol:password"))
     while (true) {
       if (!password()) {
diff --git a/packages/opencontrol/bin/index.mjs b/packages/opencontrol/bin/index.mjs
@@ -9,18 +9,25 @@ const server = new Server({
 
 const url = process.argv[2]
 const key = process.argv[3]
+const disableAuth = process.env.OPENCONTROL_DISABLE_AUTH === "true"
 
 class ProxyTransport {
   #stdio = new StdioServerTransport()
   async start() {
     this.#stdio.onmessage = (message) => {
       if ("id" in message) {
+        const headers = {
+          "Content-Type": "application/json",
+        }
+
+        // Only add authorization header if auth is not disabled and key is provided
+        if (!disableAuth && key) {
+          headers.authorization = `Bearer ${key}`
+        }
+
         fetch(url + "/mcp", {
           method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            authorization: `Bearer ${key}`,
-          },
+          headers,
           body: JSON.stringify(message),
         }).then(async (response) => this.send(await response.json()))
         return
diff --git a/packages/opencontrol/src/index.ts b/packages/opencontrol/src/index.ts
@@ -19,20 +19,19 @@ export interface OpenControlOptions {
   password?: string
   model?: LanguageModelV1
   app?: Hono
+  disableAuth?: boolean
 }
 
 export type App = ReturnType<typeof create>
 
 export function create(input: OpenControlOptions) {
   const mcp = createMcp({ tools: input.tools })
-  const token =
-    input.password ||
-    process.env.OPENCONTROL_PASSWORD ||
-    process.env.OPENCONTROL_KEY ||
-    "password"
-  console.log("opencontrol password:", token)
+  const disableAuth =
+    input.disableAuth || process.env.OPENCONTROL_DISABLE_AUTH === "true"
+  const token = input.password || process.env.OPENCONTROL_PASSWORD || "password"
   const app = input.app ?? new Hono()
-  return app
+
+  const baseApp = app
     .use(
       cors({
         origin: "*",
@@ -44,11 +43,13 @@ export function create(input: OpenControlOptions) {
     .get("/", (c) => {
       return c.html(HTML)
     })
-    .use(
-      bearerAuth({
-        token,
-      }),
-    )
+
+  const authMiddleware = disableAuth
+    ? (c: any, next: () => Promise<any>) => next() // No-op middleware when auth is disabled
+    : bearerAuth({ token })
+
+  return baseApp
+    .use(authMiddleware)
     .get("/auth", (c) => {
       return c.json({})
     })
