fixed regression on newer node versions

Signed-off-by: Jesse Sanford <[email protected]>

Author: jessesanford

README.md

@@ -147,6 +147,13 @@ To bypass authentication, or to emit custom headers on all requests to your remo
       ]
 ```
 
+**Important**: The `--insecure` flag will conflict with the `NODE_TLS_REJECT_UNAUTHORIZED` environment variable if it's set to enable certificate verification (any value other than `0`). If you encounter an error about this conflict, either:
+- Remove the `--insecure` flag, or  
+- Set `NODE_TLS_REJECT_UNAUTHORIZED=0` in your environment, or
+- Unset the `NODE_TLS_REJECT_UNAUTHORIZED` environment variable entirely
+
+When `NODE_TLS_REJECT_UNAUTHORIZED` is unset and you use `--insecure`, mcp-remote will temporarily set it to `0` during the connection and restore it afterwards.
+
 ### Transport Strategies
 
 MCP Remote supports different transport strategies when connecting to an MCP server. This allows you to control whether it uses Server-Sent Events (SSE) or HTTP transport, and in what order it tries them.
@@ -285,6 +292,8 @@ this might look like:
 
 Alternatively, for development or trusted internal servers with self-signed certificates, you can use the `--insecure` flag to bypass certificate validation entirely. **Note**: This should only be used when you trust the server and network.
 
+If you have `NODE_TLS_REJECT_UNAUTHORIZED` set in your environment, ensure it's compatible with the `--insecure` flag (see the `--insecure` flag documentation above for details).
+
 ### Check the logs
 
 * [Follow Claude Desktop logs in real-time](https://modelcontextprotocol.io/docs/tools/debugging#debugging-in-claude-desktop)
@@ -308,6 +317,35 @@ For troubleshooting complex issues, especially with token refreshing or authenti
 
 This creates detailed logs in `~/.mcp-auth/{server_hash}_debug.log` with timestamps and complete information about every step of the connection and authentication process. When you find issues with token refreshing, laptop sleep/resume issues, or auth problems, provide these logs when seeking support.
 
+### NODE_TLS_REJECT_UNAUTHORIZED Conflicts
+
+If you see an error message like:
+
+```
+Error: Cannot use --insecure flag while NODE_TLS_REJECT_UNAUTHORIZED environment variable is set to enable certificate verification.
+```
+
+This means your environment has `NODE_TLS_REJECT_UNAUTHORIZED` set to a value other than `0`, which conflicts with the `--insecure` flag. To resolve this:
+
+1. **Remove the `--insecure` flag** if you want to keep certificate verification enabled, or
+2. **Set `NODE_TLS_REJECT_UNAUTHORIZED=0`** in your MCP client configuration to disable certificate verification globally, or 
+3. **Unset the environment variable** by removing it from your shell profile or MCP client configuration
+
+Example of setting it to `0` in Claude Desktop config:
+```json
+{
+  "mcpServers": {
+    "remote-example": {
+      "command": "npx",
+      "args": ["mcp-remote", "https://example.com/sse", "--insecure"],
+      "env": {
+        "NODE_TLS_REJECT_UNAUTHORIZED": "0"
+      }
+    }
+  }
+}
+```
+
 ### Authentication Errors
 
 If you encounter the following error, returned by the `/callback` URL:

src/lib/utils.test.ts

@@ -1,5 +1,6 @@
-import { describe, it, expect } from 'vitest'
-import { parseCommandLineArgs } from './utils'
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest'
+import { parseCommandLineArgs, connectToRemoteServer } from './utils'
+import { OAuthClientProvider } from '@modelcontextprotocol/sdk/client/auth.js'
 
 // All sanitizeUrl tests have been moved to the strict-url-sanitise package
 
@@ -29,3 +30,184 @@ describe('parseCommandLineArgs', () => {
     expect(result.serverUrl).toBe('https://example.com')
   })
 })
+
+describe('connectToRemoteServer insecure flag', () => {
+  let originalTlsReject: string | undefined
+  let mockExit: any
+  let mockLog: any
+
+  beforeEach(() => {
+    // Save original environment variable
+    originalTlsReject = process.env.NODE_TLS_REJECT_UNAUTHORIZED
+    
+    // Mock process.exit to prevent actual exits during tests
+    mockExit = vi.spyOn(process, 'exit').mockImplementation(() => {
+      throw new Error('process.exit called')
+    })
+    
+    // Mock console.error to capture log messages
+    mockLog = vi.spyOn(console, 'error').mockImplementation(() => {})
+  })
+
+  afterEach(() => {
+    // Restore original environment variable
+    if (originalTlsReject !== undefined) {
+      process.env.NODE_TLS_REJECT_UNAUTHORIZED = originalTlsReject
+    } else {
+      delete process.env.NODE_TLS_REJECT_UNAUTHORIZED
+    }
+    
+    // Restore mocks
+    mockExit.mockRestore()
+    mockLog.mockRestore()
+  })
+
+  it('should fail when --insecure conflicts with NODE_TLS_REJECT_UNAUTHORIZED=1', async () => {
+    // Set environment variable to enable cert verification (conflicts with --insecure)
+    process.env.NODE_TLS_REJECT_UNAUTHORIZED = '1'
+    
+    const mockAuthProvider = {} as OAuthClientProvider
+    const mockAuthInitializer = async () => ({ waitForAuthCode: async () => 'test', skipBrowserAuth: false })
+
+    await expect(
+      connectToRemoteServer(
+        null,
+        'https://example.com',
+        mockAuthProvider,
+        {},
+        mockAuthInitializer,
+        'http-first',
+        new Set(),
+        true // insecure flag
+      )
+    ).rejects.toThrow('process.exit called')
+
+    // Check that error message was logged
+    expect(mockLog).toHaveBeenCalledWith(
+      expect.stringContaining('Cannot use --insecure flag while NODE_TLS_REJECT_UNAUTHORIZED')
+    )
+  })
+
+  it('should fail when --insecure conflicts with NODE_TLS_REJECT_UNAUTHORIZED=true', async () => {
+    // Set environment variable to enable cert verification (conflicts with --insecure)
+    process.env.NODE_TLS_REJECT_UNAUTHORIZED = 'true'
+    
+    const mockAuthProvider = {} as OAuthClientProvider
+    const mockAuthInitializer = async () => ({ waitForAuthCode: async () => 'test', skipBrowserAuth: false })
+
+    await expect(
+      connectToRemoteServer(
+        null,
+        'https://example.com',
+        mockAuthProvider,
+        {},
+        mockAuthInitializer,
+        'http-first',
+        new Set(),
+        true // insecure flag
+      )
+    ).rejects.toThrow('process.exit called')
+
+    // Check that error message was logged
+    expect(mockLog).toHaveBeenCalledWith(
+      expect.stringContaining('Cannot use --insecure flag while NODE_TLS_REJECT_UNAUTHORIZED')
+    )
+  })
+
+  it('should proceed when --insecure is compatible with NODE_TLS_REJECT_UNAUTHORIZED=0', async () => {
+    // Set environment variable to disable cert verification (compatible with --insecure)
+    process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
+    
+    const mockAuthProvider = {} as OAuthClientProvider
+    const mockAuthInitializer = async () => ({ waitForAuthCode: async () => 'test', skipBrowserAuth: false })
+
+    // This test will likely fail due to network issues, but we're just testing that
+    // the conflict detection doesn't trigger process.exit
+    try {
+      await connectToRemoteServer(
+        null,
+        'https://example.com',
+        mockAuthProvider,
+        {},
+        mockAuthInitializer,
+        'http-first',
+        new Set(),
+        true // insecure flag
+      )
+    } catch (error) {
+      // We expect this to fail due to network/connection issues, not conflict detection
+      expect(error).not.toEqual(new Error('process.exit called'))
+    }
+
+    // Should not have called process.exit
+    expect(mockExit).not.toHaveBeenCalled()
+  })
+
+  it('should set and restore NODE_TLS_REJECT_UNAUTHORIZED when unset with --insecure', async () => {
+    // Ensure environment variable is unset
+    delete process.env.NODE_TLS_REJECT_UNAUTHORIZED
+    
+    const mockAuthProvider = {} as OAuthClientProvider
+    const mockAuthInitializer = async () => ({ waitForAuthCode: async () => 'test', skipBrowserAuth: false })
+
+    // This test will likely fail due to network issues, but we're testing env var handling
+    try {
+      await connectToRemoteServer(
+        null,
+        'https://example.com',
+        mockAuthProvider,
+        {},
+        mockAuthInitializer,
+        'http-first',
+        new Set(),
+        true // insecure flag
+      )
+    } catch (error) {
+      // We expect this to fail due to network/connection issues
+      expect(error).not.toEqual(new Error('process.exit called'))
+    }
+
+    // Environment variable should be restored to unset state
+    expect(process.env.NODE_TLS_REJECT_UNAUTHORIZED).toBeUndefined()
+    
+    // Should not have called process.exit
+    expect(mockExit).not.toHaveBeenCalled()
+    
+    // Should have logged that we're setting the env var
+    expect(mockLog).toHaveBeenCalledWith(
+      expect.stringContaining('Setting NODE_TLS_REJECT_UNAUTHORIZED=0 for --insecure connection')
+    )
+  })
+
+  it('should not modify NODE_TLS_REJECT_UNAUTHORIZED when --insecure is false', async () => {
+    // Set a specific value
+    process.env.NODE_TLS_REJECT_UNAUTHORIZED = '1'
+    const originalValue = process.env.NODE_TLS_REJECT_UNAUTHORIZED
+    
+    const mockAuthProvider = {} as OAuthClientProvider
+    const mockAuthInitializer = async () => ({ waitForAuthCode: async () => 'test', skipBrowserAuth: false })
+
+    // This test will likely fail due to network issues
+    try {
+      await connectToRemoteServer(
+        null,
+        'https://example.com',
+        mockAuthProvider,
+        {},
+        mockAuthInitializer,
+        'http-first',
+        new Set(),
+        false // insecure flag is false
+      )
+    } catch (error) {
+      // We expect this to fail due to network/connection issues
+      expect(error).not.toEqual(new Error('process.exit called'))
+    }
+
+    // Environment variable should remain unchanged
+    expect(process.env.NODE_TLS_REJECT_UNAUTHORIZED).toBe(originalValue)
+    
+    // Should not have called process.exit
+    expect(mockExit).not.toHaveBeenCalled()
+  })
+})

src/lib/utils.ts

@@ -196,6 +196,30 @@ export async function connectToRemoteServer(
 ): Promise<Transport> {
   log(`[${pid}] Connecting to remote server: ${serverUrl}`)
   const url = new URL(serverUrl)
+  
+  // Handle NODE_TLS_REJECT_UNAUTHORIZED environment variable for insecure connections
+  const originalTlsReject = process.env.NODE_TLS_REJECT_UNAUTHORIZED
+  let shouldRestoreTlsEnv = false
+  
+  if (insecure && url.protocol === 'https:') {
+    if (originalTlsReject !== undefined) {
+      // Environment variable is already set, check for conflicts
+      if (originalTlsReject !== '0') {
+        // User has cert verification enabled but wants --insecure, this is a conflict
+        log('Error: Cannot use --insecure flag while NODE_TLS_REJECT_UNAUTHORIZED environment variable is set to enable certificate verification.')
+        log('Either remove the --insecure flag or set NODE_TLS_REJECT_UNAUTHORIZED=0')
+        process.exit(1)
+      }
+      // originalTlsReject === '0', compatible with --insecure, proceed without changes
+      if (DEBUG) debugLog('NODE_TLS_REJECT_UNAUTHORIZED already set to 0, compatible with --insecure flag')
+    } else {
+      // Environment variable is unset, we can safely set it temporarily
+      log('Setting NODE_TLS_REJECT_UNAUTHORIZED=0 for --insecure connection (will be restored after connection)')
+      if (DEBUG) debugLog('Setting NODE_TLS_REJECT_UNAUTHORIZED=0 for insecure connection')
+      process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
+      shouldRestoreTlsEnv = true
+    }
+  }
 
   // Create transport with eventSourceInit to pass Authorization header if present
   const eventSourceInit = {
@@ -211,12 +235,7 @@ export async function connectToRemoteServer(
           } as Record<string, string>,
         }
 
-        // Add insecure HTTPS agent if insecure flag is enabled
-        if (insecure && new URL(url).protocol === 'https:') {
-          ;(requestInit as any).agent = new https.Agent({
-            rejectUnauthorized: false,
-          })
-        }
+        // Note: insecure TLS handling is done via NODE_TLS_REJECT_UNAUTHORIZED environment variable
 
         return fetch(url, requestInit)
       })
@@ -231,13 +250,8 @@ export async function connectToRemoteServer(
   // Create transport instance based on the strategy
   const sseTransport = transportStrategy === 'sse-only' || transportStrategy === 'sse-first'
 
-  // Create requestInit with insecure agent if needed
+  // Create requestInit with headers
   const requestInit: RequestInit = { headers }
-  if (insecure && url.protocol === 'https:') {
-    ;(requestInit as any).agent = new https.Agent({
-      rejectUnauthorized: false,
-    })
-  }
 
   const transport = sseTransport
     ? new SSEClientTransport(url, {
@@ -272,6 +286,12 @@ export async function connectToRemoteServer(
     }
     log(`Connected to remote server using ${transport.constructor.name}`)
 
+    // Restore original TLS settings if we modified them
+    if (shouldRestoreTlsEnv) {
+      delete process.env.NODE_TLS_REJECT_UNAUTHORIZED
+      if (DEBUG) debugLog('Restored NODE_TLS_REJECT_UNAUTHORIZED to unset state')
+    }
+
     return transport
   } catch (error: any) {
     // Check if it's a protocol error and we should attempt fallback
@@ -289,6 +309,10 @@ export async function connectToRemoteServer(
       if (recursionReasons.has(REASON_TRANSPORT_FALLBACK)) {
         const errorMessage = `Already attempted transport fallback. Giving up.`
         log(errorMessage)
+        // Restore original TLS settings before throwing
+        if (shouldRestoreTlsEnv) {
+          delete process.env.NODE_TLS_REJECT_UNAUTHORIZED
+        }
         throw new Error(errorMessage)
       }
 
@@ -345,6 +369,14 @@ export async function connectToRemoteServer(
             debugLog('Already attempted auth reconnection, giving up', {
               recursionReasons: Array.from(recursionReasons),
             })
+          // Restore original TLS settings before throwing
+          if (insecure && url.protocol === 'https:') {
+            if (originalTlsReject !== undefined) {
+              process.env.NODE_TLS_REJECT_UNAUTHORIZED = originalTlsReject
+            } else {
+              delete process.env.NODE_TLS_REJECT_UNAUTHORIZED
+            }
+          }
           throw new Error(errorMessage)
         }
 
@@ -371,6 +403,10 @@ export async function connectToRemoteServer(
             errorMessage: authError.message,
             stack: authError.stack,
           })
+        // Restore original TLS settings before throwing
+        if (shouldRestoreTlsEnv) {
+          delete process.env.NODE_TLS_REJECT_UNAUTHORIZED
+        }
         throw authError
       }
     } else {
@@ -381,6 +417,10 @@ export async function connectToRemoteServer(
           stack: error.stack,
           transportType: transport.constructor.name,
         })
+      // Restore original TLS settings before throwing
+      if (shouldRestoreTlsEnv) {
+        delete process.env.NODE_TLS_REJECT_UNAUTHORIZED
+      }
       throw error
     }
   }