feat: disable auto-open when authentication is enabled

felixweinberger · felixweinberger · commit 9dbd17343cde · 2025-06-10T18:16:38.000+01:00
- Auto-open browser only works when DANGEROUSLY_OMIT_AUTH=true
- When auth is enabled (default), users must use the secure URL with token
- Server displays clear message that auto-open is disabled with auth
- Updates documentation to reflect this behavior

This improves UX by preventing the browser from opening without auth token,
forcing users to use the secure pre-filled URL instead.
diff --git a/README.md b/README.md
@@ -148,11 +148,11 @@ The MCP Inspector proxy server requires authentication by default. When starting
    http://localhost:6274/?MCP_PROXY_AUTH_TOKEN=3a1c267fad21f7150b7d624c160b7f09b0b8c4f623c7107bbf13378f051538d4
 ```
 
-This token must be included as a Bearer token in the Authorization header for all requests to the server. 
+This token must be included as a Bearer token in the Authorization header for all requests to the server. When authentication is enabled, auto-open is disabled by default to ensure you use the secure URL.
 
-**Option 1: Use the pre-filled URL** - Click the link shown in the console to open the inspector with the token already configured.
+**Recommended: Use the pre-filled URL** - Click or copy the link shown in the console to open the inspector with the token already configured.
 
-**Option 2: Manual configuration** - If you already have the inspector open:
+**Alternative: Manual configuration** - If you already have the inspector open:
 
 1. Click the "Configuration" button in the sidebar
 2. Find "Proxy Session Token" and enter the token displayed in the proxy console
diff --git a/client/bin/start.js b/client/bin/start.js
@@ -100,7 +100,9 @@ async function main() {
 
   if (serverOk) {
     try {
-      if (process.env.MCP_AUTO_OPEN_ENABLED !== "false") {
+      // Only auto-open when auth is disabled
+      const authDisabled = !!process.env.DANGEROUSLY_OMIT_AUTH;
+      if (process.env.MCP_AUTO_OPEN_ENABLED !== "false" && authDisabled) {
         open(`http://127.0.0.1:${CLIENT_PORT}`);
       }
       await spawnPromise("node", [inspectorClientPath], {
diff --git a/server/src/index.ts b/server/src/index.ts
@@ -470,7 +470,7 @@ server.on("listening", () => {
     // Display clickable URL with pre-filled token
     const clientPort = process.env.CLIENT_PORT || '6274';
     const clientUrl = `http://localhost:${clientPort}/?MCP_PROXY_AUTH_TOKEN=${sessionToken}`;
-    console.log(`\n🔗 Open inspector with token pre-filled:\n   ${clientUrl}`);
+    console.log(`\n🔗 Open inspector with token pre-filled:\n   ${clientUrl}\n   (Auto-open is disabled when authentication is enabled)\n`);
   } else {
     console.log(`⚠️  WARNING: Authentication is disabled. This is not recommended.`);
   }

Original file line number	Diff line number	Diff line change
`@@ -470,7 +470,7 @@ server.on("listening", () => {`
`470`	`470`	`// Display clickable URL with pre-filled token`
`471`	`471`	`const clientPort = process.env.CLIENT_PORT \|\| '6274';`
`472`	`472`	const clientUrl = `http://localhost:${clientPort}/?MCP_PROXY_AUTH_TOKEN=${sessionToken}`;
`473`		- console.log(`\n🔗 Open inspector with token pre-filled:\n ${clientUrl}`);
	`473`	+ console.log(`\n🔗 Open inspector with token pre-filled:\n ${clientUrl}\n (Auto-open is disabled when authentication is enabled)\n`);
`474`	`474`	`} else {`
`475`	`475`	console.log(`⚠️ WARNING: Authentication is disabled. This is not recommended.`);
`476`	`476`	`}`