Fix proxy token authentication in npx command

The npx entry point (cli/src/cli.ts) was not generating or passing
authentication tokens, causing proxy authentication to fail when using
`npx @modelcontextprotocol/inspector@latest`.

This change aligns the npx behavior with the local development behavior:
- Generate session token using crypto.randomBytes(32)
- Pass MCP_PROXY_TOKEN to server via environment
- Use correct SERVER_PORT instead of PORT
- Build client URL with authentication parameters
- Pass URL to client via INSPECTOR_URL environment variable

Now both `npm run start` and `npx` commands handle authentication
consistently.

Author: felixweinberger

cli/src/cli.ts

@@ -6,6 +6,7 @@ import path from "node:path";
 import { dirname, resolve } from "path";
 import { spawnPromise } from "spawn-rx";
 import { fileURLToPath } from "url";
+import { randomBytes } from "crypto";
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 
@@ -72,6 +73,10 @@ async function runWebClient(args: Args): Promise<void> {
 
   console.log("Starting MCP inspector...");
 
+  // Generate session token for authentication
+  const sessionToken = randomBytes(32).toString("hex");
+  const authDisabled = !!process.env.DANGEROUSLY_OMIT_AUTH;
+
   const abort = new AbortController();
   let cancelled: boolean = false;
   process.on("SIGINT", () => {
@@ -93,7 +98,9 @@ async function runWebClient(args: Args): Promise<void> {
       {
         env: {
           ...process.env,
-          PORT: SERVER_PORT,
+          SERVER_PORT,
+          CLIENT_PORT,
+          MCP_PROXY_TOKEN: sessionToken,
           MCP_ENV_VARS: JSON.stringify(args.envArgs),
         },
         signal: abort.signal,
@@ -107,8 +114,26 @@ async function runWebClient(args: Args): Promise<void> {
 
   if (serverOk) {
     try {
+      // Build the client URL with authentication parameters
+      const host = process.env.HOST || "localhost";
+      const baseUrl = `http://${host}:${CLIENT_PORT}`;
+      const params = new URLSearchParams();
+      
+      if (SERVER_PORT !== "6277") {
+        params.set("MCP_PROXY_PORT", SERVER_PORT);
+      }
+      if (!authDisabled) {
+        params.set("MCP_PROXY_AUTH_TOKEN", sessionToken);
+      }
+      
+      const url = params.size > 0 ? `${baseUrl}/?${params.toString()}` : baseUrl;
+      
       await spawnPromise("node", [inspectorClientPath], {
-        env: { ...process.env, PORT: CLIENT_PORT },
+        env: { 
+          ...process.env, 
+          CLIENT_PORT,
+          INSPECTOR_URL: url
+        },
         signal: abort.signal,
         echoOutput: true,
       });