From c4b3b3f7639a2ca1b60790c0bc55fe0610532d2b Mon Sep 17 00:00:00 2001
From: "Kent C. Dodds"
Date: Mon, 16 Jun 2025 18:48:22 -0600
Subject: [PATCH 1/6] make auth token configurable via env var
---
 server/src/index.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/src/index.ts b/server/src/index.ts
index 38d62b71b..67bac919d 100644
--- a/server/src/index.ts
+++ b/server/src/index.ts
@@ -89,7 +89,7 @@ app.use((req, res, next) => {
 const webAppTransports: Map = new Map(); // Web app transports by web app sessionId
 const serverTransports: Map = new Map(); // Server Transports by web app sessionId
-const sessionToken = randomBytes(32).toString("hex");
+const sessionToken = process.env.MCP_PROXY_AUTH_TOKEN || randomBytes(32).toString("hex");
 const authDisabled = !!process.env.DANGEROUSLY_OMIT_AUTH;
 // Origin validation middleware to prevent DNS rebinding attacks
From 0f3d34bc9a161e65457fdfd55f50e56ff6ced814 Mon Sep 17 00:00:00 2001
From: "Kent C. Dodds"
Date: Mon, 16 Jun 2025 18:58:51 -0600
Subject: [PATCH 2/6] docs: add note in readme
---
 README.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/README.md b/README.md
index ae82a695d..dd1b79ee2 100644
--- a/README.md
+++ b/README.md
@@ -166,6 +166,12 @@ If you need to disable authentication (NOT RECOMMENDED), you can set the `DANGER
 DANGEROUSLY_OMIT_AUTH=true npm start
 ```
+You can also set the token via the `MCP_PROXY_AUTH_TOKEN` environment variable when starting the server:
+
+```bash
+MCP_PROXY_AUTH_TOKEN=$(openssl rand -hex 32) npm start
+```
+
 #### Local-only Binding
 By default, the MCP Inspector proxy server binds only to `127.0.0.1` (localhost) to prevent network access. This ensures the server is not accessible from other devices on the network. If you need to bind to all interfaces for development purposes, you can override this with the `HOST` environment variable:
From 7305764d3c3a4221da44301a0a710e00a1a0ec11 Mon Sep 17 00:00:00 2001
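Review bot: In PATCH 1/6 (server/src/index.ts), the new `sessionToken` line accepts whatever `MCP_PROXY_AUTH_TOKEN` holds with no check on length or content, so a short or guessable value such as `MCP_PROXY_AUTH_TOKEN=test` silently replaces the 32 random bytes that used to guard the proxy. The same expression appears in `main()` in client/bin/start.js (PATCH 5/6, re-wrapped in 6/6) and in the server/src/index.ts hunk of 5/6. I would validate at startup: read `const envToken = process.env.MCP_PROXY_AUTH_TOKEN?.trim();` and then `if (envToken && envToken.length < 32) throw new Error("MCP_PROXY_AUTH_TOKEN must be at least 32 characters");`. The `||` fallback already treats an empty string as unset, but a whitespace-only value is currently used as the token, which the `trim()` also closes. This matters most when the `HOST` override described in the README exposes the proxy beyond localhost.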
From: "Kent C. Dodds"
Date: Mon, 7 Jul 2025 13:19:38 -0600
Subject: [PATCH 3/6] Update README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 41aabf06f..7b077aef3 100644
--- a/README.md
+++ b/README.md
@@ -169,7 +169,7 @@ DANGEROUSLY_OMIT_AUTH=true npm start
 You can also set the token via the `MCP_PROXY_AUTH_TOKEN` environment variable when starting the server:
 ```bash
-MCP_PROXY_AUTH_TOKEN=$(openssl rand -hex 32) npm start
+MCP_PROXY_TOKEN=$(openssl rand -hex 32) npm start
 ```
 #### Local-only Binding
From 15b9b6773cef0b9af709791caad55cecc1c2b201 Mon Sep 17 00:00:00 2001
From: "Kent C. Dodds"
Date: Mon, 7 Jul 2025 13:19:51 -0600
Subject: [PATCH 4/6] Update README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 7b077aef3..a9e0f8e10 100644
--- a/README.md
+++ b/README.md
@@ -166,7 +166,7 @@ If you need to disable authentication (NOT RECOMMENDED), you can set the `DANGER
 DANGEROUSLY_OMIT_AUTH=true npm start
 ```
-You can also set the token via the `MCP_PROXY_AUTH_TOKEN` environment variable when starting the server:
+You can also set the token via the `MCP_PROXY_TOKEN` environment variable when starting the server:
 ```bash
 MCP_PROXY_TOKEN=$(openssl rand -hex 32) npm start
From 7d5f7968d1b1670ee08d799fb81f7921707dcf9c Mon Sep 17 00:00:00 2001
From: "Kent C. Dodds"
Date: Mon, 7 Jul 2025 15:21:27 -0600
Subject: [PATCH 5/6] Rename MCP_PROXY_TOKEN to MCP_PROXY_AUTH_TOKEN (#1)
Co-authored-by: Cursor Agent
---
 README.md | 4 ++--
 client/bin/start.js | 8 ++++----
 server/src/index.ts | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index a9e0f8e10..41aabf06f 100644
--- a/README.md
+++ b/README.md
@@ -166,10 +166,10 @@ If you need to disable authentication (NOT RECOMMENDED), you can set the `DANGER
 DANGEROUSLY_OMIT_AUTH=true npm start
 ```
-You can also set the token via the `MCP_PROXY_TOKEN` environment variable when starting the server:
+You can also set the token via the `MCP_PROXY_AUTH_TOKEN` environment variable when starting the server:
 ```bash
-MCP_PROXY_TOKEN=$(openssl rand -hex 32) npm start
+MCP_PROXY_AUTH_TOKEN=$(openssl rand -hex 32) npm start
 ```
 #### Local-only Binding
diff --git a/client/bin/start.js b/client/bin/start.js
index 70ca046ec..3dfa45354 100755
--- a/client/bin/start.js
+++ b/client/bin/start.js
@@ -40,7 +40,7 @@ async function startDevServer(serverOptions) {
 ...process.env,
 SERVER_PORT,
 CLIENT_PORT,
- MCP_PROXY_TOKEN: sessionToken,
+ MCP_PROXY_AUTH_TOKEN: sessionToken,
 MCP_ENV_VARS: JSON.stringify(envVars),
 },
 signal: abort.signal,
@@ -99,7 +99,7 @@ async function startProdServer(serverOptions) {
 ...process.env,
 SERVER_PORT,
 CLIENT_PORT,
- MCP_PROXY_TOKEN: sessionToken,
+ MCP_PROXY_AUTH_TOKEN: sessionToken,
 MCP_ENV_VARS: JSON.stringify(envVars),
 },
 signal: abort.signal,
@@ -247,8 +247,8 @@ async function main() {
 : "Starting MCP inspector...",
 );
- // Generate session token for authentication
- const sessionToken = randomBytes(32).toString("hex");
+ // Use provided token from environment or generate a new one
+ const sessionToken = process.env.MCP_PROXY_AUTH_TOKEN || randomBytes(32).toString("hex");
 const authDisabled = !!process.env.DANGEROUSLY_OMIT_AUTH;
 const abort = new AbortController();
diff --git a/server/src/index.ts b/server/src/index.ts
index 971cf1581..dafd187c1 100644
--- a/server/src/index.ts
+++ b/server/src/index.ts
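Review bot: In `main()` of client/bin/start.js (the `@@ -247,8 +247,8 @@` hunk), `sessionToken` stops being a per-run secret once it can come from `MCP_PROXY_AUTH_TOKEN`, and the new comment does not say so. The value is also copied into the child environment by `startDevServer` and `startProdServer` next to `...process.env`, so anything that inherits that environment can read it. `main()` continues outside the hunk; if the token is logged or placed in a URL further down (not visible here), a reused value stays valid across restarts, unlike the old random one. I would extend the comment to `// Use provided token from environment or generate a new one. A provided token is reused across runs: treat it as a long-lived secret and keep it out of logs.`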
@@ -92,7 +92,7 @@ const serverTransports: Map = new Map(); /
 // Use provided token from environment or generate a new one
 const sessionToken =
- process.env.MCP_PROXY_TOKEN || randomBytes(32).toString("hex");
+ process.env.MCP_PROXY_AUTH_TOKEN || randomBytes(32).toString("hex");
 const authDisabled = !!process.env.DANGEROUSLY_OMIT_AUTH;
 // Origin validation middleware to prevent DNS rebinding attacks
From 80fcf1afa9cc845e5a7b68ee2012a6854cefe5dd Mon Sep 17 00:00:00 2001
From: "Kent C. Dodds"
Date: Mon, 7 Jul 2025 16:08:02 -0600
Subject: [PATCH 6/6] format
---
 client/bin/start.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/client/bin/start.js b/client/bin/start.js
index 3dfa45354..aef386d04 100755
--- a/client/bin/start.js
+++ b/client/bin/start.js
@@ -248,7 +248,8 @@ async function main() {
 );
 // Use provided token from environment or generate a new one
- const sessionToken = process.env.MCP_PROXY_AUTH_TOKEN || randomBytes(32).toString("hex");
+ const sessionToken =
+ process.env.MCP_PROXY_AUTH_TOKEN || randomBytes(32).toString("hex");
 const authDisabled = !!process.env.DANGEROUSLY_OMIT_AUTH;
 const abort = new AbortController();