examples: avoid shell exec when opening browser

Theodor N. Engøy · Theodor N. Engøy · commit e1a6b7117cff · 2026-02-07T15:21:36.000+01:00
diff --git a/examples/client/src/elicitationUrlExample.ts b/examples/client/src/elicitationUrlExample.ts
@@ -5,7 +5,7 @@
 // URL elicitation allows servers to prompt the end-user to open a URL in their browser
 // to collect sensitive information.
 
-import { exec } from 'node:child_process';
+import { spawn } from 'node:child_process';
 import { createServer } from 'node:http';
 import { createInterface } from 'node:readline';
 
@@ -274,14 +274,27 @@ async function elicitationLoop(): Promise<void> {
 }
 
 async function openBrowser(url: string): Promise<void> {
-    const command = `open "${url}"`;
+    const platform = process.platform;
+    let cmd: string;
+    let args: string[];
+
+    if (platform === 'darwin') {
+        cmd = 'open';
+        args = [url];
+    } else if (platform === 'win32') {
+        cmd = 'cmd';
+        args = ['/c', 'start', '', url];
+    } else {
+        cmd = 'xdg-open';
+        args = [url];
+    }
 
-    exec(command, error => {
-        if (error) {
-            console.error(`Failed to open browser: ${error.message}`);
-            console.log(`Please manually open: ${url}`);
-        }
+    const child = spawn(cmd, args, { stdio: 'ignore', detached: true });
+    child.on('error', error => {
+        console.error(`Failed to open browser: ${error.message}`);
+        console.log(`Please manually open: ${url}`);
     });
+    child.unref();
 }
 
 /**
diff --git a/examples/client/src/simpleOAuthClient.ts b/examples/client/src/simpleOAuthClient.ts
@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-import { exec } from 'node:child_process';
+import { spawn } from 'node:child_process';
 import { createServer } from 'node:http';
 import { createInterface } from 'node:readline';
 import { URL } from 'node:url';
@@ -53,14 +53,27 @@ class InteractiveOAuthClient {
     private async openBrowser(url: string): Promise<void> {
         console.log(`🌐 Opening browser for authorization: ${url}`);
 
-        const command = `open "${url}"`;
+        const platform = process.platform;
+        let cmd: string;
+        let args: string[];
+
+        if (platform === 'darwin') {
+            cmd = 'open';
+            args = [url];
+        } else if (platform === 'win32') {
+            cmd = 'cmd';
+            args = ['/c', 'start', '', url];
+        } else {
+            cmd = 'xdg-open';
+            args = [url];
+        }
 
-        exec(command, error => {
-            if (error) {
-                console.error(`Failed to open browser: ${error.message}`);
-                console.log(`Please manually open: ${url}`);
-            }
+        const child = spawn(cmd, args, { stdio: 'ignore', detached: true });
+        child.on('error', error => {
+            console.error(`Failed to open browser: ${error.message}`);
+            console.log(`Please manually open: ${url}`);
         });
+        child.unref();
     }
     /**
      * Example OAuth callback handler - in production, use a more robust approach
