Skip to content

Commit f1a0e13

Browse files
warn when the insecure-issuer option is enabled, matching the env var path's loudness
1 parent 2310b50 commit f1a0e13

1 file changed

Lines changed: 6 additions & 0 deletions

File tree

packages/middleware/express/src/auth/metadataRouter.ts

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -78,6 +78,12 @@ export type { AuthMetadataOptions } from '@modelcontextprotocol/server';
7878
* so unauthenticated clients can discover the AS from the 401 challenge.
7979
*/
8080
export function mcpAuthMetadataRouter(options: NeutralAuthMetadataOptions): Router {
81+
if (options.dangerouslyAllowInsecureIssuerUrl && !allowInsecureIssuerUrl) {
82+
// The env-var path warns at module load; enabling via the option is
83+
// equally loud so an insecure issuer can never be allowed silently.
84+
// eslint-disable-next-line no-console
85+
console.warn('dangerouslyAllowInsecureIssuerUrl is enabled - HTTP issuer URLs are allowed. Do not use in production.');
86+
}
8187
const protectedResourceMetadata = buildOAuthProtectedResourceMetadata({
8288
...options,
8389
// The env var and the option are both honored; either enables it.

0 commit comments

Comments
 (0)