feat: allow to disable auth via config and env

Author: antfu

packages/core/src/node/rpc/anonymous/auth.ts

@@ -1,3 +1,4 @@
+import process from 'node:process'
 import * as p from '@clack/prompts'
 import { defineRpcFunction } from '@vitejs/devtools-kit'
 import c from 'ansis'
@@ -19,14 +20,19 @@ export const anonymousAuth = defineRpcFunction({
   setup: (context) => {
     const internal = getInternalContext(context)
     const storage = internal.storage.auth
+    const isClientAuthDisabled = context.viteConfig.devtools?.clientAuth === false || process.env.VITE_DEVTOOLS_DISABLE_CLIENT_AUTH === 'true'
+
+    if (isClientAuthDisabled) {
+      console.warn('[Vite DevTools] Client authentication is disabled. Any browser can connect to the devtools and access to your server and filesystem.')
+    }
 
     return {
       handler: async (query: DevToolsAuthInput): Promise<DevToolsAuthReturn> => {
         const session = context.rpc.getCurrentRpcSession()
         if (!session)
           throw new Error('Failed to retrieve the current RPC session')
 
-        if (storage.get().trusted[query.authId]) {
+        if (isClientAuthDisabled || storage.get().trusted[query.authId]) {
           session.meta.clientAuthId = query.authId
           session.meta.isTrusted = true
           return {

packages/kit/src/types/vite-augment.ts

@@ -6,6 +6,22 @@ declare module 'vite' {
   interface Plugin {
     devtools?: DevToolsPluginOptions
   }
+  interface UserConfig {
+    devtools?: ViteConfigDevtoolsOptions
+  }
+}
+
+export interface ViteConfigDevtoolsOptions {
+  /**
+   * Disable client authentication.
+   *
+   * Beware that if you disable client authentication,
+   * any browsers can connect to the devtools and access to your server and filesystem.
+   * (including other devices, if you open server `host` option to LAN or WAN)
+   *
+   * @default true
+   */
+  clientAuth?: boolean
 }
 
 export interface PluginWithDevTools extends Plugin {