From b33a2747beca9761b1c5f9898370122683cdf27c Mon Sep 17 00:00:00 2001
From: Glen Maddern <glen@glenmaddern.com>
Date: Fri, 25 Jul 2025 20:14:12 +1000
Subject: [PATCH] Stopping any window.open if the preventAutoAuth flag is set

---
 src/auth/browser-provider.ts | 6 ++++++
 src/react/useMcp.ts          | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/src/auth/browser-provider.ts b/src/auth/browser-provider.ts
index 04c708c..0d660bb 100644
--- a/src/auth/browser-provider.ts
+++ b/src/auth/browser-provider.ts
@@ -15,6 +15,7 @@ export class BrowserOAuthClientProvider implements OAuthClientProvider {
   readonly clientName: string
   readonly clientUri: string
   readonly callbackUrl: string
+  private preventAutoAuth?: boolean
   readonly onPopupWindow: ((url: string, features: string, window: Window | null) => void) | undefined
 
   constructor(
@@ -24,6 +25,7 @@ export class BrowserOAuthClientProvider implements OAuthClientProvider {
       clientName?: string
       clientUri?: string
       callbackUrl?: string
+      preventAutoAuth?: boolean
       onPopupWindow?: (url: string, features: string, window: Window | null) => void
     } = {},
   ) {
@@ -36,6 +38,7 @@ export class BrowserOAuthClientProvider implements OAuthClientProvider {
       options.callbackUrl ||
         (typeof window !== 'undefined' ? new URL('/oauth/callback', window.location.origin).toString() : '/oauth/callback'),
     )
+    this.preventAutoAuth = options.preventAutoAuth
     this.onPopupWindow = options.onPopupWindow
   }
 
@@ -164,6 +167,9 @@ export class BrowserOAuthClientProvider implements OAuthClientProvider {
    * @param authorizationUrl The fully constructed authorization URL from the SDK.
    */
   async redirectToAuthorization(authorizationUrl: URL): Promise<void> {
+    // Ideally we should catch things before we get here, but if we don't, let's not show everyone we are dum
+    if (this.preventAutoAuth) return
+
     // Prepare the authorization URL with state
     const sanitizedAuthUrl = await this.prepareAuthorizationUrl(authorizationUrl)
 
diff --git a/src/react/useMcp.ts b/src/react/useMcp.ts
index c7239f1..697f74a 100644
--- a/src/react/useMcp.ts
+++ b/src/react/useMcp.ts
@@ -177,6 +177,7 @@ export function useMcp(options: UseMcpOptions): UseMcpResult {
         clientName,
         clientUri,
         callbackUrl,
+        preventAutoAuth,
         onPopupWindow,
       })
       addLog('debug', 'BrowserOAuthClientProvider initialized in connect.')
@@ -781,6 +782,7 @@ export function useMcp(options: UseMcpOptions): UseMcpResult {
         clientName,
         clientUri,
         callbackUrl,
+        preventAutoAuth,
         onPopupWindow,
       })
       addLog('debug', 'BrowserOAuthClientProvider initialized/updated on mount/option change.')