From f1125a0119e58697bb9a00d2be21f20f6b5374a4 Mon Sep 17 00:00:00 2001
From: Sylvain Afchain <safchain@gmail.com>
Date: Thu, 18 Sep 2025 01:48:19 +0200
Subject: [PATCH] Allow insecure HTTPS connections (self-signed certificates)

---
 README.md                    |  1 +
 src/generator/server-code.ts |  3 ++-
 src/index.ts                 |  5 +++++
 src/types/index.ts           |  2 ++
 src/utils/security.ts        | 10 ++++++----
 5 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 7ba4323..cadbb07 100644
--- a/README.md
+++ b/README.md
@@ -59,6 +59,7 @@ openapi-mcp-generator --input path/to/openapi.json --output path/to/output/dir -
 | `--port`            | `-p`  | Port for web-based transports                                                                                                                  | `3000`                            |
 | `--default-include` |       | Default behavior for x-mcp filtering. Accepts `true` or `false` (case-insensitive). `true` = include by default, `false` = exclude by default. | `true`                            |
 | `--force`           |       | Overwrite existing files in the output directory without confirmation                                                                          | `false`                           |
+| `--insecure`        | `-k`  | Allow insecure HTTPS connections (self-signed certificates) | `false`                           |
 
 ## 📦 Programmatic API
 
diff --git a/src/generator/server-code.ts b/src/generator/server-code.ts
index 6b6a447..ebf4a1b 100644
--- a/src/generator/server-code.ts
+++ b/src/generator/server-code.ts
@@ -35,7 +35,7 @@ export function generateMcpServerCode(
 
   // Generate code for API tool execution
   const executeApiToolFunctionCode = generateExecuteApiToolFunction(
-    api.components?.securitySchemes
+    api.components?.securitySchemes, options.insecure,
   );
 
   // Generate code for request handlers
@@ -105,6 +105,7 @@ import {
 import { z, ZodError } from 'zod';
 import { jsonSchemaToZod } from 'json-schema-to-zod';
 import axios, { type AxiosRequestConfig, type AxiosError } from 'axios';
+import https from 'https';
 
 /**
  * Type definition for JSON objects
diff --git a/src/index.ts b/src/index.ts
index d588a24..6c1d87f 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -87,6 +87,11 @@ program
     true
   )
   .option('--force', 'Overwrite existing files without prompting')
+    .option(
+    '-k, --insecure',
+    'Allow insecure HTTPS connections (self-signed certificates)',
+    (val) => normalizeBoolean(val)
+  )
   .version(pkg.version) // Match package.json version
   .action((options) => {
     runGenerator(options).catch((error) => {
diff --git a/src/types/index.ts b/src/types/index.ts
index e36eb3b..5f9a4ec 100644
--- a/src/types/index.ts
+++ b/src/types/index.ts
@@ -35,6 +35,8 @@ export interface CliOptions {
    * false = exclude by default unless x-mcp explicitly enables.
    */
   defaultInclude?: boolean;
+  /** Allow insecure HTTPS connections (self-signed certificates) */
+  insecure?: boolean;
 }
 
 /**
diff --git a/src/utils/security.ts b/src/utils/security.ts
index c6ecbc9..c9aecb6 100644
--- a/src/utils/security.ts
+++ b/src/utils/security.ts
@@ -82,7 +82,7 @@ export function generateHttpSecurityCode(): string {
  *
  * @returns Generated code for OAuth2 token acquisition
  */
-export function generateOAuth2TokenAcquisitionCode(): string {
+export function generateOAuth2TokenAcquisitionCode(insecure?: boolean): string {
   return `
 /**
  * Type definition for cached OAuth tokens
@@ -165,7 +165,8 @@ async function acquireOAuth2Token(schemeName: string, scheme: any): Promise<stri
                 'Content-Type': 'application/x-www-form-urlencoded',
                 'Authorization': \`Basic \${Buffer.from(\`\${clientId}:\${clientSecret}\`).toString('base64')}\`
             },
-            data: formData.toString()
+            data: formData.toString(),
+            ${insecure ? 'httpsAgent: new https.Agent({ rejectUnauthorized: false })' : ''}
         });
         
         // Process the response
@@ -201,10 +202,10 @@ async function acquireOAuth2Token(schemeName: string, scheme: any): Promise<stri
  * @returns Generated code for the execute API tool function
  */
 export function generateExecuteApiToolFunction(
-  securitySchemes?: OpenAPIV3.ComponentsObject['securitySchemes']
+  securitySchemes?: OpenAPIV3.ComponentsObject['securitySchemes'], insecure?: boolean
 ): string {
   // Generate OAuth2 token acquisition function
-  const oauth2TokenAcquisitionCode = generateOAuth2TokenAcquisitionCode();
+  const oauth2TokenAcquisitionCode = generateOAuth2TokenAcquisitionCode(insecure);
 
   // Generate security handling code for checking, applying security
   const securityCode = `
@@ -443,6 +444,7 @@ ${securityCode}
       params: queryParams, 
       headers: headers,
       ...(requestBodyData !== undefined && { data: requestBodyData }),
+      ${insecure ? 'httpsAgent: new https.Agent({ rejectUnauthorized: false })' : ''}
     };
 
     // Log request info to stderr (doesn't affect MCP output)