The Awkward Config Block
If you've set up any MCP server that connects to a third-party service, you've probably seen something like this:
{
  "mcpServers": {
    "some-tool": {
      "env": {
        "SERVICE_EMAIL": "you@example.com",
        "SERVICE_PASSWORD": "hunter2"
      }
    }
  }
}
Your password. In a JSON file. On your disk. Possibly synced to a dotfiles repo.
I shipped exactly this in v1.0 of dsers-mcp-product, my MCP server for automating DSers dropshipping imports. (If you missed the backstory, I wrote about building it from scratch here.) It worked fine. Import from AliExpress, apply pricing rules, push to Shopify — all through Claude or Cursor.
But every time someone set it up, that DSERS_PASSWORD line bothered me.
Why It Matters More Than You Think
MCP servers run locally. They have access to your filesystem, your environment variables, your network. When you put a plaintext password in a config file, you're trusting every other tool on your machine, every extension in your editor, every sync service that touches that directory.
For a tool that manages your store inventory and can push products to live Shopify stores, that's not a risk I wanted users to carry.
Some MCP servers solve this with API keys or tokens that have limited scope. DSers doesn't offer that for individual users. Your DSers credentials are your DSers credentials. So I needed a different approach.
Browser Login: Let DSers Handle Authentication
The fix in v1.1.5 was to get out of the credential chain entirely:
npx @lofder/dsers-mcp-product login
This opens your default browser to the DSers login page. You log in normally — with whatever method you use (email/password, Google, whatever). The tool captures the session cookie through a local callback, encrypts it with AES-256-GCM, and stores it on disk.
Your password never touches the MCP server. Never appears in a config file. Never gets logged.
The MCP config becomes:
{
  "mcpServers": {
    "dsers-mcp-product": {
      "command": "npx",
      "args": ["-y", "@lofder/dsers-mcp-product"]
    }
  }
}
That's it. No env block. No credentials.
The session lasts roughly 6 hours. When it expires, the tool prompts you to re-login. Could be smoother, but it's a lot better than a plaintext password.
Push Guards: Because AI Makes Mistakes
While I was rethinking security, I also added something I'd been meaning to build: pre-push safety checks.
Before any product gets pushed to your store, the server now automatically blocks:
- Zero-price products — variants with $0.00 price
- Below-cost pricing — sell price lower than supplier cost
- Zero-stock items — out-of-stock variants about to go live
These checks run before the push reaches DSers. The AI gets a clear error it can act on — fix the pricing, drop the variant, or ask you what to do.
Here's a real scenario: I imported a product with 12 variants. Two had a supplier cost of $8.50 but the pricing rule somehow set the sell price at $6.00. Without push guard, those would have gone live on Shopify at a loss. With it, the push gets blocked and the model sees:
{Error: "Below-cost pricing", Cause: "2 variants priced below supplier cost", Action: "Review pricing rule or exclude variants"}
This isn't about not trusting the AI. It's about not trusting the data. Supplier feeds have garbage in them all the time — prices that lag behind, stock counts frozen at zero, variants with placeholder data. A human would catch these by eyeballing the preview. The push guard catches them automatically.
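One way to implement these pre-push checks, as an added example that is not code from dsers-mcp-product: the variant field names (id, price, cost, stock) and every message except the below-cost one quoted above are assumptions. It goes one step beyond the three listed checks by also failing closed on placeholder data, meaning missing or non-numeric fields.

```javascript
// Added example, not the project's code. Field names are assumed, not the DSers schema.

// Compare in integer cents so float noise cannot flip a price check.
// Anything that is not a finite, non-negative number becomes NaN.
const cents = (v) =>
  typeof v === "number" && Number.isFinite(v) && v >= 0 ? Math.round(v * 100) : NaN;

// Ordered rules: a variant is reported under the first rule it trips.
const RULES = [
  { error: "Invalid variant data", // added fail-closed rule, not from the page
    cause: "with missing or non-numeric price, cost or stock",
    action: "Re-import the product or exclude variants",
    hit: (v) => Number.isNaN(cents(v.price)) || Number.isNaN(cents(v.cost)) ||
                !Number.isInteger(v.stock) || v.stock < 0 },
  { error: "Zero-price products",
    cause: "priced at $0.00",
    action: "Review pricing rule or exclude variants",
    hit: (v) => cents(v.price) === 0 },
  { error: "Below-cost pricing",
    cause: "priced below supplier cost",
    action: "Review pricing rule or exclude variants",
    hit: (v) => cents(v.price) < cents(v.cost) },
  { error: "Zero-stock items",
    cause: "out of stock",
    action: "Exclude variants or wait for restock",
    hit: (v) => v.stock === 0 },
];

// Returns { ok, errors }; the caller must refuse to push unless ok is true.
function checkPush(variants) {
  const byRule = new Map();
  for (const v of variants) {
    const rule = RULES.find((r) => r.hit(v));
    if (rule) byRule.set(rule, [...(byRule.get(rule) || []), v.id]);
  }
  const errors = [...byRule].map(([r, ids]) => ({
    Error: r.error,
    Cause: `${ids.length} variant${ids.length === 1 ? "" : "s"} ${r.cause}`,
    Action: r.action,
    variants: ids,
  }));
  return { ok: errors.length === 0, errors };
}

// Constructed sample mirroring the scenario above: 12 variants, two below cost.
const sample = Array.from({ length: 12 }, (_, i) => ({
  id: `v${i + 1}`, cost: 8.5, price: i < 2 ? 6.0 : 12.99, stock: 25,
}));
console.log(JSON.stringify(checkPush(sample), null, 2));
```

Returning the offending variant ids alongside the Error/Cause/Action fields gives the model enough to drop exactly those variants and retry.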
What Changed Since v1.0
If you read the first post, the core workflow is the same — tell your AI to import a product, set pricing, push to Shopify or Wix. But v1.1.5 added a few things beyond the login change:
- Push guards (covered above)
- Accio.com support — same import flow, one more supplier source alongside AliExpress and Alibaba
- A fourth prompt (seo-optimize) for AI-rewriting titles and descriptions before push
- Stock data in previews — so you can see inventory before committing
- Better error messages — clearer cause descriptions for import failures, JSON validation guidance, transient push state handling
- CLI --help flag — npx @lofder/dsers-mcp-product --help now works
- Prompts from 3 → 4, tools still at 7, now on 9 platforms
Try It
# One-time login (opens browser)
npx @lofder/dsers-mcp-product login
# Add to your MCP client — no password needed
GitHub: github.com/lofder/dsers-mcp-product
npm: @lofder/dsers-mcp-product
Free, open source, MIT license. If you're running dropshipping stores and using an MCP client, give it a spin. Issues and feedback welcome.
Previously: I Built an MCP Server to Automate Dropshipping Product Imports