feat: Experimental Oauth 2.0 support in gateway (#768)

* Oauth 2.1 design

Signed-off-by: Shamsul Arefin <[email protected]>

* oauth 2.0 design

Signed-off-by: Shamsul Arefin <[email protected]>

* Support for oauth auth type in gateway

Signed-off-by: Shamsul Arefin <[email protected]>

* Decrypt client secret

Signed-off-by: Shamsul Arefin <[email protected]>

* authorization code flow, token storage, tool fetching, tool calling with Oauth2.0

Signed-off-by: Shamsul Arefin <[email protected]>

* test fixes

Signed-off-by: Shamsul Arefin <[email protected]>

* 256 fuzz testing (#760)

* Implement comprehensive fuzz testing automation (#256)

- Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation
- Add coverage-guided fuzzing with Atheris for deep code path exploration
- Add API endpoint fuzzing with Schemathesis for contract validation
- Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.)
- Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets
- Add optional [fuzz] dependency group in pyproject.toml for clean installation
- Add comprehensive reporting with JSON/Markdown outputs and executive summaries
- Add complete developer documentation with examples and troubleshooting guides
- Exclude fuzz tests from main test suite to prevent auth failures
- Found multiple real bugs in JSON-RPC validation during development

Signed-off-by: Mihai Criveti <[email protected]>

* Update fuzz testing

Signed-off-by: Mihai Criveti <[email protected]>

* Update fuzz testing

Signed-off-by: Mihai Criveti <[email protected]>

---------

Signed-off-by: Mihai Criveti <[email protected]>

* 344 cors security headers (#761)

* Update CORS

Signed-off-by: Mihai Criveti <[email protected]>

* Update CORS

Signed-off-by: Mihai Criveti <[email protected]>

* Update CORS ADRs

Signed-off-by: Mihai Criveti <[email protected]>

* Update CORS

Signed-off-by: Mihai Criveti <[email protected]>

* Update CORS

Signed-off-by: Mihai Criveti <[email protected]>

* Fix compose

Signed-off-by: Mihai Criveti <[email protected]>

* Update helm chart

Signed-off-by: Mihai Criveti <[email protected]>

* Update CORS docs

Signed-off-by: Mihai Criveti <[email protected]>

* Update test

Signed-off-by: Mihai Criveti <[email protected]>

---------

Signed-off-by: Mihai Criveti <[email protected]>
Signed-off-by: Shamsul Arefin <[email protected]>

* feat: Bulk Import Tools modal wiring #737 (#739)

* feat: Bulk Import Tools modal wiring and backend implementation

- Add modal UI in admin.html with bulk import button and dialog
- Implement modal open/close/ESC functionality in admin.js
- Add POST /admin/tools/import endpoint with rate limiting
- Support both JSON textarea and file upload inputs
- Validate JSON structure and enforce 200 tool limit
- Return detailed success/failure information per tool
- Include loading states and comprehensive error handling

Refs #737

Signed-off-by: Mihai Criveti <[email protected]>

* fix: Remove duplicate admin_import_tools function and fix HTML formatting

- Remove duplicate admin_import_tools function definition
- Fix HTML placeholder attribute to use double quotes
- Add missing closing div tag
- Fix flake8 blank line issues

Signed-off-by: Mihai Criveti <[email protected]>

* feat: Complete bulk import backend with file upload support and enhanced docs

- Add file upload support to admin_import_tools endpoint
- Fix response format to match frontend expectations
- Add UI usage documentation with modal instructions
- Update API docs to show all three input methods
- Enhance bulk import guide with UI and API examples

Backend improvements:
- Support tools_file form field for JSON file uploads
- Proper file content parsing with error handling
- Response includes imported/failed counts and details
- Frontend-compatible response format for UI display

Signed-off-by: Mihai Criveti <[email protected]>

* Bulk import

Signed-off-by: Mihai Criveti <[email protected]>

* fix: Remove conflicting inline script and fix bulk import functionality

- Remove conflicting inline JavaScript that was preventing form submission
- Fix indentation in setupBulkImportModal function
- Ensure bulk import modal uses proper admin.js implementation
- Restore proper form submission handling for bulk import

This fixes the issue where bulk import appeared to do nothing.

Signed-off-by: Mihai Criveti <[email protected]>

* fix: Integrate bulk import setup with main initialization

- Add setupBulkImportModal() to main initialization sequence
- Remove duplicate DOMContentLoaded listener
- Ensure bulk import doesn't interfere with other tab functionality

Signed-off-by: Mihai Criveti <[email protected]>

* fix: JavaScript formatting issues in bulk import modal

- Fix multiline querySelector formatting
- Fix multiline Error constructor formatting
- Ensure prettier compliance for web linting

Signed-off-by: Mihai Criveti <[email protected]>

* debug: Temporarily disable bulk import setup to test tabs

Signed-off-by: Mihai Criveti <[email protected]>

* fix: Remove duplicate setupFormValidation call and delay bulk import setup

- Remove duplicate setupFormValidation() call that could cause conflicts
- Use setTimeout to delay bulk import modal setup after other initialization
- Add better null safety to form element queries
- This should fix tab switching issues

Signed-off-by: Mihai Criveti <[email protected]>

* fix: Restore proper initialization sequence for tab functionality

- Remove setTimeout delay for bulk import setup
- Keep bulk import setup in main initialization but with error handling
- Ensure tab navigation isn't affected by bulk import modal setup

Signed-off-by: Mihai Criveti <[email protected]>

* fix: Correct HTML structure and restore tab navigation

- Move bulk import modal to correct location after tools panel
- Remove extra closing div that was breaking HTML structure
- Ensure proper page-level modal placement
- Restore tab navigation functionality for all tabs

This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs.

Signed-off-by: Mihai Criveti <[email protected]>

* feat: Add configurable bulk import settings

Configuration additions:
- MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200)
- MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10)

Implementation:
- config.py: Add new settings with defaults
- admin.py: Use configurable rate limit and batch size
- .env.example: Document all bulk import environment variables
- admin.html: Use dynamic max tools value in UI text
- CLAUDE.md: Document configuration options for developers
- docs: Update bulk import guide with configuration details

This makes bulk import fully configurable for different deployment scenarios.

Signed-off-by: Mihai Criveti <[email protected]>

* Update docs

Signed-off-by: Mihai Criveti <[email protected]>

---------

Signed-off-by: Mihai Criveti <[email protected]>
Co-authored-by: Mihai Criveti <[email protected]>
Signed-off-by: Shamsul Arefin <[email protected]>

* Implemented configuration export (#764)

Signed-off-by: Mihai Criveti <[email protected]>
Signed-off-by: Shamsul Arefin <[email protected]>

* cleanup

Signed-off-by: Shamsul Arefin <[email protected]>

* cleanup

Signed-off-by: Shamsul Arefin <[email protected]>

* fixes

Signed-off-by: Shamsul Arefin <[email protected]>

* ruff fixes

Signed-off-by: Shamsul Arefin <[email protected]>

* fix flake8 errors

Signed-off-by: Shamsul Arefin <[email protected]>

* fix eslint errors

Signed-off-by: Shamsul Arefin <[email protected]>

* aiohttp added in the main dependencies section of pyproject.toml

Signed-off-by: Shamsul Arefin <[email protected]>

* Review, rebase and lint

Signed-off-by: Mihai Criveti <[email protected]>

* Fix Alembic multiple heads issue

Create merge migration to resolve parallel migration chains:
- Main branch migrations (34492f99a0c4)
- OAuth branch migrations (add_oauth_tokens_table)

This resolves CI/CD test failures caused by Alembic not knowing
which migration head to follow during 'alembic upgrade head'.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Mihai Criveti <[email protected]>

* Fix Alembic migration chain - remove merge migration hack

- Remove unnecessary merge migration file (813b45a70b53)
- Fix OAuth config migration to follow proper chain (f8c9d3e2a1b4 → 34492f99a0c4)
- OAuth tokens migration already correctly follows (add_oauth_tokens_table → f8c9d3e2a1b4)
- Now single migration head without parallel branches

This eliminates the 'Multiple heads are present' error in CI/CD tests
by ensuring migrations follow a linear chain instead of creating
parallel migration branches that need artificial merge migrations.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Mihai Criveti <[email protected]>

* Review, rebase and lint

Signed-off-by: Mihai Criveti <[email protected]>

---------

Signed-off-by: Shamsul Arefin <[email protected]>
Signed-off-by: Mihai Criveti <[email protected]>
Co-authored-by: Shamsul Arefin <[email protected]>
Co-authored-by: Mihai Criveti <[email protected]>
Co-authored-by: VK <[email protected]>
Co-authored-by: Claude <[email protected]>

Author: 5 people

.env.example

@@ -18,12 +18,41 @@ CACHE_TYPE=memory
 # CACHE_TYPE=redis
 # REDIS_URL=redis://localhost:6379/0
 
+
+# Maximum number of times to boot redis connection for cold start
+REDIS_MAX_RETRIES=3
+
+# Interval time for next retry of redis connection
+REDIS_RETRY_INTERVAL_MS=2000
+
+#####################################
+# Protocol Settings
+#####################################
+
+# MCP protocol version supported by this gateway
+PROTOCOL_VERSION=2025-03-26
+
+#####################################
+# Authentication
+#####################################
+
+# Admin UI basic-auth credentials
+# PRODUCTION: Change these to strong, unique values!
 # Authentication Configuration
 JWT_SECRET_KEY=my-test-key
 JWT_ALGORITHM=HS256
 BASIC_AUTH_USER=admin
 BASIC_AUTH_PASSWORD=changeme
 AUTH_REQUIRED=true
+
+# Secret used to sign JWTs (use long random value in prod)
+# PRODUCTION: Use a strong, random secret (minimum 32 characters)
+JWT_SECRET_KEY=my-test-key
+
+# Algorithm used to sign JWTs (e.g., HS256)
+JWT_ALGORITHM=HS256
+
+# Expiry time for generated JWT tokens (in minutes; e.g. 7 days)
 TOKEN_EXPIRY=10080
 REQUIRE_TOKEN_EXPIRATION=false
 
@@ -32,10 +61,134 @@ MCP_CLIENT_AUTH_ENABLED=true
 TRUST_PROXY_AUTH=false
 PROXY_USER_HEADER=X-Authenticated-User
 
+# Used to derive an AES encryption key for secure auth storage
+# Must be a non-empty string (e.g. passphrase or random secret)
+AUTH_ENCRYPTION_SECRET=my-test-salt
+
+#####################################
+# Admin UI and API Toggles
+#####################################
+
+# Enable the visual Admin UI (true/false)
+# PRODUCTION: Set to false for security
+MCPGATEWAY_UI_ENABLED=true
+
+# Enable the Admin API endpoints (true/false)
+# PRODUCTION: Set to false for security
+
 # UI/Admin Feature Flags
 MCPGATEWAY_UI_ENABLED=true
 MCPGATEWAY_ADMIN_API_ENABLED=true
 MCPGATEWAY_BULK_IMPORT_ENABLED=true
+
+# Maximum number of tools allowed per bulk import request
+MCPGATEWAY_BULK_IMPORT_MAX_TOOLS=200
+
+# Rate limiting for bulk import endpoint (requests per minute)
+MCPGATEWAY_BULK_IMPORT_RATE_LIMIT=10
+
+#####################################
+# Header Passthrough Configuration
+#####################################
+
+# SECURITY WARNING: Header passthrough is disabled by default for security.
+# Only enable if you understand the security implications and have reviewed
+# which headers should be passed through to backing MCP servers.
+# ENABLE_HEADER_PASSTHROUGH=false
+
+# Default headers to pass through (when feature is enabled)
+# JSON array format recommended: ["X-Tenant-Id", "X-Trace-Id"]
+# Comma-separated also supported: X-Tenant-Id,X-Trace-Id
+# NOTE: Authorization header removed from defaults for security
+# DEFAULT_PASSTHROUGH_HEADERS=["X-Tenant-Id", "X-Trace-Id"]
+
+#####################################
+# Security and CORS
+#####################################
+
+# Skip TLS certificate checks for upstream requests (not recommended in prod)
+SKIP_SSL_VERIFY=false
+
+# CORS origin allowlist (use JSON array of URLs)
+# Example: ["http://localhost:3000"]
+# Do not quote this value. Start with [] to ensure it's valid JSON.
+ALLOWED_ORIGINS='["http://localhost", "http://localhost:4444"]'
+
+# Enable CORS handling in the gateway
+CORS_ENABLED=true
+
+# CORS allow credentials (true/false)
+CORS_ALLOW_CREDENTIALS=true
+
+# Environment setting (development/production) - affects security defaults
+# development: Auto-configures CORS for localhost:3000, localhost:8080, etc.
+# production: Uses APP_DOMAIN for HTTPS origins, enforces secure cookies
+ENVIRONMENT=development
+
+# Domain configuration for production CORS origins
+# In production, automatically creates origins: https://APP_DOMAIN, https://app.APP_DOMAIN, https://admin.APP_DOMAIN
+# For production: set to your actual domain (e.g., mycompany.com)
+APP_DOMAIN=localhost
+
+# Security settings for cookies
+# production: Automatically enables secure cookies regardless of this setting
+# development: Set to false for HTTP development, true for HTTPS
+SECURE_COOKIES=true
+
+# Cookie SameSite attribute for CSRF protection
+# strict: Maximum security, may break some OAuth flows
+# lax: Good balance of security and compatibility (recommended)
+# none: Requires Secure=true, allows cross-site usage
+COOKIE_SAMESITE=lax
+
+#####################################
+# Security Headers Configuration
+#####################################
+
+# Enable security headers middleware (true/false)
+SECURITY_HEADERS_ENABLED=true
+
+# X-Frame-Options setting (DENY, SAMEORIGIN, or ALLOW-FROM uri)
+# DENY: Prevents all iframe embedding (recommended for security)
+# SAMEORIGIN: Allows embedding from same domain only
+# To disable: Set to empty string X_FRAME_OPTIONS=""
+X_FRAME_OPTIONS=DENY
+
+# Other security headers (true/false)
+X_CONTENT_TYPE_OPTIONS_ENABLED=true
+X_XSS_PROTECTION_ENABLED=true
+X_DOWNLOAD_OPTIONS_ENABLED=true
+
+# HSTS (HTTP Strict Transport Security) settings
+HSTS_ENABLED=true
+# HSTS max age in seconds (31536000 = 1 year)
+HSTS_MAX_AGE=31536000
+HSTS_INCLUDE_SUBDOMAINS=true
+
+# Remove server identification headers (true/false)
+REMOVE_SERVER_HEADERS=true
+
+# Enable HTTP Basic Auth for docs endpoints (in addition to Bearer token auth)
+# Uses the same credentials as BASIC_AUTH_USER and BASIC_AUTH_PASSWORD
+DOCS_ALLOW_BASIC_AUTH=false
+
+#####################################
+# Retry Config for HTTP Requests
+#####################################
+
+RETRY_MAX_ATTEMPTS=3
+# seconds
+RETRY_BASE_DELAY=1.0
+# seconds
+RETRY_MAX_DELAY=60.0
+# fraction of delay
+RETRY_JITTER_MAX=0.5
+
+#####################################
+# Logging
+#####################################
+
+# Logging verbosity level: DEBUG, INFO, WARNING, ERROR, CRITICAL
 MCPGATEWAY_BULK_IMPORT_MAX_TOOLS=200
 MCPGATEWAY_BULK_IMPORT_RATE_LIMIT=10
 
@@ -132,8 +285,8 @@ WELL_KNOWN_SECURITY_TXT=""
 # Example: {"ai.txt": "AI Usage: This service uses AI for tool orchestration...", "dnt-policy.txt": "We respect DNT headers..."}
 WELL_KNOWN_CUSTOM_FILES="{}"
 
-# Cache control for well-known files (seconds)
-WELL_KNOWN_CACHE_MAX_AGE=3600  # 1 hour
+# Cache control for well-known files (seconds) - 3600 = 1 hour
+WELL_KNOWN_CACHE_MAX_AGE=3600
 
 #####################################
 # Well-Known URI Examples