Fix/multi header auth 526 (#691)

* feat(makefile): add comprehensive file-specific linting support

- Add support for linting specific files and directories via arguments
- Implement smart file type detection (Python, YAML, JSON, Markdown, TOML)
- Add convenience targets: lint-quick, lint-fix, lint-smart
- Add git integration: lint-changed, lint-staged, pre-commit hooks
- Fix TARGET variable parsing for multiple directories
- Remove duplicate lint-changed target definitions
- Add dummy targets to prevent 'No rule to make target' errors

Usage:
- make lint filename.py (single file)
- make lint dirname/ (directory)
- make lint-quick filename.py (fast linters only)
- make lint-changed (git changed files)

Resolves: 'mcpgateway tests is not a Python file or directory' error
Fixes: Duplicate target override warnings
Implements: All requirements from file-specific linting chore

* fix: resolve multiple authentication headers and validation issues

- Fix gateway initialization failure with multi-header authentication by properly encoding header dictionaries before passing to _initialize_gateway()
- Fix error formatter IndexError when validation errors have empty location tuples
- Fix GatewayRead model to support multiple authentication headers instead of requiring exactly one

Resolves issue #526 - multi-header authentication support

* feat: support multiple custom authentication headers for MCP gateways

  - Add dynamic multi-header UI with add/remove functionality
  - Update backend validation to accept auth_headers array
  - Maintain backward compatibility with single header format
  - Add comprehensive tests and documentation
  - Handle edge cases (duplicates, validation, limits)

  Fixes #526

* fix: updated test assertion to match the updated validation when auth_headers is an empty list

* updated files with linter formatting

Signed-off-by: Manav Gupta <[email protected]>

* Rebase, lint and revert Makefile changes

Signed-off-by: Mihai Criveti <[email protected]>

* Rebase, lint and revert Makefile changes

Signed-off-by: Mihai Criveti <[email protected]>

* Rebase, lint and revert Makefile changes

Signed-off-by: Mihai Criveti <[email protected]>

---------

Signed-off-by: Manav Gupta <[email protected]>
Signed-off-by: Mihai Criveti <[email protected]>
Co-authored-by: Mihai Criveti <[email protected]>

Author: manavgup

CLAUDE.md

@@ -228,7 +228,7 @@ pytest -m "not slow"
 # To test everything:
 
 make autoflake isort black pre-commit
-make doctest test smoketest lint-web flake8 pylint
+make interrogate doctest test smoketest lint-web flake8 bandit pylint
 
 # Rules
 - When using git commit always add a -s to sign commits

docs/docs/using/multi-auth-headers.md

@@ -0,0 +1,189 @@
+# Multiple Authentication Headers
+
+## Overview
+
+MCP Gateway now supports multiple custom authentication headers for gateway connections. This feature allows you to configure multiple header key-value pairs that will be sent with every request to your MCP servers.
+
+## Use Cases
+
+Multiple authentication headers are useful when:
+- Your MCP server requires multiple API keys or tokens
+- You need to send client identification along with authentication
+- Your service uses region-specific or version-specific headers
+- You're integrating with services that require complex header-based authentication
+
+## Configuration
+
+### Via Admin UI
+
+1. Navigate to the Admin Panel at `http://localhost:8000/admin/`
+2. Click on the "Gateways" tab
+3. When adding or editing a gateway:
+   - Select "Custom Headers" as the Authentication Type
+   - Click "Add Header" to add multiple header pairs
+   - Enter the header key (e.g., `X-API-Key`) and value for each header
+   - Click "Remove" next to any header to delete it
+   - Submit the form to save your configuration
+
+### Via API
+
+Send a POST request to `/admin/gateways` with the `auth_headers` field as a JSON array:
+
+```json
+{
+  "name": "My Gateway",
+  "url": "http://mcp-server.example.com",
+  "auth_type": "authheaders",
+  "auth_headers": [
+    {"key": "X-API-Key", "value": "secret-key-123"},
+    {"key": "X-Client-ID", "value": "client-456"},
+    {"key": "X-Region", "value": "us-east-1"}
+  ]
+}
+```
+
+### Via Python SDK
+
+```python
+from mcpgateway.schemas import GatewayCreate
+
+gateway = GatewayCreate(
+    name="My Gateway",
+    url="http://mcp-server.example.com",
+    auth_type="authheaders",
+    auth_headers=[
+        {"key": "X-API-Key", "value": "secret-key-123"},
+        {"key": "X-Client-ID", "value": "client-456"},
+        {"key": "X-Region", "value": "us-east-1"}
+    ]
+)
+```
+
+## Backward Compatibility
+
+The gateway still supports the legacy single-header format for backward compatibility:
+
+```json
+{
+  "name": "My Gateway",
+  "url": "http://mcp-server.example.com",
+  "auth_type": "authheaders",
+  "auth_header_key": "X-API-Key",
+  "auth_header_value": "secret-key-123"
+}
+```
+
+If both `auth_headers` (multi) and `auth_header_key`/`auth_header_value` (single) are provided, the multi-header format takes precedence.
+
+## Security Considerations
+
+### Encryption
+All authentication headers are encrypted before being stored in the database using AES-256-GCM encryption. The encryption key is derived from the `AUTH_ENCRYPTION_SECRET` environment variable.
+
+### Header Validation
+- Empty header keys are ignored
+- Duplicate header keys will use the last provided value
+- Header values can be empty strings if required by your authentication scheme
+- Special characters in header keys and values are supported
+
+### Best Practices
+1. **Use HTTPS**: Always use HTTPS URLs for your MCP servers to prevent header interception
+2. **Rotate Keys**: Regularly rotate your API keys and update them in the gateway configuration
+3. **Minimal Headers**: Only include headers that are strictly necessary for authentication
+4. **Environment Variables**: Store sensitive values in environment variables when deploying
+
+## Common Patterns
+
+### Multiple API Keys
+```json
+{
+  "auth_headers": [
+    {"key": "X-Primary-Key", "value": "primary-secret"},
+    {"key": "X-Secondary-Key", "value": "secondary-secret"}
+  ]
+}
+```
+
+### API Key with Client Identification
+```json
+{
+  "auth_headers": [
+    {"key": "X-API-Key", "value": "api-secret"},
+    {"key": "X-Client-ID", "value": "client-123"},
+    {"key": "X-Client-Secret", "value": "client-secret"}
+  ]
+}
+```
+
+### Regional Configuration
+```json
+{
+  "auth_headers": [
+    {"key": "X-API-Key", "value": "api-secret"},
+    {"key": "X-Region", "value": "eu-west-1"},
+    {"key": "X-Environment", "value": "production"}
+  ]
+}
+```
+
+## Troubleshooting
+
+### Headers Not Being Sent
+1. Check that your gateway is using `auth_type: "authheaders"`
+2. Verify headers are properly formatted in the JSON array
+3. Ensure the gateway is enabled and reachable
+4. Check server logs to confirm headers are being received
+
+### Case Sensitivity
+HTTP headers are case-insensitive by specification. Some HTTP clients or servers may normalize header names to lowercase. Your MCP server should handle headers in a case-insensitive manner.
+
+### Validation Errors
+If you receive validation errors when saving:
+- Ensure at least one header is provided when using "Custom Headers" authentication
+- Check that your JSON is properly formatted if using the API
+- Verify that header keys don't contain invalid characters
+
+### Testing Your Configuration
+Use the "Test" button in the Admin UI to verify your gateway connection with the configured headers. The test will attempt to connect to your MCP server and validate that authentication is working correctly.
+
+## Migration from Single Headers
+
+If you have existing gateways using single header authentication, they will continue to work without modification. To migrate to multi-headers:
+
+1. Edit your gateway in the Admin UI
+2. Your existing single header will be displayed
+3. Add additional headers as needed
+4. Save the configuration
+
+The system will automatically convert your configuration to the multi-header format while preserving your existing authentication.
+
+## API Reference
+
+### GatewayCreate Schema
+```python
+{
+    "name": str,
+    "url": str,
+    "auth_type": "authheaders",
+    "auth_headers": [
+        {"key": str, "value": str},
+        ...
+    ]
+}
+```
+
+### GatewayUpdate Schema
+```python
+{
+    "auth_type": "authheaders",
+    "auth_headers": [
+        {"key": str, "value": str},
+        ...
+    ]
+}
+```
+
+## Related Documentation
+- [Gateway Authentication](./authentication.md)
+- [Security Best Practices](../security/best-practices.md)
+- [API Documentation](../api/gateways.md)

mcpgateway/admin.py

@@ -2585,6 +2585,26 @@ async def admin_add_gateway(request: Request, db: Session = Depends(get_db), use
         tags_str = form.get("tags", "")
         tags = [tag.strip() for tag in tags_str.split(",") if tag.strip()] if tags_str else []
 
+        # Parse auth_headers JSON if present
+        auth_headers_json = form.get("auth_headers")
+        auth_headers = []
+        if auth_headers_json:
+            try:
+                auth_headers = json.loads(auth_headers_json)
+            except (json.JSONDecodeError, ValueError):
+                auth_headers = []
+
+        # Handle passthrough_headers
+        passthrough_headers = form.get("passthrough_headers")
+        if passthrough_headers and passthrough_headers.strip():
+            try:
+                passthrough_headers = json.loads(passthrough_headers)
+            except (json.JSONDecodeError, ValueError):
+                # Fallback to comma-separated parsing
+                passthrough_headers = [h.strip() for h in passthrough_headers.split(",") if h.strip()]
+        else:
+            passthrough_headers = None
+
         gateway = GatewayCreate(
             name=form["name"],
             url=form["url"],
@@ -2597,6 +2617,8 @@ async def admin_add_gateway(request: Request, db: Session = Depends(get_db), use
             auth_token=form.get("auth_token", ""),
             auth_header_key=form.get("auth_header_key", ""),
             auth_header_value=form.get("auth_header_value", ""),
+            auth_headers=auth_headers if auth_headers else None,
+            passthrough_headers=passthrough_headers,
         )
     except KeyError as e:
         # Convert KeyError to ValidationError-like response
@@ -2741,6 +2763,26 @@ async def admin_edit_gateway(
         tags_str = form.get("tags", "")
         tags = [tag.strip() for tag in tags_str.split(",") if tag.strip()] if tags_str else []
 
+        # Parse auth_headers JSON if present
+        auth_headers_json = form.get("auth_headers")
+        auth_headers = []
+        if auth_headers_json:
+            try:
+                auth_headers = json.loads(auth_headers_json)
+            except (json.JSONDecodeError, ValueError):
+                auth_headers = []
+
+        # Handle passthrough_headers
+        passthrough_headers = form.get("passthrough_headers")
+        if passthrough_headers and passthrough_headers.strip():
+            try:
+                passthrough_headers = json.loads(passthrough_headers)
+            except (json.JSONDecodeError, ValueError):
+                # Fallback to comma-separated parsing
+                passthrough_headers = [h.strip() for h in passthrough_headers.split(",") if h.strip()]
+        else:
+            passthrough_headers = None
+
         gateway = GatewayUpdate(  # Pydantic validation happens here
             name=form.get("name"),
             url=form["url"],
@@ -2753,6 +2795,8 @@ async def admin_edit_gateway(
             auth_token=form.get("auth_token", None),
             auth_header_key=form.get("auth_header_key", None),
             auth_header_value=form.get("auth_header_value", None),
+            auth_headers=auth_headers if auth_headers else None,
+            passthrough_headers=passthrough_headers,
         )
         await gateway_service.update_gateway(db, gateway_id, gateway)
         return JSONResponse(

mcpgateway/handlers/sampling.py

@@ -218,7 +218,7 @@ async def create_message(self, db: Session, request: Dict[str, Any]) -> CreateMe
                 if not self._validate_message(msg):
                     raise SamplingError(f"Invalid message format: {msg}")
 
-            # TODO: Sample from selected model
+            # FIXME: Implement actual model sampling - currently returns mock response
             # For now return mock response
             response = self._mock_sample(messages=messages)
 
@@ -357,7 +357,7 @@ async def _add_context(self, _db: Session, messages: List[Dict[str, Any]], _cont
             >>> len(result)
             2
         """
-        # TODO: Implement context gathering based on type
+        # FIXME: Implement context gathering based on type - currently no-op
         # For now return original messages
         return messages