fix(docs/auth): support basic auth (#640)

* fix(docs/auth): support basic auth

Signed-off-by: Guoqiang Ding <[email protected]>

* feat: add DOCS_BASIC_AUTH_ENABLED option which default value is False

Signed-off-by: Guoqiang Ding <[email protected]>

* test: add DOCS_BASIC_AUTH_ENABLED unit tests

Signed-off-by: Guoqiang Ding <[email protected]>

* Typo fix

Signed-off-by: Mihai Criveti <[email protected]>

* test

Signed-off-by: RAKHI DUTTA <[email protected]>

* updated doc_allow_basica-auth

Signed-off-by: RAKHI DUTTA <[email protected]>

* update readme

Signed-off-by: RAKHI DUTTA <[email protected]>

* update readme

Signed-off-by: RAKHI DUTTA <[email protected]>

* update readme

Signed-off-by: RAKHI DUTTA <[email protected]>

* formting change

Signed-off-by: RAKHI DUTTA <[email protected]>

---------

Signed-off-by: Guoqiang Ding <[email protected]>
Signed-off-by: Mihai Criveti <[email protected]>
Signed-off-by: RAKHI DUTTA <[email protected]>
Co-authored-by: Mihai Criveti <[email protected]>
Co-authored-by: RAKHI DUTTA <[email protected]>

Author: 3 people

.env.example

@@ -130,6 +130,10 @@ ALLOWED_ORIGINS='["http://localhost", "http://localhost:4444"]'
 # Enable CORS handling in the gateway
 CORS_ENABLED=true
 
+# Enable HTTP Basic Auth for docs endpoints (in addition to Bearer token auth)
+# Uses the same credentials as BASIC_AUTH_USER and BASIC_AUTH_PASSWORD
+DOCS_ALLOW_BASIC_AUTH=false
+
 #####################################
 # Retry Config for HTTP Requests
 #####################################
@@ -285,4 +289,4 @@ DEBUG=false
 
 # Gateway tool name separator
 GATEWAY_TOOL_NAME_SEPARATOR=-
-VALID_SLUG_SEPARATOR_REGEXP= r"^(-{1,2}|[_.])$"
+VALID_SLUG_SEPARATOR_REGEXP= r"^(-{1,2}|[_.])$"

README.md

@@ -1000,13 +1000,19 @@ You can get started by copying the provided [.env.example](.env.example) to `.en
 
 ### Security
 
-| Setting           | Description                    | Default                                        | Options    |
-| ----------------- | ------------------------------ | ---------------------------------------------- | ---------- |
-| `SKIP_SSL_VERIFY` | Skip upstream TLS verification | `false`                                        | bool       |
-| `ALLOWED_ORIGINS` | CORS allow-list                | `["http://localhost","http://localhost:4444"]` | JSON array |
-| `CORS_ENABLED`    | Enable CORS                    | `true`                                         | bool       |
+| Setting                   | Description                    | Default                                        | Options    |
+| ------------------------- | ------------------------------ | ---------------------------------------------- | ---------- |
+| `SKIP_SSL_VERIFY`         | Skip upstream TLS verification | `false`                                        | bool       |
+| `ALLOWED_ORIGINS`         | CORS allow-list                | `["http://localhost","http://localhost:4444"]` | JSON array |
+| `CORS_ENABLED`            | Enable CORS                    | `true`                                         | bool       |
+| `DOCS_ALLOW_BASIC_AUTH`   | Allow Basic Auth for docs (in addition to JWT)         | `false`                                        | bool       |
+
+> Note: do not quote the ALLOWED_ORIGINS values, this needs to be valid JSON, such as:
+> ALLOWED_ORIGINS=["http://localhost", "http://localhost:4444"]
+>
+> Documentation endpoints (`/docs`, `/redoc`, `/openapi.json`) are always protected by authentication.
+> By default, they require Bearer token authentication. Setting `DOCS_ALLOW_BASIC_AUTH=true` enables HTTP Basic Authentication as an additional method using the same credentials as `BASIC_AUTH_USER` and `BASIC_AUTH_PASSWORD`.
 
-> Note: do not quote the ALLOWED_ORIGINS values, this needs to be valid JSON, such as: `ALLOWED_ORIGINS=["http://localhost", "http://localhost:4444"]`
 
 ### Logging
 
@@ -2125,4 +2131,4 @@ Special thanks to our contributors for helping us improve ContextForge MCP Gatew
 [![Forks](https://img.shields.io/github/forks/ibm/mcp-context-forge?style=social)](https://github.com/ibm/mcp-context-forge/network/members) 
 [![Contributors](https://img.shields.io/github/contributors/ibm/mcp-context-forge)](https://github.com/ibm/mcp-context-forge/graphs/contributors) 
 [![Last Commit](https://img.shields.io/github/last-commit/ibm/mcp-context-forge)](https://github.com/ibm/mcp-context-forge/commits) 
-[![Open Issues](https://img.shields.io/github/issues/ibm/mcp-context-forge)](https://github.com/ibm/mcp-context-forge/issues) 
+[![Open Issues](https://img.shields.io/github/issues/ibm/mcp-context-forge)](https://github.com/ibm/mcp-context-forge/issues) 

mcpgateway/config.py

@@ -20,6 +20,7 @@
 - AUTH_REQUIRED: Require authentication (default: True)
 - TRANSPORT_TYPE: Transport mechanisms (default: "all")
 - FEDERATION_ENABLED: Enable gateway federation (default: True)
+- DOCS_ALLOW_BASIC_AUTH: Allow basic auth for docs (default: False)
 - FEDERATION_DISCOVERY: Enable auto-discovery (default: False)
 - FEDERATION_PEERS: List of peer gateway URLs (default: [])
 - RESOURCE_CACHE_SIZE: Max cached resources (default: 1000)
@@ -98,6 +99,7 @@ class Settings(BaseSettings):
     app_name: str = "MCP_Gateway"
     host: str = "127.0.0.1"
     port: int = 4444
+    docs_allow_basic_auth: bool = False  # Allow basic auth for docs
     database_url: str = "sqlite:///./mcp.db"
     templates_dir: Path = Path("mcpgateway/templates")
     # Absolute paths resolved at import-time (still override-able via env vars)

mcpgateway/main.py

@@ -332,6 +332,10 @@ class DocsAuthMiddleware(BaseHTTPMiddleware):
 
     If a request to one of these paths is made without a valid token,
     the request is rejected with a 401 or 403 error.
+
+    Note:
+        When DOCS_ALLOW_BASIC_AUTH is enabled, Basic Authentication
+        is also accepted using BASIC_AUTH_USER and BASIC_AUTH_PASSWORD credentials.
     """
 
     async def dispatch(self, request: Request, call_next):

mcpgateway/utils/verify_credentials.py

@@ -18,6 +18,7 @@
     ...     basic_auth_password = 'pass'
     ...     auth_required = True
     ...     require_token_expiration = False
+    ...     docs_allow_basic_auth = False
     >>> vc.settings = DummySettings()
     >>> import jwt
     >>> token = jwt.encode({'sub': 'alice'}, 'secret', algorithm='HS256')
@@ -40,6 +41,8 @@
 """
 
 # Standard
+from base64 import b64decode
+import binascii
 import logging
 from typing import Optional
 
@@ -89,6 +92,7 @@ async def verify_jwt_token(token: str) -> dict:
         ...     basic_auth_password = 'pass'
         ...     auth_required = True
         ...     require_token_expiration = False
+        ...     docs_allow_basic_auth = False
         >>> vc.settings = DummySettings()
         >>> import jwt
         >>> token = jwt.encode({'sub': 'alice'}, 'secret', algorithm='HS256')
@@ -199,6 +203,7 @@ async def verify_credentials(token: str) -> dict:
         ...     basic_auth_password = 'pass'
         ...     auth_required = True
         ...     require_token_expiration = False
+        ...     docs_allow_basic_auth = False
         >>> vc.settings = DummySettings()
         >>> import jwt
         >>> token = jwt.encode({'sub': 'alice'}, 'secret', algorithm='HS256')
@@ -240,6 +245,7 @@ async def require_auth(credentials: Optional[HTTPAuthorizationCredentials] = Dep
         ...     basic_auth_password = 'pass'
         ...     auth_required = True
         ...     require_token_expiration = False
+        ...     docs_allow_basic_auth = False
         >>> vc.settings = DummySettings()
         >>> import jwt
         >>> from fastapi.security import HTTPAuthorizationCredentials
@@ -305,6 +311,7 @@ async def verify_basic_credentials(credentials: HTTPBasicCredentials) -> str:
         ...     basic_auth_user = 'user'
         ...     basic_auth_password = 'pass'
         ...     auth_required = True
+        ...     docs_allow_basic_auth = False
         >>> vc.settings = DummySettings()
         >>> from fastapi.security import HTTPBasicCredentials
         >>> creds = HTTPBasicCredentials(username='user', password='pass')
@@ -354,6 +361,7 @@ async def require_basic_auth(credentials: HTTPBasicCredentials = Depends(basic_s
         ...     basic_auth_user = 'user'
         ...     basic_auth_password = 'pass'
         ...     auth_required = True
+        ...     docs_allow_basic_auth = False
         >>> vc.settings = DummySettings()
         >>> from fastapi.security import HTTPBasicCredentials
         >>> import asyncio
@@ -387,6 +395,103 @@ async def require_basic_auth(credentials: HTTPBasicCredentials = Depends(basic_s
     return "anonymous"
 
 
+async def require_docs_basic_auth(auth_header: str) -> str:
+    """Dedicated handler for HTTP Basic Auth for documentation endpoints only.
+
+    This function is ONLY intended for /docs, /redoc, or similar endpoints, and is enabled
+    via the settings.docs_allow_basic_auth flag. It should NOT be used for general API authentication.
+
+    Args:
+        auth_header: Raw Authorization header value (e.g. "Basic username:password").
+
+    Returns:
+        str: The authenticated username if credentials are valid.
+
+    Raises:
+        HTTPException: If credentials are invalid or malformed.
+        ValueError: If the basic auth format is invalid (missing colon).
+    """
+    """Dedicated handler for HTTP Basic Auth for documentation endpoints only.
+
+    This function is ONLY intended for /docs, /redoc, or similar endpoints, and is enabled
+    via the settings.docs_allow_basic_auth flag. It should NOT be used for general API authentication.
+
+    Args:
+        auth_header: Raw Authorization header value (e.g. "Basic dXNlcjpwYXNz").
+
+    Returns:
+        str: The authenticated username if credentials are valid.
+
+    Raises:
+        HTTPException: If credentials are invalid or malformed.
+
+    Examples:
+        >>> from mcpgateway.utils import verify_credentials as vc
+        >>> class DummySettings:
+        ...     jwt_secret_key = 'secret'
+        ...     jwt_algorithm = 'HS256'
+        ...     basic_auth_user = 'user'
+        ...     basic_auth_password = 'pass'
+        ...     auth_required = True
+        ...     require_token_expiration = False
+        ...     docs_allow_basic_auth = True
+        >>> vc.settings = DummySettings()
+        >>> import base64, asyncio
+        >>> userpass = base64.b64encode(b'user:pass').decode()
+        >>> auth_header = f'Basic {userpass}'
+        >>> asyncio.run(vc.require_docs_basic_auth(auth_header))
+        'user'
+
+        Test with invalid password:
+        >>> badpass = base64.b64encode(b'user:wrong').decode()
+        >>> bad_header = f'Basic {badpass}'
+        >>> try:
+        ...     asyncio.run(vc.require_docs_basic_auth(bad_header))
+        ... except vc.HTTPException as e:
+        ...     print(e.status_code, e.detail)
+        401 Invalid credentials
+
+        Test with malformed header:
+        >>> malformed = base64.b64encode(b'userpass').decode()
+        >>> malformed_header = f'Basic {malformed}'
+        >>> try:
+        ...     asyncio.run(vc.require_docs_basic_auth(malformed_header))
+        ... except vc.HTTPException as e:
+        ...     print(e.status_code, e.detail)
+        401 Invalid basic auth credentials
+
+        Test when docs_allow_basic_auth is False:
+        >>> vc.settings.docs_allow_basic_auth = False
+        >>> try:
+        ...     asyncio.run(vc.require_docs_basic_auth(auth_header))
+        ... except vc.HTTPException as e:
+        ...     print(e.status_code, e.detail)
+        401 Basic authentication not allowed or malformed
+        >>> vc.settings.docs_allow_basic_auth = True
+    """
+    scheme, param = get_authorization_scheme_param(auth_header)
+    if scheme.lower() == "basic" and param and settings.docs_allow_basic_auth:
+
+        try:
+            data = b64decode(param).decode("ascii")
+            username, separator, password = data.partition(":")
+            if not separator:
+                raise ValueError("Invalid basic auth format")
+            credentials = HTTPBasicCredentials(username=username, password=password)
+            return await require_basic_auth(credentials=credentials)
+        except (ValueError, UnicodeDecodeError, binascii.Error):
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Invalid basic auth credentials",
+                headers={"WWW-Authenticate": "Basic"},
+            )
+    raise HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Basic authentication not allowed or malformed",
+        headers={"WWW-Authenticate": "Basic"},
+    )
+
+
 async def require_auth_override(
     auth_header: str | None = None,
     jwt_token: str | None = None,
@@ -407,6 +512,10 @@ async def require_auth_override(
         str | dict: The decoded JWT payload or the string "anonymous",
             same as require_auth.
 
+    Raises:
+        HTTPException: If authentication fails or credentials are invalid.
+        ValueError: If basic auth credentials are malformed.
+
     Note:
         This wrapper may propagate HTTPException raised by require_auth,
         but it does not raise anything on its own.
@@ -420,6 +529,7 @@ async def require_auth_override(
         ...     basic_auth_password = 'pass'
         ...     auth_required = True
         ...     require_token_expiration = False
+        ...     docs_allow_basic_auth = False
         >>> vc.settings = DummySettings()
         >>> import jwt
         >>> import asyncio
@@ -454,5 +564,7 @@ async def require_auth_override(
         scheme, param = get_authorization_scheme_param(auth_header)
         if scheme.lower() == "bearer" and param:
             credentials = HTTPAuthorizationCredentials(scheme=scheme, credentials=param)
-
+        elif scheme.lower() == "basic" and param and settings.docs_allow_basic_auth:
+            # Only allow Basic Auth for docs endpoints when explicitly enabled
+            return await require_docs_basic_auth(auth_header)
     return await require_auth(credentials=credentials, jwt_token=jwt_token)