feat: Experimental Oauth 2.0 support in gateway

.env.example

@@ -18,12 +18,41 @@ CACHE_TYPE=memory
 # CACHE_TYPE=redis
 # REDIS_URL=redis://localhost:6379/0
 
+
+# Maximum number of times to boot redis connection for cold start
+REDIS_MAX_RETRIES=3
+
+# Interval time for next retry of redis connection
+REDIS_RETRY_INTERVAL_MS=2000
+
+#####################################
+# Protocol Settings
+#####################################
+
+# MCP protocol version supported by this gateway
+PROTOCOL_VERSION=2025-03-26
+
+#####################################
+# Authentication
+#####################################
+
+# Admin UI basic-auth credentials
+# PRODUCTION: Change these to strong, unique values!
 # Authentication Configuration
 JWT_SECRET_KEY=my-test-key
 JWT_ALGORITHM=HS256
 BASIC_AUTH_USER=admin
 BASIC_AUTH_PASSWORD=changeme
 AUTH_REQUIRED=true
+
+# Secret used to sign JWTs (use long random value in prod)
+# PRODUCTION: Use a strong, random secret (minimum 32 characters)
+JWT_SECRET_KEY=my-test-key
+
+# Algorithm used to sign JWTs (e.g., HS256)
+JWT_ALGORITHM=HS256
+
+# Expiry time for generated JWT tokens (in minutes; e.g. 7 days)
 TOKEN_EXPIRY=10080
 REQUIRE_TOKEN_EXPIRATION=false
 
@@ -32,10 +61,134 @@ MCP_CLIENT_AUTH_ENABLED=true
 TRUST_PROXY_AUTH=false
 PROXY_USER_HEADER=X-Authenticated-User
 
+# Used to derive an AES encryption key for secure auth storage
+# Must be a non-empty string (e.g. passphrase or random secret)
+AUTH_ENCRYPTION_SECRET=my-test-salt
+
+#####################################
+# Admin UI and API Toggles
+#####################################
+
+# Enable the visual Admin UI (true/false)
+# PRODUCTION: Set to false for security
+MCPGATEWAY_UI_ENABLED=true
+
+# Enable the Admin API endpoints (true/false)
+# PRODUCTION: Set to false for security
+
 # UI/Admin Feature Flags
 MCPGATEWAY_UI_ENABLED=true
 MCPGATEWAY_ADMIN_API_ENABLED=true
 MCPGATEWAY_BULK_IMPORT_ENABLED=true
+
+# Maximum number of tools allowed per bulk import request
+MCPGATEWAY_BULK_IMPORT_MAX_TOOLS=200
+
+# Rate limiting for bulk import endpoint (requests per minute)
+MCPGATEWAY_BULK_IMPORT_RATE_LIMIT=10
+
+#####################################
+# Header Passthrough Configuration
+#####################################
+
+# SECURITY WARNING: Header passthrough is disabled by default for security.
+# Only enable if you understand the security implications and have reviewed
+# which headers should be passed through to backing MCP servers.
+# ENABLE_HEADER_PASSTHROUGH=false
+
+# Default headers to pass through (when feature is enabled)
+# JSON array format recommended: ["X-Tenant-Id", "X-Trace-Id"]
+# Comma-separated also supported: X-Tenant-Id,X-Trace-Id
+# NOTE: Authorization header removed from defaults for security
+# DEFAULT_PASSTHROUGH_HEADERS=["X-Tenant-Id", "X-Trace-Id"]
+
+#####################################
+# Security and CORS
+#####################################
+
+# Skip TLS certificate checks for upstream requests (not recommended in prod)
+SKIP_SSL_VERIFY=false
+
+# CORS origin allowlist (use JSON array of URLs)
+# Example: ["http://localhost:3000"]
+# Do not quote this value. Start with [] to ensure it's valid JSON.
+ALLOWED_ORIGINS='["http://localhost", "http://localhost:4444"]'
+
+# Enable CORS handling in the gateway
+CORS_ENABLED=true
+
+# CORS allow credentials (true/false)
+CORS_ALLOW_CREDENTIALS=true
+
+# Environment setting (development/production) - affects security defaults
+# development: Auto-configures CORS for localhost:3000, localhost:8080, etc.
+# production: Uses APP_DOMAIN for HTTPS origins, enforces secure cookies
+ENVIRONMENT=development
+
+# Domain configuration for production CORS origins
+# In production, automatically creates origins: https://APP_DOMAIN, https://app.APP_DOMAIN, https://admin.APP_DOMAIN
+# For production: set to your actual domain (e.g., mycompany.com)
+APP_DOMAIN=localhost
+
+# Security settings for cookies
+# production: Automatically enables secure cookies regardless of this setting
+# development: Set to false for HTTP development, true for HTTPS
+SECURE_COOKIES=true
+
+# Cookie SameSite attribute for CSRF protection
+# strict: Maximum security, may break some OAuth flows
+# lax: Good balance of security and compatibility (recommended)
+# none: Requires Secure=true, allows cross-site usage
+COOKIE_SAMESITE=lax
+
+#####################################
+# Security Headers Configuration
+#####################################
+
+# Enable security headers middleware (true/false)
+SECURITY_HEADERS_ENABLED=true
+
+# X-Frame-Options setting (DENY, SAMEORIGIN, or ALLOW-FROM uri)
+# DENY: Prevents all iframe embedding (recommended for security)
+# SAMEORIGIN: Allows embedding from same domain only
+# To disable: Set to empty string X_FRAME_OPTIONS=""
+X_FRAME_OPTIONS=DENY
+
+# Other security headers (true/false)
+X_CONTENT_TYPE_OPTIONS_ENABLED=true
+X_XSS_PROTECTION_ENABLED=true
+X_DOWNLOAD_OPTIONS_ENABLED=true
+
+# HSTS (HTTP Strict Transport Security) settings
+HSTS_ENABLED=true
+# HSTS max age in seconds (31536000 = 1 year)
+HSTS_MAX_AGE=31536000
+HSTS_INCLUDE_SUBDOMAINS=true
+
+# Remove server identification headers (true/false)
+REMOVE_SERVER_HEADERS=true
+
+# Enable HTTP Basic Auth for docs endpoints (in addition to Bearer token auth)
+# Uses the same credentials as BASIC_AUTH_USER and BASIC_AUTH_PASSWORD
+DOCS_ALLOW_BASIC_AUTH=false
+
+#####################################
+# Retry Config for HTTP Requests
+#####################################
+
+RETRY_MAX_ATTEMPTS=3
+# seconds
+RETRY_BASE_DELAY=1.0
+# seconds
+RETRY_MAX_DELAY=60.0
+# fraction of delay
+RETRY_JITTER_MAX=0.5
+
+#####################################
+# Logging
+#####################################
+
+# Logging verbosity level: DEBUG, INFO, WARNING, ERROR, CRITICAL
 MCPGATEWAY_BULK_IMPORT_MAX_TOOLS=200
 MCPGATEWAY_BULK_IMPORT_RATE_LIMIT=10
 
@@ -132,8 +285,8 @@ WELL_KNOWN_SECURITY_TXT=""
 # Example: {"ai.txt": "AI Usage: This service uses AI for tool orchestration...", "dnt-policy.txt": "We respect DNT headers..."}
 WELL_KNOWN_CUSTOM_FILES="{}"
 
-# Cache control for well-known files (seconds)
-WELL_KNOWN_CACHE_MAX_AGE=3600  # 1 hour
+# Cache control for well-known files (seconds) - 3600 = 1 hour
+WELL_KNOWN_CACHE_MAX_AGE=3600
 
 #####################################
 # Well-Known URI Examples