Add authentication for SSE and streaming gateway modes (#190)

* Add tool-name-prefix feature flag and Server.Prefix field

This commit implements tool name prefixing with the following features:

1. New feature flag 'tool-name-prefix':
   - When enabled, all tool names are prefixed with server_name:tool_name
   - Configured in Docker config file under features
   - Provides a default policy for tool name prefixing

2. New Server.Prefix field in catalog types:
   - Optional prefix field in ServerSpec
   - When set, overrides the default server name prefix
   - Applied even if tool-name-prefix feature flag is disabled
   - Provides per-server customization of tool naming

3. Implementation details:
   - Added getToolNamePrefix() helper to determine prefix based on:
     * Server.Prefix if set (highest priority)
     * Server name if ToolNamePrefix flag enabled
     * Empty string otherwise
   - Added prefixToolName() helper to apply prefix format (prefix:toolname)
   - Applied to both MCP server tools and POCI tool groups
   - Tool names are prefixed at registration time in listCapabilities()

Benefits:
- Avoids tool name conflicts when using multiple servers
- Allows disambiguation of tools with same names
- Per-server prefix customization via Server.Prefix field
- Global policy control via tool-name-prefix feature flag

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Add authentication for SSE and streaming gateway modes

Implement secure authentication for HTTP-based gateway transports (SSE and streaming) to protect MCP server access. The authentication system supports two methods: query parameter tokens and HTTP Basic Auth.

Key features:
- Auto-generates 50-character cryptographically secure tokens using lowercase letters and numbers
- Respects MCP_GATEWAY_AUTH_TOKEN environment variable for custom tokens
- Supports query parameter auth via ?MCP_GATEWAY_AUTH_TOKEN=<token>
- Supports HTTP Basic Auth with any username and token as password
- Health endpoint (/health) remains accessible without authentication
- Uses constant-time comparison to prevent timing attacks
- Outputs complete authenticated URLs on gateway startup

The gateway now displays the full URL with embedded token on startup, making it easy to copy and use in client configurations. Basic Auth credentials are also shown as an alternative authentication method.

This change prevents DNS rebinding attacks by forcing any local gateway runtime to run with an auth token, ensuring that malicious websites cannot exploit the locally-running gateway service.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Fix linter issues in authentication code

Address all golangci-lint warnings:
- Check error returns from w.Write() calls
- Use integer range syntax (Go 1.22+) in token generation loop
- Use context-aware HTTP requests in integration tests
- Rename unused parameters to underscore
- Remove unused parseAuthHeader function
- Use http.MethodGet constant instead of string literal

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Refactor: Extract addRemoteOAuthServer method

Extract lines 471-546 of dynamic_mcps.go into a separate method called
addRemoteOAuthServer for better code organization and reusability.

This method handles the complete OAuth setup flow for remote OAuth servers:
- Registers the DCR client
- Starts the OAuth provider
- Handles authorization via elicitation (if supported)
- Returns appropriate URLs for manual authorization (if needed)

No functional changes, purely a refactoring to improve maintainability.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* remove extra files

* Switch authentication from Basic Auth to Bearer token

Changes:
- Replace Basic Auth with Bearer token authentication in Authorization header
- Update authenticationMiddleware to validate "Bearer <token>" format
- Replace formatBasicAuthCredentials with formatBearerToken helper
- Update all tests to use Bearer token instead of Basic Auth
- Add tests for malformed Bearer token headers
- Update logging messages to reflect Bearer token usage
- Unhide --transport flag and document authentication in help text
- Remove unused base64 imports from auth code

Authentication now supports:
1. Bearer token: Authorization: Bearer <token>
2. Query parameter: ?MCP_GATEWAY_AUTH_TOKEN=<token>

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Remove query parameter authentication, use Bearer token only

Changes:
- Remove query parameter authentication from authenticationMiddleware
- Update formatGatewayURL to not include auth token in URL
- Update logging to show Bearer token usage without URL parameters
- Remove all query parameter auth tests from unit and integration tests
- Update test counts in SSE and streaming server tests

Authentication now only supports:
- Bearer token: Authorization: Bearer <token>

Query parameter authentication (?MCP_GATEWAY_AUTH_TOKEN=<token>) has been removed
for security reasons to prevent tokens from being logged in URLs.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* update docs

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: slimslenderslacks

CLAUDE.md

@@ -0,0 +1,145 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Overview
+
+This is the **Docker MCP Gateway** - a CLI plugin that enables easy and secure running of Model Context Protocol (MCP) servers through Docker containers. The plugin acts as a gateway between AI clients and containerized MCP servers, providing isolation, security, and management capabilities.
+
+## Architecture
+
+The codebase follows a gateway pattern where:
+- **AI Client** connects to the **MCP Gateway** 
+- **MCP Gateway** (this CLI) manages multiple **MCP Servers** running in Docker containers
+
+Key architectural components:
+- **Gateway**: Core routing and protocol translation (`cmd/docker-mcp/internal/gateway/`)
+- **Client Management**: Handles connections to AI clients (`cmd/docker-mcp/client/`)
+- **Server Management**: Manages MCP server lifecycle (`cmd/docker-mcp/server/`)
+- **Catalog System**: Manages available MCP servers (`cmd/docker-mcp/catalog/`)
+- **Security**: Secrets management and OAuth flows (`cmd/docker-mcp/secret-management/`, `cmd/docker-mcp/oauth/`)
+
+## Development Commands
+
+### Building
+```bash
+# Build the CLI plugin locally
+make docker-mcp
+
+# Cross-compile for all platforms
+make docker-mcp-cross
+```
+
+### Testing
+```bash
+# Run all tests
+make test
+
+# Run integration tests specifically
+make integration
+
+# Run long-lived integration tests
+go test -count=1 ./... -run 'TestLongLived'
+
+# Run specific tests by pattern
+go test -count=1 ./... -run 'TestIntegration'
+
+# Run a single test file
+go test ./cmd/docker-mcp/server/server_test.go
+
+# Run tests with coverage
+go test -cover ./...
+```
+
+### Code Quality
+```bash
+# Format code
+make format
+
+# Run linter
+make lint
+
+# Run linter for specific platform
+make lint-linux
+make lint-darwin
+
+# Run Go vet (static analysis)
+go vet ./...
+
+# Run Go mod tidy to clean dependencies
+go mod tidy
+```
+
+## Project Structure
+
+- `cmd/docker-mcp/` - Main CLI application entry point
+- `cmd/docker-mcp/internal/gateway/` - Core gateway implementation with client pooling, proxy management, and transport handling
+- `cmd/docker-mcp/internal/docker/` - Docker integration for container management
+- `cmd/docker-mcp/internal/mcp/` - MCP protocol implementations (stdio, SSE)
+- `cmd/docker-mcp/internal/desktop/` - Docker Desktop integration and authentication
+- `cmd/docker-mcp/catalog/` - Server catalog management commands
+- `cmd/docker-mcp/client/` - Client configuration and connection management
+- `cmd/docker-mcp/server/` - Server lifecycle management commands  
+- `cmd/docker-mcp/tools/` - Tool execution and management
+- `examples/` - Usage examples and compose configurations
+- `docs/` - Technical documentation
+
+## Key Configuration Files
+
+The CLI uses these configuration files (typically in `~/.docker/mcp/`):
+- `docker-mcp.yaml` - Server catalog definitions
+- `registry.yaml` - Registry of enabled servers  
+- `config.yaml` - Gateway configuration and options
+
+## Important Patterns
+
+### Transport Modes
+The gateway supports multiple transport modes:
+- `stdio` - Standard input/output (default)
+- `streaming` - HTTP streaming for multiple clients
+- `sse` - Server-sent events
+
+### Security Features
+- Container isolation for MCP servers
+- Secrets management via Docker Desktop
+- OAuth flow handling
+- API key and credential protection
+- Call interception and logging
+
+### Client Integration
+The system integrates with various AI clients:
+- VS Code / Cursor
+- Claude Desktop  
+- Continue Dev
+- Custom MCP clients
+
+Configuration files for different clients are automatically managed in `cmd/docker-mcp/client/testdata/`.
+
+## CLI Plugin Development
+
+This is a Docker CLI plugin written in Go 1.24+. Key development patterns:
+
+### Plugin Installation
+The plugin is installed as `docker-mcp` and becomes available as `docker mcp <command>`. The Makefile handles building and installing to the correct Docker CLI plugins directory (`~/.docker/cli-plugins/`).
+
+### Command Structure
+Commands follow the Cobra CLI pattern with the main command tree defined in `cmd/docker-mcp/commands/`. Each major command area (catalog, server, client, etc.) has its own file.
+
+### Configuration Management
+The CLI uses YAML configuration files stored in `~/.docker/mcp/`:
+- Server definitions are loaded from catalog files
+- Runtime configuration is managed through config.yaml
+- Server enablement tracked in registry.yaml
+
+### Container Lifecycle
+MCP servers run as Docker containers with proper lifecycle management:
+- Images are pulled and validated before use  
+- Containers have consistent naming patterns
+- Health checks and logging are built-in
+- Proper cleanup on shutdown
+
+### Testing Patterns
+- Integration tests require Docker daemon
+- Long-lived tests run actual container scenarios
+- Mock configurations in testdata directories
+- Use `go test -count=1` to disable test caching

cmd/docker-mcp/commands/gateway.go

@@ -77,6 +77,9 @@ func gatewayCommand(docker docker.Client, dockerCli command.Cli) *cobra.Command
 			// Check if dynamic tools feature is enabled
 			options.DynamicTools = isDynamicToolsFeatureEnabled(dockerCli)
 
+			// Check if tool name prefix feature is enabled
+			options.ToolNamePrefix = isToolNamePrefixFeatureEnabled(dockerCli)
+
 			// Update catalog URL based on mcp-oauth-dcr flag if using default Docker catalog URL
 			if len(options.CatalogPath) == 1 && (options.CatalogPath[0] == catalog.DockerCatalogURLV2 || options.CatalogPath[0] == catalog.DockerCatalogURLV3) {
 				options.CatalogPath[0] = catalog.GetDockerCatalogURL(options.McpOAuthDcrEnabled)
@@ -160,7 +163,7 @@ func gatewayCommand(docker docker.Client, dockerCli command.Cli) *cobra.Command
 	runCmd.Flags().StringArrayVar(&options.OciRef, "oci-ref", options.OciRef, "OCI image references to use")
 	runCmd.Flags().StringSliceVar(&mcpRegistryUrls, "mcp-registry", nil, "MCP registry URLs to fetch servers from (can be repeated)")
 	runCmd.Flags().IntVar(&options.Port, "port", options.Port, "TCP port to listen on (default is to listen on stdio)")
-	runCmd.Flags().StringVar(&options.Transport, "transport", options.Transport, "stdio, sse or streaming (default is stdio)")
+	runCmd.Flags().StringVar(&options.Transport, "transport", options.Transport, "stdio, sse or streaming. Uses MCP_GATEWAY_AUTH_TOKEN environment variable for localhost authentication to prevent dns rebinding attacks.")
 	runCmd.Flags().BoolVar(&options.LogCalls, "log-calls", options.LogCalls, "Log calls to the tools")
 	runCmd.Flags().BoolVar(&options.BlockSecrets, "block-secrets", options.BlockSecrets, "Block secrets from being/received sent to/from tools")
 	runCmd.Flags().BoolVar(&options.BlockNetwork, "block-network", options.BlockNetwork, "Block tools from accessing forbidden network resources")
@@ -176,7 +179,6 @@ func gatewayCommand(docker docker.Client, dockerCli command.Cli) *cobra.Command
 	runCmd.Flags().StringVar(&options.LogFilePath, "log", options.LogFilePath, "Path to log file for stderr output (relative or absolute)")
 
 	// Very experimental features
-	_ = runCmd.Flags().MarkHidden("transport")
 	_ = runCmd.Flags().MarkHidden("log")
 
 	cmd.AddCommand(runCmd)
@@ -303,3 +305,18 @@ func isDynamicToolsFeatureEnabled(dockerCli command.Cli) bool {
 
 	return value == "enabled"
 }
+
+// isToolNamePrefixFeatureEnabled checks if the tool-name-prefix feature is enabled
+func isToolNamePrefixFeatureEnabled(dockerCli command.Cli) bool {
+	configFile := dockerCli.ConfigFile()
+	if configFile == nil || configFile.Features == nil {
+		return false
+	}
+
+	value, exists := configFile.Features["tool-name-prefix"]
+	if !exists {
+		return false
+	}
+
+	return value == "enabled"
+}

docs/generator/reference/docker_mcp_gateway_run.yaml

@@ -275,9 +275,10 @@ options:
     - option: transport
       value_type: string
       default_value: stdio
-      description: stdio, sse or streaming (default is stdio)
+      description: |
+        stdio, sse or streaming. Uses MCP_GATEWAY_AUTH_TOKEN environment variable for localhost authentication to prevent dns rebinding attacks.
       deprecated: false
-      hidden: true
+      hidden: false
       experimental: false
       experimentalcli: false
       kubernetes: false

docs/generator/reference/mcp_gateway_run.md

@@ -32,6 +32,7 @@ Run the gateway
 | `--static`                  | `bool`        |                     | Enable static mode (aka pre-started servers)                                                                                                  |
 | `--tools`                   | `stringSlice` |                     | List of tools to enable                                                                                                                       |
 | `--tools-config`            | `stringSlice` | `[tools.yaml]`      | Paths to the tools files (absolute or relative to ~/.docker/mcp/)                                                                             |
+| `--transport`               | `string`      | `stdio`             | stdio, sse or streaming. Uses MCP_GATEWAY_AUTH_TOKEN environment variable for localhost authentication to prevent dns rebinding attacks.      |
 | `--verbose`                 | `bool`        |                     | Verbose output                                                                                                                                |
 | `--verify-signatures`       | `bool`        |                     | Verify signatures of the server images                                                                                                        |
 | `--watch`                   | `bool`        | `true`              | Watch for changes and reconfigure the gateway                                                                                                 |

pkg/catalog/types.go

@@ -31,6 +31,7 @@ type Server struct {
 	AllowHosts     []string `yaml:"allowHosts,omitempty" json:"allowHosts,omitempty"`
 	Tools          []Tool   `yaml:"tools,omitempty" json:"tools,omitempty"`
 	Config         []any    `yaml:"config,omitempty" json:"config,omitempty"`
+	Prefix         string   `yaml:"prefix,omitempty" json:"prefix,omitempty"`
 }
 
 type Secret struct {

pkg/gateway/auth.go

@@ -0,0 +1,97 @@
+package gateway
+
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"fmt"
+	"math/big"
+	"net/http"
+	"os"
+)
+
+const (
+	tokenLength = 50
+	// Characters to use for random token generation (lowercase letters and numbers)
+	tokenCharset = "abcdefghijklmnopqrstuvwxyz0123456789"
+)
+
+// generateAuthToken generates a random 50-character string using lowercase letters and numbers
+func generateAuthToken() (string, error) {
+	token := make([]byte, tokenLength)
+	charsetLen := big.NewInt(int64(len(tokenCharset)))
+
+	for i := range tokenLength {
+		num, err := rand.Int(rand.Reader, charsetLen)
+		if err != nil {
+			return "", fmt.Errorf("failed to generate random token: %w", err)
+		}
+		token[i] = tokenCharset[num.Int64()]
+	}
+
+	return string(token), nil
+}
+
+// getOrGenerateAuthToken retrieves the auth token from environment variable MCP_GATEWAY_AUTH_TOKEN
+// or generates a new one if not set or empty
+func getOrGenerateAuthToken() (string, bool, error) {
+	envToken := os.Getenv("MCP_GATEWAY_AUTH_TOKEN")
+	if envToken != "" {
+		return envToken, false, nil // false indicates token was from environment
+	}
+
+	token, err := generateAuthToken()
+	if err != nil {
+		return "", false, err
+	}
+	return token, true, nil // true indicates token was generated
+}
+
+// authenticationMiddleware creates an HTTP middleware that validates requests using
+// Bearer token in the Authorization header.
+//
+// The /health endpoint is excluded from authentication.
+func authenticationMiddleware(authToken string, next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Skip authentication for health check endpoint
+		if r.URL.Path == "/health" {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		authenticated := false
+
+		// Check for Bearer token in Authorization header
+		authHeader := r.Header.Get("Authorization")
+		if authHeader != "" {
+			// Extract Bearer token from "Bearer <token>" format
+			const bearerPrefix = "Bearer "
+			if len(authHeader) > len(bearerPrefix) && authHeader[:len(bearerPrefix)] == bearerPrefix {
+				bearerToken := authHeader[len(bearerPrefix):]
+				// Use constant-time comparison to prevent timing attacks
+				if subtle.ConstantTimeCompare([]byte(bearerToken), []byte(authToken)) == 1 {
+					authenticated = true
+				}
+			}
+		}
+
+		if !authenticated {
+			// Return 401 Unauthorized with WWW-Authenticate header
+			w.Header().Set("WWW-Authenticate", `Bearer realm="MCP Gateway"`)
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+
+		// Authentication successful, proceed to next handler
+		next.ServeHTTP(w, r)
+	})
+}
+
+// formatGatewayURL formats the gateway URL without authentication info
+func formatGatewayURL(port int, endpoint string) string {
+	return fmt.Sprintf("http://localhost:%d%s", port, endpoint)
+}
+
+// formatBearerToken formats the Bearer token for display in the Authorization header
+func formatBearerToken(authToken string) string {
+	return fmt.Sprintf("Authorization: Bearer %s", authToken)
+}