[CHORE][TESTING]: Checklist for complete E2E validation testing

[crivetimihai]

📋 Overview

Complete comprehensive testing of input validation implementation across all MCP Gateway API endpoints, including both admin and non-admin APIs. Includes additional data validation steps to ensure all validation rules are working correctly and protecting against XSS, injection attacks, and data integrity issues.

Related PRs: #339 (admin endpoints), #340 (non-admin endpoints), #337 (UI escaping), #338 (lint fixes)

Copy/paste this checklist, and add [X] if a test passes, or ❌ if it failed, Add > why it failed info.

🚀 Pre-Test Setup

Setting up MCP Servers for Testing

• cd mcp-servers/go/fast-time-server; make build # Build the fast-time-server
• ./dist/fast-time-server -transport=dual --port 8101 # No auth /sse and /http endpoints
• ./dist/fast-time-server -transport=dual --port 8102 -auth-token=secret123 # Auth /sse and /http endpoints
• python3 -m mcpgateway.translate --stdio "uvx mcp-server-git" --port 8103 # Start the mcp-server-git via translate http://127.0.0.1:8103/sse

Environment Setup

• cp .env .env.backup; cp .env.example .env # start with fresh .env
• make compose-stop docker-stop # stop previous running containers
• make venv install install-dev # install using a fresh venv
• make serve # start a server using gunicorn
• Verify server starts on http://localhost:4444

Testing and Linting

• make test # All tests pass
• make lint # No linting issues
• make tomllint jsonlint yamllint # TOML, JSON and YAML validation passes
• make smoketest # Container build based smoketest passes
• make docker-run-ssl-host docker-logs # Start the container

Authentication Setup

• curl -sk https://localhost:4444/version # Test auth prevents access. Expected: {"detail":"Not authenticated"}
• export MCPGATEWAY_BEARER_TOKEN=$(python3 -m mcpgateway.utils.create_jwt_token -u admin --secret my-test-key)
• curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" https://localhost:4444/version # Test auth works

Health Checks

• curl -sk https://localhost:4444/health # Returns healthy
• curl -sk https://localhost:4444/ready # Returns ready
• curl -sk -o /dev/null -w "%{http_code}" https://localhost:4444/health # Returns 200

Container Testing (Compose)

• make docker-stop compose-down compose-rm compose-up # Stop single container with sqlite, start compose with Postgres and Redis. Database migration passes. Container is healthy.
• make compose-logs # No errors in compose logs

🌟 Happy Path Testing - Normal Operations

1️⃣ Register MCP Gateways

Register No-Auth Time Server (port 8101)

• Register gateway:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{"name":"time_server_noauth","url":"http://127.0.0.1:8101/sse","transport":"SSE"}' \
       https://localhost:4444/gateways | jq

  Expected: ✅ Success (201), returns gateway with ID

• Verify gateway health:

  curl -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       https://localhost:4444/gateways | jq '.items[] | select(.name=="time_server_noauth") | {name, health_status}'

  Expected: ✅ health_status: "healthy"

Register Auth Time Server (port 8102)

• Register gateway with auth:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{
         "name":"time_server_auth",
         "url":"http://127.0.0.1:8102/sse",
         "transport":"SSE",
         "headers":{"Authorization":"Bearer secret123"}
       }' \
       https://localhost:4444/gateways | jq

  Expected: ✅ Success (201)

Register Git Server (port 8103)

• Register git gateway:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{"name":"git_server","url":"http://127.0.0.1:8103/sse","transport":"SSE"}' \
       https://localhost:4444/gateways | jq

  Expected: ✅ Success (201)

2️⃣ Verify Tool Discovery

• List all discovered tools:

  curl -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       https://localhost:4444/tools | jq '.items[] | {name, description, gateway}'

  Expected: ✅ Should see tools like: get_system_time, convert_time, list_commits, etc.

• Get specific tool details:

  curl -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       https://localhost:4444/tools | jq '.items[] | select(.name=="get_system_time")'

  Expected: ✅ Full tool schema with inputSchema

3️⃣ Test Tool Invocation

Test Time Tool (No Auth)

• Call get_system_time:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{
         "jsonrpc": "2.0",
         "method": "get_system_time",
         "params": {"timezone": "Europe/Dublin"},
         "id": 1
       }' \
       https://localhost:4444/rpc | jq

  Expected: ✅ Returns current time in Dublin timezone

Test Time Tool (With Auth)

• Call convert_time:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{
         "jsonrpc": "2.0",
         "method": "convert_time",
         "params": {
           "time": "2025-01-10T12:00:00Z",
           "source_timezone": "UTC",
           "target_timezone": "America/New_York"
         },
         "id": 2
       }' \
       https://localhost:4444/rpc | jq

  Expected: ✅ Returns converted time

Test Git Tool

• List commits:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{
         "jsonrpc": "2.0",
         "method": "list_commits",
         "params": {"repo": "https://github.com/modelcontextprotocol/servers", "max_count": 5},
         "id": 3
       }' \
       https://localhost:4444/rpc | jq

  Expected: ✅ Returns last 5 commits

4️⃣ Create Virtual Servers

• Get tool IDs for virtual server:

  # Save tool IDs to variables
  TIME_TOOL_ID=$(curl -s -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    https://localhost:4444/tools | jq -r '.items[] | select(.name=="get_system_time") | .id')
  CONVERT_TOOL_ID=$(curl -s -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    https://localhost:4444/tools | jq -r '.items[] | select(.name=="convert_time") | .id')
  GIT_TOOL_ID=$(curl -s -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    https://localhost:4444/tools | jq -r '.items[] | select(.name=="list_commits") | .id')
  
  echo "Time Tool ID: $TIME_TOOL_ID"
  echo "Convert Tool ID: $CONVERT_TOOL_ID"
  echo "Git Tool ID: $GIT_TOOL_ID"

• Create time utilities virtual server:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d "{
         \"name\": \"time_utilities\",
         \"description\": \"Time and timezone utilities\",
         \"associatedTools\": [\"$TIME_TOOL_ID\", \"$CONVERT_TOOL_ID\"]
       }" \
       https://localhost:4444/servers | jq

  Expected: ✅ Success (201), returns server with UUID

• Create development tools virtual server:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d "{
         \"name\": \"dev_tools\",
         \"description\": \"Development and git tools\",
         \"associatedTools\": [\"$GIT_TOOL_ID\"]
       }" \
       https://localhost:4444/servers | jq

  Expected: ✅ Success (201)

5️⃣ Test Virtual Server SSE Endpoints

• Get server UUIDs:

  TIME_SERVER_UUID=$(curl -s -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    https://localhost:4444/servers | jq -r '.items[] | select(.name=="time_utilities") | .id')
  DEV_SERVER_UUID=$(curl -s -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    https://localhost:4444/servers | jq -r '.items[] | select(.name=="dev_tools") | .id')
  
  echo "Time Server UUID: $TIME_SERVER_UUID"
  echo "Dev Server UUID: $DEV_SERVER_UUID"

• Test SSE endpoint exists:

  curl -N -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       "https://localhost:4444/servers/$TIME_SERVER_UUID/sse" \
       --max-time 2 2>&1 | head -5

  Expected: ✅ SSE stream starts (will see "data:" events)

6️⃣ Create Additional Resources and Prompts

Create Resources

• Create README resource:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{
         "uri": "docs/readme",
         "name": "readme",
         "description": "Project README",
         "mimeType": "text/markdown",
         "content": "# MCP Gateway\n\nWelcome to the MCP Gateway!"
       }' \
       https://localhost:4444/resources | jq

  Expected: ✅ Success (201)

• Create config resource:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{
         "uri": "config/app",
         "name": "app_config",
         "mimeType": "application/json",
         "content": "{\"version\": \"1.0.0\", \"debug\": false}"
       }' \
       https://localhost:4444/resources | jq

  Expected: ✅ Success (201)

Create Prompts

• Create analysis prompt:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{
         "name": "code_analysis",
         "description": "Analyze code quality",
         "template": "Analyze the following {{ language }} code:\n\n{{ code }}\n\nFocus on: {{ focus_areas }}",
         "arguments": {
           "language": {"type": "string", "required": true},
           "code": {"type": "string", "required": true},
           "focus_areas": {"type": "string", "required": false}
         }
       }' \
       https://localhost:4444/prompts | jq

  Expected: ✅ Success (201)

7️⃣ Test REST Tool Creation

• Create a REST API tool:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{
         "name": "weather_api",
         "url": "https://api.openweathermap.org/data/2.5/weather",
         "description": "Get current weather data",
         "integrationType": "REST",
         "requestType": "GET",
         "headers": {"X-API-Key": "demo-key"},
         "inputSchema": {
           "type": "object",
           "properties": {
             "q": {"type": "string", "description": "City name"},
             "units": {"type": "string", "enum": ["metric", "imperial"]}
           },
           "required": ["q"]
         }
       }' \
       https://localhost:4444/tools | jq

  Expected: ✅ Success (201)

8️⃣ Test Wrapper Integration

• Export server catalog URL:

  export MCP_SERVER_CATALOG_URLS="https://localhost:4444/servers/$TIME_SERVER_UUID"
  export MCP_AUTH_TOKEN=$MCPGATEWAY_BEARER_TOKEN

• Test wrapper initialization:

  echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}}}' | \
    python3 -m mcpgateway.wrapper 2>/dev/null | jq

  Expected: ✅ Returns capabilities including tools

9️⃣ Verify Everything Works

• Summary check:

  echo "=== System Status ==="
  echo "Gateways: $(curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" https://localhost:4444/gateways | jq '.total')"
  echo "Tools: $(curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" https://localhost:4444/tools | jq '.total')"
  echo "Resources: $(curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" https://localhost:4444/resources | jq '.total')"
  echo "Prompts: $(curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" https://localhost:4444/prompts | jq '.total')"
  echo "Servers: $(curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" https://localhost:4444/servers | jq '.total')"

  Expected: ✅ All counts > 0

📊 Admin API Validation Testing (/admin/*)

Tools - Admin Endpoints

Valid Input Tests

• Create MCP tool with valid data:

  curl -X POST http://localhost:4444/admin/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "valid_mcp_tool",
      "url": "https://example.com/mcp",
      "description": "Valid MCP tool for testing",
      "integrationType": "MCP",
      "requestType": "SSE",
      "headers": {"Content-Type": "application/json"},
      "inputSchema": {"type": "object", "properties": {"input": {"type": "string"}}}
    }'

  Expected: ✅ Success (201)

• Create REST tool with valid data:

  curl -X POST http://localhost:4444/admin/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "valid_rest_tool",
      "url": "https://api.example.com/v1/endpoint",
      "description": "Valid REST API tool",
      "integrationType": "REST",
      "requestType": "POST",
      "headers": {"Authorization": "Bearer token"}
    }'

  Expected: ✅ Success (201)

Invalid Input Tests

• XSS attempt in name:

  curl -X POST http://localhost:4444/admin/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"name": "<script>alert(1)</script>", "url": "https://example.com"}'

  Expected: ❌ 422 - "Tool name cannot contain HTML special characters"

• SQL injection pattern:

  curl -X POST http://localhost:4444/admin/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"name": "tool\"; DROP TABLE tools; --", "url": "https://example.com"}'

  Expected: ❌ 422 - "Special characters not allowed"

• Invalid URL scheme:

  curl -X POST http://localhost:4444/admin/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"name": "test_tool", "url": "javascript:alert(1)"}'

  Expected: ❌ 422 - "URL contains unsupported or potentially dangerous protocol"

• Name too long (>255 chars):

  curl -X POST http://localhost:4444/admin/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"name": "'"$(printf 'a%.0s' {1..300})"'", "url": "https://example.com"}'

  Expected: ❌ 422 - "Tool name exceeds maximum length of 255"

• Wrong request type for MCP:

  curl -X POST http://localhost:4444/admin/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "test_tool",
      "url": "https://example.com",
      "integrationType": "MCP",
      "requestType": "POST"
    }'

  Expected: ❌ 422 - "Request type 'POST' not allowed for MCP integration"

Resources - Admin Endpoints

Valid Input Tests

• Create markdown resource:

  curl -X POST http://localhost:4444/admin/resources \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "uri": "docs/guide",
      "name": "user_guide",
      "description": "Comprehensive user guide",
      "mimeType": "text/markdown",
      "content": "# User Guide\n\nWelcome to our application!"
    }'

  Expected: ✅ Success (201)

• Create JSON resource:

  curl -X POST http://localhost:4444/admin/resources \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "uri": "config/settings",
      "name": "app_config",
      "description": "Application configuration",
      "mimeType": "application/json",
      "content": "{\"version\": \"1.0.0\", \"features\": {\"auth\": true}}"
    }'

  Expected: ✅ Success (201)

Invalid Input Tests

• Directory traversal in URI:

  curl -X POST http://localhost:4444/admin/resources \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"uri": "../../etc/passwd", "name": "test", "content": "data"}'

  Expected: ❌ 422 - "directory traversal"

• HTML injection in content:

  curl -X POST http://localhost:4444/admin/resources \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "uri": "test",
      "name": "test",
      "content": "<iframe src=\"evil.com\"></iframe>"
    }'

  Expected: ❌ 422 - "contains HTML tags"

• Invalid MIME type:

  curl -X POST http://localhost:4444/admin/resources \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "uri": "test",
      "name": "test",
      "mimeType": "not/a/mime"
    }'

  Expected: ❌ 422 - "Invalid MIME type format"

Prompts - Admin Endpoints

Valid Input Tests

• Create prompt with arguments:

  curl -X POST http://localhost:4444/admin/prompts \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "greeting_prompt",
      "description": "Personalized greeting template",
      "template": "Hello {{ name }}, welcome to {{ company }}!",
      "arguments": {
        "name": {"type": "string", "required": true},
        "company": {"type": "string", "required": true}
      }
    }'

  Expected: ✅ Success (201)

Invalid Input Tests

• Script tag in template:

  curl -X POST http://localhost:4444/admin/prompts \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "test_prompt",
      "template": "<script>alert(1)</script>"
    }'

  Expected: ❌ 422 - "Template contains HTML tags"

• Event handler in template:

  curl -X POST http://localhost:4444/admin/prompts \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "test_prompt",
      "template": "<div onclick=\"alert(1)\">Click me</div>"
    }'

  Expected: ❌ 422 - "Template contains event handlers"

Gateways - Admin Endpoints

Valid Input Tests

• Create SSE gateway:

  curl -X POST http://localhost:4444/admin/gateways \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "time_server",
      "url": "http://127.0.0.1:8002/sse",
      "description": "Time server gateway",
      "transport": "SSE"
    }'

  Expected: ✅ Success (201)

Invalid Input Tests

• Invalid transport type:

  curl -X POST http://localhost:4444/admin/gateways \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "test_gateway",
      "url": "http://example.com",
      "transport": "INVALID"
    }'

  Expected: ❌ 422 - "Invalid transport type"

Servers - Admin Endpoints

Valid Input Tests

• Create server with associations:

  curl -X POST http://localhost:4444/admin/servers \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "github_server",
      "description": "GitHub integration server",
      "icon": "https://github.githubassets.com/assets/GitHub-Mark-ea2971cee799.png",
      "associatedTools": ["valid_mcp_tool"],
      "associatedResources": ["user_guide"],
      "associatedPrompts": ["greeting_prompt"]
    }'

  Expected: ✅ Success (201)

Invalid Input Tests

• Invalid icon URL:

  curl -X POST http://localhost:4444/admin/servers \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "test_server",
      "icon": "javascript:alert(1)"
    }'

  Expected: ❌ 422 - "Icon URL contains unsupported protocol"

🌐 Non-Admin API Validation Testing

Tools - Public Endpoints

• Test POST /tools with XSS:

  curl -X POST http://localhost:4444/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "<script>",
      "url": "hello_world",
      "integration_type": "REST",
      "request_type": "GET"
    }'

  Expected: ❌ 422 - Validation error

• Test PUT /tools/{tool_id} with valid update:

  curl -X PUT http://localhost:4444/tools/valid_rest_tool \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"description": "Updated description"}'

  Expected: ✅ Success

Resources - Public Endpoints

• Test POST /resources with same valid/invalid payloads as admin
• Test PUT /resources/{uri:path} with path traversal:

  curl -X PUT "http://localhost:4444/resources/../../etc/passwd" \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"content": "hacked"}'

  Expected: ❌ 400 - "Invalid URI"

Prompts - Public Endpoints

• Test prompt execution with args:

  curl -X POST http://localhost:4444/prompts/greeting_prompt \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "args": {
        "name": "Alice",
        "company": "Acme Corp"
      }
    }'

  Expected: ✅ "Hello Alice, welcome to Acme Corp!"

• Test with XSS in args:

  curl -X POST http://localhost:4444/prompts/greeting_prompt \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "args": {
        "name": "Alice<script>alert(1)</script>",
        "company": "Acme Corp"
      }
    }'

  Expected: ❌ 422 - Args should be sanitized

Gateways - Public Endpoints

• Test POST /gateways with invalid name (from your test):

  curl -X POST http://localhost:4444/gateways \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "<script>",
      "url": "hello_world",
      "transport_type": "SSE"
    }'

  Expected: ❌ 422 - Validation error

• Test with invalid URL:

  curl -X POST http://localhost:4444/gateways \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "test",
      "url": "hello_world",
      "transport_type": "SSE"
    }'

  Expected: ❌ 422 - Invalid URL format

• Test with excessively long name (from your test):

  curl -X POST http://localhost:4444/gateways \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "g7@LaPX#8qcz2MUEYwK(0R^4tnJZidBb+ol5DFVeN[Wpm93A1hI{O*}xG6vCTHsSQkfj!ry]-u=|>L8Z`$aXz(mY+B#R5c92nPUVW%Jd0MEhxA>oGwfqNevKg3s^F[Ht@L1bC)!=j4}TDQpIMlSZuNKOGm7~yRxJ9Bv+W>XizCkf(nlY&82#oqr5PA$JU}a*M-Z=@wEgphdL3VKI]CtNYX^69bmfT{+es0!u7~FWrOHv1LRydGC2qx]jz#n<BkDMU@8V(PZ&%)aA$T5hXowmiEgYl!J^bfM=NQcu7StdKCrx{4I}-vO3p9Bn+LzWYkjPQe@Hm%NXI!ow2^vTuCc5z#RYg9Bh(03LdaP=F&bZUJ-E+n4x$NKrsK{1t)V8MyidGLqj7AQhCmWR^pOs6ewXF2nlUYz!#@g0}93b&dT5K+%vH=[INBOMZra)*yLqxEJpCWfUhoR7twYnm+VX*ikgtUZP@#LAd1&cw29H^qOjbs5eyR~KlFC63MVnXpG%uWTdN(B!m+=rzJY4{aoE}-x7I9lf^UQKT5Xyw3C$gBAOHpN0RJqEk7dPGn4vztMbXCl%V!&L[uWYrosTI@9j=1ZKh3fxca}+-5NOM^PYUgFEG!bpLXqHd7Am]T#o*KWn{u0CJrszv2yt&934VXUIljMC",
      "url": "http://localhost:8000/sse",
      "transport_type": "SSE"
    }'

  Expected: ❌ 422 - Name too long

RPC Endpoint

• Valid RPC request:

  curl -X POST http://localhost:4444/rpc \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "jsonrpc": "2.0",
      "method": "tools.list",
      "params": {},
      "id": 1
    }'

  Expected: ✅ Success

• Invalid method name:

  curl -X POST http://localhost:4444/rpc \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "jsonrpc": "2.0",
      "method": "<script>alert(1)</script>",
      "id": 1
    }'

  Expected: ❌ 422 - "Invalid method name format"

📊 API Verification from Post-Deployment Checklist

• curl -sk https://localhost:4444/tools | jq '.total' # Lists tools
• curl -sk https://localhost:4444/resources | jq '.total' # Lists resources
• curl -sk https://localhost:4444/prompts | jq '.total' # Lists prompts
• curl -sk https://localhost:4444/gateways | jq '.total' # Lists gateways
• curl -sk https://localhost:4444/servers | jq '.total' # Lists servers
• curl -sk https://localhost:4444/admin/tools | jq '.total' # Admin tools endpoint
• curl -sk https://localhost:4444/admin/resources | jq '.total' # Admin resources endpoint
• curl -sk https://localhost:4444/admin/prompts | jq '.total' # Admin prompts endpoint

📚 OpenAPI & Documentation

• curl -sk https://localhost:4444/openapi.json | jq '.info.title' # Returns "MCP Gateway"
• curl -sk https://localhost:4444/docs | grep -q "MCP Gateway" && echo "✓ Swagger UI loads"
• curl -sk https://localhost:4444/redoc | grep -q "ReDoc" && echo "✓ ReDoc loads"

🔍 Edge Case Testing

Empty/Whitespace Values

• Empty string for required field:

  curl -X POST http://localhost:4444/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"name": "", "url": "https://example.com"}'

  Expected: ❌ 422 - "cannot be empty"

• Only whitespace:

  curl -X POST http://localhost:4444/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"name": "   ", "url": "https://example.com"}'

  Expected: ❌ 422 - Should be stripped and fail

Unicode Characters

• Unicode in name:

  curl -X POST http://localhost:4444/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"name": "test_tool_🚀", "url": "https://example.com"}'

  Expected: ❌ 422 - Non-alphanumeric characters

JSON Depth Limits

• Deeply nested JSON (>10 levels):

  DEEP_JSON='{"a":{"b":{"c":{"d":{"e":{"f":{"g":{"h":{"i":{"j":{"k":"too deep"}}}}}}}}}}}'
  curl -X POST http://localhost:4444/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d "{
      \"name\": \"test_tool\",
      \"url\": \"https://example.com\",
      \"inputSchema\": $DEEP_JSON
    }"

Error Handling Verification

• curl -sk https://localhost:4444/tools/nonexistent | jq '.detail' # Returns 404 "Tool not found"
• curl -sk -X POST https://localhost:4444/tools -H "Content-Type: application/json" -d '{}' | jq '.detail[0].msg' # 422 validation error
• curl -sk https://localhost:4444/invalid-endpoint | jq '.detail' # 404 "Not Found"

🗄️ Database & Migrations

• make db-current # Shows current revision (no pending migrations)
• sqlite3 data/mcpgateway.db ".tables" | grep -E "(tools|resources|prompts)" | wc -l # Should show 3+ tables
• sqlite3 data/mcpgateway.db "SELECT COUNT(*) FROM tools;" | grep -E "[0-9]+" # Has tools

📝 Log Verification

• tail -n 20 logs/mcpgateway.log | grep -c ERROR # Should be 0
• grep "Application startup complete" logs/mcpgateway.log | tail -1 # Startup logged
• grep "Created.*tool.*valid_mcp_tool" logs/mcpgateway.log # Tool creation logged

🔍 Process & Port Checks

• lsof -i :4444 | grep LISTEN | wc -l # Port 4444 is listening (should be ≥1)
• ps aux | grep "[m]cpgateway.server" | wc -l # Process running (should be ≥1)
• netstat -tuln | grep 4444 # Shows listening on port 4444

🐳 Container Health (if using Docker)

• docker ps --filter name=mcpgateway --format "table {{.Names}}\t{{.Status}}" | grep healthy # Container healthy
• docker logs mcpgateway 2>&1 | tail -10 | grep -c ERROR # Should be 0
• docker exec mcpgateway curl -s localhost:8000/health | jq '.status' # Internal health "healthy"
• docker inspect mcpgateway | jq '.[0].State.Health.Status' # Should be "healthy"

🎭 UI Verification (Admin Interface)

• Navigate to http://localhost:4444/admin/
• Verify all existing data displays correctly (no broken layouts)
• Create entities through UI with special characters
• Verify HTML entities are escaped in display: <>&"'/
• Check browser console for JavaScript errors
• Test "Test Server Connectivity" feature # Note: Currently has issue "Error: Invalid URL: URL is required"

✅ Final Integration Test

• List all created entities:

  echo "=== Created Entities ==="
  echo "Tools: $(curl -sk https://localhost:4444/tools | jq -r '.items[] | select(.name | test("valid_mcp_tool|valid_rest_tool|weather_api")) | .name' | tr '\n' ', ')"
  echo "Resources: $(curl -sk https://localhost:4444/resources | jq -r '.items[] | select(.name | test("readme|app_config|user_guide")) | .name' | tr '\n' ', ')"
  echo "Prompts: $(curl -sk https://localhost:4444/prompts | jq -r '.items[] | select(.name | test("code_analysis|greeting_prompt")) | .name' | tr '\n' ', ')"
  echo "Gateways: $(curl -sk https://localhost:4444/gateways | jq -r '.items[] | select(.name | test("time_server|git_server")) | .name' | tr '\n' ', ')"
  echo "Servers: $(curl -sk https://localhost:4444/servers | jq -r '.items[] | select(.name | test("time_utilities|dev_tools|github_server")) | .name' | tr '\n' ', ')"

• All entities should be listed and active

🧹 Cleanup (Optional)

• Delete test data if needed:

  # Delete validation test entities
  curl -sk -X DELETE https://localhost:4444/tools/valid_mcp_tool
  curl -sk -X DELETE https://localhost:4444/tools/valid_rest_tool
  curl -sk -X DELETE https://localhost:4444/tools/weather_api
  curl -sk -X DELETE https://localhost:4444/prompts/greeting_prompt
  curl -sk -X DELETE https://localhost:4444/servers/github_server
  
  # Delete happy path entities
  curl -sk -X DELETE https://localhost:4444/gateways/time_server_noauth
  curl -sk -X DELETE https://localhost:4444/gateways/time_server_auth
  curl -sk -X DELETE https://localhost:4444/gateways/git_server
  curl -sk -X DELETE https://localhost:4444/resources/docs/readme
  curl -sk -X DELETE https://localhost:4444/resources/config/app
  curl -sk -X DELETE https://localhost:4444/prompts/code_analysis
  curl -sk -X DELETE https://localhost:4444/servers/time_utilities
  curl -sk -X DELETE https://localhost:4444/servers/dev_tools

🚀 Performance Testing

• Measure response time for validation (should be < 10ms):

  time curl -X POST http://localhost:4444/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"name": "perf_test", "url": "https://example.com"}'

🏁 Final Steps

• make pre-commit # All pre-commit hooks pass
• make ci # Full CI pipeline passes locally
• make clean build # Can build fresh from scratch
• Test with both make serve and make serve-prod

✅ Sign-off Criteria

• All validation rules working as expected
• No XSS or injection vulnerabilities
• Error messages helpful for users
• Performance within acceptable limits (<10ms)
• UI displays all data safely # Note: "Test Server Connectivity" has known issue
• No regression in existing functionality
• All test scenarios pass

[madhav165]

Issues observed while testing

1. Resources - All data going into content - Resources
2. Gateways, Resources, Prompts - Edit screens not populating fields -
3. Resources and Prompts - Space after line number in text boxes
4. Tools annotations in Edit tool - Not editable, do not follow dark mode
5. Tools - Unsafe URL shows big red ribbon in UI
6. Prompts - Unsafe template goes to Internal Server Error
7. Resources - Unsafe URI or Name shows red box in UI

[crivetimihai]

📋 Overview

Complete comprehensive testing of input validation implementation across all MCP Gateway API endpoints, including both admin and non-admin APIs. Includes additional data validation steps to ensure all validation rules are working correctly and protecting against XSS, injection attacks, and data integrity issues.

Related PRs: #339 (admin endpoints), #340 (non-admin endpoints), #337 (UI escaping), #338 (lint fixes)

Copy/paste this checklist, and add [X] if a test passes, or ❌ if it failed, Add > why it failed info.

🚀 Pre-Test Setup

Setting up an MCP Server for use in testing

• cd mcp-servers/go/fast-time-server; make build # Build the fast-time-server # Build the fast-time-server
• ./dist/fast-time-server -transport=dual --port 8101 # No auth /sse and /http endpoints
• ./dist/fast-time-server -transport=dual --port 8102 -auth-token=secret123 # Auth /sse and /http endpoints
• curl http://localhost:8101/health # Expected something like: {"status":"healthy","uptime_seconds":2171}
• curl http://localhost:8102/health # Needs auth
• curl -H "Authorization: Bearer secret123" http://127.0.0.1:8102/sse # Auth works ^C after
• curl http://localhost:8103/sse # ^C to exit

TODO: Build a sample REST endpoint as well.

Environment Setup

• make clean; cp .env .env.backup; cp .env.example .env # start with fresh .env
• make compose-stop docker-stop # stop previous running containers
• make venv install install-dev # install using a fresh venv
• make serve # start a server using gunicorn
• Verify server starts on http://localhost:4444

Testing and linting

• make test # All tests pass
  ❌ Failed 2 tests

  FAILED tests/unit/mcpgateway/test_main.py::TestHealthAndInfrastructure::test_root_redirect - assert 200 == 303
  FAILED tests/unit/mcpgateway/test_ui_version.py::test_admin_ui_contains_version_tab - assert 404 == 200
  

  This is likely because the UI was turned off in .env, but need to make the test check that this is OK.
  Also means we need a LOT more /admin API tests if only 2 fail :-)

• make lint # No linting issues ✏️ Note: no new issues, some known pylint/mypy issues
• make tomllint jsonlint yamllint # TOML, JSON and YAML validation passes ✏️ Note: yamllint should ignore node_modules. Add make clean to template..
• make smoketest # Container build based smoketest passes
• make docker-run-ssl-host docker-logs # Start the container in a new terminal and monitor logs during test

Authentication Setup

• curl -sk https://localhost:4444/version # Test auth prevents access. Expected: {"detail":"Not authenticated"}
• export MCPGATEWAY_BEARER_TOKEN=$(python3 -m mcpgateway.utils.create_jwt_token -u admin --secret my-test-key)
• curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" https://localhost:4444/version # Test auth

Health Checks

• curl -sk https://localhost:4444/health # Returns healthy
• curl -sk https://localhost:4444/ready # Returns ready
• curl -sk -o /dev/null -w "%{http_code}" https://localhost:4444/health # Returns 200

Container Testing (Compose)

• make docker-stop compose-down compose-rm compose-up # Stop single container with sqlite, start compose with Postgres and Redis. Database migration passes. Container is healthy.
• make compose-logs # No errors in compose logs
• make stop # Stop compose. We'll start make serve for next tests

🌟 Happy Path Testing - Normal Operations

Setup:

• make serve # Run locally (http, and outside the container so it can connect to our local MCP Servers)

1️⃣ Register MCP Gateways

Register No-Auth Time Server (port 8101)

• Register gateway:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{"name":"time_server_noauth","url":"http://127.0.0.1:8101/sse","transport":"SSE"}' \
       http://localhost:4444/gateways | jq

  Expected: ✅ Success (201), returns gateway with ID

• Verify gateway health:

  curl -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       http://localhost:4444/gateways | jq

  Expected: ✅ "reachable": true

Register Auth Time Server (port 8102)

• Register gateway with auth:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
        -H "Content-Type: application/json" \
        -d '{
          "name":"time_server_auth",
          "url":"http://127.0.0.1:8102/sse",
          "transport":"SSE", 
          "auth_type":"bearer", 
          "auth_token": "secret123"
        }' \
        http://localhost:4444/gateways | jq 

  Expected: ✅ Success (201)

Register Git Server (port 8103)

• Register git gateway:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{"name":"git_server","url":"http://127.0.0.1:8103/sse","transport":"SSE"}' \
       http://localhost:4444/gateways | jq

  Expected: ✅ Success (201)
  Note: trying to register the same server twice results in "message": "Unexpected error" - maybe this should be "already exists"

2️⃣ Verify Tool Discovery

• List all discovered tools:

  curl -sH "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
     http://localhost:4444/tools | jq '.[].originalName'

  Expected: ✅ Should see tools like: get_system_time, convert_time, list_commits, etc.

• Get specific tool details (refer to a tool UUID from above):

  curl -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       http://localhost:4444/tools/0aa05ae5946549d3bb4af97b8ce3e142 | jq

  Expected: ✅ Full tool schema with inputSchema

3️⃣ Test Tool Invocation

Test Time Tool (No Auth)

• Call get_system_time:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{
         "jsonrpc": "2.0",
         "method": "time-server-noauth-get-system-time",
         "params": {"timezone": "Europe/Dublin"},
         "id": 1
       }' \
       http://localhost:4444/rpc | jq

  Expected: ✅ Returns current time in Dublin timezone

Test Time Tool (With Auth)

• Call convert_time:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{
         "jsonrpc": "2.0",
         "method": "time-server-noauth-convert-time",
         "params": {
           "time": "2025-01-10T12:00:00Z",
           "source_timezone": "UTC",
           "target_timezone": "America/New_York"
         },
         "id": 2
       }' \
       http://localhost:4444/rpc | jq

  Expected: ✅ Returns converted time

Test Git Tool

• List commits:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{
         "jsonrpc": "2.0",
         "method": "git-server-git-log",
         "params": {"repo_path": "../../../"},
         "id": 3
       }' \
       http://localhost:4444/rpc | jq

  Expected: ✅ Return git log

4️⃣ Create Virtual Servers

• Get tool IDs for virtual server:

  # Save tool IDs to variables
  TIME_TOOL_ID=$(curl -s -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    http://localhost:4444/tools \
    | jq -r '.[] | select(.originalName=="get_system_time") | .id')
  
  CONVERT_TOOL_ID=$(curl -s -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    http://localhost:4444/tools \
    | jq -r '.[] | select(.originalName=="convert_time") | .id')
  
  GIT_TOOL_ID=$(curl -s -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    http://localhost:4444/tools \
    | jq -r '.[] | select(.originalName=="git_log") | .id')
  
  echo "Time Tool ID: $TIME_TOOL_ID"
  echo "Convert Tool ID: $CONVERT_TOOL_ID"
  echo "Git Tool ID: $GIT_TOOL_ID"

• Create time utilities virtual server:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d "{
         \"name\": \"time_utilities\",
         \"description\": \"Time and timezone utilities\",
         \"associatedTools\": [\"$TIME_TOOL_ID\", \"$CONVERT_TOOL_ID\"]
       }" \
       http://localhost:4444/servers | jq

  Expected: ✅ Success (201), returns server with UUID

• Create development tools virtual server:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d "{
         \"name\": \"dev_tools\",
         \"description\": \"Development and git tools\",
         \"associatedTools\": [\"$GIT_TOOL_ID\"]
       }" \
       http://localhost:4444/servers | jq

  Expected: ✅ Success (201)

5️⃣ Test Virtual Server SSE Endpoints

• Get server UUIDs:

  # Get the UUID for the “time_utilities” server
  TIME_SERVER_UUID=$(curl -s -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    http://localhost:4444/servers \
    | jq -r '.[] | select(.name=="time_utilities") | .id')
  
  # Get the UUID for the “dev_tools” server
  DEV_SERVER_UUID=$(curl -s -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    http://localhost:4444/servers \
    | jq -r '.[] | select(.name=="dev_tools") | .id')
  
  echo "Time Server UUID: $TIME_SERVER_UUID"
  echo "Dev Server UUID: $DEV_SERVER_UUID"

  Expected:

  Time Server UUID: 3b5c69a683ea4a0c94f1883bf58eead6
  Dev Server UUID: 7308ac3f023f4c16a24ec7a2225f85db
  

• Test SSE endpoint exists:

  curl -N -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       "http://localhost:4444/servers/$TIME_SERVER_UUID/sse" \
       --max-time 2 2>&1 | head -5

  Expected: ✅ SSE stream starts (will see "data:" events)

6️⃣ Create Additional Resources and Prompts

Create Resources

• Create README resource:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{
         "uri": "docs/readme",
         "name": "readme",
         "description": "Project README",
         "mimeType": "text/markdown",
         "content": "# MCP Gateway\n\nWelcome to the MCP Gateway!"
       }' \
       http://localhost:4444/resources | jq

  Expected: ✅ Success (201)

• Create config resource:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{
         "uri": "config/app",
         "name": "app_config",
         "mimeType": "application/json",
         "content": "{\"version\": \"1.0.0\", \"debug\": false}"
       }' \
       http://localhost:4444/resources | jq

  Expected: ✅ Success (201)

Create Prompts

• Create analysis prompt:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "code_analysis",
        "description": "Analyze code quality",
        "template": "Analyze the following {{ language }} code:\n\n{{ code }}\n\nFocus on: {{ focus_areas }}",
        "arguments": [
          {"name": "language", "description": "Programming language", "required": true},
          {"name": "code", "description": "Code to analyze", "required": true},
          {"name": "focus_areas", "description": "Specific areas to focus on", "required": false}
        ]
      }' \
      http://localhost:4444/prompts | jq

  Expected: ✅ Success (201)

• Summary prompt (no arguments):

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "system_summary",
        "description": "System status summary",
        "template": "MCP Gateway is running and ready to process requests. All systems operational.",
        "arguments": []
      }' \
      http://localhost:4444/prompts | jq

• Task reminder prompt:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "task_reminder",
        "description": "Create a task reminder",
        "template": "Remember to {{ task }} by {{ deadline }}.",
        "arguments": [
          {"name": "task", "description": "Task to remember", "required": true},
          {"name": "deadline", "description": "When to complete by", "required": true}
        ]
      }' \
      http://localhost:4444/prompts | jq

7️⃣ Test REST Tool Creation

• Create a REST API tool:

  curl -X POST -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{
         "name": "weather_api",
         "url": "https://api.openweathermap.org/data/2.5/weather",
         "description": "Get current weather data",
         "integrationType": "REST",
         "requestType": "GET",
         "headers": {"X-API-Key": "demo-key"},
         "inputSchema": {
           "type": "object",
           "properties": {
             "q": {"type": "string", "description": "City name"},
             "units": {"type": "string", "enum": ["metric", "imperial"]}
           },
           "required": ["q"]
         }
       }' \
       http://localhost:4444/tools | jq

  Expected: ✅ Success (201)

8️⃣ Test Wrapper Integration

• Export server catalog URL:

  export MCP_SERVER_CATALOG_URLS="http://localhost:4444/servers/$TIME_SERVER_UUID"
  export MCP_AUTH_TOKEN=$MCPGATEWAY_BEARER_TOKEN

• Test wrapper initialization:

  echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}}}' | \
    python3 -m mcpgateway.wrapper 2>/dev/null | jq

  Expected: ✅ Returns capabilities including tools

9️⃣ Verify Everything Works

• Summary check:

  echo "=== System Status ==="
  echo "Gateways: $(curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/gateways)"
  echo "Tools: $(curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/tools)"
  echo "Resources: $(curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/resources)"
  echo "Prompts: $(curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/prompts)"
  echo "Servers: $(curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/servers)"

  Expected: ✅ All counts > 0

📊 Admin API Validation Testing (/admin/*)

Note: the Admin API and UI is disabled by default, ex: http://localhost:4444/ will return:

{"name":"MCP_Gateway","version":"1.0.0","description":"MCP_Gateway API - UI is disabled","ui_enabled":false,"admin_api_enabled":false}

Enable it in .env, then restart make serve:

# Enable the visual Admin UI (true/false)
MCPGATEWAY_UI_ENABLED=true

# Enable the Admin API endpoints (true/false)
MCPGATEWAY_ADMIN_API_ENABLED=true

Tools - Admin Endpoints

Valid Input Tests

• Create REST tool with valid data (Note: Admin endpoints use form data, not JSON):

  curl -X POST http://localhost:4444/admin/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'name=valid_rest_tool&url=https://api.example.com/v1/endpoint&description=Valid REST API tool&integrationType=REST&requestType=POST&headers={"Authorization": "Bearer token"}'

  Expected: ✅ Success (200) with JSON response {"message": "Tool registered successfully!", "success": true}

Invalid Input Tests

• XSS attempt in name:

  curl -X POST http://localhost:4444/admin/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'name=<script>alert(1)</script>&url=https://example.com&integrationType=REST&requestType=GET'

  Expected: ❌ 400/500 - Validation error in JSON response
  Actual: {"message":"1 validation error for ToolCreate\nname\n Value error, Tool name must start with a letter and contain only letters, numbers, and underscore [type=value_error, input_value='<script>alert(1)</script>', input_type=str]\n For further information visit https://errors.pydantic.dev/2.11/v/value_error","success":false}

• SQL injection pattern:

  curl -X POST http://localhost:4444/admin/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'name=tool"; DROP TABLE tools; --&url=https://example.com&integrationType=REST&requestType=GET'

  Expected: ❌ 400/500 - Validation error
  Actual: {"message":"1 validation error for ToolCreate\nname\n Value error, Tool name must start with a letter and contain only letters, numbers, and underscore [type=value_error, input_value='tool\"; DROP TABLE tools; --', input_type=str]\n For further information visit https://errors.pydantic.dev/2.11/v/value_error","success":false}

• Invalid URL scheme:

  curl -X POST http://localhost:4444/admin/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'name=test_tool&url=javascript:alert(1)&integrationType=REST&requestType=GET'

  Expected: ❌ 400/500 - URL validation error
  Actual: {"message":"1 validation error for ToolCreate\nurl\n Value error, Tool URL must start with one of: http://, https://, ws://, wss:// [type=value_error, input_value='javascript:alert(1)', input_type=str]\n For further information visit https://errors.pydantic.dev/2.11/v/value_error","success":false}

• Name too long (>255 chars):

  curl -X POST http://localhost:4444/admin/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'name='"$(printf 'a%.0s' {1..300})"'&url=https://example.com&integrationType=REST&requestType=GET'

  Expected: ❌ 400/500 - Name too long error
  Actual: {"message":"1 validation error for ToolCreate\nname\n Value error, Tool name exceeds maximum length of 255 [type=value_error, input_value='aaaaaaaaaaaaaaaaaaaaaaaa...aaaaaaaaaaaaaaaaaaaaaaa', input_type=str]\n For further information visit https://errors.pydantic.dev/2.11/v/value_error","success":false}%

• Wrong request type for MCP:

  curl -X POST http://localhost:4444/admin/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'name=test_tool&url=https://example.com&integrationType=MCP&requestType=POST'

  Expected: ❌ 400/500 - Invalid request type for MCP
  Actual: {"message":"1 validation error for ToolCreate\nrequest_type\n Value error, Request type 'POST' not allowed for MCP integration [type=value_error, input_value='POST', input_type=str]\n For further information visit https://errors.pydantic.dev/2.11/v/value_error","success":false}
  TODO: make these error codes etc.

Resources - Admin Endpoints

Valid Input Tests

• Create markdown resource (form data):

  curl -X POST http://localhost:4444/admin/resources \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'uri=docs/guide&name=user_guide&description=Comprehensive user guide&mimeType=text/markdown&content=# User Guide%0A%0AWelcome to our application!'

  Expected: ✅ Success (303 redirect)

• Create JSON resource:

  curl -X POST http://localhost:4444/admin/resources \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'uri=config/settings&name=app_config&description=Application configuration&mimeType=application/json&content={"version": "1.0.0", "features": {"auth": true}}'

  Expected: ✅ Success (303 redirect)
  Note: if I run it again I get Internal Server Error (behind I get mcpgateway.services.resource_service.ResourceError: Failed to register resource: Resource already exists with URI: config/settings) but need to make it more friendly

Invalid Input Tests

• Directory traversal in URI:

  curl -X POST http://localhost:4444/admin/resources \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'uri=../../etc/passwd&name=test&content=data'

  Expected: ❌ 303 redirect (error handled internally)
  Actual: Internal Server Error
  Server Logs: Value error, Resource URI cannot contain directory traversal sequences ('..') [type=value_error, input_value='../../etc/passwd', input_type=str]

• HTML injection in content:

  curl -X POST http://localhost:4444/admin/resources \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'uri=test&name=test&content=<iframe src="evil.com"></iframe>'

  Expected: ❌ 303 redirect (validation may occur at service level)

Prompts - Admin Endpoints

Valid Input Tests

• Create prompt with arguments:

  curl -X POST http://localhost:4444/admin/prompts \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'name=greeting_prompt&description=Personalized greeting template&template=Hello {{ name }}, welcome to {{ company }}!&arguments=[{"name": "name", "description": "User name", "required": true}, {"name": "company", "description": "Company name", "required": true}]'

  Expected: ✅ Success (303 redirect)
  Server Logs: 127.0.0.1:43684 - "POST /admin/prompts HTTP/1.1" 303

Invalid Input Tests

• Script tag in template:

  curl -X POST http://localhost:4444/admin/prompts \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'name=test_prompt&template=<script>alert(1)</script>&arguments=[]'

  Expected: ❌ 303 redirect (validation at service level)
  Received: Internal Server Error
  Server Logs: Value error, Template contains HTML tags that may interfere with proper display [type=value_error, input_value='<script>alert(1)</script>', input_type=str]
  Note: this should be a different error?

Gateways - Admin Endpoints

Valid Input Tests

• Create SSE gateway:

  curl -X POST http://localhost:4444/admin/gateways \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'name=time_server_admin&url=http://127.0.0.1:8101/sse&description=Time server gateway&transport=SSE'

  Expected: ✅ Success (200) with JSON response
  Actual: {"message":"(sqlite3.IntegrityError) UNIQUE constraint failed: gateways.url\n[SQL: INSERT INTO gateways (id, name, slug, url, description, transport, capabilities, created_at, updated_at, enabled, reachable, last_seen, auth_type, auth_value) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)]\n[parameters: ('4f16d5b979f1453dacb4821c57b11d8d', 'time_server_admin', 'time-server-admin', 'http://127.0.0.1:8101/sse', 'Time server gateway', 'SSE', '{\"logging\": {}, \"tools\": {}}', '2025-07-10 22:24:44.032936', '2025-07-10 22:24:44.032937', 1, 1, '2025-07-10 22:24:44.032019', '', 'null')]\n(Background on this error at: https://sqlalche.me/e/20/gkpj)","success":false}
  ❌ Note: this should really not show the sqlite error.
  Yes this test would succeed if it did it the first time, as you're creating a gateway that exists, but we should cleanup these errors and not show the full sql log. Perhaps have additional validation before. Should just say it already exists.

Invalid Input Tests

• Invalid transport type:

  curl -X POST http://localhost:4444/admin/gateways \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'name=test_gateway&url=http://example.com&transport=INVALID'

  Expected: ❌ 400/500 - JSON error response
  Received: {"message":"Gateway registered successfully!","success":true}
  Tried again: {"message":"Gateway already exists with name: test_gateway","success":false}
  ❌ test failed

Servers - Admin Endpoints

Valid Input Tests

• Create server with associations:

  curl -X POST http://localhost:4444/admin/servers \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'name=github_server&description=GitHub integration server&icon=https://github.githubassets.com/assets/GitHub-Mark-ea2971cee799.png'

  Expected: ✅ Success (303 redirect)

Invalid Input Tests

• Invalid icon URL:

  curl -X POST http://localhost:4444/admin/servers \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'name=test_server&icon=javascript:alert(1)'

  Expected: ❌ 303 redirect (validation at service level)
  Server Logs: Value error, Icon URL must start with one of: http://, https://, ws://, wss:// [type=value_error, input_value='javascript:alert(1)', input_type=str]

Test Gateway Connectivity

• Test gateway connectivity endpoint:

  curl -X POST http://localhost:4444/admin/gateways/test \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "base_url": "http://localhost:8101",
      "path": "/health",
      "method": "GET",
      "headers": {},
      "body": null
    }'

  Expected: ✅ Success (200) with status_code, latency_ms, and body

🌐 Non-Admin API Validation Testing

Tools - Public Endpoints

• Test POST /tools with XSS:

  curl -X POST http://localhost:4444/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "<script>",
      "url": "hello_world",
      "integration_type": "REST",
      "request_type": "GET"
    }'

  Expected: ❌ 422 - Validation error
  Actual: {"detail":[{"type":"value_error","loc":["body","name"],"msg":"Value error, Tool name must start with a letter and contain only letters, numbers, and underscore","input":"<script>","ctx":{"error":{}}},{"type":"value_error","loc":["body","url"],"msg":"Value error, Tool URL must start with one of: http://, https://, ws://, wss://","input":"hello_world","ctx":{"error":{}}}]}

• Test PUT /tools/{tool_id} with valid update valid-rest-tool:

  curl -X PUT http://localhost:4444/tools/eeb4a825daf145238fa902625ead8fb4 \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"description": "Updated description"}'

  Expected: ✅ Success
  Actual: {"id":"eeb4a825daf145238fa902625ead8fb4","originalName":"valid_rest_tool","url":"https://api.example.com/v1/endpoint","description":"Updated description","requestType":"POST","integrationType":"REST","headers":{"Authorization":"Bearer token"},"inputSchema":{"type":"object","properties":{}},"annotations":{},"jsonpathFilter":"","auth":null,"createdAt":"2025-07-10T22:18:26.029783","updatedAt":"2025-07-10T22:31:20.706839","enabled":true,"reachable":true,"gatewayId":null,"executionCount":0,"metrics":{"totalExecutions":0,"successfulExecutions":0,"failedExecutions":0,"failureRate":0.0,"minResponseTime":null,"maxResponseTime":null,"avgResponseTime":null,"lastExecutionTime":null},"name":"valid-rest-tool","gatewaySlug":"","originalNameSlug":"valid-rest-tool"}

Resources - Public Endpoints

• Test POST /resources with same valid/invalid payloads as admin
• Test PUT /resources/{uri:path} with path traversal:

  curl -X PUT "http://localhost:4444/resources/../../etc/passwd" \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"content": "hacked"}'

  Expected: ❌ 400 - "Invalid URI"
  Actual: {"detail":"Not Found"}
  Server: 127.0.0.1:37082 - "PUT /etc/passwd HTTP/1.1" 404

Prompts - Public Endpoints

• Test prompt execution with args:

  curl -X POST http://localhost:4444/prompts/greeting_prompt \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "Alice",
      "company": "Acme Corp"
    }'

  Expected: ✅ "Hello Alice, welcome to Acme Corp!"
  {"messages":[{"role":"user","content":{"type":"text","text":"Hello Alice, welcome to Acme Corp!"}}],"description":"Personalized greeting template"}

• Test with XSS in args:

  curl -X POST http://localhost:4444/prompts/greeting_prompt \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "Alice<script>alert(1)</script>",
      "company": "Acme Corp"
    }'

  Status: ❌ FAIL
  Expected: ❌ 422 - Args should be sanitized
  Actual: {"messages":[{"role":"user","content":{"type":"text","text":"Hello Alice<script>alert(1)</script>, welcome to Acme Corp!"}}],"description":"Personalized greeting template"}

Gateways - Public Endpoints

• Test POST /gateways with invalid name

  curl -X POST http://localhost:4444/gateways \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "<script>",
      "url": "hello_world",
      "transport": "SSE"
    }'

  Expected: ❌ 422 - Validation error
  Actual: {"detail":[{"type":"value_error","loc":["body","name"],"msg":"Value error, Gateway name can only contain letters, numbers, underscore, and hyphen. Special characters like <, >, quotes are not allowed.","input":"<script>","ctx":{"error":{}}},{"type":"value_error","loc":["body","url"],"msg":"Value error, Gateway URL must start with one of: http://, https://, ws://, wss://","input":"hello_world","ctx":{"error":{}}}]}

• Test with invalid URL:

  curl -X POST http://localhost:4444/gateways \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "test",
      "url": "hello_world",
      "transport": "SSE"
    }'

  Expected: ❌ 422 - Invalid URL format
  Actual: {"detail":[{"type":"value_error","loc":["body","url"],"msg":"Value error, Gateway URL must start with one of: http://, https://, ws://, wss://","input":"hello_world","ctx":{"error":{}}}]}

• Test with excessively long name:

  curl -X POST http://localhost:4444/gateways \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
      "url": "http://localhost:8000/sse",
      "transport_type": "SSE"
    }'

  Expected: ❌ 422 - Name too long
  Actual: {"detail":[{"type":"value_error","loc":["body","name"],"msg":"Value error, Gateway name exceeds maximum length of 255","input":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","ctx":{"error":{}}}]}

RPC Endpoint

• Valid RPC request:

  curl -X POST http://localhost:4444/rpc \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "jsonrpc": "2.0",
      "method": "tools/list",
      "params": {},
      "id": 1
    }'

  Expected: ✅ Success

• Invalid method name:

  curl -X POST http://localhost:4444/rpc \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{
      "jsonrpc": "2.0",
      "method": "<script>alert(1)</script>",
      "id": 1
    }'

  Expected: ❌ 422 - "Invalid method name format"
  Actual: {"jsonrpc":"2.0","error":{"code":-32000,"message":"Internal error","data":"Tool not found: <script>alert(1)</script>"},"id":1}

📊 API Verification from Post-Deployment Checklist

• curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/tools | jq # Lists tools
• curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/resources | jq # Lists resources
• curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/prompts | jq # Lists prompts
• curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/gateways | jq # Lists gateways
• curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/servers | jq # Lists servers
• curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/admin/tools | jq # Admin tools endpoint
• curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/admin/resources | jq # Admin resources endpoint
• curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/admin/prompts | jq # Admin prompts endpoint

📚 OpenAPI & Documentation

• curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/openapi.json | jq '.info.title' # Returns "MCP Gateway"
• curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/docs | grep -q "MCP Gateway" && echo "✓ Swagger UI loads"
• curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/redoc | grep -q "ReDoc" && echo "✓ ReDoc loads"

🔍 Edge Case Testing

Empty/Whitespace Values

• Empty string for required field:

  curl -X POST http://localhost:4444/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"name": "", "url": "https://example.com"}'

  Expected: ❌ 422 - "cannot be empty"
  Actual: {"detail":[{"type":"value_error","loc":["body","name"],"msg":"Value error, Tool name cannot be empty","input":"","ctx":{"error":{}}}]}

• Only whitespace:

  curl -X POST http://localhost:4444/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"name": "   ", "url": "https://example.com"}'

  Expected: ❌ 422 - Should be stripped and fail
  Actual: {"detail":[{"type":"value_error","loc":["body","name"],"msg":"Value error, Tool name cannot be empty","input":" ","ctx":{"error":{}}}]}

Unicode Characters

• Unicode in name:

  curl -X POST http://localhost:4444/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"name": "test_tool_🚀", "url": "https://example.com"}'

  Expected: ❌ 422 - Non-alphanumeric characters
  Actual: {"detail":[{"type":"value_error","loc":["body","name"],"msg":"Value error, Tool name must start with a letter and contain only letters, numbers, and underscore","input":"test_tool_🚀","ctx":{"error":{}}}]}

JSON Depth Limits

• Deeply nested JSON (>10 levels):

  DEEP_JSON='{"a":{"b":{"c":{"d":{"e":{"f":{"g":{"h":{"i":{"j":{"k":"too deep"}}}}}}}}}}}'
  curl -X POST http://localhost:4444/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d "{
      \"name\": \"test_tool\",
      \"url\": \"https://example.com\",
      \"inputSchema\": $DEEP_JSON
    }"

  TODO: need to make the nesting level CONFIGURABLE in the .env

Error Handling Verification

• curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/tools/nonexistent | jq '.detail' # Returns 404 "Tool not found"
• curl -sk -X POST http://localhost:4444/tools -H "Content-Type: application/json" -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" -d '{}' | jq '.detail[0].msg' # "Field required" (422 validation error)
• curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/invalid-endpoint | jq '.detail' # 404 "Not Found"

🗄️ Database & Migrations

• make db-current # Shows current revision (no pending migrations) FIXME: FAILED: No 'script_location' key found in configuration.

  alembic -c mcpgateway/alembic.ini current
  INFO  [alembic.runtime.migration] Context impl SQLiteImpl.
  INFO  [alembic.runtime.migration] Will assume non-transactional DDL.
  e75490e949b1 (head)

  FIXME: add -c mcpgateway/alembic.ini to Makefile for db-current

• sqlite3 mcp.db ".tables" | grep -E "(tools|resources|prompts)" | wc -l # Should show 3+ tables

• sqlite3 mcp.db "SELECT COUNT(*) FROM tools;" | grep -E "[0-9]+" # Has tools

📝 Log Verification

• tail -n 20 logs/mcpgateway.log | grep -c ERROR # Should be 0

  FIXME: this doesn't exist, need to add support for writing a log to a directory

• grep "Application startup complete" logs/mcpgateway.log | tail -1 # Startup logged
• grep "Created.*tool.*valid_mcp_tool" logs/mcpgateway.log # Tool creation logged

🔍 Process & Port Checks

• lsof -i :4444 | grep LISTEN | wc -l # Port 4444 is listening (should be ≥1)
• ps aux | grep "[m]cpgateway" | wc -l # Process running (should be ≥1)
• netstat -tuln | grep 4444 # Shows listening on port 4444

🐳 Container Health (if using Docker)

• make docker-run # After stopping make serve
• docker ps --filter name=mcpgateway --format "table {{.Names}}\t{{.Status}}" | grep health # Container healthy, may take 1m

  TODO: stuck in health: starting for 2m, then moves to unhealthy

• docker logs mcpgateway 2>&1 | tail -10 | grep -c ERROR # Should be 0
• docker inspect mcpgateway | jq '.[0].State.Health.Status' # Should be "healthy"

  TODO: it's unhealthy for some reason, maybe Containerfile.lite is missing a HEALTH probe for Docker.. container image has no curl

🎭 UI Verification (Admin Interface)

Test with: Chrome, Firefox, Brave, Safari, Mobile. Click all buttons, on all themes.

• Navigate to http://localhost:4444/admin/
• Verify all existing data displays correctly (no broken layouts)
• Create entities through UI with special characters
• Verify HTML entities are escaped in display: <>&"'/
• Check browser console for JavaScript errors

  Warnings: Element with id "metrics-loading" not found

• Test "Test Server Connectivity" feature # Note: FIXME: Currently has issue "Error: Invalid URL: URL is required"

Notes: hard to see the input box for a tool on dark theme.

TODO:

• Disable some prompts, etc. see if they still show up.
• Edit everything
• Activate/Deactivate tests
• Delete tests
• Browse the database, see how that looks
• Fix the /version to add version not just git revision. Fix git revision inside a container.
• Under metrics, add virtual servers/tools/resources/prompts/gateways/roots
• Add top 5 to each box as a table
• Reachable vs available. Also, why does Redis say reachable when I'm running without redis?
• The time tool shows destructive annotation. Why?!
• Add picker for associated resources and asociated prompts
• Add file upload for icon?

✅ Final Integration Test

• List all created entities:

  echo "=== Created Entities ==="
  echo "Tools: $(curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/tools | jq -r '.items[] | select(.name | test("valid_mcp_tool|valid_rest_tool|weather_api")) | .name' | tr '\n' ', ')"
  echo "Resources: $(curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/resources | jq -r '.items[] | select(.name | test("readme|app_config|user_guide")) | .name' | tr '\n' ', ')"
  echo "Prompts: $(curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/prompts | jq -r '.items[] | select(.name | test("code_analysis|greeting_prompt")) | .name' | tr '\n' ', ')"
  echo "Gateways: $(curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/gateways | jq -r '.items[] | select(.name | test("time_server|git_server")) | .name' | tr '\n' ', ')"
  echo "Servers: $(curl -sk -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/servers | jq -r '.items[] | select(.name | test("time_utilities|dev_tools|github_server")) | .name' | tr '\n' ', ')"

• All entities should be listed and active

🧹 Cleanup (Optional)

• Delete test data if needed:

  # Delete validation test entities
  curl -sk -X DELETE -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/tools/valid_mcp_tool
  curl -sk -X DELETE -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/tools/valid_rest_tool
  curl -sk -X DELETE -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/tools/weather_api
  curl -sk -X DELETE -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/prompts/greeting_prompt
  curl -sk -X DELETE -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/servers/github_server
  
  # Delete happy path entities
  curl -sk -X DELETE -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/gateways/time_server_noauth
  curl -sk -X DELETE -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/gateways/time_server_auth
  curl -sk -X DELETE -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/gateways/git_server
  curl -sk -X DELETE -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/resources/docs/readme
  curl -sk -X DELETE -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/resources/config/app
  curl -sk -X DELETE -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/prompts/code_analysis
  curl -sk -X DELETE -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/servers/time_utilities
  curl -sk -X DELETE -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" http://localhost:4444/servers/dev_tools

🚀 Performance Testing

• Measure response time for validation (should be < 10ms):

  time curl -X POST http://localhost:4444/tools \
    -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"name": "perf_test", "url": "https://example.com"}'

  Actual: jq 0.00s user 0.00s system 10% cpu 0.012 total

🚀 Helm Chart Deployment

• Deploy with helm works

  make minikube-install minikube-start minikube-dashboard
  cd charts/mcp-stack
  cp values.yaml my-values.yaml
  
  # 1. Verify the release name and namespace
  helm list -A | grep mcp-stack
  
  # 2. Uninstall the Helm release (removes Deployments, Services, Secrets created by the chart)
  helm uninstall mcp-stack -n mcp-private
  
  # 3. Delete any leftover PersistentVolumeClaims *if* you don't need the data
  kubectl delete pvc --all -n mcp-private
  
  # 4. Remove the namespace itself (skips if you want to keep it)
  kubectl delete namespace mcp-private
  
  # 5. Optional: confirm nothing is left
  helm list -A | grep mcp-stack   # should return nothing
  kubectl get ns | grep mcp-private  # should return nothing
  
  # 6. Re-create the namespace (if you deleted it)
  kubectl create namespace mcp-private
  
  # 7. Re-install the chart with your values file
  helm upgrade --install mcp-stack . \
    --namespace mcp-private \
    -f my-values.yaml \
    --wait --timeout 15m --debug
  
  # 8. Check status
  kubectl get all -n mcp-private
  helm status mcp-stack -n mcp-private --show-desc

  Note: the volume names for postgresql clash, maybe this needs to be unique!

• Deploy with ArgoCD works

  make argocd-password argocd-forward
  

🏁 Final Steps

• make pre-commit # All pre-commit hooks pass
• All GitHub Actions passed

✅ Sign-off Criteria

• All validation rules working as expected
• No XSS or injection vulnerabilities
• Error messages helpful for users
• Performance within acceptable limits (<10ms)
• UI displays all data safely # Note: "Test Server Connectivity" has known issue
• No regression in existing functionality
• All test scenarios pass

[madhav165]

Working on branch validate-admin-inputs for fixes.

[crivetimihai]

MCP Gateway Test Failures and Issues Report

🚀 Pre-Test Setup

TODOs

• Build a sample REST endpoint as well

📋 Testing and Linting

Failed Tests

• make test - ❌ Failed 2 tests:

  FAILED tests/unit/mcpgateway/test_main.py::TestHealthAndInfrastructure::test_root_redirect - assert 200 == 303
  FAILED tests/unit/mcpgateway/test_ui_version.py::test_admin_ui_contains_version_tab - assert 404 == 200
  

Notes

• This is likely because the UI was turned off in .env, but need to make the test check that this is OK
• Also means we need a LOT more /admin API tests if only 2 fail :-)
• make lint has known pylint/mypy issues
• make tomllint jsonlint yamllint - yamllint should ignore node_modules. Add make clean to template

🌟 Happy Path Testing

Notes

• Register Git Server: Trying to register the same server twice results in "message": "Unexpected error" - maybe this should be "already exists"

📊 Admin API Validation Testing

Failed Tests

Tools - Admin Endpoints

• All XSS/injection tests passed but TODO: make these error codes etc. (currently returns verbose Pydantic errors)

Resources - Admin Endpoints

• Create JSON resource (duplicate): If run again, get Internal Server Error with ResourceError: Failed to register resource: Resource already exists with URI: config/settings - need to make it more friendly
• Directory traversal: Returns generic "Internal Server Error" instead of proper validation
• Script tag in template: Returns "Internal Server Error" - this should be a different error?

Gateways - Admin Endpoints

• Create SSE gateway (duplicate): ❌ Shows raw SQL error instead of friendly message:

  {"message":"(sqlite3.IntegrityError) UNIQUE constraint failed: gateways.url\n[SQL: INSERT INTO gateways...]","success":false}
  

  • Should not show the sqlite error
  • Should just say it already exists

• Invalid transport type: ❌ FAILED - Accepted invalid transport "INVALID" and returned success

🌐 Non-Admin API Validation Testing

Failed Tests

Resources - Public Endpoints

• Path traversal: Returns 404 "Not Found" instead of expected 400 "Invalid URI"

Prompts - Public Endpoints

• XSS in args: ❌ FAILED - Expected 422 validation error but got 200 success (HTML was escaped but no validation error)

RPC Endpoint

• Invalid method name with XSS: ❌ FAILED - Expected 422 "Invalid method name format" but got "Tool not found: <script>alert(1)</script>"

📊 API Verification

Incomplete

• Admin prompts endpoint: Not tested

🔍 Edge Case Testing

TODOs

• JSON Depth Limits: Need to make the nesting level CONFIGURABLE in the .env

🗄️ Database & Migrations

FIXME

• make db-current: ❌ FAILED - "No 'script_location' key found in configuration"
  • Need to add -c mcpgateway/alembic.ini to Makefile for db-current

📝 Log Verification

FIXME

• Log file tests: ❌ All failed - logs/mcpgateway.log doesn't exist
  • Need to add support for writing a log to a directory

🐳 Container Health

TODOs

• Docker health check: ❌ Container stuck in "starting" then goes to "unhealthy"
  • Maybe Containerfile.lite is missing a HEALTH probe for Docker
  • Container image has no curl

🎭 UI Verification

Issues

• Test Server Connectivity: ❌ FIXME - Currently has issue "Error: Invalid URL: URL is required"
• Browser console: Warnings - Element with id "metrics-loading" not found
• Dark theme: Hard to see the input box for a tool on dark theme

TODOs

• Disable some prompts, etc. see if they still show up
• Edit everything
• Activate/Deactivate tests
• Delete tests
• Browse the database, see how that looks
• Fix the /version to add version not just git revision. Fix git revision inside a container
• Under metrics, add virtual servers/tools/resources/prompts/gateways/roots
• Add top 5 to each box as a table
• Reachable vs available. Also, why does Redis say reachable when I'm running without redis?
• The time tool shows destructive annotation. Why?!
• Add picker for associated resources and associated prompts
• Add file upload for icon?

🚀 Helm Chart Deployment

Notes

• The volume names for postgresql clash, maybe this needs to be unique!

📊 Summary of Critical Issues

High Priority

1. Gateway validation accepting invalid transport types
2. Prompt XSS validation not returning errors when it should
3. RPC validation not validating method names properly
4. SQL errors exposed in responses (security issue)
5. Docker container health failing

Medium Priority

1. Error messages need to be more user-friendly (not raw Pydantic/SQL errors)
2. Log file support missing
3. Database migration command broken in Makefile
4. UI dark theme visibility issues
5. Test Server Connectivity feature broken

Low Priority

1. Unit tests need updating for UI-disabled mode
2. JSON nesting depth should be configurable
3. Duplicate resource error handling improvements
4. Various UI TODOs for better user experience

[crivetimihai]

Documented here https://ibm.github.io/mcp-context-forge/testing/acceptance/ - this can be closed.