Add Bearer token authentication for HTTP transport security

[0x5un5h1n3]

Summary

DBHub currently lacks authentication for HTTP transport, which means anyone with the server URL can access the database. This poses a significant security risk if URLs are leaked or exposed.

Problem

• HTTP MCP endpoints are completely unprotected
• Database access is available to anyone with the URL
• No way to secure database connections in production environments
• Risk of data exposure if URLs leak

Proposed Solution

Implement Bearer token authentication following industry standards:

• Authorization: Bearer <token> header validation
• Support for CLI arguments, environment variables, and file-based tokens
• Backwards compatible (optional by default, required with --require-auth)
• Constant-time token comparison to prevent timing attacks
• Proper HTTP status codes (401/403)

Implementation Details

• Add token configuration functions in src/config/env.ts
• Implement authentication middleware in src/server.ts
• Update CORS headers to support Authorization header
• Add comprehensive tests for all authentication scenarios
• Update documentation with security best practices

Usage Examples

# Optional authentication
npx @bytebase/dbhub --transport http --auth-token "secret123"

# Required authentication
npx @bytebase/dbhub --transport http --auth-token "secret123" --require-auth

# Token from file
npx @bytebase/dbhub --transport http --auth-token-file "/path/token.txt"

MCP Client Configuration

{
  "mcpServers": {
    "secure-dbhub": {
      "type": "http",
      "url": "http://localhost:8080/message",
      "headers": {
        "Authorization": "Bearer secret123"
      }
    }
  }
}

Security Benefits

• Prevents unauthorized database access
• Protects against URL leakage vulnerabilities
• Industry-standard Bearer token implementation
• Compatible with all MCP clients
• Production-ready security

Environment

• DBHub version: 0.9.0
• Node.js version: 18+
• Affects: HTTP transport only (STDIO uses process-level security)

Priority

High - This is a critical security feature needed for production deployments.

[tianzhou]

The MCP spec about auth is still in progress https://modelcontextprotocol.io/specification/draft/basic/authorization

We will hold off on any auth related implementation.

[tianzhou]

dbhub interacts with the underlying DB via raw SQL directly instead of using API. Thus there is no bear token like authentication mechanism (unless dbhub goes through a API middleware like PostgREST for PG).

The latest MCP spec (2025-06-18) mentioned Authorization is optional https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization. For dbhub, we don't plan to implement it, and instead delegate this to other middleware such as fastmcp.