
[BUG]: Gateway validation accepts invalid transport types #359

@crivetimihai

Description

Priority: High (Security/Data Integrity)

Description:
The gateway creation endpoint (/admin/gateways) does not properly validate the transport field, allowing invalid values to be accepted and stored in the database. This can lead to runtime errors when attempting to use the gateway.

Steps to Reproduce:

  1. Start the MCP Gateway server with admin API enabled:

    # In .env file:
    MCPGATEWAY_UI_ENABLED=true
    MCPGATEWAY_ADMIN_API_ENABLED=true
    
    make serve
  2. Generate authentication token:

    export MCPGATEWAY_BEARER_TOKEN=$(python3 -m mcpgateway.utils.create_jwt_token -u admin --secret my-test-key)
  3. Send a request with an invalid transport type:

    curl -X POST http://localhost:4444/admin/gateways \
      -H "Authorization: Bearer $MCPGATEWAY_BEARER_TOKEN" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d 'name=test_gateway&url=http://example.com&transport=INVALID'

Expected Behavior:

  • Should return HTTP 400 or 422 status code
  • Error message should indicate that "INVALID" is not a valid transport type
  • Valid transport types should be: "SSE", "HTTP", "STDIO" (per MCP spec)
  • Consider extending with custom (ws for example, that we added).

Actual Behavior:

  • Returns HTTP 200 with success message:
    {"message":"Gateway registered successfully!","success":true}
  • Invalid transport type is stored in database
  • Subsequent attempts return duplicate error (correctly):
    {"message":"Gateway already exists with name: test_gateway","success":false}

Impact:

  • Gateways with invalid transport types cannot function properly
  • May cause runtime errors when attempting to connect to the gateway
  • Data integrity issues in the database
  • Violates MCP protocol specification

Root Cause Analysis:
The GatewayCreate schema in mcpgateway/schemas/gateway.py likely doesn't have proper validation for the transport field enum values.

Suggested Fix:

  1. Add transport type validation to GatewayCreate schema:

    from enum import Enum
    from pydantic import BaseModel, field_validator
    
    # Allowed transports; a str-based Enum keeps the stored value a plain string.
    class TransportType(str, Enum):
        SSE = "SSE"
        HTTP = "HTTP"
        STDIO = "STDIO"
    
    class GatewayCreate(BaseModel):
        # Typing the field as the Enum makes pydantic reject any value that is
        # not a member, so "INVALID" fails before it reaches the database.
        transport: TransportType = TransportType.SSE
        
        # Belt-and-braces check that produces an explicit error message listing
        # the accepted values.
        @field_validator('transport')
        @classmethod
        def validate_transport(cls, v: TransportType) -> TransportType:
            if v not in [t.value for t in TransportType]:
                raise ValueError(f"Invalid transport type: {v}. Must be one of: {', '.join([t.value for t in TransportType])}")
            return v
  2. Apply the same validation to SecureGatewayCreate if using the validation framework from [Security]: Add input validation for /admin endpoints #339
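The enum check from the suggested fix carried through end to end, as an added example (not code from the issue or the mcpgateway project; it assumes pydantic v2 and uses an assumed `WS` member for the custom transport the report mentions): the schema with an Enum-typed `transport` field, and a small handler showing how the resulting ValidationError becomes the 422 response the report expects instead of a stored bad row.

```python
# Added example, not from the issue or the mcpgateway project. Assumes pydantic v2.
from enum import Enum
from pydantic import BaseModel, ValidationError


class TransportType(str, Enum):
    SSE = "SSE"
    HTTP = "HTTP"
    STDIO = "STDIO"
    WS = "WS"  # custom transport from the report; member name is an assumption


class GatewayCreate(BaseModel):
    name: str
    url: str
    # Typing the field as the Enum is what rejects unknown values such as
    # "INVALID"; no separate validator is needed for that.
    transport: TransportType = TransportType.SSE


def register_gateway(form: dict) -> tuple[int, dict]:
    """Validate a submitted form and return (status_code, body) like the endpoint would.

    Nothing is written anywhere unless validation succeeds, so an invalid
    transport can never reach the database and fail later at connect time.
    """
    try:
        gw = GatewayCreate(**form)
    except ValidationError as exc:
        allowed = ", ".join(t.value for t in TransportType)
        problems = []
        for err in exc.errors():
            field = ".".join(str(p) for p in err["loc"])
            # Echo the submitted value so the caller sees exactly what was rejected.
            problems.append(f"{field}: {form.get(field)!r} is not valid ({err['msg']})")
        return 422, {
            "success": False,
            "message": "; ".join(problems) + f". transport must be one of: {allowed}",
        }
    return 200, {
        "success": True,
        "message": "Gateway registered successfully!",
        "transport": gw.transport.value,
    }
```

Note that the match is exact, so a lowercase `sse` is rejected too; if the form UI sends lowercase values, normalise them before constructing the model rather than loosening the Enum.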

Additional Context:

  • This issue was discovered during comprehensive input validation testing
  • The same validation should be applied to both admin (/admin/gateways) and non-admin (/gateways) endpoints
  • Test case already exists in the test suite but is currently failing

Related Issues:


Would you like me to continue with the next high-priority bug report?

Labels: bug (Something isn't working), security (Improves security), triage (Issues / Features awaiting triage)