fix: #1370 Custom Headers now are visible when editing saved servers

Signed-off-by: Aakash <[email protected]>

Author: aakashH242

CHANGELOG.md

@@ -234,6 +234,9 @@ This release delivers **REST API Passthrough Capabilities**, **API & UI Paginati
 * **Non-root Container Users** (#1231) - Added non-root user to scratch Go containers
 * **Container Runtime Detection** - Improved Docker/Podman detection in Makefile
 
+#### **💻 Admin UI Fixes** (#1370)
+* **Saved custom headers not visible** (#1370) - Fixed custom headers not visible to Admins when editing a MCP server using custom headers for auth.
+
 ### Changed
 
 #### **🗄️ Database Schema & Multi-Tenancy Enhancements** (#1246, #1273)

mcpgateway/schemas.py

@@ -3011,6 +3011,8 @@ class GatewayRead(BaseModelWithConfigDict):
     # Authorizations
     auth_type: Optional[str] = Field(None, description="auth_type: basic, bearer, headers, oauth, or None")
     auth_value: Optional[str] = Field(None, description="auth value: username/password or token or custom headers")
+    auth_headers: Optional[List[Dict[str, str]]] = Field(default=None, description="List of custom headers for authentication")
+    auth_headers_unmasked: Optional[List[Dict[str, str]]] = Field(default=None, description="Unmasked custom headers for administrative views")
 
     # OAuth 2.0 configuration
     oauth_config: Optional[Dict[str, Any]] = Field(None, description="OAuth 2.0 configuration including grant_type, client_id, encrypted client_secret, URLs, and scopes")
@@ -3023,6 +3025,10 @@ class GatewayRead(BaseModelWithConfigDict):
     auth_header_value: Optional[str] = Field(None, description="vallue for custom headers authentication")
     tags: List[str] = Field(default_factory=list, description="Tags for categorizing the gateway")
 
+    auth_password_unmasked: Optional[str] = Field(default=None, description="Unmasked password for basic authentication")
+    auth_token_unmasked: Optional[str] = Field(default=None, description="Unmasked bearer token for authentication")
+    auth_header_value_unmasked: Optional[str] = Field(default=None, description="Unmasked single custom header value")
+
     # Team scoping fields for resource organization
     team_id: Optional[str] = Field(None, description="Team ID this gateway belongs to")
     team: Optional[str] = Field(None, description="Name of the team that owns this resource")
@@ -3135,19 +3141,30 @@ def _populate_auth(self) -> Self:
             if not u or not p:
                 raise ValueError("basic auth requires both username and password")
             self.auth_username, self.auth_password = u, p
+            self.auth_password_unmasked = p
 
         elif auth_type == "bearer":
             auth = auth_value.get("Authorization")
             if not (isinstance(auth, str) and auth.startswith("Bearer ")):
                 raise ValueError("bearer auth requires an Authorization header of the form 'Bearer <token>'")
             self.auth_token = auth.removeprefix("Bearer ")
+            self.auth_token_unmasked = self.auth_token
 
         elif auth_type == "authheaders":
             # For backward compatibility, populate first header in key/value fields
-            if len(auth_value) == 0:
+            if not isinstance(auth_value, dict) or len(auth_value) == 0:
                 raise ValueError("authheaders requires at least one key/value pair")
+            self.auth_headers = [
+                {"key": str(key), "value": "" if value is None else str(value)}
+                for key, value in auth_value.items()
+            ]
+            self.auth_headers_unmasked = [
+                {"key": str(key), "value": "" if value is None else str(value)}
+                for key, value in auth_value.items()
+            ]
             k, v = next(iter(auth_value.items()))
             self.auth_header_key, self.auth_header_value = k, v
+            self.auth_header_value_unmasked = v
 
         return self
 
@@ -3182,7 +3199,23 @@ def masked(self) -> "GatewayRead":
         masked_data["auth_password"] = settings.masked_auth_value if masked_data.get("auth_password") else None
         masked_data["auth_token"] = settings.masked_auth_value if masked_data.get("auth_token") else None
         masked_data["auth_header_value"] = settings.masked_auth_value if masked_data.get("auth_header_value") else None
-
+        if masked_data.get("auth_headers"):
+            masked_data["auth_headers"] = [
+                {
+                    "key": header.get("key"),
+                    "value": settings.masked_auth_value if header.get("value") else header.get("value"),
+                }
+                for header in masked_data["auth_headers"]
+            ]
+
+        masked_data["auth_password_unmasked"] = self.auth_password_unmasked
+        masked_data["auth_token_unmasked"] = self.auth_token_unmasked
+        masked_data["auth_header_value_unmasked"] = self.auth_header_value_unmasked
+        masked_data["auth_headers_unmasked"] = (
+            [header.copy() for header in self.auth_headers_unmasked]
+            if self.auth_headers_unmasked
+            else None
+        )
         return GatewayRead.model_validate(masked_data)
 
 

mcpgateway/services/gateway_service.py

@@ -1192,7 +1192,27 @@ async def update_gateway(
 
                 # Support multiple custom headers on update
                 if hasattr(gateway_update, "auth_headers") and gateway_update.auth_headers:
-                    header_dict = {h["key"]: h["value"] for h in gateway_update.auth_headers if h.get("key")}
+                    existing_auth_raw = getattr(gateway, "auth_value", {}) or {}
+                    if isinstance(existing_auth_raw, str):
+                        try:
+                            existing_auth = decode_auth(existing_auth_raw)
+                        except Exception:
+                            existing_auth = {}
+                    elif isinstance(existing_auth_raw, dict):
+                        existing_auth = existing_auth_raw
+                    else:
+                        existing_auth = {}
+
+                    header_dict: Dict[str, str] = {}
+                    for header in gateway_update.auth_headers:
+                        key = header.get("key")
+                        if not key:
+                            continue
+                        value = header.get("value", "")
+                        if value == settings.masked_auth_value and key in existing_auth:
+                            header_dict[key] = existing_auth[key]
+                        else:
+                            header_dict[key] = value
                     gateway.auth_value = header_dict  # Store as dict for DB JSON field
                 elif settings.masked_auth_value not in (token, password, header_value):
                     # Check if values differ from existing ones or if setting for first time