mcp-any-rest

1. Critical: Web Configuration Server Lacks Authentication/Authorization: The /config endpoints exposed by WebServer in src/config/web.rs (e.g., /config, /config/presets, /config/modules, /config/server) do not appear to implement any authentication or authorization. This means anyone with network access to the server (default 127.0.0.1:8082) can read, modify, and delete all server configurations, including sensitive upstream API credentials, module enablement, and server settings, allowing arbitrary control over the gateway. 2. High: Disables SSL Certificate Validation: `danger_accept_invalid_certs(true)` is explicitly used in `reqwest` clients (`src/services/auth_service/auth_factory.rs`, `src/services/auth_service/unified_auth_service.rs`). This is a severe vulnerability as it allows for trivial man-in-the-middle attacks, compromising the confidentiality and integrity of communication with upstream APIs. This should never be enabled in production. 3. Sensitive Data in Configuration Files: Authentication credentials (tokens, API keys, usernames/passwords) can be stored directly in `config.json` or module configuration files. Without encryption at rest or secure access controls for these files, they are vulnerable to local compromise. 4. Error Message Disclosure: Login failure messages in `LoginAuthStrategyImpl` can expose internal details (`Login failed with status {}: {}`) potentially aiding attackers.