[Performance]Add complete Token, JWT, OAuth authentication system (#52)

* 0.5.1 Version

* fix 0.5.1 schema async bug

* fix security bug

* fix security bug

* Add complete Token, JWT, OAuth authentication system

* Add complete Token, JWT, OAuth authentication system

* Add complete Token, JWT, OAuth authentication system

* Add complete Token, JWT, OAuth authentication system

.env.example

@@ -36,8 +36,145 @@ DORIS_MAX_CONNECTION_AGE=3600
 # Security Configuration
 # ===================================================================
 
-# Authentication configuration
+# Independent Authentication Switches - NEW DESIGN!
+# Each authentication method can be enabled/disabled independently
+# Any enabled method that succeeds will allow access
+# If all methods are disabled, anonymous access is allowed
+
+# Legacy configuration - kept for backward compatibility
+# AUTH_TYPE is now deprecated - use individual switches above
 AUTH_TYPE=token
+
+# Token Authentication (Default method - simple and effective)
+ENABLE_TOKEN_AUTH=false
+
+# JWT Authentication (For stateless applications)
+ENABLE_JWT_AUTH=false
+
+# OAuth 2.0/OIDC Authentication (For enterprise integration)
+ENABLE_OAUTH_AUTH=false
+
+# ===================================================================
+# Token Authentication Configuration (Enable with ENABLE_TOKEN_AUTH=true)
+# ===================================================================
+
+# Basic token authentication settings
+TOKEN_FILE_PATH=tokens.json
+ENABLE_TOKEN_EXPIRY=true
+DEFAULT_TOKEN_EXPIRY_HOURS=720
+TOKEN_HASH_ALGORITHM=sha256
+
+# ===================================================================
+# JWT Authentication Configuration (Enable with ENABLE_JWT_AUTH=true)
+# ===================================================================
+
+# JWT token settings (when ENABLE_JWT_AUTH=true)
+JWT_SECRET_KEY=your_jwt_secret_key_here_change_in_production
+JWT_ALGORITHM=HS256
+JWT_EXPIRATION_HOURS=24
+JWT_ISSUER=doris-mcp-server
+JWT_AUDIENCE=doris-mcp-client
+
+# JWT token validation settings
+JWT_VERIFY_SIGNATURE=true
+JWT_VERIFY_EXPIRATION=true
+JWT_VERIFY_AUDIENCE=true
+JWT_VERIFY_ISSUER=true
+
+# JWT refresh token settings
+ENABLE_JWT_REFRESH=true
+JWT_REFRESH_EXPIRATION_DAYS=30
+JWT_REFRESH_SECRET_KEY=your_jwt_refresh_secret_key_here
+
+# JWT user claims configuration
+JWT_USER_ID_CLAIM=user_id
+JWT_ROLES_CLAIM=roles
+JWT_PERMISSIONS_CLAIM=permissions
+JWT_SECURITY_LEVEL_CLAIM=security_level
+
+# ===================================================================
+# OAuth 2.0 / OpenID Connect Configuration (Enable with ENABLE_OAUTH_AUTH=true)
+# ===================================================================
+
+# OAuth provider settings (when ENABLE_OAUTH_AUTH=true)
+OAUTH_PROVIDER_TYPE=generic
+OAUTH_CLIENT_ID=your_oauth_client_id
+OAUTH_CLIENT_SECRET=your_oauth_client_secret
+OAUTH_REDIRECT_URI=http://localhost:3000/auth/callback
+
+# OAuth endpoints (for generic provider)
+OAUTH_AUTHORIZATION_URL=https://your-provider.com/auth
+OAUTH_TOKEN_URL=https://your-provider.com/token
+OAUTH_USERINFO_URL=https://your-provider.com/userinfo
+OAUTH_JWKS_URL=https://your-provider.com/.well-known/jwks.json
+
+# OAuth scope and claims
+OAUTH_SCOPE=openid profile email
+OAUTH_USER_ID_CLAIM=sub
+OAUTH_USERNAME_CLAIM=preferred_username
+OAUTH_EMAIL_CLAIM=email
+OAUTH_ROLES_CLAIM=roles
+OAUTH_GROUPS_CLAIM=groups
+
+# OAuth session settings
+OAUTH_SESSION_SECRET=your_oauth_session_secret_here
+OAUTH_SESSION_EXPIRY=3600
+OAUTH_STATE_EXPIRY=300
+
+# Popular OAuth providers presets (uncomment and configure as needed)
+
+# Google OAuth Configuration
+# OAUTH_PROVIDER_TYPE=google
+# OAUTH_CLIENT_ID=your_google_client_id.apps.googleusercontent.com
+# OAUTH_CLIENT_SECRET=your_google_client_secret
+# OAUTH_AUTHORIZATION_URL=https://accounts.google.com/o/oauth2/auth
+# OAUTH_TOKEN_URL=https://oauth2.googleapis.com/token
+# OAUTH_USERINFO_URL=https://www.googleapis.com/oauth2/v1/userinfo
+# OAUTH_JWKS_URL=https://www.googleapis.com/oauth2/v3/certs
+# OAUTH_SCOPE=openid profile email
+
+# Microsoft Azure AD Configuration
+# OAUTH_PROVIDER_TYPE=azure
+# OAUTH_CLIENT_ID=your_azure_client_id
+# OAUTH_CLIENT_SECRET=your_azure_client_secret
+# OAUTH_TENANT_ID=your_tenant_id
+# OAUTH_AUTHORIZATION_URL=https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
+# OAUTH_TOKEN_URL=https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
+# OAUTH_USERINFO_URL=https://graph.microsoft.com/v1.0/me
+# OAUTH_JWKS_URL=https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys
+# OAUTH_SCOPE=openid profile email
+
+# GitHub OAuth Configuration
+# OAUTH_PROVIDER_TYPE=github
+# OAUTH_CLIENT_ID=your_github_client_id
+# OAUTH_CLIENT_SECRET=your_github_client_secret
+# OAUTH_AUTHORIZATION_URL=https://github.com/login/oauth/authorize
+# OAUTH_TOKEN_URL=https://github.com/login/oauth/access_token
+# OAUTH_USERINFO_URL=https://api.github.com/user
+# OAUTH_SCOPE=user:email
+
+# GitLab OAuth Configuration
+# OAUTH_PROVIDER_TYPE=gitlab
+# OAUTH_CLIENT_ID=your_gitlab_client_id  
+# OAUTH_CLIENT_SECRET=your_gitlab_client_secret
+# OAUTH_AUTHORIZATION_URL=https://gitlab.com/oauth/authorize
+# OAUTH_TOKEN_URL=https://gitlab.com/oauth/token
+# OAUTH_USERINFO_URL=https://gitlab.com/api/v4/user
+# OAUTH_SCOPE=read_user
+
+# Keycloak OAuth Configuration
+# OAUTH_PROVIDER_TYPE=keycloak
+# OAUTH_CLIENT_ID=your_keycloak_client_id
+# OAUTH_CLIENT_SECRET=your_keycloak_client_secret
+# OAUTH_REALM=your_realm
+# OAUTH_SERVER_URL=https://your-keycloak-server.com
+# OAUTH_AUTHORIZATION_URL=https://your-keycloak-server.com/auth/realms/{realm}/protocol/openid-connect/auth
+# OAUTH_TOKEN_URL=https://your-keycloak-server.com/auth/realms/{realm}/protocol/openid-connect/token
+# OAUTH_USERINFO_URL=https://your-keycloak-server.com/auth/realms/{realm}/protocol/openid-connect/userinfo
+# OAUTH_JWKS_URL=https://your-keycloak-server.com/auth/realms/{realm}/protocol/openid-connect/certs
+# OAUTH_SCOPE=openid profile email
+
+# Legacy token settings (for backward compatibility)
 TOKEN_SECRET=your_secret_key_here
 TOKEN_EXPIRY=3600
 
@@ -172,7 +309,13 @@ TEMP_FILES_DIR=tmp
 #    - LOG_CLEANUP_INTERVAL_HOURS: Check frequency, recommended 24 hours
 
 # 2. Security Best Practices:
-#    - Must change TOKEN_SECRET in production environment
+#    - NEW: Enable individual authentication methods using ENABLE_TOKEN_AUTH, ENABLE_JWT_AUTH, ENABLE_OAUTH_AUTH
+#    - When all methods are disabled, ALL requests are allowed with anonymous access
+#    - Authentication methods work independently - any one succeeding allows access
+#    - Token Auth: Change default tokens (DEFAULT_ADMIN_TOKEN, etc.) in production
+#    - JWT Auth: Change JWT_SECRET_KEY and JWT_REFRESH_SECRET_KEY in production
+#    - OAuth Auth: Configure OAuth provider settings and secure client secrets
+#    - Must change TOKEN_SECRET in production environment (legacy compatibility)
 #    - Adjust BLOCKED_KEYWORDS according to business needs
 #    - Enable ENABLE_SECURITY_CHECK and ENABLE_MASKING
 
@@ -193,4 +336,43 @@ TEMP_FILES_DIR=tmp
 #    - ADBC_DEFAULT_RETURN_FORMAT: Default return format (arrow/pandas/dict, recommended: arrow)
 #    - ADBC_CONNECTION_TIMEOUT: Connection timeout for ADBC (recommended: 30)
 #    - ADBC_ENABLED: Enable or disable ADBC tools (true/false)
-#    - Prerequisites: Install adbc_driver_manager, adbc_driver_flightsql, pyarrow packages 
+#    - Prerequisites: Install adbc_driver_manager, adbc_driver_flightsql, pyarrow packages
+
+# 6. Authentication Configuration Guide - UPDATED DESIGN!
+#    
+#    Independent Authentication Control (NEW):
+#    - ENABLE_TOKEN_AUTH=false (default): Disable token authentication
+#    - ENABLE_JWT_AUTH=false (default): Disable JWT authentication  
+#    - ENABLE_OAUTH_AUTH=false (default): Disable OAuth authentication
+#    - When all methods are disabled, no authentication is required (anonymous access)
+#    - When multiple methods are enabled, any one succeeding allows access
+#    - Recommended for development/testing: all false, production: enable needed methods
+#    
+#    Token Authentication (ENABLE_TOKEN_AUTH=true) - Recommended for most use cases:
+#    - Simple and secure token-based authentication
+#    - Configurable default tokens via environment variables
+#    - Support for custom tokens via TOKEN_* environment variables
+#    - Token file configuration via tokens.json
+#    - Built-in token management HTTP endpoints
+#    - No user management complexity - pure API access control
+#    
+#    JWT Authentication (ENABLE_JWT_AUTH=true) - For stateless applications:
+#    - JSON Web Token based authentication
+#    - Configurable token expiration and refresh
+#    - Support for standard JWT claims
+#    - RSA/ECDSA/HS256 algorithm support
+#    - Suitable for microservices and distributed systems
+#    
+#    OAuth 2.0/OIDC (ENABLE_OAUTH_AUTH=true) - For enterprise integration:
+#    - Integration with external identity providers
+#    - Support for popular providers (Google, Microsoft, GitHub, GitLab, Keycloak)
+#    - OpenID Connect compatibility
+#    - Automatic user provisioning from provider
+#    - Secure authorization code flow
+#    
+#    Authentication Method Selection Guide:
+#    - No Auth (all switches false): Development, testing, trusted networks
+#    - Token Auth only: Small teams, simple deployment, direct API access
+#    - JWT Auth only: Stateless apps, microservices, mobile clients
+#    - OAuth Auth only: Enterprise SSO, large teams, external identity providers
+#    - Multiple methods: Flexible access, different client types, migration scenarios