Skip to content

feat(auth-extension): annotate links with auth:refs if#138

Merged
alukach merged 1 commit intomainfrom
fix/auth-refs-links
Apr 23, 2026
Merged

feat(auth-extension): annotate links with auth:refs if#138
alukach merged 1 commit intomainfrom
fix/auth-refs-links

Conversation

@alukach
Copy link
Copy Markdown
Member

@alukach alukach commented Mar 7, 2026
edited
Loading

What I'm changing

Links in STAC responses now receive auth:refs annotations when they point to endpoints protected by a CQL2 filter (items_filter or collections_filter), even when default_public=true. Previously, filter-protected endpoints were advertised as public in link metadata, misleading clients about which requests require authentication.

This PR also renames MatchResult.is_private to MatchResult.uses_auth, which better describes the semantics — an endpoint may be nominally public yet still invoke the auth pipeline because a filter is applied.

How I did it

  • Added items_filter_path and collections_filter_path parameters to the shared find_match() utility in utils/requests.py. When a path matches either pattern, find_match now returns MatchResult(uses_auth=True) regardless of default_public.
  • Threaded the two filter paths through app.py into AuthenticationExtensionMiddleware, so link annotation uses the same matching logic as the OpenAPI middleware.
  • Replaced match.is_private checks with match.uses_auth in AuthenticationExtensionMiddleware and EnforceAuthMiddleware.
  • Removed the duplicated _path_has_filter helper from UpdateOpenApiMiddleware; that logic now lives in find_match().
  • Added a TestFilterPathAnnotation test class covering: items-filter match, collections-filter match, both filters together, non-matching links, no filters configured, and absolute-URL hrefs.

How you can test it

  1. Configure the proxy with default_public=true and set items_filter (and/or collections_filter) to a CQL2 filter generator.
  2. Request a collection document, e.g. GET /collections/{id}.
  3. Confirm that the items link in the response now includes "auth:refs": ["<your auth scheme name>"], while unprotected links (e.g. self, root) do not.
  4. Repeat against the catalog root (GET /) with collections_filter configured and confirm the data link carries auth:refs.
  5. Run pytest tests/test_auth_extension.py -k TestFilterPathAnnotation to exercise the new test cases.

@github-actions github-actions Bot added the fix label Mar 7, 2026
@alukach alukach changed the title fix(auth-extension): annotate links with auth:refs if feat(auth-extension): annotate links with auth:refs if Apr 23, 2026
@alukach alukach marked this pull request as ready for review April 23, 2026 21:07
@github-actions github-actions Bot added feat and removed fix labels Apr 23, 2026
@alukach alukach merged commit 2109a4b into main Apr 23, 2026
8 checks passed
@alukach alukach deleted the fix/auth-refs-links branch April 23, 2026 21:07
@ds-release-bot ds-release-bot Bot mentioned this pull request Apr 23, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

feat

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@alukach