Basic auth

[pedro-cf]

Related Issue(s):

• https://github.com/stac-utils/stac-fastapi-elasticsearch-opensearch/issues/225

Description:

• Basic authentication for stac-fastapi-elasticsearch-opensearch
• Basic authentication tests
• docker-compose examples for basic authentication

  Basic Auth

Environment Variable Configuration

Basic authentication is an optional feature. You can enable it by setting the environment variable BASIC_AUTH as a JSON string.

Example:

BASIC_AUTH={"users":[{"username":"user","password":"pass","permissions":"*"}]}

User Permissions Configuration

In order to set endpoints with specific access permissions, you can configure the users key with a list of user objects. Each user object should contain the username, password, and their respective permissions.

Example: This example illustrates the configuration for two users: an admin user with full permissions (*) and a reader user with limited permissions to specific read-only endpoints.

{
    "users": [
        {
            "username": "admin",
            "password": "admin",
            "permissions": "*"
        },
        {
            "username": "reader",
            "password": "reader",
            "permissions": [
                {"path": "/", "method": ["GET"]},
                {"path": "/conformance", "method": ["GET"]},
                {"path": "/collections/{collection_id}/items/{item_id}", "method": ["GET"]},
                {"path": "/search", "method": ["GET", "POST"]},
                {"path": "/collections", "method": ["GET"]},
                {"path": "/collections/{collection_id}", "method": ["GET"]},
                {"path": "/collections/{collection_id}/items", "method": ["GET"]},
                {"path": "/queryables", "method": ["GET"]},
                {"path": "/queryables/collections/{collection_id}/queryables", "method": ["GET"]},
                {"path": "/_mgmt/ping", "method": ["GET"]}
            ]
        }
    ]
}

Public Endpoints Configuration

In order to set endpoints with public access, you can configure the public_endpoints key with a list of endpoint objects. Each endpoint object should specify the path and method of the endpoint.

Example: This example demonstrates the configuration for public endpoints, allowing access without authentication to read-only endpoints.

{
    "public_endpoints": [
        {"path": "/", "method": "GET"},
        {"path": "/conformance", "method": "GET"},
        {"path": "/collections/{collection_id}/items/{item_id}", "method": "GET"},
        {"path": "/search", "method": "GET"},
        {"path": "/search", "method": "POST"},
        {"path": "/collections", "method": "GET"},
        {"path": "/collections/{collection_id}", "method": "GET"},
        {"path": "/collections/{collection_id}/items", "method": "GET"},
        {"path": "/queryables", "method": "GET"},
        {"path": "/queryables/collections/{collection_id}/queryables", "method": "GET"},
        {"path": "/_mgmt/ping", "method": "GET"}
    ],
    "users": [
        {
            "username": "admin",
            "password": "admin",
            "permissions": "*"
        }
    ]
}

Docker Compose Configurations

See docker-compose.basic_auth_protected.yml and docker-compose.basic_auth_public.yml for basic authentication configurations.

PR Checklist:

• [x] Code is formatted and linted (run pre-commit run --all-files)
• [x] Tests pass (run make test)
• [x] Documentation has been updated to reflect changes, if applicable
• [x] Changes are added to the changelog