bcgov · braydencstratusadv · Mar 1, 2026 · Jan 19, 2026 · Jan 20, 2026 · Jan 20, 2026
diff --git a/.github/github_settings.py b/.github/github_settings.py
@@ -617,9 +617,22 @@ def get_env_variable(var_name, default=None):
 # This is the default if source isn't set as a parameter in the request
 TILESERVER_URL = "https://openmaps.gov.bc.ca/"
 BC_TILESERVER_URLS = {
-    "maps": "https://maps.gov.bc.ca/",
-    "openmaps": TILESERVER_URL,
-    "local": "http://localhost:7800/",
+    "maps": {
+        "url": "https://maps.gov.bc.ca/",
+        "use_outbound_proxy": True,  # Use outbound proxy for this source
+    },
+    "openmaps": {
+        "url": TILESERVER_URL,
+        "use_outbound_proxy": True,  # Use outbound proxy for this source
+    },
+    "local": {
+        "url": get_env_variable("TILESERVER_LOCAL_URL"),
+        "use_outbound_proxy": False,  # Local doesn't need outbound proxy
+    },
+    "local-feature": {
+        "url": get_env_variable("FEATURESERVER_LOCAL_URL"),
+        "use_outbound_proxy": False,  # Local doesn't need outbound proxy
+    },
 }
 
 AUTH_BYPASS_HOSTS = get_env_variable("AUTH_BYPASS_HOSTS", default="localhost")

diff --git a/README.QGIS.md b/README.QGIS.md
@@ -0,0 +1,94 @@
+## Using Arches w/ QGIS
+### Strategy
+1. Use `pg_tileserv` for general site / site visit visibility. This can't be used to push geometries back to server
+2. Use `pg_featureserv` to get actual GeoJSON geometry for editing / pushing back to the server.
+3. Modify app proxy to host `pg_featuresrf`
+
+### 1. Installing 
+1. Download qgis_testing_package.zip file
+2. Uncompress qgis_testing_package.zip file this will have several files in it:
+   1. arches_project.zip - Arches plugin 
+   1. basemap_config.xml - WMS config for the BC Roads basemap and Borden Grid
+   2. bcap_wfs_config.xml - WFS config for BCAP features - both DLVR & TEST
+   3. oauth_config.xml - OAuth config for DLVR & TEST
+2. Install the Arches Plugin:
+   1. Start QGIS
+   2. Select Plugins -> Manage and Install Plugins...
+   3. Select Install from ZIP from LHS menu
+   4. Select the arches_project.zip file in the ZIP file box
+   5. Press Install Plugin button
+      1. Select "Yes" when the security warning comes up
+   6. Click "Installed" from the LHS menu and ensure "Arches Project" checkbox is checked
+   7. Close Window
+3. Install OAuth configuration (password required)
+   1. Select Settings -> Options... from top menu
+   2. Select Authentication on the LHS menu
+   3. Click Utilities button in the bottom right
+   4. Select Import Authentication Configurations from File...
+   5. Navigate to `qgis_testing_package/oauth_config.xml` and select the file
+   6. Click the Open button
+   7. Enter password provided
+   8. Click OK
+   9. NB - nothing will show up in the window. You can re-open the Autentication settings to confirm they are there. There should be 2 - One for TEST and one for DLVR
+4. Import the BCAP WFS configurations
+   1. Open the Layer -> Data Source Manager menu item
+   2. Select the WFS / OGC API - Features in the LHS menu
+   3. Press the Load button in the top right
+   4. Navigate to the `qgis_testing_package/bcap_wfs_config.xml` file and select it
+   5. Click the Open button
+   6. Press the Select All button in the popup window
+   7. Press the Import button
+   8. You will see the Server connections dropdown list populated with those two connections
+   9. Select the BCAP Features - DLVR option
+   10. Press the Edit button
+   11. In the Authentication -> Configurations tab select the BCAP - Django OAuth Toolkit - DLVR (OAuth2) option
+   12. Press OK
+   13. Repeat steps ix->xii, substituting TEST for DLVR in all steps
+5. Import the WMS configurations
+   1. Select WMS/WMTS in the LHS menu
+   2. Press the Load button in the top right of the window
+   3. Navigate to the `qgis_testing_package/basemap_config.xml` file and select it
+   4. Click the Open button
+   5. Press the Select All button in the popup window
+   6. Press the Import button
+   7. You will see the Server connections dropdown list populated with those two connections
+6. You're done!
+
+### 2. Logging into QGIS plugin using OAuth
+1. Login to Arches in your _default_ web browser (QGIS will )
+2. Click Arches from plugin
+3. Select Authentication method from list
+4. Browser window should appear for OAuth process
+5. You should see auth window with your information
+
+### 2. Map layers
+- pg_tileserv layer (Vector Tile): `http://<hostname>/bcap/bctileserver/public.geojson_geometries/{z}/{x}/{y}.pbf?source=local`
+- pg_featureserv layer (OGC API): `http://<hostname>/bcap/bctileserver/?source=local-feature`
+- Borden Grid (Vector Tile): `https://openmaps.gov.bc.ca/geo/pub/WHSE_ARCHAEOLOGY.RAAD_BORDENGRID/ows?service=WMS&request=GetCapabilities`
+- BC Roads Basemap (WMS):  `https://maps.gov.bc.ca/arcserver/services/Province/roads_wm/MapServer/WMSServer`
+
+### 3. How to copy feature to push back to server
+    1. Select feature from pg_featureserv layer
+    2. Copy feature
+    3. Paste feature as -> Temporary Scratch layer
+    4. Toggle "Make layer editable"
+    4. Edit feature
+    5. Select feature
+    6. In Arches Project tab, confirm the feature selected matches the one you want to update
+    7. Click "Replace geometry"
+
+### 4. TO DO
+1. confirm tileserv and featuresrv authentiation/authorization
+2. Can we (they) create an Action on the featuresrv to automate the copy?
+8. Confirm edits are logged w/ user that made the changes
+
+### 4. Issues
+- Can't download full Site / Site Visit set of geometries - way too big
+- More than one feature is being copied back to the server? Need to look at copy geometry process.
+- featuresrv and tileserv are displaying project boundary geometry.
+- OAuth access token is currently valid for a week. Can this be configured to be e24h?
+- Can't currently create resources because geometries aren't top-level objects. Maybe we can do a different endpoint for this?
+- When pushing a geometry up to BCAP, if the tile isn't in a state that it can be saved, a 500 error is returned. Maybe we can put a card-level trigger to set the edit type?
+
+### 6. Other notes / findings / Gotchas 
+- Filters can't be used directly on the Layer, it must be done on the Connection otherwise the OAuth config is lost
diff --git a/bcap/management/commands/ensure_bcrhp_oauth.py b/bcap/management/commands/ensure_bcrhp_oauth.py
diff --git a/bcap/management/commands/oauth_provider_config.py b/bcap/management/commands/oauth_provider_config.py
@@ -0,0 +1,126 @@
+"""
+ARCHES - a program developed to inventory and manage immovable cultural heritage.
+Copyright (C) 2013 J. Paul Getty Trust and World Monuments Fund
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+"""
+
+import os
+from django.core.management import CommandError
+from django.core.management.base import BaseCommand
+from oauth2_provider.models import Application
+
+
+class Command(BaseCommand):
+    """
+    Commands for adding the BCAP API OAuth2 provider configuration.
+    This requires the following environment variables to be set:
+    1. BCRHP_API_CLIENT_ID
+    2. BCRHP_API_CLIENT_SECRET (only if the config doesn't exist yet)
+
+    """
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "-cid",
+            "--client-id",
+            action="store",
+            dest="client_id",
+            help="Well known client id for the OAUTH2 provider.",
+        )
+        parser.add_argument(
+            "-cn",
+            "--config-name",
+            action="store",
+            dest="config_name",
+            help="Name of the OAuth2 provider configuration. Must be unique in the configurations.",
+        )
+        parser.add_argument(
+            "-ct",
+            "--client-type",
+            action="store",
+            dest="client_type",
+            default="confidential",
+            help="Client type. One of 'confidential' or 'public'.",
+        )
+        parser.add_argument(
+            "-gt",
+            "--grant-type",
+            action="store",
+            dest="grant_type",
+            default="confidential",
+            help="Authorization grant type. One of 'authorization-code', 'client-credentials', ...",
+        )
+        parser.add_argument(
+            "-ru",
+            "--redirect-uris",
+            action="store",
+            dest="redirect_uris",
+            default="",
+            help="Valid redirect URIs for the OAuth2 provider. Comma separated.",
+        )
+        parser.add_argument(
+            "-ao",
+            "--allowed_origins",
+            action="store",
+            dest="allowed_origins",
+            default="",
+            help="Allowed origins for CORS requests. Comma separated.",
+        )
+        parser.add_argument(
+            "-ha",
+            "--hash",
+            action="store_true",
+            dest="hash_secret",
+            default=True,
+            help="Whether to hash the client secret.",
+        )
+
+    def handle(self, *args, **options):
+        client_secret = os.environ.get("CLIENT_SECRET")
+        if not client_secret:
+            print(
+                "CLIENT_SECRET environment variable must be set to create new OAuth2 provider configuration."
+            )
+            raise CommandError(
+                "CLIENT_SECRET environment variable must be set to create new OAuth2 provider configuration."
+            )
+        apps = Application.objects.filter(name=options["config_name"]).all()
+        if len(apps) == 0:
+            add_oauth_config(client_secret, options)
+        elif len(apps) > 1:
+            print(
+                "More than one BCRHP API application found. Please delete the extra applications."
+            )
+        else:
+            update_oauth_secret(apps[0], client_secret)
+
+
+def add_oauth_config(client_secret, options):
+    app = Application()
+    app.name = options["config_name"]
+    app.client_id = options["client_id"]
+    app.client_type = options["client_type"]
+    app.authorization_grant_type = options["grant_type"]
+    app.redirect_uris = options["redirect_uris"]
+    app.allowed_origins = options["allowed_origins"]
+    app.client_secret = client_secret
+    app.skip_authorization = False
+    app.hash_client_secret = True
+    app.save()
+
+
+def update_oauth_secret(app, client_secret):
+    app.client_secret = client_secret
+    app.save()
diff --git a/bcap/migrations/855_add_qgis_views.py b/bcap/migrations/855_add_qgis_views.py
@@ -0,0 +1,34 @@
+# Generated by Django 5.2.5 on 2026-01-21 00:29
+
+import django_migrate_sql.operations
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("bcap", "1182c_add_cross_model_advanced_search"),
+    ]
+
+    operations = [
+        django_migrate_sql.operations.CreateSQL(
+            name="bc_labelled_site_visit_geometries",
+            sql="create or replace view public.bc_labelled_site_visit_geometries as\n(\nselect re.name ->> 'en' resource_name, g.*\nfrom geojson_geometries g\n         join (select re2.*\n               from resource_instances re2\n                        join graphs g on re2.graphid = g.graphid and\n                                         g.slug = 'site_visit') re\n              on g.resourceinstanceid = re.resourceinstanceid);\n",
+            reverse_sql="drop view bc_labelled_site_visit_geometries;",
+        ),
+        django_migrate_sql.operations.CreateSQL(
+            name="bc_labelled_geojson_geometries",
+            sql="create or replace view public.bc_labelled_geojson_geometries as\n(\nselect re.name ->> 'en' resource_name, g.*\nfrom geojson_geometries g\n         join (select re2.*\n               from resource_instances re2\n                        join graphs g on re2.graphid = g.graphid and\n                                         g.slug in ('archaeological_site', 'site_visit', 'sandcastle')) re\n              on g.resourceinstanceid = re.resourceinstanceid);\n",
+            reverse_sql="drop view bc_labelled_geojson_geometries;",
+        ),
+        django_migrate_sql.operations.CreateSQL(
+            name="bc_labelled_sandcastle_geometries",
+            sql="create or replace view public.bc_labelled_sandcastle_geometries as\n(\nselect re.name ->> 'en' resource_name, g.*\nfrom geojson_geometries g\n         join (select re2.*\n               from resource_instances re2\n                        join graphs g on re2.graphid = g.graphid and\n                                         g.slug = 'sandcastle') re\n              on g.resourceinstanceid = re.resourceinstanceid);\n",
+            reverse_sql="drop view bc_labelled_sandcastle_geometries;",
+        ),
+        django_migrate_sql.operations.CreateSQL(
+            name="bc_labelled_site_geometries",
+            sql="create or replace view public.bc_labelled_site_geometries as\n(\nselect re.name ->> 'en' resource_name, g.*\nfrom geojson_geometries g\n         join (select re2.*\n               from resource_instances re2\n                        join graphs g on re2.graphid = g.graphid and\n                                         g.slug = 'archaeological_site') re\n              on g.resourceinstanceid = re.resourceinstanceid);\n",
+            reverse_sql="drop view bc_labelled_site_geometries;",
+        ),
+    ]
diff --git a/bcap/migrations/sql/views/bc_labelled_geojson_geometries.sql b/bcap/migrations/sql/views/bc_labelled_geojson_geometries.sql
@@ -0,0 +1,9 @@
+create or replace view public.bc_labelled_geojson_geometries as
+(
+select re.name ->> 'en' resource_name, g.*
+from geojson_geometries g
+         join (select re2.*
+               from resource_instances re2
+                        join graphs g on re2.graphid = g.graphid and
+                                         g.slug in ('archaeological_site', 'site_visit', 'sandcastle')) re
+              on g.resourceinstanceid = re.resourceinstanceid);
diff --git a/bcap/migrations/sql/views/bc_labelled_sandcastle_geometries.sql b/bcap/migrations/sql/views/bc_labelled_sandcastle_geometries.sql
@@ -0,0 +1,9 @@
+create or replace view public.bc_labelled_sandcastle_geometries as
+(
+select re.name ->> 'en' resource_name, g.*
+from geojson_geometries g
+         join (select re2.*
+               from resource_instances re2
+                        join graphs g on re2.graphid = g.graphid and
+                                         g.slug = 'sandcastle') re
+              on g.resourceinstanceid = re.resourceinstanceid);
diff --git a/bcap/migrations/sql/views/bc_labelled_site_geometries.sql b/bcap/migrations/sql/views/bc_labelled_site_geometries.sql
@@ -0,0 +1,9 @@
+create or replace view public.bc_labelled_site_geometries as
+(
+select re.name ->> 'en' resource_name, g.*
+from geojson_geometries g
+         join (select re2.*
+               from resource_instances re2
+                        join graphs g on re2.graphid = g.graphid and
+                                         g.slug = 'archaeological_site') re
+              on g.resourceinstanceid = re.resourceinstanceid);