fix: prevent sending automatic accept-encoding headers upstream

alukach · alukach · commit 1189f9736f71 · 2025-03-18T23:23:21.000-07:00
diff --git a/src/stac_auth_proxy/handlers/reverse_proxy.py b/src/stac_auth_proxy/handlers/reverse_proxy.py
@@ -44,6 +44,12 @@ async def proxy_request(self, request: Request) -> httpx.Response:
             headers=headers,
             content=request.stream(),
         )
+
+        # NOTE: HTTPX adds headers, so we need to trim them before sending request
+        for h in rp_req.headers:
+            if h not in headers:
+                del rp_req.headers[h]
+
         logger.debug(f"Proxying request to {rp_req.url}")
 
         start_time = time.perf_counter()
diff --git a/tests/test_authn.py b/tests/test_authn.py
@@ -112,79 +112,3 @@ def test_scopes(
     )
     expected_status_code = 200 if expected_permitted else 401
     assert response.status_code == expected_status_code
-
-
-# @pytest.mark.parametrize(
-#     "is_valid, path, method",
-#     [
-#         *[
-#             [True, *endpoint_method]
-#             for endpoint_method in [
-#                 ["/collections", "POST"],
-#                 ["/collections/foo", "PUT"],
-#                 ["/collections/foo", "PATCH"],
-#                 ["/collections/foo/items", "POST"],
-#                 ["/collections/foo/items/bar", "PUT"],
-#                 ["/collections/foo/items/bar", "PATCH"],
-#             ]
-#         ],
-#         *[
-#             [False, *endpoint_method]
-#             for endpoint_method in [
-#                 ["/collections/foo", "DELETE"],
-#                 ["/collections/foo/items/bar", "DELETE"],
-#             ]
-#         ],
-#     ],
-# )
-# def test_scopes(source_api_server, token_builder, is_valid, path, method):
-#     """Private endpoints permit access with a valid token."""
-#     test_app = app_factory(
-#         upstream_url=source_api_server,
-#         default_public=True,
-#         private_endpoints={
-#             r"^/collections$": [
-#                 ("POST", ["collections:create"]),
-#             ],
-#             r"^/collections/([^/]+)$": [
-#                 # ("PUT", ["collections:update"]),
-#                 # ("PATCH", ["collections:update"]),
-#                 ("DELETE", ["collections:delete"]),
-#             ],
-#             r"^/collections/([^/]+)/items$": [
-#                 ("POST", ["items:create"]),
-#             ],
-#             r"^/collections/([^/]+)/items/([^/]+)$": [
-#                 # ("PUT", ["items:update"]),
-#                 # ("PATCH", ["items:update"]),
-#                 ("DELETE", ["items:delete"]),
-#             ],
-#             r"^/collections/([^/]+)/bulk_items$": [
-#                 ("POST", ["items:create"]),
-#             ],
-#         },
-#     )
-#     valid_auth_token = token_builder(
-#         {
-#             "scopes": " ".join(
-#                 [
-#                     "collection:create",
-#                     "items:create",
-#                     "collections:update",
-#                     "items:update",
-#                 ]
-#             )
-#         }
-#     )
-#     client = TestClient(test_app)
-
-#     response = client.request(
-#         method=method,
-#         url=path,
-#         headers={"Authorization": f"Bearer {valid_auth_token}"},
-#         json={} if method != "DELETE" else None,
-#     )
-#     if is_valid:
-#         assert response.status_code == 200
-#     else:
-#         assert response.status_code == 403
diff --git a/tests/test_filters_jinja2.py b/tests/test_filters_jinja2.py
@@ -1,14 +1,11 @@
 """Tests for Jinja2 CQL2 filter (simplified for readability)."""
 
 import json
-from typing import cast
-from unittest.mock import MagicMock
 
 import cql2
 import pytest
 from fastapi.testclient import TestClient
-from httpx import Request
-from utils import AppFactory, parse_query_string
+from utils import AppFactory, get_upstream_request
 
 FILTER_EXPR_CASES = [
     pytest.param(
@@ -148,14 +145,6 @@ def _build_client(
     return TestClient(app, headers=headers)
 
 
-async def _get_upstream_request(mock_upstream: MagicMock):
-    """Fetch the raw body and query params from the single upstream request."""
-    assert mock_upstream.call_count == 1
-    [request] = cast(list[Request], mock_upstream.call_args[0])
-    req_body = request._streamed_body
-    return req_body.decode(), parse_query_string(request.url.query.decode("utf-8"))
-
-
 @pytest.mark.parametrize(
     "filter_template_expr, expected_auth_filter, expected_anon_filter",
     FILTER_EXPR_CASES,
@@ -182,8 +171,8 @@ async def test_search_post(
     response.raise_for_status()
 
     # Retrieve the JSON body that was actually sent upstream
-    proxied_body_str = (await _get_upstream_request(mock_upstream))[0]
-    proxied_body = json.loads(proxied_body_str)
+    proxied_request = await get_upstream_request(mock_upstream)
+    proxied_body = json.loads(proxied_request.body)
 
     # Determine the expected combined filter
     proxy_filter = cql2.Expr(
@@ -231,8 +220,8 @@ async def test_search_get(
     response.raise_for_status()
 
     # For GET, we expect the upstream body to be empty, but URL params to be appended
-    proxied_body, upstream_query = await _get_upstream_request(mock_upstream)
-    assert proxied_body == ""
+    proxied_request = await get_upstream_request(mock_upstream)
+    assert proxied_request.body == ""
 
     # Determine the expected combined filter
     proxy_filter = cql2.Expr(
@@ -253,7 +242,7 @@ async def test_search_get(
         "filter-lang": filter_lang,
     }
     assert (
-        upstream_query == expected_output
+        proxied_request.query_params == expected_output
     ), "GET query should combine filter expressions."
 
 
@@ -284,15 +273,15 @@ async def test_items_list(
     response.raise_for_status()
 
     # For GET items, we also expect an empty body and appended querystring
-    proxied_body, proxied_query = await _get_upstream_request(mock_upstream)
-    assert proxied_body == ""
+    proxied_request = await get_upstream_request(mock_upstream)
+    assert proxied_request.body == ""
 
     # Only the appended filter (no input_filter merges in these particular tests),
     # but you could do similar merging logic if needed.
     proxy_filter = cql2.Expr(
         expected_auth_filter if is_authenticated else expected_anon_filter
     )
-    assert proxied_query == {
+    assert proxied_request.query_params == {
         "filter-lang": "cql2-text",
         "filter": (
             proxy_filter + cql2.Expr(qs_filter)
diff --git a/tests/test_proxy.py b/tests/test_proxy.py
@@ -0,0 +1,40 @@
+"""Test authentication cases for the proxy app."""
+
+from fastapi.testclient import TestClient
+from utils import AppFactory, get_upstream_request
+
+app_factory = AppFactory(
+    oidc_discovery_url="https://example-stac-api.com/.well-known/openid-configuration",
+    default_public=True,
+    public_endpoints={},
+    private_endpoints={},
+)
+
+
+async def test_proxied_headers_no_encoding(source_api_server, mock_upstream):
+    """Clients that don't accept encoding should not receive it."""
+    test_app = app_factory(upstream_url=source_api_server)
+
+    client = TestClient(test_app)
+    req = client.build_request(method="GET", url="/", headers={})
+    for h in req.headers:
+        if h in ["accept-encoding"]:
+            del req.headers[h]
+    client.send(req)
+
+    proxied_request = await get_upstream_request(mock_upstream)
+    assert "accept-encoding" not in proxied_request.headers
+
+
+async def test_proxied_headers_with_encoding(source_api_server, mock_upstream):
+    """Clients that do accept encoding should receive it."""
+    test_app = app_factory(upstream_url=source_api_server)
+
+    client = TestClient(test_app)
+    req = client.build_request(
+        method="GET", url="/", headers={"accept-encoding": "gzip"}
+    )
+    client.send(req)
+
+    proxied_request = await get_upstream_request(mock_upstream)
+    assert proxied_request.headers.get("accept-encoding") == "gzip"
diff --git a/tests/utils.py b/tests/utils.py
@@ -2,10 +2,12 @@
 
 import json
 from dataclasses import dataclass
-from typing import Callable
+from typing import Callable, cast
+from unittest.mock import MagicMock
 from urllib.parse import parse_qs, unquote
 
 import httpx
+from httpx import Headers, Request
 
 from stac_auth_proxy import Settings, create_app
 
@@ -68,3 +70,24 @@ def parse_query_string(qs: str) -> dict:
             result[key] = unquote(value)
 
     return result
+
+
+async def get_upstream_request(mock_upstream: MagicMock) -> "UpstreamRequest":
+    """Fetch the raw body and query params from the single upstream request."""
+    assert mock_upstream.call_count == 1
+    [request] = cast(list[Request], mock_upstream.call_args[0])
+    req_body = request._streamed_body
+    return UpstreamRequest(
+        body=req_body.decode(),
+        query_params=parse_query_string(request.url.query.decode("utf-8")),
+        headers=request.headers,
+    )
+
+
+@dataclass
+class UpstreamRequest:
+    """The raw body and query params from the single upstream request."""
+
+    body: str
+    query_params: dict
+    headers: Headers
