Update OIDC augmentation to ensure options requests don't require auth

Author: alukach

src/stac_auth_proxy/middleware/UpdateOpenApiMiddleware.py

@@ -62,6 +62,9 @@ def transform_json(self, data: dict[str, Any], request: Request) -> dict[str, An
         # Add security to private endpoints
         for path, method_config in data["paths"].items():
             for method, config in method_config.items():
+                # if method == "options":
+                #     # OPTIONS requests are not authenticated, https://fetch.spec.whatwg.org/#cors-protocol-and-credentials
+                #     continue
                 match = find_match(
                     path,
                     method,

tests/test_openapi.py

@@ -140,16 +140,23 @@ def test_oidc_in_openapi_spec_public_endpoints(
 
     openapi = client.get(source_api.openapi_url).raise_for_status().json()
 
-    expected_auth = {"/queryables": ["GET"]}
+    expected_required_auth = {"/queryables": ["GET"]}
     for path, method_config in openapi["paths"].items():
         for method, config in method_config.items():
             security = config.get("security")
-            if security:
-                assert path not in expected_auth
+            if method == "options":
+                assert not security, "OPTIONS requests should not be authenticated"
+            elif security:
+                assert (
+                    path not in expected_required_auth
+                ), f"Path {path} should not require authentication"
             else:
-                assert path in expected_auth
+                assert (
+                    path in expected_required_auth
+                ), f"Path {path} should require authentication"
                 assert any(
-                    method.casefold() == m.casefold() for m in expected_auth[path]
+                    method.casefold() == m.casefold()
+                    for m in expected_required_auth[path]
                 )