-**`HEALTHZ_PREFIX`**, path prefix for health check endpoints
88
-
-**Type:** string
89
-
-**Required:** No, defaults to `/healthz`
90
-
-**Example:**`''` (disabled)
91
-
-**`OVERRIDE_HOST`**, override the host header for the upstream API
92
-
-**Type:** boolean
93
-
-**Required:** No, defaults to `true`
94
-
-**Example:**`false`, `1`, `True`
95
-
-**`ROOT_PATH`**, path prefix for the proxy API
96
-
-**Type:** string
97
-
-**Required:** No, defaults to `''` (root path)
98
-
-**Example:**`/api/v1`
99
-
-**Note:** This is independent of the upstream API's path. The proxy will handle removing this prefix from incoming requests and adding it to outgoing links.
- **`PUBLIC_ENDPOINTS`**, endpoints explicitly marked as not requiring authentication, used when `DEFAULT_PUBLIC == False`
126
-
- **Type:** JSON object mapping regex patterns to HTTP methods
127
-
- **Required:** No, defaults to the following:
128
-
```json
129
-
{
130
-
"^/api.html$": ["GET"],
131
-
"^/api$": ["GET"],
132
-
"^/docs/oauth2-redirect": ["GET"],
133
-
"^/healthz": ["GET"]
134
-
}
135
-
```
136
-
- **`ENABLE_AUTHENTICATION_EXTENSION`**, enable authentication extension in STAC API responses
137
-
- **Type:** boolean
138
-
- **Required:** No, defaults to `true`
139
-
- **Example:** `false`, `1`, `True`
140
-
- OpenAPI / Swagger UI
141
-
- **`OPENAPI_SPEC_ENDPOINT`**, path of OpenAPI specification, used for augmenting spec response with auth configuration
142
-
- **Type:** string or null
143
-
- **Required:** No, defaults to `null` (disabled)
144
-
- **Example:** `/api`
145
-
- **`OPENAPI_AUTH_SCHEME_NAME`**, name of the auth scheme to use in the OpenAPI spec
146
-
- **Type:** string
147
-
- **Required:** No, defaults to `oidcAuth`
148
-
- **Example:** `jwtAuth`
149
-
- **`OPENAPI_AUTH_SCHEME_OVERRIDE`**, override for the auth scheme in the OpenAPI spec
150
-
- **Type:** JSON object
151
-
- **Required:** No, defaults to `null` (disabled)
152
-
- **Example:** `{"type": "http", "scheme": "bearer", "bearerFormat": "JWT", "description": "Paste your raw JWT here. This API uses Bearer token authorization.\n"}`
153
-
- **`SWAGGER_UI_ENDPOINT`**, path of Swagger UI, used to indicate that a custom Swagger UI should be hosted, typically useful when providing accompanying `SWAGGER_UI_INIT_OAUTH` arguments
154
-
- **Type:** string or null
155
-
- **Required:** No, defaults to `null` (disabled)
156
-
- **Example:** `/api.html`
157
-
- **`SWAGGER_UI_INIT_OAUTH`**, initialization options for the [Swagger UI OAuth2 configuration](https://swagger.io/docs/open-source-tools/swagger-ui/usage/oauth2/) on custom Swagger UI
|`HEALTHZ_PREFIX`| Path prefix for health check endpoints | string | No |`/healthz`|`''` (disabled) |
79
+
|`OVERRIDE_HOST`| Override the host header for the upstream API | boolean | No |`true`|`false`, `1`, `True`|
80
+
|`ROOT_PATH`| Path prefix for the proxy API. **Note:**`ROOT_PATH` is independent of the upstream API's path. The proxy will handle removing this prefix from incoming requests and adding it to outgoing links. | string | No |`''` (root path) |`/api/v1`|
81
+
82
+
#### Authentication
83
+
84
+
| Variable | Description | Type | Required | Default | Example |
|`OIDC_DISCOVERY_INTERNAL_URL`| Internal network OpenID Connect discovery document URL | HTTP(S) URL | No | Value of `OIDC_DISCOVERY_URL`|`http://auth/.well-known/openid-configuration`|
88
+
|`DEFAULT_PUBLIC`| Default access policy for endpoints | boolean | No |`false`|`false`, `1`, `True`|
89
+
|`PRIVATE_ENDPOINTS`| Endpoints explicitly marked as requiring authentication and possibly scopes | JSON object mapping regex patterns to HTTP methods OR tuples of an HTTP method and string representing required scopes | No | See below | - |
90
+
|`PUBLIC_ENDPOINTS`| Endpoints explicitly marked as not requiring authentication, used when `DEFAULT_PUBLIC == False`| JSON object mapping regex patterns to HTTP methods | No | See below | - |
91
+
|`ENABLE_AUTHENTICATION_EXTENSION`| Enable authentication extension in STAC API responses | boolean | No |`true`|`false`, `1`, `True`|
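Review bot: The `PRIVATE_ENDPOINTS` and `PUBLIC_ENDPOINTS` rows now give their default only as "See below", while the removed list form carried the `PUBLIC_ENDPOINTS` default JSON inline (`^/api.html$`, `^/api$`, `^/docs/oauth2-redirect`, `^/healthz`), and nothing in the visible lines shows where that block ends up. These patterns decide which paths skip authentication, so keep the default JSON directly under this table and link the cell to it instead of relying on an unanchored "below". The `PUBLIC_ENDPOINTS` description also still reads `DEFAULT_PUBLIC == False` while the `DEFAULT_PUBLIC` row writes the default as `false`; pick one spelling.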
|`OPENAPI_SPEC_ENDPOINT`| Path of OpenAPI specification, used for augmenting spec response with auth configuration | string or null | No |`null` (disabled) |`/api`|
121
+
|`OPENAPI_AUTH_SCHEME_NAME`| Name of the auth scheme to use in the OpenAPI spec | string | No |`oidcAuth`|`jwtAuth`|
122
+
|`OPENAPI_AUTH_SCHEME_OVERRIDE`| Override for the auth scheme in the OpenAPI spec | JSON object | No |`null` (disabled) |`{"type": "http", "scheme": "bearer", "bearerFormat": "JWT", "description": "Paste your raw JWT here. This API uses Bearer token authorization.\n"}`|
123
+
|`SWAGGER_UI_ENDPOINT`| Path of Swagger UI, used to indicate that a custom Swagger UI should be hosted, typically useful when providing accompanying `SWAGGER_UI_INIT_OAUTH` arguments | string or null | No |`null` (disabled) |`/api.html`|
124
+
|`SWAGGER_UI_INIT_OAUTH`| Initialization options for the [Swagger UI OAuth2 configuration](https://swagger.io/docs/open-source-tools/swagger-ui/usage/oauth2/) on custom Swagger UI | JSON object | No |`null` (disabled) |`{"clientId": "stac-auth-proxy", "usePkceWithAuthorizationCodeGrant": true}`|
125
+
126
+
#### Filtering
127
+
128
+
| Variable | Description | Type | Required | Default | Example |
|`ITEMS_FILTER_CLS`| CQL2 expression generator for item-level filtering | JSON object with class configuration | No |`null` (disabled) |`stac_auth_proxy.filters:Opa`, `stac_auth_proxy.filters:Template`, `my_package:OrganizationFilter`|
131
+
|`ITEMS_FILTER_ARGS`| Positional arguments for CQL2 expression generator | List of positional arguments used to initialize the class | No |`[]`|`["org1"]`|
132
+
|`ITEMS_FILTER_KWARGS`| Keyword arguments for CQL2 expression generator | Dictionary of keyword arguments used to initialize the class | No |`{}`|`{"field_name": "properties.organization"}`|
133
+
|`ITEMS_FILTER_PATH`| Regex pattern used to identify request paths that require the application of the items filter | Regex string | No |`^(/collections/([^/]+)/items(/[^/]+)?$\|/search$)`|`^(/collections/([^/]+)/items(/[^/]+)?$\|/search$\|/custom$)`|
134
+
|`COLLECTIONS_FILTER_CLS`| CQL2 expression generator for collection-level filtering | JSON object with class configuration | No |`null` (disabled) |`stac_auth_proxy.filters:Opa`, `stac_auth_proxy.filters:Template`, `my_package:OrganizationFilter`|
135
+
|`COLLECTIONS_FILTER_ARGS`| Positional arguments for CQL2 expression generator | List of positional arguments used to initialize the class | No |`[]`|`["org1"]`|
136
+
|`COLLECTIONS_FILTER_KWARGS`| Keyword arguments for CQL2 expression generator | Dictionary of keyword arguments used to initialize the class | No |`{}`|`{"field_name": "properties.organization"}`|
137
+
|`COLLECTIONS_FILTER_PATH`| Regex pattern used to identify request paths that require the application of the collections filter | Regex string | No |`^/collections(/[^/]+)?$`|`^.*?/collections(/[^/]+)?$`|
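Review bot: The Type column of the `ITEMS_FILTER_CLS` and `COLLECTIONS_FILTER_CLS` rows says "JSON object with class configuration", but every example is a `module:Class` string such as `stac_auth_proxy.filters:Opa`. Describe the type as the string form the examples use, or add a JSON example if an object is really accepted. In the `ITEMS_FILTER_PATH` row the `\|` inside the code spans is a table escape; add a short remark that the actual value uses a plain `|`, since a regex copied with the backslash matches a literal pipe and the items filter would then not apply to `/search`.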