Update for non-dev environments

.pre-commit-config.yaml

@@ -33,8 +33,9 @@ repos:
           - "@api.route"
           # Ignore names of attrs in a ctx object in python_script.py that
           # vulture incorrectly believes are unused.
+          # Also ignore typechecker imports in reverse_proxy.py.
           - "--ignore-names"
-          - "check_hostname,verify_mode"
+          - "check_hostname,verify_mode,StartResponse,WSGIApplication,WSGIEnvironment,api_root"
 
   - repo: https://github.com/codespell-project/codespell
     rev: "v2.4.1"

README.md

@@ -67,8 +67,16 @@ scripts/run_tests.sh
 
 An example deep-link to initiate EDD downloads:
 
+In dev:
+
+```
+earthdata-download://startDownload?getLinks=https://dev.hermes.trst2284.dev.int.nsidc.org/api/get-links?cmr_request_params=foo&downloadId=atl06_06&clientId=data_access_tool&authUrl=https://dev.hermes.trst2284.dev.int.nsidc.org/api/earthdata/auth?eddRedirect=earthdata-download%3A%2F%2FauthCallback
+```
+
+In integration:
+
 ```
-earthdata-download://startDownload?getLinks=https://dev.hermes.trst2284.dev.int.nsidc.org/api/get-links?cmr_request_params=foo&downloadId=atl06_06&clientId=data_access_tool&authUrl=https://dev.hermes.trst2284.dev.int.nsidc.org/api/earthdata/auth/?eddRedirect=earthdata-download%3A%2F%2FauthCallback
+earthdata-download://startDownload?getLinks=https://integration.nsidc.org/apps/data-access-tool/api/get-links?cmr_request_params=foo&downloadId=atl06_06&clientId=data_access_tool&authUrl=https://integration.nsidc.org/apps/data-access-tool/api/earthdata/auth?eddRedirect=earthdata-download%3A%2F%2FauthCallback
 ```
 
 A button needs to be added to the Data Access Tool that will issue a GET request

docker-compose.yml

@@ -13,6 +13,7 @@ services:
       - EARTHDATA_APP_USERNAME
       - EARTHDATA_APP_PASSWORD
       - EARTHDATA_APP_CLIENT_ID
+      - DAT_FLASK_SECRET_KEY
     networks:
       - dat
     dns_search: .

nginx/dat.conf

@@ -32,7 +32,7 @@ server {
 
   sendfile off;
 
-  location "/api" {
+  location "/" {
     proxy_pass            https://api;
     proxy_read_timeout    90;
     proxy_connect_timeout 90;

src/dat_backend/app.py

@@ -22,15 +22,17 @@
 from werkzeug.wrappers import Response
 
 from dat_backend.get_links import get_links
+from dat_backend.reverse_proxy import ReverseProxied
 
 
 app = Flask(__name__)
 api = frx.Api(app)
 
+app.wsgi_app = ReverseProxied(app.wsgi_app)  # type: ignore[method-assign]
+
 app.logger.setLevel(logging.INFO)
 
-# TODO: regenerate and move into secrets storage.
-secret_key = "87b8af58ade1d827860a52c25c55b0f75c8286195c62531a4cdc4bd152fe6116"
+secret_key = os.environ.get("DAT_FLASK_SECRET_KEY")
 app.secret_key = secret_key
 
 RESPONSE_CODES = {
@@ -199,7 +201,7 @@ def post(self) -> Any:
 # )
 
 
-@api.route("/api/get-links/")
+@api.route("/api/get-links")
 class GetLinks(frx.Resource):  # type: ignore[misc]
 
     @api.response(200, "Success")
@@ -252,7 +254,7 @@ def get(self):
     EARTHDATA_APP_PASSWORD = os.environ.get("EARTHDATA_APP_PASSWORD")
 
 
-@api.route("/api/earthdata/auth/")
+@api.route("/api/earthdata/auth")
 class EarthdataAuth(frx.Resource):  # type: ignore[misc]
     @api.response(*RESPONSE_CODES[302])  # type: ignore[misc]
     @api.response(*RESPONSE_CODES[500])  # type: ignore[misc]
@@ -269,10 +271,13 @@ def get(self) -> Response:
         earthdata_authorize_url = "https://urs.earthdata.nasa.gov/oauth/authorize"
         earthdata_authorize_url += "?client_id={0}".format(EARTHDATA_APP_CLIENT_ID)
         earthdata_authorize_url += "&response_type=code"
-        edl_auth_finish_redirect_uri = url_for("earthdata_auth_finish", _external=True)
-        app.logger.info(f"Using {edl_auth_finish_redirect_uri=}")
+        edl_auth_callback_redirect_uri = url_for(
+            "earthdata_auth_callback",
+            _external=True,
+        )
+        app.logger.info(f"Using {edl_auth_callback_redirect_uri=}")
         earthdata_authorize_url += "&redirect_uri={0}".format(
-            edl_auth_finish_redirect_uri
+            edl_auth_callback_redirect_uri
         )
 
         response = redirect(earthdata_authorize_url, code=302)
@@ -292,7 +297,7 @@ def earthdata_token_exchange(authorization_code: Optional[str]) -> Dict[str, Any
     # TODO: This URL maybe needs to be parametrized like in Constants.py
     earthdata_token_api = "https://urs.earthdata.nasa.gov/oauth/token"
     grant_type = "authorization_code"
-    redirect_uri = url_for("earthdata_auth_finish", _external=True)
+    redirect_uri = url_for("earthdata_auth_callback", _external=True)
 
     credentials = f"{EARTHDATA_APP_UID}:{EARTHDATA_APP_PASSWORD}"
     auth = base64.b64encode(credentials.encode("ascii")).decode("ascii")
@@ -319,9 +324,8 @@ def earthdata_token_exchange(authorization_code: Optional[str]) -> Dict[str, Any
     return authorization_result_json
 
 
-# TODO: Consider renaming to `/login_callback/` or `/auth_callback/`
-@api.route("/api/earthdata/auth_finish/")
-class EarthdataAuthFinish(frx.Resource):  # type: ignore[misc]
+@api.route("/api/earthdata/auth_callback")
+class EarthdataAuthCallback(frx.Resource):  # type: ignore[misc]
     @api.response(*RESPONSE_CODES[302])  # type: ignore[misc]
     @api.response(*RESPONSE_CODES[500])  # type: ignore[misc]
     def get(self) -> Response:

src/dat_backend/reverse_proxy.py

@@ -0,0 +1,53 @@
+from typing import Iterable, TYPE_CHECKING
+
+# https://git.io/fhHMJ
+if TYPE_CHECKING:
+    from wsgiref.types import StartResponse, WSGIApplication, WSGIEnvironment
+
+
+class ReverseProxied(object):
+    """Adapted from Flask Snippets.
+
+        https://web.archive.org/web/20190523102024/http://flask.pocoo.org/snippets/35/
+
+    Wrap the application in this middleware and configure the
+    front-end server to add these headers, to let you quietly bind
+    this to a URL other than / and to an HTTP scheme that is
+    different than what is used locally.
+
+    In nginx:
+    location /myprefix {
+        proxy_pass http://192.168.0.1:5001;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Script-Name /myprefix;
+        }
+
+    :param app: the WSGI application
+    """
+
+    def __init__(self, app: "WSGIApplication"):
+        self.app = app
+        self.api_root = "/"
+
+    def __call__(
+        self, environ: "WSGIEnvironment", start_response: "StartResponse"
+    ) -> Iterable[bytes]:
+        script_name = environ.get("HTTP_X_SCRIPT_NAME", "")
+        if script_name:
+            self.api_root = script_name
+            environ["SCRIPT_NAME"] = script_name
+            path_info = environ["PATH_INFO"]
+            if path_info.startswith(script_name):
+                environ["PATH_INFO"] = path_info[len(script_name) :]
+
+        scheme = environ.get("HTTP_X_FORWARDED_PROTO", "")
+        if scheme:
+            environ["wsgi.url_scheme"] = scheme
+
+        server = environ.get("HTTP_X_FORWARDED_HOST", "")
+        if server:
+            environ["HTTP_HOST"] = server
+
+        return self.app(environ, start_response)