fix: Adding a key for technical/private data in SFEOS

Author: Yuri Zmytrakov

stac_fastapi/core/stac_fastapi/core/serializers.py

@@ -10,7 +10,7 @@
 
 from stac_fastapi.core.datetime_utils import now_to_rfc3339_str
 from stac_fastapi.core.models.links import CollectionLinks
-from stac_fastapi.core.utilities import get_bool_env
+from stac_fastapi.core.utilities import get_bool_env, hide_private_data
 from stac_fastapi.types import stac as stac_types
 from stac_fastapi.types.links import ItemLinks, resolve_links
 
@@ -108,7 +108,7 @@ def db_to_stac(cls, item: dict, base_url: str) -> stac_types.Item:
         else:
             assets = item.get("assets", {})
 
-        return stac_types.Item(
+        stac_item = stac_types.Item(
             type="Feature",
             stac_version=item.get("stac_version", ""),
             stac_extensions=item.get("stac_extensions", []),
@@ -121,6 +121,12 @@ def db_to_stac(cls, item: dict, base_url: str) -> stac_types.Item:
             assets=assets,
         )
 
+        if get_bool_env("HIDE_PRIVATE_DATA"):
+            fields_to_remove = ["private_data"]
+            stac_item = hide_private_data(stac_item, fields_to_remove)
+
+        return stac_item
+
 
 class CollectionSerializer(Serializer):
     """Serialization methods for STAC collections."""

stac_fastapi/core/stac_fastapi/core/utilities.py

@@ -4,6 +4,7 @@
 such as converting bounding boxes to polygon representations.
 """
 
+import copy
 import logging
 import os
 from typing import Any, Dict, List, Optional, Set, Union
@@ -178,3 +179,34 @@ def dict_deep_update(merge_to: Dict[str, Any], merge_from: Dict[str, Any]) -> No
             dict_deep_update(merge_to[k], merge_from[k])
         else:
             merge_to[k] = v
+
+
+def hide_private_data(obj: Any, private_field_names: Union[str, List[str]]) -> Any:
+    """Hide private data fields from the object.
+
+    Args:
+        obj: The object to process (dict, list, or other)
+        private_field_names: A list or single field names to hide from response
+    """
+    obj = copy.deepcopy(obj)
+
+    field_names = (
+        [private_field_names]
+        if isinstance(private_field_names, str)
+        else private_field_names
+    )
+
+    if not field_names:
+        return obj
+
+    if isinstance(obj, dict):
+        for field in field_names:
+            obj.pop(field, None)
+        for value in obj.values():
+            hide_private_data(value, field_names)
+
+    elif isinstance(obj, list):
+        for item in obj:
+            hide_private_data(item, field_names)
+
+    return obj

stac_fastapi/tests/api/test_api.py

@@ -1657,3 +1657,53 @@ async def test_use_datetime_false(app_client, load_test_data, txn_client, monkey
 
     assert "test-item-datetime-only" not in found_ids
     assert "test-item-start-end-only" in found_ids
+
+
+@pytest.mark.asyncio
+async def test_hide_private_data_true(app_client, txn_client, load_test_data):
+    """Test hiding the private data from response"""
+
+    os.environ["HIDE_PRIVATE_DATA"] = "true"
+
+    test_collection = load_test_data("test_collection.json")
+    test_collection_id = "test-collection-hide-private-data"
+    test_collection["id"] = test_collection_id
+    await create_collection(txn_client, test_collection)
+
+    test_item = load_test_data("test_item.json")
+    test_item_id = "test-item-hide-private-data"
+    test_item["id"] = test_item_id
+    test_item["collection"] = test_collection_id
+    test_item["private_data"] = {"item_secret": "sensitive_info"}
+    await create_item(txn_client, test_item)
+
+    # Test /collections/{collection_id}/items
+    resp = await app_client.get(f"/collections/{test_collection_id}/items")
+    assert resp.status_code == 200
+    resp_json = resp.json()
+    item = resp_json["features"][0]
+    assert "private_data" not in item
+
+    # Test /collections/{collection_id}/items/{item_id}
+    resp = await app_client.get(
+        f"/collections/{test_collection_id}/items/{test_item_id}"
+    )
+    assert resp.status_code == 200
+    resp_json = resp.json()
+    assert "private_data" not in resp_json
+
+    # Test GET /search
+    resp = await app_client.get(f"/search?collections={test_collection_id}")
+    assert resp.status_code == 200
+    resp_json = resp.json()
+    item = resp_json["features"][0]
+    assert "private_data" not in item
+
+    # Test POST /search
+    resp = await app_client.post("/search", json={"collections": [test_collection_id]})
+    assert resp.status_code == 200
+    resp_json = resp.json()
+    item = resp_json["features"][0]
+    assert "private_data" not in item
+
+    del os.environ["HIDE_PRIVATE_DATA"]