add ENABLE_COLLECTIONS_AUTHX

Author: philvarner

CHANGELOG.md

@@ -22,7 +22,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 - To all endpoints that depend on collections, add support for a query parameter (GET)
   or body field (POST) `_collections` that will filter to only those collections, but
-  will not reveal that in link contents.
+  will not reveal that in link contents. This is controlled by the "ENABLE_COLLECTIONS_AUTHX"
 
 ## [3.11.0] - 2025-03-27
 

README.md

@@ -583,7 +583,7 @@ There are some settings that should be reviewed and updated as needeed in the se
 | REQUEST_LOGGING_FORMAT           | Express request logging format to use. Any of the [Morgan predefined formats](https://github.com/expressjs/morgan#predefined-formats).                                                                                                                                          | tiny                                                                                 |
 | STAC_API_URL                     | The root endpoint of this API                                                                                                                                                                                                                                                   | Inferred from request                                                                |
 | ENABLE_TRANSACTIONS_EXTENSION    | Boolean specifying if the [Transaction Extension](https://github.com/radiantearth/stac-api-spec/tree/master/ogcapi-features/extensions/transaction) should be activated                                                                                                         | false                                                                                |
-| ENABLE_CONTEXT_EXTENSION    | Boolean specifying if the [Context Extension](https://github.com/stac-api-extensions/context) should be activated                                                                                                         | false                                                                                |
+| ENABLE_CONTEXT_EXTENSION         | Boolean specifying if the [Context Extension](https://github.com/stac-api-extensions/context) should be activated                                                                                                                                                               | false                                                                                |
 | STAC_API_ROOTPATH                | The path to append to URLs if this is not deployed at the server root. For example, if the server is deployed without a custom domain name, it will have the stage name (e.g., dev) in the path.                                                                                | ""                                                                                   |
 | PRE_HOOK                         | The name of a Lambda function to be called as the pre-hook.                                                                                                                                                                                                                     | none                                                                                 |
 | POST_HOOK                        | The name of a Lambda function to be called as the post-hook.                                                                                                                                                                                                                    | none                                                                                 |
@@ -598,6 +598,7 @@ There are some settings that should be reviewed and updated as needeed in the se
 | CORS_CREDENTIALS                 | Configure whether or not to send the `Access-Control-Allow-Credentials` CORS header. Header will be sent if set to `true`.                                                                                                                                                      | none                                                                                 |
 | CORS_METHODS                     | Configure whether or not to send the `Access-Control-Allow-Methods` CORS header. Expects a comma-delimited string, e.g., `GET,PUT,POST`.                                                                                                                                        | `GET,HEAD,PUT,PATCH,POST,DELETE`                                                     |
 | CORS_HEADERS                     | Configure whether or not to send the `Access-Control-Allow-Headers` CORS header. Expects a comma-delimited string, e.g., `Content-Type,Authorization`. If not specified, defaults to reflecting the headers specified in the request’s `Access-Control-Request-Headers` header. | none                                                                                 |
+| ENABLE_COLLECTIONS_AUTHX         | Enables support for hidden `_collections` query parameter / field when set to `true`.                                                                                                                                                                                                              | none                                                                                 |
 
 Additionally, the credential for OpenSearch must be configured, as decribed in the
 section [Populating and accessing credentials](#populating-and-accessing-credentials).
@@ -1110,6 +1111,8 @@ parameter named  (for GET requests) or body JSON field (for POST requests) named
 to filter the collections a user has access to. This parameter/field will be excluded
 from pagination links, so it does not need to be removed on egress.
 
+This feature must be enabled with the `ENABLE_COLLECTIONS_AUTHX` configuration.
+
 The endpoints this applies to are:
 
 - /collections

src/lib/api.js

@@ -336,7 +336,9 @@ const extractIds = function (params) {
 }
 
 const extractAllowedCollectionIds = function (params) {
-  return parseIds(params._collections)
+  return process.env['ENABLE_COLLECTIONS_AUTHX'] === 'true'
+    ? parseIds(params._collections)
+    : undefined
 }
 
 const extractCollectionIds = function (params) {

tests/system/test-api-collection-items-get.js

@@ -94,6 +94,7 @@ test('GET /collections/:collectionId/items for non-existent collection returns 4
 
 test('GET /collections/:collectionId/items with restriction returns filtered collections', async (t) => {
   const { collectionId } = t.context
+  process.env['ENABLE_COLLECTIONS_AUTHX'] = 'true'
 
   const path = `collections/${collectionId}/items`
 

tests/system/test-api-get-aggregate.js

@@ -502,6 +502,8 @@ test('GET /aggregate with aggregations and filter params', async (t) => {
 })
 
 test('GET /aggregate with restriction returns filtered collections', async (t) => {
+  process.env['ENABLE_COLLECTIONS_AUTHX'] = 'true'
+
   const fixtureFiles = [
     'collection.json',
     'LC80100102015050LGN00.json',

tests/system/test-api-get-collection-aggregate.js

@@ -169,6 +169,8 @@ test('GET /aggregate with aggregation not supported by this collection', async (
 })
 
 test('GET /collections/:collectionId/aggregate with restriction returns filtered collections', async (t) => {
+  process.env['ENABLE_COLLECTIONS_AUTHX'] = 'true'
+
   const collectionId = 'landsat-8-l1'
 
   const path = `collections/${collectionId}/aggregate`

tests/system/test-api-get-collection-aggregations.js

@@ -131,6 +131,8 @@ test('GET /collections/:collectionId/aggregations returns default aggregations f
   })
 
 test('GET /collections/:collectionId/aggregations with restriction returns filtered collections', async (t) => {
+  process.env['ENABLE_COLLECTIONS_AUTHX'] = 'true'
+
   const { collectionId } = t.context
 
   const path = `collections/${collectionId}/aggregations`

tests/system/test-api-get-collection-queryables.js

@@ -113,6 +113,8 @@ test.only('GET /collection/:collectionId/queryables for collection with unsuppor
 })
 
 test('GET /collections/:collectionId/queryables with restriction returns filtered collections', async (t) => {
+  process.env['ENABLE_COLLECTIONS_AUTHX'] = 'true'
+
   const { collectionId } = t.context
 
   const path = `collections/${collectionId}/queryables`

tests/system/test-api-get-collection.js

@@ -61,6 +61,8 @@ test('GET /collection/:collectionId for non-existent collection returns Not Foun
 })
 
 test('GET /collections/:collectionId with restriction returns filtered collections', async (t) => {
+  process.env['ENABLE_COLLECTIONS_AUTHX'] = 'true'
+
   const { collectionId } = t.context
 
   t.is((await t.context.api.client.get(`collections/${collectionId}`,

tests/system/test-api-get-collections.js

@@ -51,10 +51,25 @@ test('GET /collections has a content type of "application/json', async (t) => {
 })
 
 test('GET /collections with restriction returns filtered collections', async (t) => {
+  process.env['ENABLE_COLLECTIONS_AUTHX'] = 'true'
+
   await refreshIndices()
 
   const { collectionId } = t.context
 
+  // disable collections filtering
+  process.env['ENABLE_COLLECTIONS_AUTHX'] = 'not true'
+
+  t.is((await t.context.api.client.get(
+    'collections', {
+      searchParams: { _collections: 'not-a-collection' } }
+  )
+  ).collections.length, 1)
+
+  // enable collections filtering
+
+  process.env['ENABLE_COLLECTIONS_AUTHX'] = 'true'
+
   t.is((await t.context.api.client.get(
     'collections', {
       searchParams: { _collections: `${collectionId},foo,bar` } }