developmentseed
diff --git a/‎README.md
Lines changed: 6 additions & 7 deletions b/‎README.md
Lines changed: 6 additions & 7 deletions
diff --git a/‎pyproject.toml
Lines changed: 1 addition & 1 deletion b/‎pyproject.toml
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/stac_auth_proxy/middleware/ApplyCql2FilterMiddleware.py
Lines changed: 121 additions & 28 deletions b/‎src/stac_auth_proxy/middleware/ApplyCql2FilterMiddleware.py
Lines changed: 121 additions & 28 deletions
diff --git a/‎src/stac_auth_proxy/middleware/BuildCql2FilterMiddleware.py
Lines changed: 6 additions & 6 deletions b/‎src/stac_auth_proxy/middleware/BuildCql2FilterMiddleware.py
Lines changed: 6 additions & 6 deletions
diff --git a/‎src/stac_auth_proxy/utils/filters.py
Lines changed: 0 additions & 18 deletions b/‎src/stac_auth_proxy/utils/filters.py
Lines changed: 0 additions & 18 deletions
@@ -191,21 +191,21 @@ If enabled, filters are intended to be applied to the following endpoints:
   - **Action:** Read Item
   - **Applied Filter:** `ITEMS_FILTER`
   - **Strategy:** Append body with generated CQL2 query.
-- `GET /collections/{collection_id}`
-  - **Supported:** ❌[^23]
-  - **Action:** Read Collection
-  - **Applied Filter:** `COLLECTIONS_FILTER`
-  - **Strategy:** Append query params with generated CQL2 query.
 - `GET /collections/{collection_id}/items`
   - **Supported:** ✅
   - **Action:** Read Item
   - **Applied Filter:** `ITEMS_FILTER`
   - **Strategy:** Append query params with generated CQL2 query.
 - `GET /collections/{collection_id}/items/{item_id}`
-  - **Supported:** ❌[^25]
+  - **Supported:** ✅
   - **Action:** Read Item
   - **Applied Filter:** `ITEMS_FILTER`
   - **Strategy:** Validate response against CQL2 query.
+- `GET /collections/{collection_id}`
+  - **Supported:** ❌[^23]
+  - **Action:** Read Collection
+  - **Applied Filter:** `COLLECTIONS_FILTER`
+  - **Strategy:** Append query params with generated CQL2 query.
 - `POST /collections/`
   - **Supported:** ❌[^22]
   - **Action:** Create Collection
@@ -257,6 +257,5 @@ sequenceDiagram
 [^21]: https://github.com/developmentseed/stac-auth-proxy/issues/21
 [^22]: https://github.com/developmentseed/stac-auth-proxy/issues/22
 [^23]: https://github.com/developmentseed/stac-auth-proxy/issues/23
-[^25]: https://github.com/developmentseed/stac-auth-proxy/issues/25
 [^30]: https://github.com/developmentseed/stac-auth-proxy/issues/30
 [^37]: https://github.com/developmentseed/stac-auth-proxy/issues/37
@@ -8,7 +8,7 @@ classifiers = [
 dependencies = [
   "authlib>=1.3.2",
   "brotli>=1.1.0",
-  "cql2>=0.3.5",
+  "cql2>=0.3.6",
   "fastapi>=0.115.5",
   "httpx[http2]>=0.28.0",
   "jinja2>=3.1.4",
 
@@ -1,9 +1,14 @@
 """Middleware to apply CQL2 filters."""
 
 import json
-from dataclasses import dataclass
+import re
+from dataclasses import dataclass, field
+from functools import partial
 from logging import getLogger
+from typing import Callable, Optional
 
+from cql2 import Expr
+from starlette.datastructures import MutableHeaders, State
 from starlette.requests import Request
 from starlette.types import ASGIApp, Message, Receive, Scope, Send
 
@@ -17,7 +22,6 @@ class ApplyCql2FilterMiddleware:
     """Middleware to apply the Cql2Filter to the request."""
 
     app: ASGIApp
-
     state_key: str = "cql2_filter"
 
     async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
@@ -27,34 +31,123 @@ async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
 
         request = Request(scope)
 
-        if request.method == "GET":
-            cql2_filter = getattr(request.state, self.state_key, None)
-            if cql2_filter:
-                scope["query_string"] = filters.append_qs_filter(
-                    request.url.query, cql2_filter
-                )
+        get_cql2_filter: Callable[[], Optional[Expr]] = partial(
+            getattr, request.state, self.state_key, None
+        )
+
+        # Handle POST, PUT, PATCH
+        if request.method in ["POST", "PUT", "PATCH"]:
+            return await self.app(
+                scope,
+                Cql2RequestBodyAugmentor(
+                    receive=receive,
+                    state=request.state,
+                    get_cql2_filter=get_cql2_filter,
+                ),
+                send,
+            )
+
+        cql2_filter = get_cql2_filter()
+        if not cql2_filter:
             return await self.app(scope, receive, send)
 
-        elif request.method in ["POST", "PUT", "PATCH"]:
-
-            async def receive_and_apply_filter() -> Message:
-                message = await receive()
-                if message["type"] != "http.request":
-                    return message
-
-                cql2_filter = getattr(request.state, self.state_key, None)
-                if cql2_filter:
-                    try:
-                        body = json.loads(message.get("body", b"{}"))
-                    except json.JSONDecodeError as e:
-                        logger.warning("Failed to parse request body as JSON")
-                        # TODO: Return a 400 error
-                        raise e
+        if re.match(r"^/collections/([^/]+)/items/([^/]+)$", request.url.path):
+            return await self.app(
+                scope,
+                receive,
+                Cql2ResponseBodyValidator(cql2_filter=cql2_filter, send=send),
+            )
 
-                    new_body = filters.append_body_filter(body, cql2_filter)
-                    message["body"] = json.dumps(new_body).encode("utf-8")
-                return message
+        scope["query_string"] = filters.append_qs_filter(request.url.query, cql2_filter)
+        return await self.app(scope, receive, send)
 
-            return await self.app(scope, receive_and_apply_filter, send)
 
-        return await self.app(scope, receive, send)
+@dataclass(frozen=True)
+class Cql2RequestBodyAugmentor:
+    """Handler to augment the request body with a CQL2 filter."""
+
+    receive: Receive
+    state: State
+    get_cql2_filter: Callable[[], Optional[Expr]]
+
+    async def __call__(self) -> Message:
+        """Process a request body and augment with a CQL2 filter if available."""
+        message = await self.receive()
+        if message["type"] != "http.request":
+            return message
+
+        # NOTE: Can only get cql2 filter _after_ calling self.receive()
+        cql2_filter = self.get_cql2_filter()
+        if not cql2_filter:
+            return message
+
+        try:
+            body = json.loads(message.get("body", b"{}"))
+        except json.JSONDecodeError as e:
+            logger.warning("Failed to parse request body as JSON")
+            # TODO: Return a 400 error
+            raise e
+
+        new_body = filters.append_body_filter(body, cql2_filter)
+        message["body"] = json.dumps(new_body).encode("utf-8")
+        return message
+
+
+@dataclass
+class Cql2ResponseBodyValidator:
+    """Handler to validate response body with CQL2."""
+
+    send: Send
+    cql2_filter: Expr
+    initial_message: Optional[Message] = field(init=False)
+    body: bytes = field(init=False, default_factory=bytes)
+
+    async def __call__(self, message: Message) -> None:
+        """Process a response message and apply filtering if needed."""
+        if message["type"] == "http.response.start":
+            self.initial_message = message
+            return
+
+        if message["type"] == "http.response.body":
+            assert self.initial_message, "Initial message not set"
+
+            self.body += message["body"]
+            if message.get("more_body"):
+                return
+
+            try:
+                body_json = json.loads(self.body)
+            except json.JSONDecodeError:
+                logger.warning("Failed to parse response body as JSON")
+                await self._send_error_response(502, "Not found")
+                return
+
+            logger.debug(
+                "Applying %s filter to %s", self.cql2_filter.to_text(), body_json
+            )
+            if self.cql2_filter.matches(body_json):
+                await self.send(self.initial_message)
+                return await self.send(
+                    {
+                        "type": "http.response.body",
+                        "body": json.dumps(body_json).encode("utf-8"),
+                        "more_body": False,
+                    }
+                )
+            return await self._send_error_response(404, "Not found")
+
+    async def _send_error_response(self, status: int, message: str) -> None:
+        """Send an error response with the given status and message."""
+        assert self.initial_message, "Initial message not set"
+        error_body = json.dumps({"message": message}).encode("utf-8")
+        headers = MutableHeaders(scope=self.initial_message)
+        headers["content-length"] = str(len(error_body))
+        self.initial_message["status"] = status
+        await self.send(self.initial_message)
+        await self.send(
+            {
+                "type": "http.response.body",
+                "body": error_body,
+                "more_body": False,
+            }
+        )
@@ -1,14 +1,15 @@
 """Middleware to build the Cql2Filter."""
 
 import json
+import re
 from dataclasses import dataclass
 from typing import Callable, Optional
 
 from cql2 import Expr
 from starlette.requests import Request
 from starlette.types import ASGIApp, Message, Receive, Scope, Send
 
-from ..utils import filters, requests
+from ..utils import requests
 
 
 @dataclass(frozen=True)
@@ -78,11 +79,10 @@ async def receive_build_filter() -> Message:
     def _get_filter(self, path: str) -> Optional[Callable[..., Expr]]:
         """Get the CQL2 filter builder for the given path."""
         endpoint_filters = [
-            (filters.is_collection_endpoint, self.collections_filter),
-            (filters.is_item_endpoint, self.items_filter),
-            (filters.is_search_endpoint, self.items_filter),
+            (r"^/collections(/[^/]+)?$", self.collections_filter),
+            (r"^(/collections/([^/]+)/items(/[^/]+)?$|/search$)", self.items_filter),
         ]
-        for check, builder in endpoint_filters:
-            if check(path):
+        for expr, builder in endpoint_filters:
+            if re.match(expr, path):
                 return builder
         return None
@@ -1,7 +1,6 @@
 """Utility functions."""
 
 import json
-import re
 from typing import Optional
 from urllib.parse import parse_qs
 
@@ -32,23 +31,6 @@ def append_body_filter(
     }
 
 
-def is_collection_endpoint(path: str) -> bool:
-    """Check if the path is a collection endpoint."""
-    # TODO: Expand this to cover all cases where a collection filter should be applied
-    return path == "/collections"
-
-
-def is_item_endpoint(path: str) -> bool:
-    """Check if the path is an item endpoint."""
-    # TODO: Expand this to cover all cases where an item filter should be applied
-    return bool(re.compile(r"^(/collections/([^/]+)/items$|/search)").match(path))
-
-
-def is_search_endpoint(path: str) -> bool:
-    """Check if the path is a search endpoint."""
-    return path == "/search"
-
-
 def dict_to_query_string(params: dict) -> str:
     """
     Convert a dictionary to a query string. Dict values are converted to JSON strings,