feat: add AuthOptionsMiddleware for handling OPTIONS requests

Introduces AuthOptionsMiddleware to inform clients of user capabilities based on their authentication status. This middleware processes OPTIONS requests, checks user permissions against defined endpoint requirements, and constructs appropriate CORS headers for responses. Additionally, it integrates the new middleware into the FastAPI application.

Relates to:
- opengeospatial/ogcapi-features#1005
- stac-api-extensions/transaction#15

Author: alukach

src/stac_auth_proxy/app.py

@@ -18,6 +18,7 @@
     AddProcessTimeHeaderMiddleware,
     ApplyCql2FilterMiddleware,
     AuthenticationExtensionMiddleware,
+    AuthOptionsMiddleware,
     BuildCql2FilterMiddleware,
     EnforceAuthMiddleware,
     OpenApiMiddleware,
@@ -149,6 +150,13 @@ async def lifespan(app: FastAPI):
         AddProcessTimeHeaderMiddleware,
     )
 
+    app.add_middleware(
+        AuthOptionsMiddleware,
+        public_endpoints=settings.public_endpoints,
+        private_endpoints=settings.private_endpoints,
+        default_public=settings.default_public,
+    )
+
     app.add_middleware(
         EnforceAuthMiddleware,
         public_endpoints=settings.public_endpoints,

src/stac_auth_proxy/middleware/AuthOptionsMiddleware.py

@@ -0,0 +1,87 @@
+"""Middleware to remove ROOT_PATH from incoming requests and update links in responses."""
+
+import logging
+from dataclasses import dataclass
+
+from starlette.requests import Request
+from starlette.responses import Response
+from starlette.types import ASGIApp, Receive, Scope, Send
+
+from ..config import EndpointMethods
+from ..utils.requests import find_match
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class AuthOptionsMiddleware:
+    """Middleware to enform client of users capabilities in response to OPTIONS request."""
+
+    app: ASGIApp
+    private_endpoints: EndpointMethods
+    public_endpoints: EndpointMethods
+    default_public: bool
+    state_key: str = "payload"
+
+    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
+        """Check capabilities of the user."""
+        print("HERE")
+        if scope["type"] != "http":
+            return await self.app(scope, receive, send)
+
+        if scope["method"] != "OPTIONS":
+            return await self.app(scope, receive, send)
+
+        # Get endpoint requirements
+        methods = ["GET", "POST", "PUT", "PATCH", "DELETE"]
+        method_requirements = {}
+        for method in methods:
+            match = find_match(
+                path=scope["path"],
+                method=method,
+                private_endpoints=self.private_endpoints,
+                public_endpoints=self.public_endpoints,
+                default_public=self.default_public,
+            )
+            method_requirements[method] = match
+
+        # Get user (maybe)
+        request = Request(scope)
+        assert hasattr(
+            request.state, self.state_key
+        ), "Auth Payload not set in request state. Is state_key set correctly? Does the EnforceAuthMiddleware run before this middleware?"
+        user = getattr(request.state, self.state_key, None)
+        user_scopes = user.get("scope", "").split(" ") if user else []
+
+        # Get user capabilities
+        valid_methods = []
+        for method, match in method_requirements.items():
+            # Is public
+            if not match.is_private:
+                valid_methods.append(method)
+                continue
+
+            # Is private and user has all required scopes
+            if user and all(scope in user_scopes for scope in match.required_scopes):
+                valid_methods.append(method)
+                continue
+
+        # Construct response
+        headers = {
+            "Allow": ", ".join(valid_methods),
+            "Access-Control-Allow-Methods": ", ".join(valid_methods),
+            "Access-Control-Allow-Headers": "Authorization, Content-Type",
+            "Access-Control-Max-Age": "86400",  # 24 hours
+        }
+
+        # Add CORS origin if provided in request
+        origin = request.headers.get("Origin")
+        if origin:
+            headers["Access-Control-Allow-Origin"] = origin
+
+        response = Response(
+            content="",
+            status_code=204,
+            headers=headers,
+        )
+        return await response(scope, receive, send)

src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py

@@ -98,7 +98,6 @@ async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
                 auto_error=match.is_private,
                 required_scopes=match.required_scopes,
             )
-
         except HTTPException as e:
             response = JSONResponse({"detail": e.detail}, status_code=e.status_code)
             return await response(scope, receive, send)

src/stac_auth_proxy/middleware/__init__.py

@@ -3,6 +3,7 @@
 from .AddProcessTimeHeaderMiddleware import AddProcessTimeHeaderMiddleware
 from .ApplyCql2FilterMiddleware import ApplyCql2FilterMiddleware
 from .AuthenticationExtensionMiddleware import AuthenticationExtensionMiddleware
+from .AuthOptionsMiddleware import AuthOptionsMiddleware
 from .BuildCql2FilterMiddleware import BuildCql2FilterMiddleware
 from .EnforceAuthMiddleware import EnforceAuthMiddleware
 from .ProcessLinksMiddleware import ProcessLinksMiddleware
@@ -14,6 +15,7 @@
     "ApplyCql2FilterMiddleware",
     "AuthenticationExtensionMiddleware",
     "BuildCql2FilterMiddleware",
+    "AuthOptionsMiddleware",
     "EnforceAuthMiddleware",
     "ProcessLinksMiddleware",
     "RemoveRootPathMiddleware",