How does the proxy block access to the STAC API transaction endpoints?

[TWDBrob]

I am puzzled as to how POSTs to the collections endpoint of the API are being blocked. I was testing things out using the docker compose in the repo and I cant figure out how the transactions endpoints are being blocked by stac-auth-proxy when you go directly to the API, bypassing the proxy. The API is just using the bog-standard stac-fastapi-pgstac image and I don't see any configuration in the compose file that appears to prevent this I also commented out all the services except the DB and the API, so I know that it doesn't have anything to do with them.

How does this work?

[alukach]

I was testing things out using the docker compose in the repo and I cant figure out how the transactions endpoints are being blocked by stac-auth-proxy when you go directly to the API, bypassing the proxy

Hmm, that would surprise me. My guess is that the Transactions Extension is not enabled. I see that earlier this year, stac-fastapi-pgstac disabled the transactions extension by default (stac-utils/stac-fastapi-pgstac#236). I've just now committed a change (73b8156) to enable the transactions extension within our Docker Compose file. Perhaps that would change things for you?

As a sanity check, you should see https://api.stacspec.org/v1.0.0/ogcapi-features/extensions/transaction in the conformsTo property of the STAC catalog:

▶ curl -s localhost:8000 | jq .conformsTo
[
  "http://www.opengis.net/spec/cql2/1.0/conf/basic-cql2",
  "http://www.opengis.net/spec/cql2/1.0/conf/cql2-json",
  "http://www.opengis.net/spec/cql2/1.0/conf/cql2-text",
  "http://www.opengis.net/spec/ogcapi-common-2/1.0/conf/simple-query",
  "http://www.opengis.net/spec/ogcapi-features-1/1.0/conf/core",
  "http://www.opengis.net/spec/ogcapi-features-1/1.0/conf/geojson",
  "http://www.opengis.net/spec/ogcapi-features-1/1.0/conf/oas30",
  "http://www.opengis.net/spec/ogcapi-features-3/1.0/conf/features-filter",
  "http://www.opengis.net/spec/ogcapi-features-3/1.0/conf/filter",
  "https://api.stacspec.org/v1.0.0-rc.1/collection-search",
  "https://api.stacspec.org/v1.0.0-rc.1/collection-search#fields",
  "https://api.stacspec.org/v1.0.0-rc.1/collection-search#filter",
  "https://api.stacspec.org/v1.0.0-rc.1/collection-search#free-text",
  "https://api.stacspec.org/v1.0.0-rc.1/collection-search#query",
  "https://api.stacspec.org/v1.0.0-rc.1/collection-search#sort",
  "https://api.stacspec.org/v1.0.0-rc.2/item-search#filter",
  "https://api.stacspec.org/v1.0.0/collections",
  "https://api.stacspec.org/v1.0.0/collections/extensions/transaction",
  "https://api.stacspec.org/v1.0.0/core",
  "https://api.stacspec.org/v1.0.0/item-search",
  "https://api.stacspec.org/v1.0.0/item-search#fields",
  "https://api.stacspec.org/v1.0.0/item-search#query",
  "https://api.stacspec.org/v1.0.0/item-search#sort",
  "https://api.stacspec.org/v1.0.0/ogcapi-features",
  "https://api.stacspec.org/v1.0.0/ogcapi-features#fields",
  "https://api.stacspec.org/v1.0.0/ogcapi-features#query",
  "https://api.stacspec.org/v1.0.0/ogcapi-features#sort",
  "https://api.stacspec.org/v1.0.0/ogcapi-features/extensions/transaction"
]

Additionally, if you navigate to the API docs (/api.html), you should see the endpoints:

[TWDBrob]

I see the issue. When I launch the API in a container, I have this env var set:

ENV ENABLE_TRANSACTIONS_EXTENSIONS=TRUE

To be clear, stac-auth-proxy was doing what I wanted it to do. I just thought it was somehow locking down the API as well and I couldn't figure out how.