Support Auth (custom headers & query parameters)
m-mohr opened this issue · comments
Allow to intercept the request and append custom HTTP headers and query parameters to each request, including geotiff.js and pmtiles.
getSourceOptions has been made available for all sources, which allows implementors to customize the sources.
I guess it would still be nice to implement a helper that people can use for this, which pre-implements header and URL changes for all sources.
It would be wonderful if getSourceOptions would be available for request on url as well, or some other replacement. Use case: STAC endpoint requires authentication with headers.
Alternative solution would be to pass a function that resolves with STAC response. Instead of fetch(Options.url).then(res => res.json()) (link) the adapter function would be called.
It would be wonderful if getSourceOptions would be available for request on url as well
I don't understand this yet. Could you elaborate with an example?
Here's an example to adapt the header:
For GeoTiff specifically it is fortunately possible via getSourceOptions. You can use the headers object:
https://openlayers.org/en/latest/apidoc/module-ol_source_GeoTIFF.html#~GeoTIFFSourceOptions
Something like this should work:
    async getSourceOptions(type, options) {
      if (type === SourceType.GeoTIFF) {
        const token = await getToken(...); // Assign your token here...
        options.sourceOptions = options.sourceOptions || {};
        options.sourceOptions.headers = {
          Authorization: `Bearer ${token}`
        };
      }
      return options;
    }
For customizing the URL, there's an example here:
https://m-mohr.github.io/ol-stac/en/latest/examples/planetary-computer.html
Is there still anything missing in addition to this?
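Added example, not part of the thread and not ol-stac's own code: a variant of the header hook above that attaches the bearer token only when every URL the source will request is on an allowlisted HTTPS origin, so a catalog that links to assets on other hosts does not receive the credential. The option shapes (`url`, `sources[].url`), the origins, and the helper names are assumptions made for illustration.

```javascript
// Added example. Assumptions: the options object carries the asset location
// as `url` or as `sources[].url`; the origins below are constructed placeholders.
const TRUSTED_ORIGINS = new Set([
  'https://stac.example.com',
  'https://assets.example.com',
]);

// True only for absolute https URLs whose parsed origin is allowlisted.
// Parsing (rather than a string prefix match) keeps look-alike hosts and
// userinfo tricks from matching.
function isTrusted(rawUrl, trusted = TRUSTED_ORIGINS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return false; // relative or malformed URL
  }
  return url.protocol === 'https:' && trusted.has(url.origin);
}

// Collect every URL the source would request (assumed option shapes).
function collectUrls(options) {
  const urls = [];
  if (typeof options.url === 'string') urls.push(options.url);
  for (const s of options.sources || []) {
    if (s && typeof s.url === 'string') urls.push(s.url);
  }
  return urls;
}

// Add the Authorization header only if all target URLs are trusted;
// headers that were already set are preserved.
function withAuthHeader(options, token, trusted = TRUSTED_ORIGINS) {
  const urls = collectUrls(options);
  if (urls.length === 0 || !urls.every((u) => isTrusted(u, trusted))) {
    return options; // untouched: no credential for unknown hosts
  }
  const sourceOptions = options.sourceOptions || {};
  options.sourceOptions = {
    ...sourceOptions,
    headers: {...sourceOptions.headers, Authorization: `Bearer ${token}`},
  };
  return options;
}

// Same shape as the getSourceOptions hook above; getToken is hypothetical.
function makeGetSourceOptions(getToken, trusted = TRUSTED_ORIGINS) {
  return async (type, options) => withAuthHeader(options, await getToken(), trusted);
}
```
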
@m-mohr see https://github.com/protomaps/PMTiles/pull/261/files
TBH I am not 100% sure we should be going down this path. It seems like presigned URLs are strictly better, and don't require any custom header support for the generic S3-compatible API case. If we attempt to sign a URL dynamically using awsv4 signature algorithm, from what I can see every individual HTTP request with a unique Range value needs to be signed separately, which would require passing in an async authentication function instead of static headers.
Is there a specific storage system that ONLY takes Authorization headers where the presigned URL strategy does not work? I verified that presigning a .pmtiles URL once via aws cli and then making range requests into it (without more signing) works fine.
We have services which don't have signed URLs, but instead use Authorization headers (e.g. Planet, I think). It's not really just about storage systems such as S3 here, we have many APIs which just work with API keys or Bearer tokens - unfortunately.
Is there one you know of that I can test with, or that you have access to upload to?
Unfortunately not, sorry.
ol-pmtiles v0.3.0 takes a headers option like the other SourceOptions now so this is ready for whenever we want to support this in ol-stac!