Add token authorization for STAC API #142

Open
batpad opened this issue Feb 11, 2025 · 2 comments

Comments


batpad commented Feb 11, 2025

NOTE: This is likely not the best repository for the ticket, but since we don't have a dedicated repository for our eoapi-k8s setup currently, I am creating the ticket here. We can move it if needed.

We need to add an authorization layer for users to access the STAC API, similar to how the current Montandon API does. All requests to the STAC API should require a token, so we need some sort of middleware or similar in the FastAPI application to validate it.

@thenav56 - could you outline / point to code or a ticket that specifies exactly how the token handling works right now and exactly how the STAC API needs to authenticate the tokens? Right now it's just some JWT token validation, and the user can get the token from GO, correct? Not sure if you also have thoughts around changing that with your recent work on enabling GO to be an OAuth2 provider, but perhaps now we just implement the current token-based authentication.

@geohacker @sunu @emmanuelmathot - in terms of how we add this auth layer to the FastAPI backend, I think the steps would be:

  • Create a separate repository for the monty-eoapi deployment - we will need it for the custom authentication code, but also for other configuration, etc. @sunu - we should maybe create a separate ticket for this?
  • In there, implement the middleware to handle authentication for API requests - @geohacker I'm a bit fuzzy on the details here - would we create another FastAPI application that wraps around stac-fastapi, or is there a way to configure a custom authentication middleware, etc.? Could you flesh out exactly how that would look? cc @emmanuelmathot

@geohacker @sunu @emmanuelmathot - let's figure out what we need to do to enable custom authentication in our eoapi setup - I know it's roughly straightforward, but let's just get that setup, and then @thenav56 can probably help with the details of the JWT auth scheme to use, etc. to perform the actual token validation.

cc @subinasr


alukach commented Feb 11, 2025

> In there, implement the middleware to handle authentication for API requests - @geohacker I'm a bit fuzzy on the details here - would we create another FastAPI application that wraps around stac-fastapi, or is there a way to configure a custom authentication middleware, etc.? Could you flesh out exactly how that would look? cc @emmanuelmathot

A few strategies to consider:

  1. STAC Auth Proxy - Keep the STAC API on an internal network and proxy requests through a layer that enforces auth. Currently, the logic is very simple (it can specify which endpoints require a valid auth token) but is being built out to support more complex scenarios (restricting records based on the auth token).
  2. eoAPI Auth Utils - Implement simple auth requirements (protect specified routes, optionally require specified scopes) within a customized FastAPI application via helpers from this library.

Middleware (at least in the FastAPI/Starlette parlance) is generally not the recommended path forward for FastAPI applications, as it does not play well with the generated OpenAPI spec (as far as I am aware).

thenav56 (Member) commented

JWT Info for the Current Monty Instance

Here's some relevant info about the JWT used in the current Monty setup.

Public Keys (From https://github.com/IFRCGo/go-api)

Team Message: https://teams.microsoft.com/l/message/19:[email protected]/1714812479900?context=%7B%22contextType%22%3A%22chat%22%7D

  • STAGING JWT Public Key:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/J4ar4OVKuT3Qbh3D2mtuiTMQUf1
tkYr5vUGpixeoOxW+bR8MGVwIURZyi2vZ92vxQ3plOn44HgRnhEZ6OWDdQ==
-----END PUBLIC KEY-----
  • PRODUCTION JWT Public Key:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENv76JQ5Ntqq3zbpk3gVsKa7SEtev
B8pQ/GOq6+biLffG28i0rHgf4SRBxdKkQNuXcb4TBDQTH7l9Z3+GGC3Zxw==
-----END PUBLIC KEY-----
