ensure anonymous access is prevented

alukach · alukach · commit e128f9984858 · 2026-03-04T22:05:40.000-08:00
diff --git a/applications/argocd/staging/applications/montandon-eoapi/stac-auth-proxy/montandon_filters.py b/applications/argocd/staging/applications/montandon-eoapi/stac-auth-proxy/montandon_filters.py
@@ -53,12 +53,13 @@ class CollectionsFilter:
     async def __call__(self, context: dict[str, Any]) -> str:
         jwt_payload: Optional[dict[str, Any]] = context.get("payload")
 
-        # Anonymous: only public collections
+        # Anonymous: no data
         if not jwt_payload:
-            return self.public_collections_filter
+            logger.debug("Anonymous user, no collections permitted to be viewed")
+            return "1=0"
 
-        # Superuser: no filter
-        if jwt_payload.get(self.admin_claim) == 'true':
+        # Superuser: all data
+        if jwt_payload.get(self.admin_claim) == "true":
             logger.debug(
                 f"Superuser detected for sub {jwt_payload.get('sub')}, "
                 "no filter applied for collections"
@@ -164,8 +165,13 @@ async def _get_public_collections_ids(self) -> list[str]:
     async def __call__(self, context: dict[str, Any]) -> str:
         jwt_payload: Optional[dict[str, Any]] = context.get("payload")
 
-        # Superuser: no filter
-        if jwt_payload and jwt_payload.get(self.admin_claim) == 'true':
+        # Anonymous: no data
+        if not jwt_payload:
+            logger.debug("Anonymous user, no items permitted to be viewed")
+            return "1=0"
+
+        # Superuser: all data
+        if jwt_payload.get(self.admin_claim) == "true":
             logger.debug(
                 f"Superuser detected for sub {jwt_payload.get('sub')}, "
                 "no filter applied for items"
