stac-server
Forbidden error thrown when `limit` is only keyword in POST query
When only providing the `limit` keyword it works fine with GET:

https://earth-search.aws.element84.com/v1/search?limit=10

but POST throws an error when only the `limit` keyword is provided. Use pystac-client to test:

```
stac-client search https://earth-search.aws.element84.com/v1 --matched --logging DEBUG
```

```
DEBUG:pystac_client.stac_api_io:POST https://earth-search.aws.element84.com/v1/search Headers: {'User-Agent': 'python-requests/2.28.1', 'Accept-Encoding': 'gzip, deflate, br', 'Accept': '*/*', 'Connection': 'keep-alive', 'Content-Length': '14', 'Content-Type': 'application/json'} Payload: {"limit": 100}
{"message":"Forbidden"}
```
In contrast, this works:

```
stac-client search https://earth-search.aws.element84.com/v1 --matched -c sentinel-2-l2a --logging DEBUG
```

```
DEBUG:pystac_client.stac_api_io:GET https://earth-search.aws.element84.com/v1 Headers: {'User-Agent': 'python-requests/2.28.1', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive'}
DEBUG:pystac_client.stac_api_io:POST https://earth-search.aws.element84.com/v1/search Headers: {'User-Agent': 'python-requests/2.28.1', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Content-Length': '47', 'Content-Type': 'application/json'} Payload: {"limit": 1, "collections": ["sentinel-2-l2a"]}
```
We also see this behavior in landsatlook, which also uses stac-server, although it manifests as a CloudFront error rather than Forbidden due to their configuration.
```
stac-client search https://landsatlook.usgs.gov/stac-server --matched --logging DEBUG
stac-client search https://landsatlook.usgs.gov/stac-server -c landsat-c2l2-sr --matched --logging DEBUG
```
@matthewhanson I've seen an error similar to this when the WAF "Prevent SQL injection" rules are in place. (It sees the "limit" in the body and thinks it's SQL.) That may or may not be the cause here, but something to investigate.
- https://github.com/stac-utils/stac-server/issues/240
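To help separate a WAF/edge block from a stac-server error when triaging the report above, here is a small probe script. It is an added example, not part of stac-server or pystac-client: it POSTs the body variants from the report and flags responses that look like an edge rejection (a 403 with the bare `{"message":"Forbidden"}` body seen here, or a non-JSON CloudFront error page as mentioned for landsatlook); the `is_edge_block` heuristic and the `requests`-based live transport are assumptions of this example.

```python
import json
import sys
from typing import Callable, Dict, Tuple

# Body variants taken from the report: only the limit-only POST was rejected.
PAYLOADS: Dict[str, dict] = {
    "limit-only": {"limit": 100},
    "limit+collections": {"limit": 1, "collections": ["sentinel-2-l2a"]},
    "collections-only": {"collections": ["sentinel-2-l2a"]},
}

# A transport takes (url, json_body) and returns (status_code, response_text).
# It is injected so the same probe runs live or against a stub (see tests).
PostFn = Callable[[str, str], Tuple[int, str]]


def is_edge_block(status: int, body: str) -> bool:
    """Heuristic (assumption): a 403 whose body is either not JSON (CloudFront
    HTML error page) or the bare API Gateway/WAF {"message": "Forbidden"}
    document points at an edge rule, not at stac-server's own error handling."""
    if status != 403:
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return True
    return doc == {"message": "Forbidden"}


def probe(search_url: str, post: PostFn) -> Dict[str, dict]:
    """POST every variant and record status plus the edge-block verdict."""
    results: Dict[str, dict] = {}
    for name, payload in PAYLOADS.items():
        status, text = post(search_url, json.dumps(payload))
        results[name] = {"status": status, "edge_block": is_edge_block(status, text)}
    return results


def requests_post(url: str, body: str) -> Tuple[int, str]:
    """Live transport for real runs; `requests` is only imported here."""
    import requests
    resp = requests.post(url, data=body, headers={"Content-Type": "application/json"}, timeout=30)
    return resp.status_code, resp.text


if __name__ == "__main__":
    # Usage: python probe.py https://<host>/v1/search
    for variant, verdict in probe(sys.argv[1], requests_post).items():
        print(f"{variant:20s} status={verdict['status']} edge_block={verdict['edge_block']}")
```

Variants that come back as `edge_block=True` while others succeed against the same endpoint are the ones to check against the WAF logs; a 400 with a STAC error body instead would point back at the application.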