geeViz.eeAuth.server

FastAPI proxy for Earth Engine that injects per-tenant SA tokens.

The proxy receives requests from EE clients (browser JS, Python SDK via geeViz.eeAuth.client), looks up the requested tenant in the SA registry, mints a token (cached), and forwards to the real EE endpoint with the right Authorization and x-goog-user-project headers.

Two ways to use:

1. Standalone:

   python -m geeViz.eeAuth --port 8888
   

   or programmatically:

   from geeViz.eeAuth.server import create_proxy_app
   app = create_proxy_app()
   # serve with uvicorn / etc.
   

2. Mounted in an existing FastAPI app:

   from fastapi import FastAPI
   from geeViz.eeAuth.server import build_proxy_router
   
   app = FastAPI()
   app.include_router(build_proxy_router(), prefix="/ee-api")
   

Tenant routing — the proxy picks the SA in this order:

1. X-geeViz-Creds request header (server-side EE SDK; set by geeViz.eeAuth.client.TenantAwareHttp).

2. ?tenant= query string parameter (browser map iframes).

3. Default tenant (the registry’s default entry, loaded from GEE_SERVICE_ACCOUNT_B64).

Workload tagging — every POST is stamped with a workload tag ee-proxy__<tenant> in the query string for billing attribution. Pass workload_tag_builder=... to build_proxy_router if you want to construct your own tag (e.g. include user / session).

Functions

build_proxy_router([creds, upstream, ...])	Build a FastAPI APIRouter that handles {path:path} and proxies every request to upstream with the right SA token.
create_proxy_app([creds, upstream, ...])	Build a standalone FastAPI app with the proxy mounted at prefix.