feat: add support for excluding queryables from validation

Author: Andrzej Pijanowski

README.md

@@ -445,8 +445,9 @@ QUERYABLES_CACHE_TTL=3600  # Optional, defaults to 3600 seconds (1 hour)
 - Search requests (both GET and POST) are checked against this cache.
 - If a request contains a query parameter or filter field that is not in the list of allowed queryables, the API returns a `400 Bad Request` error with a message indicating the invalid field(s).
 - The cache is automatically refreshed based on the `QUERYABLES_CACHE_TTL` setting.
+- **Interaction with `EXCLUDED_FROM_QUERYABLES`**: If `VALIDATE_QUERYABLES` is enabled, fields listed in `EXCLUDED_FROM_QUERYABLES` will also be considered invalid for filtering. This effectively enforces the exclusion of these fields from search queries.
 
-This feature helps prevent queries on unindexed fields which could lead to poor performance or unexpected results.
+This feature helps prevent queries on non-queryable fields which could lead to unnecessary load on the database.
 
 ## Datetime-Based Index Management
 

stac_fastapi/sfeos_helpers/stac_fastapi/sfeos_helpers/queryables.py

@@ -27,6 +27,7 @@ def __init__(self, database_logic: Any):
         self._lock = asyncio.Lock()
         self.validation_enabled: bool = False
         self.cache_ttl: int = 3600  # How often to refresh cache (in seconds)
+        self.excluded_queryables: Set[str] = set()
         self.reload_settings()
 
     def reload_settings(self):
@@ -36,6 +37,17 @@ def reload_settings(self):
         )
         self.cache_ttl = int(os.getenv("QUERYABLES_CACHE_TTL", "3600"))
 
+        excluded = os.getenv("EXCLUDED_FROM_QUERYABLES", "")
+        self.excluded_queryables = set()
+        if excluded:
+            for field in excluded.split(","):
+                field = field.strip()
+                if field:
+                    # Remove 'properties.' prefix if present
+                    if field.startswith("properties."):
+                        field = field[11:]
+                    self.excluded_queryables.add(field)
+
     async def _update_cache(self):
         """Update the cache with the latest queryables from the database."""
         if not self.validation_enabled:
@@ -48,6 +60,9 @@ async def _update_cache(self):
             queryables_mapping = await self._db_logic.get_queryables_mapping()
             all_queryables_set = set(queryables_mapping.keys())
 
+            if self.excluded_queryables:
+                all_queryables_set = all_queryables_set - self.excluded_queryables
+
             self._all_queryables = all_queryables_set
 
             self._cache = {"*": list(all_queryables_set)}

stac_fastapi/tests/api/test_api_query_validation.py

@@ -65,3 +65,32 @@ async def test_item_collection_get_filter_invalid_param(app_client, ctx):
     assert resp.status_code == 400
     resp_json = resp.json()
     assert "Invalid query fields: invalid_param" in resp_json["detail"]
+
+
+@pytest.mark.asyncio
+async def test_validate_queryables_excluded(app_client, ctx):
+    """Test that excluded queryables are rejected when validation is enabled."""
+
+    excluded_field = "eo:cloud_cover"
+
+    with mock.patch.dict(
+        os.environ,
+        {
+            "VALIDATE_QUERYABLES": "true",
+            "EXCLUDED_FROM_QUERYABLES": excluded_field,
+            "QUERYABLES_CACHE_TTL": "0",
+        },
+    ):
+        reload_queryables_settings()
+
+        query = {"query": {excluded_field: {"lt": 10}}}
+        resp = await app_client.post("/search", json=query)
+        assert resp.status_code == 400
+        assert "Invalid query fields" in resp.json()["detail"]
+        assert excluded_field in resp.json()["detail"]
+
+        query = {"query": {"id": {"eq": "test-item"}}}
+        resp = await app_client.post("/search", json=query)
+        assert resp.status_code == 200
+
+    reload_queryables_settings()