chore(main): release 1.0.3

[ds-release-bot]

🤖 I have created a release beep boop

1.0.3 (2026-03-09)

⚠ BREAKING CHANGES

• auth: Authentication failures now return 401 instead of 403

Features

• add configure_app for applying middleware to existing FastAPI applications (#85) (3c5cf69)
• add aws lambda handler (#81) (214de02)
• add configurable audiences (#83) (58d05ea)
• add debug endpoint (cd64125)
• add healthz endpoints (4b1f4d1), closes #27
• Add helm chart auth options. (#118) (cfae34b)
• Add helm README.md and unit tests (#117) (74a1bc8)
• Add mock OIDC server (#40) (0e5a23b)
• add opa integration (#47) (6f9216b), closes #24
• add openapi endpoint as default public endpoint (374b75a)
• Add timing middleware (8d006ef)
• add x-upstream-time header (3abf298)
• allow customize filter paths (#58) (0530ea0)
• augment openapi spec (ac981ce)
• Buildout CQL2 filter tooling for reading Items (#17) + Refactor codebase into middleware (#20) (327b9cf)
• buildout filter for item read (#45) (3b9977e)
• check upstream API health at startup (#32) (12f2973)
• config: add root path GET requests to default public endpoints (#62) (59c6a97)
• config: expand default endpoints (#79) (6718991)
• configurable root_path (#50) (34ba6b7)
• enable collections filtering (#52) (df9330e)
• enable hosting custom Swagger UI (#53) (ca913a0)
• handle CORS by default (#133) (4c49b95)
• helm: add extraContainers in helm-chart (#132) (e0acecb)
• helm: Add support for initContainers. (#104) (a7ca408)
• increase default healthcheck retries (d19b8aa)
• integrate with Authentication Extension (#41) (bd87d38), closes #35
• make use of Server-Timing header (c894026), closes #69
• proxy headers, override host (#49) (2961a48), closes #34
• proxy: Add proxy context headers to upstream requests (3903e89)
• relax ServerHealthCheck defaults (ad29ee7)
• remove applied filters on response links (#67) (2b2b224), closes #64
• reorg config for better customization (4fcf7d1)
• skip json middleware based on response data type (#103) (16b05c3)
• support brottli compression (0c5cf4e)
• Support CEL access policies (#13) (9373dee)
• support custom OpenAPI auth scheme (#51) (de6a946)
• support customizing port when running as a module (9a18c49)
• support scopes in private endpoints (#33) (b44d28a), closes #28
• support specifying cls & args & kwargs separately (b3dd73e)
• tooling to disable auth extension & compression (046c731)
• update authentication extension integratino to use discovery URL (1ce8ed5)
• use HTTP2 (45b4e38), closes #38
• Use PydanticSettings for config management (4895bca)
• validate auth tokens (b5ecada)
• validate transaction requests with CQL2 filters (#131) (254bd82), closes #21 #22

Bug Fixes

• auth-extension: consider link method when adding auth:refs (158f507)
• auth: correct HTTP status codes for authentication and authorization failures (#108) (17227e4)
• avoid flaky assertion (1b8fa28)
• check private endpoint scopes when default_public=False (6dfa54d)
• correct required conformance classes for filters (9d4d211)
• correctly catch JSON parse errors (9d8599f)
• Disable openAPI tooling (6595df0)
• disable server reload by default (c109801), closes #142
• don't set host header (0c89e09)
• Enhance type safety in middleware and utility functions (#122) (52cdd0e)
• ensure openapi spec demonstrates auth when cql2 filters apply (#135) (7310cee)
• ensure OPTIONS requests are sent upstream without auth check (#76) (855183a), closes #75
• Ensure x-forwarded-port header is used in Forwarded header (#115) (78525b1)
• fix status check for 2xx responses (#59) (5b03cb3)
• handle compressed OpenAPI responses & ensure paths correctly marked private (#29) (2fe0852)
• handle deeply nested security dependencies (#14) (5ff51ca)
• Helm chart and app version mismatch. (#120) (7998675)
• improve link processing (#95) (e52b5a9)
• jinja2: use sandboxed environment (504074f)
• lifespan: allow endpoints that don't support trailing slashes (2e6e24b)
• lifespan: handle gateway errors on server health checks (4e00c0e), closes #141
• Make docker image to run as non-root. (#116) (35e06f3)
• middleware: enhance JSON parsing error handling (#73) (daf5d09), closes #72
• only transform non-errors (8c66ba8)
• openapi: remove upstream servers (#90) (b54059b), closes #74
• prevent double-declaration of openapi endpoint (814145d)
• prevent down OIDC server from interfering with lifespan (#31) (4c9f4f9)
• prevent JSON middleware from throwing 500s on non-transformed content (aa27887)
• prevent sending automatic accept-encoding headers upstream (1189f97)
• process links w/o the prefix (#70) (8a09873)
• properly return error on invalid CQL2 filters (5c5c856)
• remove helm chart auth options. (#126) (42015b3)
• retain proxy headers when behind proxy (#88) (74780f0)
• Rework body augmentor to avoid error on empty POSTs (f0ec9a5)
• run lin/tests on all pushes (c565ae7)
• serve healthz without trailing slash (13acd0f)
• simplify cache by handling expired keys as KeyErrors (a2d275d)
• Skip CQL2 filter build for OPTIONS requests (#123) (6ee043e), closes #110
• stac-fastapi health checks. (#128) (42db5ef)
• support filtering bulk item creation (2c4a791)
• update link transformation logic to prevent duplicate root_path in responses (a71bd8e)

Documentation

• add author (add5630)
• add callout for eoAPI usage discussion (5915de4)
• add changelog (5710853)
• add illustration for appying filters on non-filter compliant endpoints (1a75550)
• add upgrade callout (33a57c7)
• add version badges to README (d962230)
• architecture: add data filtering diagrams (48afd7e)
• build out separate documentation website (#78) (6c9b6ba)
• cicd: correct filename in deploy-mkdocs workflow (5f00eca)
• cicd: fix deploy step (5178b92)
• config: add admonitions for more details (40444cf)
• config: cleanup formatting (8a82d3d)
• correct swagger UI config details (7684925)
• deployment: Add details of deploying STAC Auth Proxy (aaf3802)
• describe installation via pip (bfb9ca8)
• describe missing list collections filter functionality (fe46940)
• describe response validation (d0b9099)
• docker: Add OpenSearch backend stack to docker-compose (#71) (d779321)
• enhance middleware stack documentation with detailed descriptions and execution order (06b51cb)
• fix getting started link (8efe5e5)
• fix JSON (f217216)
• fix/simplify footnote links (0b53cab)
• generalize example docker command (e39778a)
• link + typo (0d58b35)
• missing word (7496b76)
• place docker instructions before installation (6a14912)
• prefer headings over nested list (447a13d)
• PRIVATE_ENDPOINTS can be used in DEFAULT_PUBLIC=False scenarios (024f37c)
• record-level-auth: add filter factory guidance (47c4e68)
• Remove unused import of 'Expr' from record-level-auth (4f86e7b)
• reorder callout (3194bb3)
• reorg comments (2da2a26)
• rm experimental warning (5c7f290)
• temporarily disable starlette docstrings (c4fd9e0)
• tips: add details about CORS configuration (#84) (fc1e217)
• update default public endpoints (526c34c)
• update filter class path syntax (a7f5b1b)
• update middleware descriptions (d3d3769)
• update README to include ROOT_PATH configuration and usage tips (e13a89d)
• update tips to describe non-upstream URL (ebadd52)
• updated features list (625fc91)
• use footnotes for issue links (5b94c7d)
• user-guide: Add record-level auth section (89377c6)
• user-guide: Add route-level auth user guide (#80) (a840234)
• user-guide: create getting-started section (6ba081e)
• user-guide: fix configuration links (11a5d28)
• user-guide: fix tips file ref (2d5d2ac)
• user-guide: formatting (8ed08bc)
• user-guide: Mention row-level authorization (5fbd5df)
• user-guide: Move configuration & installation to user guide (170f001)
• user-guide: Mv tips to user-guide (d829800)
• user-guide: Reword authentication to authorization (37fa12d)
• whitespace (b6a6319)

Miscellaneous Chores

• release 0.11.1 (976dfab)
• release 1.0.3 (9dc99f6)

---

This PR was generated with Release Please. See documentation.