feat: send auth credentials on all STAC API requests#71

Draft
alukach wants to merge 8 commits into main from feature/authed-get-requests

Conversation

@alukach alukach commented Apr 24, 2026

What I'm changing

Reads (GET) against the configured STAC API now carry Authorization: Bearer <token> whenever the user is authenticated — matching the behavior that mutations already had. The hand-rolled header in collectionTransaction is retired; all requests flow through one central injection point, scoped to URLs under REACT_APP_STAC_API.

Before: useCollection, useItem, useStacSearch, and the local useCollections hook all issued anonymous requests. On a protected STAC API (e.g. the eoAPI develop deployment with the STAC Authentication extension's auth:refs annotations), this produced 401s or reduced data for logged-in users.

After: every request to the STAC API base URL includes the bearer token when one is available. When the user logs out, the header disappears on the next request.

How I did it

  • StacApiAuthBridge in main.tsx reads the current token from useAuth() and does two things on every token change:
    • Passes a memoized options={{ headers: { Authorization } }} into StacApiProvider, so every stac-react hook that consumes the shared StacApi instance picks up the authed headers.
    • Syncs the token into a module-level store via setApiAuthToken(token), so the static Api.fetch (used for mutations and any direct reads) can inject the header without needing to be a hook.
  • Api.fetch (packages/client/src/api/index.ts) attaches the header only when the URL is under REACT_APP_STAC_API (path-boundary normalized, so /stac-admin cannot match a /stac base). Caller-provided headers still win on key collision — that's covered by a test.
  • packages/client/src/pages/CollectionList/useCollections.ts is an outlier: it calls useStacApi(url) directly because stac-react@0.1.0-alpha.10 doesn't re-export useStacApiContext. It now reads useAuth() itself and passes the same options down, mirroring the bridge.
  • collectionTransaction (packages/client/src/pages/CollectionForm/index.tsx) drops its token parameter and the hand-rolled Authorization: Bearer … header. Mutations now carry exactly one Authorization header, injected centrally.

No changes to stac-react were needed — the installed version already merges options.headers into every fetch, and re-passing a new options object on token change triggers the provider to rebuild its StacApi. Design notes and the skipped-alternative rationale are in docs/plans/2026-04-23-authed-get-requests-design.md and docs/plans/2026-04-23-authed-get-requests.md.

Tests

Added packages/client/src/api/index.test.ts — 5 unit tests pinning down the injection rules:

  • Token present + URL under STAC base → header added
  • Token absent → no header
  • Token present + URL outside STAC base → no header
  • Caller-provided Authorization overrides injected one
  • REACT_APP_STAC_API unset → no header

Full suite: 108 passing.

How you can test it

  1. Point .env at a protected STAC API:
    REACT_APP_STAC_API=https://eoapi.develop.eoepca.org/stac
    REACT_APP_OIDC_AUTHORITY=<authority URL>
    REACT_APP_OIDC_CLIENT_ID=<client id>
    
  2. Run npm run client:serve and open DevTools → Network.
  3. Logged out: requests to eoapi.develop.eoepca.org/stac/* should have no Authorization header. Public data or 401s are both fine depending on server config.
  4. Log in: every subsequent request to the STAC API should carry Authorization: Bearer <token>. Collection list, collection detail, items list, search — all should return authed data.
  5. Log out: the next request should no longer carry the header.
  6. Mutations: edit a collection. The PUT should succeed with exactly one Authorization header in the request.
  7. Scope guardrail: any non-STAC request (OIDC discovery, static assets) should never receive the token.
  8. npx jest — all 108 tests pass.
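
The injection rules the description lists (header only with a token, only for URLs under the STAC base with a path-boundary check, caller-provided Authorization winning on collision, no header when the base is unset) as an added, stand-alone TypeScript example. This is not code from the PR, from stac-react or from this repository; the real Api.fetch and its module-level store are not reproduced. setApiAuthToken mirrors the PR's name but the body is mine; isUnderStacBase, buildRequestHeaders, makeAuthedFetch, recordedCalls and the STAC_API_BASE constant (a stand-in for REACT_APP_STAC_API, using the value from the test steps above) are hypothetical. It assumes an absolute base URL, and goes slightly beyond the description in three places: the caller-header collision check is case-insensitive, dot segments are normalized by the URL parser so "/stac/../admin" is out of scope, and a relative request URL is out of scope unless a page origin is supplied (fail closed, since a relative path is a request to the app's origin, not the API's).

```typescript
// Added example, not the PR's code. Hypothetical names throughout; the real
// Api.fetch and token store in packages/client/src/api are not reproduced.

type HeaderMap = Record<string, string>;
interface RequestInitLike { method?: string; body?: string; headers?: HeaderMap }
type FetchLike<R = unknown> = (url: string, init?: RequestInitLike) => R;

// Stand-in for process.env.REACT_APP_STAC_API (value from the PR's test steps).
export const STAC_API_BASE: string | undefined = "https://eoapi.develop.eoepca.org/stac";

// Module-level token store so a non-hook fetch wrapper can read the token.
let currentToken: string | null = null;

export function setApiAuthToken(token: string | null | undefined): void {
  currentToken = token ? token : null; // "" and undefined both mean logged out
}

export function getApiAuthToken(): string | null {
  return currentToken;
}

function parseUrl(s: string, base?: string): URL | null {
  try {
    return new URL(s, base);
  } catch {
    return null;
  }
}

// True iff `url` is the STAC base itself or lies under it at a path boundary:
// base "/stac" matches "/stac", "/stac/" and "/stac/search", not "/stac-admin".
// Assumes `base` is absolute. Relative request URLs resolve against
// `pageOrigin`; with no page origin they are treated as out of scope.
export function isUnderStacBase(
  url: string,
  base: string | undefined,
  pageOrigin?: string,
): boolean {
  if (!base) return false;
  const b = parseUrl(base);
  if (b === null) return false;
  const basePath = b.pathname.replace(/\/+$/, ""); // tolerate a trailing slash
  const u = parseUrl(url, pageOrigin);
  if (u === null) return false;
  if (u.origin !== b.origin) return false;
  const p = u.pathname; // query string and fragment are deliberately ignored
  return p === basePath || p.startsWith(basePath + "/");
}

// Final headers for one request. Caller headers win on a case-insensitive key
// collision; Authorization is injected only with a token and only in scope.
export function buildRequestHeaders(
  url: string,
  base: string | undefined,
  callerHeaders: HeaderMap = {},
  token: string | null = getApiAuthToken(),
  pageOrigin?: string,
): HeaderMap {
  const out: HeaderMap = { ...callerHeaders };
  const callerSetsAuth = Object.keys(out).some(
    (k) => k.toLowerCase() === "authorization",
  );
  if (!callerSetsAuth && token && isUnderStacBase(url, base, pageOrigin)) {
    out["Authorization"] = `Bearer ${token}`;
  }
  return out;
}

// Wrap any fetch-shaped function so every call passes one injection point.
export function makeAuthedFetch<R>(
  fetchImpl: FetchLike<R>,
  base: string | undefined = STAC_API_BASE,
  pageOrigin?: string,
): FetchLike<R> {
  return (url, init = {}) =>
    fetchImpl(url, {
      ...init,
      headers: buildRequestHeaders(url, base, init.headers, undefined, pageOrigin),
    });
}

// Demo wiring with a constructed, recording fake fetch (no network). Returns
// what each call would have put on the wire, in the order of the test steps.
export function recordedCalls(): Array<{ url: string; headers: HeaderMap }> {
  const calls: Array<{ url: string; headers: HeaderMap }> = [];
  const fakeFetch: FetchLike<void> = (url, init = {}) => {
    calls.push({ url, headers: init.headers ?? {} });
  };
  const authedFetch = makeAuthedFetch(fakeFetch, STAC_API_BASE);

  setApiAuthToken("tok-123"); // logged in
  authedFetch(`${STAC_API_BASE}/collections`); // in scope: header injected
  authedFetch("https://issuer.example/.well-known/openid-configuration"); // OIDC discovery: never
  authedFetch(`${STAC_API_BASE}/collections/c1`, {
    method: "PUT",
    body: "{}",
    headers: { Authorization: "Bearer explicit" }, // caller wins; still one header
  });
  setApiAuthToken(null); // logged out
  authedFetch(`${STAC_API_BASE}/search`); // no token: no header
  return calls;
}
```

In the real client the first argument to makeAuthedFetch would be the platform fetch; the token setter is the hook-free seam a provider can call on every token change. Scope is decided on origin plus pathname only, so a query string or fragment cannot move a request in or out of scope, and an unparseable URL is treated as out of scope rather than given the token.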

@alukach alukach changed the title from "Send auth credentials on all STAC API requests" to "feat: send auth credentials on all STAC API requests" on May 15, 2026
@alukach alukach force-pushed the feature/authed-get-requests branch from c7982f1 to cbe1c46 on May 15, 2026 18:12
@alukach alukach force-pushed the feature/authed-get-requests branch from cbe1c46 to 84397dd on May 15, 2026 18:14
@alukach alukach force-pushed the feature/authed-get-requests branch from 84397dd to 88c662d on May 15, 2026 18:19
authority: process.env.REACT_APP_OIDC_AUTHORITY,
clientId: process.env.REACT_APP_OIDC_CLIENT_ID
}
: undefined;
Member Author

This was just some simplification to remove packages/client/src/auth/resolveAuthConfig.ts, which seemed unnecessary.

Otherwise useStacApi probes the landing page (and useCollections fetches) once without auth, then again when the token arrives. App.tsx already gates content rendering on isLoading, so no consumer hooks need the context during this window.
