fix(stac): upgrade stac auth proxy to v1.1.1

[botanical]

Issue

https://github.com/NASA-IMPACT/veda-architecture/issues/762

What?

• Upgrade stac-auth-proxy to v1.1.1
• Adds secondary defense by using request.scope["path"] as recommended by https://www.secwest.net/starlette

Upgrade Starlette to 1.0.1 or later. Rebuild and redeploy every container, virtualenv, and bundled artifact that pins or vendors Starlette. Bundled installs are common in LLM tooling; pip list on the host is not enough. Audit images.

Secondary (defense in depth)
Replace request.url and request.url.path with request.scope["path"] in every middleware, dependency, and decorator that makes security decisions. Grep the codebase. This bug class will recur; reading the un-reconstructed value is the durable fix.

Testing

• Tested authorization on STAC API
• Tested endpoints POST /collection, DELETE /collection
• Verified that tenant extraction and addition to links works
• Verified that tenant filtering works https://dev.openveda.cloud/api/stac/faketenant2/collections
• Verified that STAC browser works as usual

[ividito]

scope_path will always be a str or None, and so if scope_path will evaluate the same as what we have here. I think instead of calling this function, it would be simpler to use:

path = request.scope.get("path") or request.url.path

or (in common/auth/veda_auth/pep_middleware.py)

path = (request.scope.get("path") or request.url.path).rstrip("/") or "/"

[botanical]

1478b1b