Use earthdata tokens with GDAL to access data via https links

earthdata_examples.R

## examples
# requires GDAL >= 3.6
edl_set_token()
library(stars)
url <- "https://data.lpdaac.earthdatacloud.nasa.gov/lp-prod-protected/HLSL30.020/HLS.L30.T56JKT.2023246T235950.v2.0/HLS.L30.T56JKT.2023246T235950.v2.0.SAA.tif"
x <- read_stars(paste0("/vsicurl/",url))
plot(x)

edl_set_token.R

# Helper functions for dealing with nasa earthdata login
# Requires GDAL >= 3.6
#
edl_set_token <- function (username = Sys.getenv("EARTHDATA_USER"), 
                          password = Sys.getenv("EARTHDATA_PASSWORD"),
                           token_number = 1
                          ) {
  base <- 'https://urs.earthdata.nasa.gov'
  list_tokens <- "/api/users/tokens"
  pw <- openssl::base64_encode(paste0(username, ":", password))
  resp <- httr::GET(paste0(base,list_tokens),
                    httr::add_headers(Authorization= paste("Basic", pw)))
  p <- httr::content(resp, "parsed")[[token_number]]
  
  if(is.null(p$access_token)) {
    request_token <- "/api/users/token"
    resp <- httr::GET(paste0(base,request_token),
                    httr::add_headers(Authorization= paste("Basic", pw)))
    p <- httr::content(resp, "parsed")
  }
  header = paste("Authorization: Bearer", p$access_token)
  Sys.setenv("GDAL_HTTP_HEADERS"=header)
  invisible(header)
}

# alias
ed_set_token <- edl_set_token

edl_download <- function(x, header = edl_set_token()) {
  dest <- basename(x)
  bearer <- gsub("Authorization: ", "", header)
  httr::GET(x, httr::write_disk(dest, overwrite=TRUE), 
            httr::add_headers(Authorization = bearer))
  #download.file(x, dest, header = list(Authorization = bearer))
  dest
}

edl_stac_urls <- function(items, assets = "data") {
  purrr::map(items$features, list("assets")) |>
  purrr::map(list(assets)) |> 
  purrr::map_chr("href")
}
 

@cboettig I ran into an issue with this code if a user doesn't generate a token first via the website it fails.
So a couple of fixes:

• Need to check if the first response actually has data, I used a length test on the parsed list for now.
• When generating a new token it needs to be POST request https://wiki.earthdata.nasa.gov/display/EL/How+to+Generate+a+User+Token

edl_set_token <- function (username = Sys.getenv("EARTHDATA_USER"), 
                           password = Sys.getenv("EARTHDATA_PASSWORD"),
                           token_number = 1
) {
  base <- 'https://urs.earthdata.nasa.gov'
  list_tokens <- "/api/users/tokens"
  pw <- openssl::base64_encode(paste0(username, ":", password))
  resp <- httr::GET(paste0(base,list_tokens),
                    httr::add_headers(Authorization= paste("Basic", pw)))
  token_resp <- httr::content(resp, "parsed") 
  if(length(token_resp) > 0){
    p <- token_resp[[token_number]]
  }
  else {
    request_token <- "/api/users/token"
    resp <- httr::POST(paste0(base,request_token),
                      httr::add_headers(Authorization= paste("Basic", pw)))
    p <- httr::content(resp, "parsed")
  }
  header = paste("Authorization: Bearer", p$access_token)
  Sys.setenv("GDAL_HTTP_HEADERS"=header)
  invisible(header)
}

Thanks @wildintellect . This gist is was really just a first pass, current approach is now in https://cran.r-project.org/web/packages/earthdatalogin/, issues welcome.

I've moved away from bearer token as the default to use netrc as the default auth instead, though earthdatalogin supports both. The difficulty with bearer token method is that it actually doesn't work if your running inside AWS us-west-2, which is kinda silly.

@cboettig interesting, thanks for the update. We moved to the token method because we couldn't get NetRC to work reliably on Windows, and didn't find your package. I'll talk with @yuvipanda and @betolink about this more since we are working on some related projects too.

@wildintellect nsidc/earthaccess#188 has a lot of investigative work on this as well.