Skip to content

evaluate_hazards triggers interactive Earth Engine auth for credential-free sources #125

Description

@Sammyjoseph999

While using evaluate_hazards with a credential-free source (nasa_power), the toolkit launched an interactive Earth Engine OAuth flow (ee.Authenticate()) in the browser and saved a credential token to ~/.config/earthengine/credentials — with no opt-in. A data-analysis call should never launch interactive auth implicitly.

Reproduce

import climate_toolkit as ct
ct.evaluate_hazards(
    crop_name="maize", location_coord=(-1.286, 36.817),
    date_from="2020-01-01", date_to="2020-06-30",
    source="nasa_power",           # no Earth Engine requested
)

Actual: prints To authorize access needed by Earth Engine, open the following URL ..., opens a browser, and on completion writes ~/.config/earthengine/credentials.

Expected: degrade gracefully with no auth prompt — exactly like download_station_data/compare_station_to_grids already do:

Anchor elevation unavailable; continuing without elevation guard.
Reason: Earth Engine project ID missing. ...

Cause

The livestock heat-stress branch auto-fetches an elevation anchor:

  • climate_toolkit/calculate_hazards/hazards.py:351-352 → elevation resolver with auto_fetch_elevation=True
  • that reaches climate_toolkit/fetch_data/source_data/sources/gee.py:42, which calls ee.Authenticate() unconditionally when EE is not already initialized

By contrast, the weather-station elevation path (climate_toolkit/weather_station/dem.py:98 fetch_anchor_elevationinitialize_earth_engine) catches the missing-project condition and continues without the elevation guard.

Suggested fix

  1. Never call ee.Authenticate() implicitly from a library/analysis path.
  2. Have the hazards elevation auto-fetch use the same graceful degradation as the weather-station path: if Earth Engine is not configured (no GCP_PROJECT_ID / not authenticated), skip the elevation guard and continue, with a one-line note.
  3. Optionally gate auto_fetch_elevation behind an explicit EE-availability check.

Impact

Users running credential-free workflows (e.g. source="nasa_power") unexpectedly get an interactive auth prompt and a saved Google credential on their machine.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions