Remove Transaction endpoints from public API after next stac-fastapi release

[jtherrmann]

Overview

Split from #2.

We've already disabled access to the Transaction endpoints at the database layer in the public API, but we still want to remove those endpoints from the API itself, both for extra security and so as not to confuse users who see those endpoints available in the Swagger UI.

I opened stac-utils/stac-fastapi#492 to ask how to do this, and then opened stac-utils/stac-fastapi#495 based on the feedback to that issue.

As soon as that PR gets merged and there's another stac-fastapi release, we can modify the API handler to populate the environment variable with the list of extensions (all of them except the two Transaction extensions) before importing the pgstac app handler.

Tasks

• After the next stac-fastapi release, specify the list of extensions so as to exclude the Transaction extensions.

[jtherrmann]

After deploying to test, I confirmed that the endpoints do not exist in the Swagger UI and that the endpoint does not exist in test, but still does for prod:

$ curl -X 'DELETE' 'https://stac-test.asf.alaska.edu/collections/glo-30-hand' -H 'accept: application/json'
{"detail":"Method Not Allowed"}
$ curl -X 'DELETE' 'https://stac.asf.alaska.edu/collections/glo-30-hand' -H 'accept: application/json'
{"code":"InsufficientPrivilegeError","description":"permission denied for table collections"}

TODO: after deploying to prod, confirm the same for prod.