issue_comments

Released this in Datasette 1.0a0: - #1913

The API explorer is now live here: https://latest-1-0-dev.datasette.io/-/api

I think the ability to create tokens should be protected by a create-tokens permission, not just a global setting.

New documentation for these features currently lives here: https://docs.datasette.io/en/1.0-dev/json_api.html#the-json-write-api

Working on that first "insert row" implementation:

• https://github.com/simonw/datasette/issues/1851

Has made it very clear to me that I should go the whole hog and build the basic form-based interface for this as well.

I started the documentation for the API tokens mechanism here: https://docs.datasette.io/en/1.0-dev/authentication.html#api-tokens

I'm going to set a convention that "token": "something" in an actor means that they were authenticated by a token.

"token": "dstok" for example.

It strikes me that users should NOT be able to use a token to create additional tokens.

The current design actually does allow that, since the dstok_ Bearer token can be used to authenticate calls to the /-/create-token page.

So I think I need a mechanism whereby that page can only allow access to users authenticated by cookie.

Not obvious how to do that though, since Datasette's authentication actor system is designed to abstract that detail away!

Here's the implementation of datasette-auth-tokens: https://github.com/simonw/datasette-auth-tokens/blob/main/datasette_auth_tokens/init.py

API authentication will be via Authorization: Bearer XXX request headers.

I'm inclined to add a default token mechanism to Datasette based on tokens that are signed with the DATASETTE_SECRET. Maybe the root user can access /-/create-token which provides a UI for generating a time-limited signed token? Could also have a datasette create-token command for creating such tokens at the command-line.

Plugins can then define alternative ways of creating tokens, such as the existing https://datasette.io/plugins/datasette-auth-tokens plugin.

It may turn out that it makes sense to also add a UI for these actions as part of this project. That's still to be determined.

This is going to need a whole bunch of new permissions.

To review: the existing set of permissions are listed here: https://docs.datasette.io/en/0.62/authentication.html#built-in-permissions

• view-instance
• view-database
• view-database-download
• view-table
• view-query
• execute-sql
• permissions-debug
• debug-menu

I'm going to reuse database terminology for the new permissions. So first draft of those is:

• insert-row
• update-row
• delete-row
• create-table
• drop-table
• alter-table

I'm going to treat this as a bit of a research spike, at least until I like the direction it is going enough to commit to it.