Skip to main content

Datasette plugin for authenticating access using passwords

Project description

datasette-auth-passwords

PyPI Changelog License

Datasette plugin for authenticating access using passwords

Installation

Install this plugin in the same environment as Datasette.

datasette install datasette-auth-passwords

Demo

A demo of this plugin is running at https://datasette-auth-passwords-demo.datasette.io/

The demo is configured to show the public.db database to everyone, but the private.db database only to logged in users.

You can log in at https://datasette-auth-passwords-demo.datasette.io/-/login with username root and password password!.

Usage

This plugin works based on a list of username/password accounts that are hard-coded into the plugin configuration.

First, you'll need to create a password hash. There are three ways to do that:

Now add the following to your metadata.json:

{
    "plugins": {
        "datasette-auth-passwords": {
            "someusername_password_hash": {
                "$env": "PASSWORD_HASH_1"
            }
        }
    }
}

The password hash can now be specified in an environment variable when you run Datasette. You can do that like so:

PASSWORD_HASH_1='pbkdf2_sha256$...' \
    datasette -m metadata.json

Be sure to use single quotes here otherwise the $ symbols in the password hash may be incorrectly interpreted by your shell.

You will now be able to log in to your instance using the form at /-/login with someusername as the username and the password that you used to create your hash as the password.

You can include as many accounts as you like in the configuration, each with different usernames.

datasette hash-password

The plugin exposes a new CLI command, datasette hash-password. You can run this without arguments to interactively create a new password hash:

datasette hash-password
Password: 
Repeat for confirmation: 
pbkdf2_sha256$260000$1513...

Or if you want to use it as part of a script, you can add the --no-confirm option to generate a hash directly from a value passed to standard input:

echo 'my password' | datasette hash-password --no-confirm
pbkdf2_sha256$260000$daa...

Specifying actors

By default, a logged in user will result in an actor block that just contains their username:

{
    "id": "someusername"
}

You can customize the actor that will be used for a username by including an "actors" configuration block, like this:

{
    "plugins": {
        "datasette-auth-passwords": {
            "someusername_password_hash": {
                "$env": "PASSWORD_HASH_1"
            },
            "actors": {
                "someusername": {
                    "id": "someusername",
                    "name": "Some user"
                }
            }
        }
    }
}

HTTP Basic authentication option

This plugin defaults to implementing login using an HTML form that sets a signed authentication cookie.

You can alternatively configure it to use HTTP Basic authentication instead.

Do this by adding "http_basic_auth": true to the datasette-auth-passwords block in your plugin configuration.

This option introduces the following behaviour:

  • Account usernames and passwords are configured in the same way as form-based authentication
  • Every page within Datasette - even pages that normally do not use authentication, such as static assets - will display a browser login prompt
  • Users will be unable to log out without closing their browser entirely

There is a demo of this mode at https://datasette-auth-passwords-http-basic-demo.datasette.io/ - sign in with username root and password password!

Using with datasette publish

If you are publishing data using a datasette publish command you can use the --plugin-secret option to securely configure your password hashes (see secret configuration values).

You would run the command something like this:

datasette publish cloudrun mydatabase.db \
    --install datasette-auth-passwords \
    --plugin-secret datasette-auth-passwords root_password_hash 'pbkdf2_sha256$...' \
    --service datasette-auth-passwords-demo

This will allow you to log in as username root using the password that you used to create the hash.

Development

To set up this plugin locally, first checkout the code. Then create a new virtual environment:

cd datasette-auth-passwords
python3 -mvenv venv
source venv/bin/activate

Or if you are using pipenv:

pipenv shell

Now install the dependencies and tests:

pip install -e '.[test]'

To run the tests:

pytest

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

datasette_auth_passwords-1.1.1.tar.gz (8.3 kB view details)

Uploaded Source

Built Distribution

File details

Details for the file datasette_auth_passwords-1.1.1.tar.gz.

File metadata

File hashes

Hashes for datasette_auth_passwords-1.1.1.tar.gz
Algorithm Hash digest
SHA256 403a53cb6a29617e91ea3de212dd54e7270c2bdb3e9e8dba350d540e1c5adfca
MD5 a8f4e09566f4c65bb41d368c8f441cd1
BLAKE2b-256 41272e613ed17c92effac6d3a23c9b16bb983fcaa56a223f62ead61070f37f83

See more details on using hashes here.

File details

Details for the file datasette_auth_passwords-1.1.1-py3-none-any.whl.

File metadata

File hashes

Hashes for datasette_auth_passwords-1.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 95a933214fbd8ad1218d11bc37a17e074c66141e593ce202cf0f45cd3562c734
MD5 2c11dd9d9b7c6a2b3656af3f4a469486
BLAKE2b-256 3a2533eff736b8ebeacbd69bd323f8b52348686150ef67228b119936343c967b

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page