datasette-auth-tokens
Datasette plugin for authenticating access using API tokens
Installation
Install this plugin in the same environment as Datasette.
$ pip install datasette-auth-tokens
Hard-coded tokens
Read about Datasette's authentication and permissions system.
This plugin lets you configure secret API tokens which can be used to make authenticated requests to Datasette.
First, create a random API token. A useful recipe for doing that is the following:
$ python -c 'import secrets; print(secrets.token_hex(32))'
5f9a486dd807de632200b17508c75002bb66ca6fde1993db1de6cbd446362589
Decide on the actor that this token should represent, for example:
{
  "bot_id": "my-bot"
}
You can then use "allow" blocks to provide that token with permission to access specific actions. To enable access to a configured writable SQL query you could use this in your metadata.json:
{
  "plugins": {
    "datasette-auth-tokens": {
      "tokens": [
        {
          "token": {
            "$env": "BOT_TOKEN"
          },
          "actor": {
            "bot_id": "my-bot"
          }
        }
      ]
    }
  },
  "databases": {
    ":memory:": {
      "queries": {
        "show_version": {
          "sql": "select sqlite_version()",
          "allow": {
            "bot_id": "my-bot"
          }
        }
      }
    }
  }
}
This uses Datasette's secret configuration values mechanism so the secret token is read from an environment variable at startup and never has to be written into metadata.json itself.
Run Datasette like this:
BOT_TOKEN="this-is-the-secret-token" \
datasette -m metadata.json
You can now run authenticated API queries like this:
$ curl -H 'Authorization: Bearer this-is-the-secret-token' \
'http://127.0.0.1:8001/:memory:/show_version.json?_shape=array'
[{"sqlite_version()": "3.31.1"}]
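To make the hard-coded token flow above concrete, here is an added example (not the plugin's own code) that resolves a "tokens" list of the shape shown in the metadata.json, reads the `$env` secret from an environment mapping, parses the `Authorization: Bearer` header and returns the matching actor. The `PLUGIN_CONFIG` dictionary, the `resolve_secret` and `actor_for_request` function names and the `environ` parameter are this example's own assumptions; the plain-string token branch in `resolve_secret` is included for illustration and is not something the page documents.

```python
import hmac
import os
from typing import Optional

# Constructed copy of the "tokens" list from the metadata.json above.
PLUGIN_CONFIG = {
    "tokens": [
        {"token": {"$env": "BOT_TOKEN"}, "actor": {"bot_id": "my-bot"}},
    ]
}


def resolve_secret(value, environ=os.environ) -> Optional[str]:
    """Return the secret for a token setting: {"$env": NAME} or a plain string.

    This is a simplified stand-in for Datasette's secret configuration
    values mechanism, not Datasette's implementation.
    """
    if isinstance(value, dict) and "$env" in value:
        return environ.get(value["$env"])  # None when the variable is unset
    return value if isinstance(value, str) else None


def actor_for_request(headers: dict, config=PLUGIN_CONFIG, environ=os.environ) -> Optional[dict]:
    """Map an Authorization: Bearer header to a configured actor dict, or None."""
    # Header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, presented = lowered.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return None
    for entry in config["tokens"]:
        expected = resolve_secret(entry["token"], environ)
        if not expected:
            # An unset BOT_TOKEN must never match anything: skip it rather
            # than compare the presented value against an empty string.
            continue
        # Constant-time comparison so a wrong token cannot be narrowed down
        # byte by byte through response timing.
        if hmac.compare_digest(expected.encode(), presented.encode()):
            return dict(entry["actor"])
    return None


if __name__ == "__main__":
    env = {"BOT_TOKEN": "this-is-the-secret-token"}
    print(actor_for_request({"Authorization": "Bearer this-is-the-secret-token"}, environ=env))
```

Two behaviours are worth noting: an unset environment variable disables the entry instead of turning it into an empty-string token that anything could match, and the comparison uses `hmac.compare_digest` rather than `==`.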
Tokens from your database
As an alternative (or in addition) to the hard-coded list of tokens you can store tokens in a database table and configure the plugin to access them using a SQL query.
Your query needs to take a :token_id parameter and return at least two columns: one called token_secret and one called actor_* (usually actor_id). Further actor_ prefixed columns can be returned to provide more details for the authenticated actor.
Here's a simple example of a configuration query:
select actor_id, actor_name, token_secret from tokens where token_id = :token_id
This can run against a table like this one:
token_id | token_secret | actor_id | actor_name
---|---|---|---
1 | bd3c94f51fcd | 78 | Cleopaws
2 | 86681b4d6f66 | 32 | Pancakes
The tokens are formed as the token id, then a hyphen, then the token secret. For example:
1-bd3c94f51fcd
2-86681b4d6f66
The SQL query will be executed with the portion before the hyphen as the :token_id parameter.
The token_secret value returned by the query will be compared to the portion of the token after the hyphen to check if the token is valid.
Columns with a prefix of actor_ will be used to populate the actor dictionary. In the above example, a token of 2-86681b4d6f66 will become an actor dictionary of {"id": 32, "name": "Pancakes"}.
Note that this scheme stores token_secret in the clear, so anyone who can read the tokens table can construct a valid token for any actor in it. Make sure that table is not itself readable through Datasette or by any other untrusted path.
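The following is an added example, not the plugin's code, of the database-backed scheme just described: it splits a token at the first hyphen, runs the configured lookup query with the leading part bound as :token_id, compares the returned token_secret against the trailing part in constant time, and builds the actor dictionary from every actor_-prefixed column. The in-memory `tokens` table is a constructed copy of the table shown above; `open_demo_db`, `actor_for_token` and `LOOKUP_SQL` are names chosen for this example.

```python
import hmac
import sqlite3
from typing import Optional

# Constructed in-memory copy of the tokens table from the README.
SCHEMA_AND_ROWS = """
create table tokens (
    token_id integer primary key,
    token_secret text not null,
    actor_id integer,
    actor_name text
);
insert into tokens values (1, 'bd3c94f51fcd', 78, 'Cleopaws');
insert into tokens values (2, '86681b4d6f66', 32, 'Pancakes');
"""

# The configured lookup query from the README: takes :token_id and returns
# token_secret plus actor_-prefixed columns.
LOOKUP_SQL = (
    "select actor_id, actor_name, token_secret from tokens where token_id = :token_id"
)


def open_demo_db() -> sqlite3.Connection:
    """Create the sample tokens table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_AND_ROWS)
    conn.row_factory = sqlite3.Row  # lets us read columns by name
    return conn


def actor_for_token(conn: sqlite3.Connection, token: str, query: str = LOOKUP_SQL) -> Optional[dict]:
    """Resolve a '<token_id>-<token_secret>' token to an actor dict, or None."""
    token_id, sep, presented_secret = token.partition("-")
    if not sep or not token_id or not presented_secret:
        return None  # malformed: no hyphen, or an empty id or secret
    # The id is passed as a bound parameter, never interpolated into the SQL.
    row = conn.execute(query, {"token_id": token_id}).fetchone()
    if row is None:
        return None  # unknown id; same result as a wrong secret
    expected = row["token_secret"]
    if not isinstance(expected, str):
        return None
    # Constant-time comparison of the stored secret with the presented one.
    if not hmac.compare_digest(expected.encode(), presented_secret.encode()):
        return None
    # Every actor_* column becomes an actor key with the prefix stripped.
    return {
        key[len("actor_"):]: row[key] for key in row.keys() if key.startswith("actor_")
    }


if __name__ == "__main__":
    db = open_demo_db()
    print(actor_for_token(db, "2-86681b4d6f66"))
```

Because `partition` splits at the first hyphen only, a secret that itself contains hyphens still round-trips; the token id, however, must contain none.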
Hashes for datasette_auth_tokens-0.2-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 2a0ad6d88e469082a800d5dc7b61630f1cb0b04aede4785d32c22f3ea9089af4
MD5 | 8e10f9e63feb4503e888d44b2e0e9b32
BLAKE2b-256 | 29c2e70a13ee9efc7d75f0d384e7e5bdd32dbcbe6cc92fcbed915e33ffe72a54