datasette-sierra-ils-auth

Datasette plugin for authenticating staff users against Sierra ILS REST API, with local role-based authorization.

Features

  • Authentication via Sierra ILS /v6/users/validate endpoint
  • Authorization via local SQLite database with roles and permissions
  • Auto-provisioning of new users on first successful Sierra login
  • Built-in admin account for initial setup (optional)
  • Admin UI for managing users and roles

Installation

Install this plugin in the same environment as Datasette:

datasette install datasette-sierra-ils-auth

Or with pip:

pip install datasette-sierra-ils-auth

Configuration

Environment Variables

| Variable | Required | Description |
|----------|----------|-------------|
| SIERRA_API_BASE | Yes | Sierra API base URL (e.g., https://your-library.iii.com/iii/sierra-api/v6) |
| SIERRA_CLIENT_KEY | Yes | Sierra API client key |
| SIERRA_CLIENT_SECRET | Yes | Sierra API client secret |
| SIERRA_AUTH_ADMIN_PASSWORD | No | Password for built-in admin account (bypasses Sierra) |
| SIERRA_AUTH_DB_PATH | No | Path to auth database (default: ./sierra_auth.db) |
| SIERRA_AUTH_COOKIE_NAME | No | Session cookie name (default: ds_sierra_auth) |
| SIERRA_AUTH_COOKIE_MAX_AGE | No | Session duration in seconds (default: 86400 / 24 hours) |
| SIERRA_AUTH_LOGIN_REDIRECT | No | Redirect URL after login (default: /) |

Sierra API Requirements

Your Sierra API key needs the Users Write role to validate user credentials. Create an API key in Sierra Administration (requires permission 1052).

Usage

Basic Setup

  1. Set the required environment variables:

     export SIERRA_API_BASE=https://your-library.iii.com/iii/sierra-api/v6
     export SIERRA_CLIENT_KEY=your-api-key
     export SIERRA_CLIENT_SECRET=your-api-secret

  2. Run Datasette:

     datasette your-database.db

  3. Users can log in at /-/sierra-auth/login using their Sierra staff credentials.

Built-in Admin Account

For initial setup, or when the Sierra API is unavailable, you can enable a local admin account:

export SIERRA_AUTH_ADMIN_PASSWORD=your-secure-password

This creates an admin user that:

  • Bypasses Sierra API authentication (uses a local password)
  • Has the admin role with full permissions
  • Has its password updated on each startup if it has changed

Admin UI

Users with the admin role or manage-users permission can access:

  • /-/sierra-auth/admin/users - List all users
  • /-/sierra-auth/admin/users/<id> - Edit user roles and status

Database

The plugin creates a sierra_auth.db SQLite database to store:

  • users - User accounts (auto-created on first Sierra login)
  • roles - Available roles (viewer, staff, admin by default)
  • user_roles - Role assignments
  • permissions - Permission definitions
  • role_permissions - Permission assignments to roles
  • auth_log - Audit log of authentication events

Default Roles

| Role | Description | Default Permissions |
|------|-------------|---------------------|
| viewer | Default for new users | view-instance, view-database-collection |
| staff | Library staff | Above + view-database-patrons |
| admin | Full access | All permissions |

Persisting the Database (Docker/Podman)

The auth database stores user roles, permissions, and audit logs. To persist this data across container restarts, mount a volume:

# docker-compose.yml
services:
  datasette:
    image: your-datasette-image
    environment:
      - SIERRA_API_BASE=${SIERRA_API_BASE}
      - SIERRA_CLIENT_KEY=${SIERRA_CLIENT_KEY}
      - SIERRA_CLIENT_SECRET=${SIERRA_CLIENT_SECRET}
      - SIERRA_AUTH_ADMIN_PASSWORD=${SIERRA_AUTH_ADMIN_PASSWORD}
      - SIERRA_AUTH_DB_PATH=/data/sierra_auth.db
    volumes:
      - auth_data:/data

volumes:
  auth_data:

Or with Docker/Podman run:

docker run -v auth_data:/data \
  -e SIERRA_AUTH_DB_PATH=/data/sierra_auth.db \
  -e SIERRA_API_BASE=... \
  your-datasette-image

How It Works

  1. User submits Sierra login + password at /-/sierra-auth/login
  2. Plugin validates credentials against Sierra /v6/users/validate
  3. On success (HTTP 204): user is looked up or created in local database
  4. User's roles and permissions are loaded from local database
  5. Signed session cookie is set
  6. On subsequent requests, actor_from_request hook rebuilds actor from cookie
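
Steps 3 and 4 above, sketched as an added example (not the plugin's own code): the table names, default roles and permission names come from this README, while every column name, the is_active status flag and the function names are assumptions.

```python
import sqlite3

# Table names are from the README; all column names here are hypothetical
# and may differ from the plugin's real schema.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, is_active INTEGER DEFAULT 1);
CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE user_roles (user_id INTEGER, role_id INTEGER, UNIQUE (user_id, role_id));
CREATE TABLE permissions (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE role_permissions (role_id INTEGER, permission_id INTEGER);
INSERT INTO roles (id, name) VALUES (1, 'viewer'), (2, 'staff'), (3, 'admin');
INSERT INTO permissions (id, name) VALUES (1, 'view-instance'),
  (2, 'view-database-collection'), (3, 'view-database-patrons'), (4, 'manage-users');
INSERT INTO role_permissions VALUES (1,1),(1,2),(2,1),(2,2),(2,3),(3,1),(3,2),(3,3),(3,4);
"""

def open_auth_db():
    db = sqlite3.connect(":memory:")  # stands in for sierra_auth.db
    db.executescript(SCHEMA)
    return db

def provision_user(db, username):
    """Step 3: look up the user, or create it with only the 'viewer' role."""
    row = db.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    if row:
        return row[0]  # existing user: keep whatever roles an admin assigned
    user_id = db.execute("INSERT INTO users (username) VALUES (?)", (username,)).lastrowid
    db.execute("INSERT INTO user_roles SELECT ?, id FROM roles WHERE name = 'viewer'", (user_id,))
    return user_id

def build_actor(db, username):
    """Step 4: resolve roles and permissions; unknown or inactive users get no actor."""
    user = db.execute("SELECT id, is_active FROM users WHERE username = ?", (username,)).fetchone()
    if user is None or not user[1]:
        return None
    roles = [r[0] for r in db.execute(
        "SELECT r.name FROM roles r JOIN user_roles ur ON ur.role_id = r.id "
        "WHERE ur.user_id = ? ORDER BY r.name", (user[0],))]
    perms = [p[0] for p in db.execute(
        "SELECT DISTINCT p.name FROM permissions p "
        "JOIN role_permissions rp ON rp.permission_id = p.id "
        "JOIN user_roles ur ON ur.role_id = rp.role_id "
        "WHERE ur.user_id = ? ORDER BY p.name", (user[0],))]
    return {"id": username, "roles": roles, "permissions": perms}

if __name__ == "__main__":
    db = open_auth_db()
    provision_user(db, "jdoe")  # constructed sample username
    print(build_actor(db, "jdoe"))
```

Running the same status check whenever the actor is rebuilt from the cookie (step 6) lets a deactivation in the admin UI take effect before the session cookie's max age elapses.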

Development

To set up this plugin locally:

git clone https://github.com/chimpy-me/datasette-sierra-ils-auth
cd datasette-sierra-ils-auth
uv sync

Run tests:

uv run pytest

Run Datasette with the plugin:

uv run datasette

License

MIT License

Download files

Source Distribution

datasette_sierra_ils_auth-0.1.0.tar.gz (19.0 kB)

Built Distribution

datasette_sierra_ils_auth-0.1.0-py3-none-any.whl (14.6 kB)
