html_url,issue_url,id,node_id,user,created_at,updated_at,author_association,body,reactions,issue,performed_via_github_app
https://github.com/simonw/datasette/issues/1852#issuecomment-1291406219,https://api.github.com/repos/simonw/datasette/issues/1852,1291406219,IC_kwDOBm6k_c5M-UuL,9599,2022-10-26T02:19:54Z,2022-10-26T02:59:52Z,OWNER,"I'm going to split the remaining work into separate issues:
- [x] #1856
- [ ] #1855
","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1421552095,
https://github.com/simonw/datasette/issues/1852#issuecomment-1291431132,https://api.github.com/repos/simonw/datasette/issues/1852,1291431132,IC_kwDOBm6k_c5M-azc,9599,2022-10-26T02:59:50Z,2022-10-26T02:59:50Z,OWNER,Documentation: https://docs.datasette.io/en/1.0-dev/authentication.html#api-tokens,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1421552095,
https://github.com/simonw/datasette/issues/1852#issuecomment-1291397623,https://api.github.com/repos/simonw/datasette/issues/1852,1291397623,IC_kwDOBm6k_c5M-Sn3,9599,2022-10-26T02:11:40Z,2022-10-26T02:11:40Z,OWNER,"Built a prototype of the `actor_from_request()` hook for this and now:
```
% curl http://127.0.0.1:8001/-/actor.json -H 'Authorization: Bearer dstok_eyJhIjoicm9vdCIsImUiOm51bGx9.6O1OxgNTFkAU6uw7xNcmXYX949A'
{""actor"": {""id"": ""root"", ""dstok"": true}}
```","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1421552095,
https://github.com/simonw/datasette/issues/1852#issuecomment-1291392887,https://api.github.com/repos/simonw/datasette/issues/1852,1291392887,IC_kwDOBm6k_c5M-Rd3,9599,2022-10-26T02:04:48Z,2022-10-26T02:04:48Z,OWNER,"Implemented that `dstok_` prefix and the thing where only the `actor[""id""]` is copied to the `""a""` field.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1421552095,
https://github.com/simonw/datasette/issues/1852#issuecomment-1291290451,https://api.github.com/repos/simonw/datasette/issues/1852,1291290451,IC_kwDOBm6k_c5M94dT,9599,2022-10-26T00:49:56Z,2022-10-26T00:49:56Z,OWNER,Prefix: `dstok_` - for Datasette signed token.,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1421552095,
https://github.com/simonw/datasette/issues/1852#issuecomment-1291289369,https://api.github.com/repos/simonw/datasette/issues/1852,1291289369,IC_kwDOBm6k_c5M94MZ,9599,2022-10-26T00:47:46Z,2022-10-26T00:47:46Z,OWNER,"The tokens also need something that can be used to differentiate them from alternative token mechanisms that other plugins might provide.
Maybe a prefix before the signed value.
Prefixes are also useful for scanning to check they were not accidentally committed to source control.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1421552095,
https://github.com/simonw/datasette/issues/1852#issuecomment-1291272280,https://api.github.com/repos/simonw/datasette/issues/1852,1291272280,IC_kwDOBm6k_c5M90BY,9599,2022-10-26T00:16:09Z,2022-10-26T00:46:21Z,OWNER,"Other options:
- `--setting default_api_tokens off`
- `--setting signed_api_tokens off`
- `--setting allow_create_token off`
These feel inconsistent because they don't use the `allow_` prefix - but they're also a bit less ugly to look at.
I like that last one.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1421552095,
https://github.com/simonw/datasette/issues/1852#issuecomment-1291281243,https://api.github.com/repos/simonw/datasette/issues/1852,1291281243,IC_kwDOBm6k_c5M92Nb,9599,2022-10-26T00:32:21Z,2022-10-26T00:32:21Z,OWNER,"Rather than duplicating the entire actor into the ""a"" field, maybe just copy the actor ID?
Would need to restrict token creation to just actors with an ID set.
","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1421552095,
https://github.com/simonw/datasette/issues/1852#issuecomment-1291274835,https://api.github.com/repos/simonw/datasette/issues/1852,1291274835,IC_kwDOBm6k_c5M90pT,9599,2022-10-26T00:20:48Z,2022-10-26T00:22:26Z,OWNER,"Tests failed because I added a view without also adding documentation!
I forgot that the deploy still goes out for branches other than `main` even if the tests aren't passing:
https://github.com/simonw/datasette/blob/c7dd76c26257ded5bcdfd0570e12412531b8b88f/.github/workflows/deploy-latest.yml#L34-L38","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1421552095,
https://github.com/simonw/datasette/issues/1852#issuecomment-1291273609,https://api.github.com/repos/simonw/datasette/issues/1852,1291273609,IC_kwDOBm6k_c5M90WJ,9599,2022-10-26T00:18:40Z,2022-10-26T00:18:40Z,OWNER,"Another thought about tokens that can act on behalf of the user.
Imagine a user has permission to access a table. They create a token that can create that table... but then their permission is revoked. It would be bad if they could still use that token they created earlier to access that table!
On that basis, I think the model described above where tokens mainly work to provide an ""act on behalf of this actor"" - but with optional additional constraints - is a good one.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1421552095,
https://github.com/simonw/datasette/issues/1852#issuecomment-1291272612,https://api.github.com/repos/simonw/datasette/issues/1852,1291272612,IC_kwDOBm6k_c5M90Gk,9599,2022-10-26T00:16:53Z,2022-10-26T00:16:53Z,OWNER,Next step: make these tokens actually do something.,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1421552095,
https://github.com/simonw/datasette/issues/1852#issuecomment-1291272414,https://api.github.com/repos/simonw/datasette/issues/1852,1291272414,IC_kwDOBm6k_c5M90De,9599,2022-10-26T00:16:28Z,2022-10-26T00:16:28Z,OWNER,If I'm going to change the naming conventions for settings I should do it before Datasette 1.0.,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1421552095,
https://github.com/simonw/datasette/issues/1852#issuecomment-1291271580,https://api.github.com/repos/simonw/datasette/issues/1852,1291271580,IC_kwDOBm6k_c5M9z2c,9599,2022-10-26T00:14:49Z,2022-10-26T00:15:06Z,OWNER,"If I'm going to have a setting to disable this feature I need to decide what it will be called.
Closest existing setting is this one, since it's for a feature that is turned on by default:
```
datasette mydatabase.db --setting allow_download off
```
So maybe this?
```
datasette mydatabase.db --setting allow_signed_api_tokens off
```
I like `allow_signed_api_tokens` more than `allow_api_tokens` because if you install a plugin such as https://datasette.io/plugins/datasette-auth-tokens then API tokens will work even though you disabled this default signed token feature.
`allow_signed_api_tokens` does feel a bit clumsy/verbose though.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1421552095,
https://github.com/simonw/datasette/issues/1852#issuecomment-1291270227,https://api.github.com/repos/simonw/datasette/issues/1852,1291270227,IC_kwDOBm6k_c5M9zhT,9599,2022-10-26T00:12:18Z,2022-10-26T00:12:18Z,OWNER,Demo is now live at https://latest-1-0-dev.datasette.io/-/create-token - visit https://latest-1-0-dev.datasette.io/login-as-root first to sign in.,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1421552095,
https://github.com/simonw/datasette/issues/1852#issuecomment-1291269607,https://api.github.com/repos/simonw/datasette/issues/1852,1291269607,IC_kwDOBm6k_c5M9zXn,9599,2022-10-26T00:11:15Z,2022-10-26T00:11:15Z,OWNER,"If you click ""Create token"" for ""Token never expires"" multiple times you currently get exactly the same token each time, since it's just a signed token containing a copy of your actor dictionary.
I'm not sure if I like that. I could give each token a random ID (maybe using `secrets.token_hex()`) such that different tokens have different identities, which would be useful for logging and auditing and maybe even revocation at some point in the future.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1421552095,
https://github.com/simonw/datasette/issues/1852#issuecomment-1291268380,https://api.github.com/repos/simonw/datasette/issues/1852,1291268380,IC_kwDOBm6k_c5M9zEc,9599,2022-10-26T00:09:06Z,2022-10-26T00:09:06Z,OWNER,"Demo:
![token-demo](https://user-images.githubusercontent.com/9599/197904595-e5651d6c-bafc-4124-b762-71ad94c06ced.gif)
","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1421552095,