{"html_url": "https://github.com/simonw/datasette/issues/1850#issuecomment-1291430992", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1850", "id": 1291430992, "node_id": "IC_kwDOBm6k_c5M-axQ", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-10-26T02:59:33Z", "updated_at": "2022-10-26T02:59:33Z", "author_association": "OWNER", "body": "I started the documentation for the API tokens mechanism here: https://docs.datasette.io/en/1.0-dev/authentication.html#api-tokens", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1421529723, "label": "Write API in Datasette core"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1850#issuecomment-1291417755", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1850", "id": 1291417755, "node_id": "IC_kwDOBm6k_c5M-Xib", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-10-26T02:36:52Z", "updated_at": "2022-10-26T02:36:58Z", "author_association": "OWNER", "body": "I'm going to set a convention that `\"token\": \"something\"` in an actor means that they were authenticated by a token.\r\n\r\n`\"token\": \"dstok\"` for example.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1421529723, "label": "Write API in Datasette core"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1850#issuecomment-1291417100", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1850", "id": 1291417100, "node_id": "IC_kwDOBm6k_c5M-XYM", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-10-26T02:35:32Z", "updated_at": "2022-10-26T02:35:32Z", "author_association": "OWNER", "body": "It strikes me that users should NOT be able to use a token to create additional tokens.\r\n\r\nThe current design actually does allow that, since the `dstok_` Bearer token can be used to authenticate calls to the `/-/create-token` page.\r\n\r\nSo I think I need a mechanism whereby that page can only allow access to users authenticated by cookie.\r\n\r\nNot obvious how to do that though, since Datasette's authentication actor system is designed to abstract that detail away!", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1421529723, "label": "Write API in Datasette core"}, "performed_via_github_app": null}