{"html_url": "https://github.com/simonw/datasette/issues/785#issuecomment-636553736", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/785", "id": 636553736, "node_id": "MDEyOklzc3VlQ29tbWVudDYzNjU1MzczNg==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-01T00:18:40Z", "updated_at": "2020-06-01T00:18:40Z", "author_association": "OWNER", "body": "That documentation: https://github.com/simonw/datasette/blob/c818de88a9c2683437875f788e325d911c8b767b/docs/config.rst#configuring-the-secret", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 628025100, "label": "Datasette secret mechanism - initially for signed cookies"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/785#issuecomment-636541827", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/785", "id": 636541827, "node_id": "MDEyOklzc3VlQ29tbWVudDYzNjU0MTgyNw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-05-31T22:46:34Z", "updated_at": "2020-06-01T00:17:35Z", "author_association": "OWNER", "body": "This is nearly ready to close. 
I'm going to add documentation for `--secret` and the `DATASETTE_SECRET` environment variable.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 628025100, "label": "Datasette secret mechanism - initially for signed cookies"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/785#issuecomment-636541929", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/785", "id": 636541929, "node_id": "MDEyOklzc3VlQ29tbWVudDYzNjU0MTkyOQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-05-31T22:47:17Z", "updated_at": "2020-05-31T22:47:17Z", "author_association": "OWNER", "body": "I'll add a section about secrets to this page: https://datasette.readthedocs.io/en/latest/config.html", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 628025100, "label": "Datasette secret mechanism - initially for signed cookies"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/785#issuecomment-636541630", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/785", "id": 636541630, "node_id": "MDEyOklzc3VlQ29tbWVudDYzNjU0MTYzMA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-05-31T22:45:07Z", "updated_at": "2020-05-31T22:45:07Z", "author_association": "OWNER", "body": "Documentation for those new methods: https://github.com/simonw/datasette/blob/e28207e76ec3b26b2c396370fd3fb325a60bfd49/docs/internals.rst#signvalue-namespacedefault", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 628025100, "label": "Datasette secret mechanism - initially for signed cookies"}, "performed_via_github_app": null} 
{"html_url": "https://github.com/simonw/datasette/issues/785#issuecomment-636539295", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/785", "id": 636539295, "node_id": "MDEyOklzc3VlQ29tbWVudDYzNjUzOTI5NQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-05-31T22:24:14Z", "updated_at": "2020-05-31T22:28:27Z", "author_association": "OWNER", "body": "I'll add two utility methods to the Datasette class:\r\n\r\n- `datasette.sign(value, \"namespace\")` - returns signed string\r\n- `datasette.unsign(signed, \"namespace\")` - returns value OR raises `BadSignature`", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 628025100, "label": "Datasette secret mechanism - initially for signed cookies"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/785#issuecomment-636538298", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/785", "id": 636538298, "node_id": "MDEyOklzc3VlQ29tbWVudDYzNjUzODI5OA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-05-31T22:14:43Z", "updated_at": "2020-05-31T22:15:01Z", "author_association": "OWNER", "body": "... 
actually no I'll do it using a CLI option that can also be in an environment variable:\r\n\r\nhttps://click.palletsprojects.com/en/7.x/options/#values-from-environment-variables\r\n\r\n```python\r\nimport click\r\n\r\n# --secret falls back to the DATASETTE_SECRET environment variable when not passed\r\n@click.command()\r\n@click.option('--secret', envvar='DATASETTE_SECRET')\r\ndef greet(secret):\r\n    ...\r\n```", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 628025100, "label": "Datasette secret mechanism - initially for signed cookies"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/785#issuecomment-636537921", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/785", "id": 636537921, "node_id": "MDEyOklzc3VlQ29tbWVudDYzNjUzNzkyMQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-05-31T22:11:29Z", "updated_at": "2020-05-31T22:11:29Z", "author_association": "OWNER", "body": "First version of cookie signing will use a secret that is either pulled from the `DATASETTE_SECRET` environment variable or generated every time the server starts. 
I'll add a non-environment-variable based secret later.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 628025100, "label": "Datasette secret mechanism - initially for signed cookies"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/785#issuecomment-636537679", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/785", "id": 636537679, "node_id": "MDEyOklzc3VlQ29tbWVudDYzNjUzNzY3OQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-05-31T22:09:23Z", "updated_at": "2020-05-31T22:09:23Z", "author_association": "OWNER", "body": "I'm going to use https://github.com/pallets/itsdangerous for this.\r\n\r\nAnnoyingly they're very close to release v2.0 which adds support for key rotation... but it's not quite out of pre-release yet. I'll go with 1.1.0 for the moment and upgrade to 2.0 as soon as that is out.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 628025100, "label": "Datasette secret mechanism - initially for signed cookies"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/785#issuecomment-636515763", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/785", "id": 636515763, "node_id": "MDEyOklzc3VlQ29tbWVudDYzNjUxNTc2Mw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-05-31T19:19:03Z", "updated_at": "2020-05-31T19:19:13Z", "author_association": "OWNER", "body": "Maybe Datasette should have a `--secrets=path/to/secrets.json` command-line option for storing these?", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 628025100, "label": "Datasette secret mechanism - 
initially for signed cookies"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/785#issuecomment-636515671", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/785", "id": 636515671, "node_id": "MDEyOklzc3VlQ29tbWVudDYzNjUxNTY3MQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-05-31T19:18:18Z", "updated_at": "2020-05-31T19:18:18Z", "author_association": "OWNER", "body": "That `user_state_dir` solution may have been more trouble than it was worth though - I seem to remember it causing issues on some hosting providers.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 628025100, "label": "Datasette secret mechanism - initially for signed cookies"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/785#issuecomment-636515599", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/785", "id": 636515599, "node_id": "MDEyOklzc3VlQ29tbWVudDYzNjUxNTU5OQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-05-31T19:17:43Z", "updated_at": "2020-05-31T19:17:43Z", "author_association": "OWNER", "body": "I previously solved this for the `datasette-auth-existing-cookies` plugin as described in this issue: https://github.com/simonw/datasette-auth-existing-cookies/issues/1\r\n\r\n> Concrete plan: you have to pass a secret to the class constructor. 
The Datasette plugin (the code in `__init__.py`) uses the following in order of preference (first things are most preferred):\r\n> \r\n> - A plugin configuration option called `cookie_secret` - which can be protected by this mechanism: https://datasette.readthedocs.io/en/stable/plugins.html#secret-configuration-values\r\n> - A JSON configuration file in the `user_state_dir` file, if it exists\r\n> - If that does not exist, a secret is generated and written to that JSON file\r\n> \r\n> I originally planned to have separate support for an environment variable, but the existence of the [secret configuration values](https://datasette.readthedocs.io/en/stable/plugins.html#secret-configuration-values) mechanism means this is already handled.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 628025100, "label": "Datasette secret mechanism - initially for signed cookies"}, "performed_via_github_app": null}