{"html_url": "https://github.com/simonw/datasette/issues/1951#issuecomment-1350293098", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1951", "id": 1350293098, "node_id": "IC_kwDOBm6k_c5Qe9Zq", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-14T02:43:44Z", "updated_at": "2022-12-14T02:43:44Z", "author_association": "OWNER", "body": "Documentation for the new method: https://docs.datasette.io/en/latest/internals.html#create-token-actor-id-expires-after-none-restrict-all-none-restrict-database-none-restrict-resource-none", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1495431932, "label": "`datasette.create_token(...)` method for creating signed API tokens"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1951#issuecomment-1350231654", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1951", "id": 1350231654, "node_id": "IC_kwDOBm6k_c5QeuZm", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-14T01:48:50Z", "updated_at": "2022-12-14T01:48:57Z", "author_association": "OWNER", "body": "I like that the word `restrict` reflects the `_r` in the actor/token.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1495431932, "label": "`datasette.create_token(...)` method for creating signed API tokens"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1951#issuecomment-1350222701", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1951", "id": 1350222701, "node_id": "IC_kwDOBm6k_c5QesNt", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-14T01:35:05Z", "updated_at": "2022-12-14T01:35:22Z", "author_association": "OWNER", "body": "Maybe this:\r\n\r\n```python\r\ndatasette.create_token(\"root\", expires_after=3600, restrict_all=(\"view-query\", \"view-table\"))\r\n\r\ntoken = datasette.create_token(\"root\", expires_after=3600, restrict_database={\r\n  \"fixtures\": (\"view-query\",)\r\n})\r\n\r\ntoken = datasette.create_token(\"root\", expires_after=3600, restrict_resource={\r\n  \"fixtures\": {\r\n    \"facetable\": (\"insert-row\", \"update-row\")\r\n  }\r\n})\r\n```", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1495431932, "label": "`datasette.create_token(...)` method for creating signed API tokens"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1951#issuecomment-1350220579", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1951", "id": 1350220579, "node_id": "IC_kwDOBm6k_c5Qersj", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-14T01:31:38Z", "updated_at": "2022-12-14T01:31:38Z", "author_association": "OWNER", "body": "The problem with `all=(..)` is it feels misleading - it's actually restricting the permissions made available to the token.\r\n\r\nLikewise, `databases=` being a dict of restricted permissions isn't completely obvious.\r\n\r\nAnd the nested `tables=` dictionary feels a bit odd too.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1495431932, "label": "`datasette.create_token(...)` method for creating signed API tokens"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1951#issuecomment-1350218177", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1951", "id": 1350218177, "node_id": "IC_kwDOBm6k_c5QerHB", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-14T01:27:45Z", "updated_at": "2022-12-14T01:30:41Z", "author_association": "OWNER", "body": "Some sketches:\r\n```python\r\n# Token for root user\r\ntoken = datasette.create_token(\"root\")\r\n\r\n# Expiring in an hour\r\ntoken = datasette.create_token(\"root\", expires_after=3600)\r\n```\r\nMore complicated is when you want to restrict to specific permissions:\r\n```python\r\n# Limited to view-query and view-table\r\ntoken = datasette.create_token(\"root\", expires_after=3600, all=(\"view-query\", \"view-table\"))\r\n\r\n# I'm not sure about that all= name\r\n\r\n# Limits within a specific database:\r\ntoken = datasette.create_token(\"root\", expires_after=3600, databases={\r\n  \"fixtures\": (\"view-query\",)\r\n})\r\n\r\n# And specific tables:\r\ntoken = datasette.create_token(\"root\", expires_after=3600, tables={\r\n  \"fixtures\": {\r\n    \"facetable\": (\"insert-row\", \"update-row\")\r\n  }\r\n})\r\n```", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1495431932, "label": "`datasette.create_token(...)` method for creating signed API tokens"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1951#issuecomment-1350217380", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1951", "id": 1350217380, "node_id": "IC_kwDOBm6k_c5Qeq6k", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-14T01:26:22Z", "updated_at": "2022-12-14T01:26:22Z", "author_association": "OWNER", "body": "It's going to look very similar to the CLI tool, at least in terms of capabilities:\r\n```\r\nUsage: datasette create-token [OPTIONS] ID\r\n\r\n  Create a signed API token for the specified actor ID\r\n\r\n  Example:\r\n\r\n      datasette create-token root --secret mysecret\r\n\r\n  To allow only \"view-database-download\" for all databases:\r\n\r\n      datasette create-token root --secret mysecret \\\r\n          --all view-database-download\r\n\r\n  To allow \"create-table\" against a specific database:\r\n\r\n      datasette create-token root --secret mysecret \\\r\n          --database mydb create-table\r\n\r\n  To allow \"insert-row\" against a specific table:\r\n\r\n      datasette create-token root --secret myscret \\\r\n          --resource mydb mytable insert-row\r\n\r\n  Restricted actions can be specified multiple times using multiple --all,\r\n  --database, and --resource options.\r\n\r\n  Add --debug to see a decoded version of the token.\r\n```", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1495431932, "label": "`datasette.create_token(...)` method for creating signed API tokens"}, "performed_via_github_app": null}