issue_comments

https://simonwillison.net/2020/Jul/1/datasette-045/

https://datasette.readthedocs.io/en/latest/changelog.html#v0-45

I've been testing the WIP using this in the console: javascript fetch('/data/add_name.json', { method: 'POST', body: 'name=XXXfetch', credentials: 'omit', headers: {'Content-Type': 'application/x-www-form-urlencoded'} }) .then(response => console.log(response)) Against a canned query configured like this: yaml databases: data: queries: add_name: sql: insert into names (name) values (:name) write: true I haven't got it to work yet. Latest error is this one: INFO: Uvicorn running on http://127.0.0.1:8001 (Press CTRL+C to quit) Traceback (most recent call last): File "/Users/simon/Dropbox/Development/datasette/datasette/app.py", line 975, in route_path await response.asgi_send(send) AttributeError: 'tuple' object has no attribute 'asgi_send' INFO: 127.0.0.1:49938 - "POST /data/add_name.json HTTP/1.1" 500 Internal Server Error It looks like I'm going to have to rethink how the BaseView code around tables, formats and hashes is structured in order to fix this. That's a big refactoring! I'm moving this to a new milestone for Datasette 0.46.

Don't forget to update the news in the README.

The latest release of https://github.com/simonw/datasette-auth-tokens (0.2) now supports SQL configuration of tokens.

Tokens get verified by plugins. So far there's only one: https://github.com/simonw/datasette-auth-tokens - which has you hard-coding plugins in a configuration file. I have a issue there to add support for database-backed tokens too: https://github.com/simonw/datasette-auth-tokens/issues/1

Have you tried the method described here? https://datasette.readthedocs.io/en/latest/internals.html#csrf-protection - I'm happy to bulk out that section of the documentation if that doesn't help solve your problem.

I just closed #835 which should make CSRF protection easier to work with - it won't interfere with requests without cookies or requests with Authentication: Bearer token tokens. See also https://github.com/simonw/asgi-csrf/issues/11

You can try out pip install datasette==0.45a5 to get those features. Hopefully releasing a full 0.45 tomorrow.

This case may not be covered without extra work: https://github.com/simonw/datasette/blob/3ec5b1abf6afa2d22a3378092809a1a8c0249d26/datasette/views/database.py#L122-L123

This can be a plugin hook:

python @hookspec def forbidden(datasette, request, message, send): "Custom response for a 403 forbidden error" If the hook returns a Response object, it will be returned to the user. Plugins are likely to want to return a redirect response.

Maybe the hook can instead use the send argument to respond to the request and return True which means "I've responded to this"?

I'm going to leave send off for the moment - I can add that in the future if it turns out it would have been a good idea.

The response from this will never be a 302 - it will always be a 200 if the response worked or a 400 for bad parameters or a 500 for errors. The body returned will always be in JSON format.

I'm going to add some tests for this.