id,node_id,number,title,user,state,locked,assignee,milestone,comments,created_at,updated_at,closed_at,author_association,pull_request,body,repo,type,active_lock_reason,performed_via_github_app,reactions,draft,state_reason
1423336089,I_kwDOBm6k_c5U1mKZ,1855,`datasette create-token` ability to create tokens with a reduced set of permissions,9599,closed,0,,8711695,19,2022-10-26T02:20:52Z,2022-12-14T01:24:49Z,2022-12-13T05:20:24Z,OWNER,,"Initial design ideas: https://github.com/simonw/datasette/issues/1852#issuecomment-1289733483

> Token design concept:
> 
> ```json
> {
>     ""t"": {
>         ""a"": [""ir"", ""ur"", ""dr""],
>         ""d"": {
>             ""fixtures"": [""ir"", ""ur"", ""dr""]
>         },
>         ""t"": {
>             ""fixtures"": {
>                 ""searchable"": [""ir""]
>             }
>         }
>     }
> }
> ```
> 
> That JSON would be minified and signed.
> 
> Minified version of the above looks like this (101 characters):
> 
> `{""t"":{""a"":[""ir"",""ur"",""dr""],""d"":{""fixtures"":[""ir"",""ur"",""dr""]},""t"":{""fixtures"":{""searchable"":[""ir""]}}}}`
> 
> The `""t""` key shows this is a token that as a default API key.
> 
> `""a""` means ""all"" - these are permissions that have been granted on all tables and databases.
> 
> `""d""` means ""databases"" - this is a way to set permissions for all tables in a specific database.
> 
> `""t""` means ""tables"" - this lets you set permissions at a finely grained table level.
> 
> Then the permissions themselves are two character codes which are shortened versions - so:
> 
> * `ir` = `insert-row`
> * `ur` = `update-row`
> * `dr` = `delete-row`

## Remaining tasks

- [x] Add these options to the `datasette create-token` command
- [x] Tests for `datasette create-token` options
- [x] Documentation for those options at https://docs.datasette.io/en/latest/authentication.html#datasette-create-token
- [x] A way to handle permissions that don't have known abbreviations (permissions added by plugins). Probably need to solve the plugin permission registration problem as part of that
- [x] Stop hard-coding names of actions in the `permission_allowed_actor_restrictions` function",107914493,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1855/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed
1423369494,I_kwDOBm6k_c5U1uUW,1859,datasette create-token CLI command,9599,closed,0,,8658075,3,2022-10-26T03:12:59Z,2022-11-15T19:59:00Z,2022-10-26T04:31:39Z,OWNER,,The CLI equivalent of the `/-/create-token` page.,107914493,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1859/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed
1423364990,I_kwDOBm6k_c5U1tN-,1858,`max_signed_tokens_ttl` setting for a maximum duration on API tokens,9599,closed,0,,8658075,4,2022-10-26T03:05:53Z,2022-11-15T19:58:52Z,2022-10-27T03:15:05Z,OWNER,,"It's currently possible to use `/-/create-token` to create a token that lasts forever.

Some administrators may wish to have a maximum expiry instead. I should support that with a setting.",107914493,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1858/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed
1423347412,I_kwDOBm6k_c5U1o7U,1857,Prevent API tokens from using /-/create-token to create more tokens,9599,closed,0,,8658075,1,2022-10-26T02:38:09Z,2022-11-15T19:57:11Z,2022-10-26T02:57:26Z,OWNER,,"> It strikes me that users should NOT be able to use a token to create additional tokens.
>
> The current design actually does allow that, since the `dstok_` Bearer token can be used to authenticate calls to the `/-/create-token` page.
>
> So I think I need a mechanism whereby that page can only allow access to users authenticated by cookie.
> 
> Not obvious how to do that though, since Datasette's authentication actor system is designed to abstract that detail away!

_Originally posted by @simonw in https://github.com/simonw/datasette/issues/1850#issuecomment-1291417100_",107914493,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1857/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed
1423336122,I_kwDOBm6k_c5U1mK6,1856,allow_signed_tokens setting for disabling API signed token mechanism,9599,closed,0,,8658075,3,2022-10-26T02:20:55Z,2022-11-15T19:57:05Z,2022-10-26T02:58:35Z,OWNER,,"Had some design thoughts here: https://github.com/simonw/datasette/issues/1852#issuecomment-1291272280

I liked this option the most:

    --setting allow_create_tokens off",107914493,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1856/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed
1424378012,I_kwDOBm6k_c5U5kic,1860,SQL query field can't begin by a comment,562352,closed,0,,,12,2022-10-26T16:55:31Z,2022-10-27T18:57:37Z,2022-10-27T04:21:40Z,NONE,,"![image](https://user-images.githubusercontent.com/562352/198085197-f26fcd61-4dac-4ca4-a346-e70f88a30ecc.png)

SQL comments are **very** useful to explain the meaning of the query. It's currently impossible to put it at the beginning of the field as seen on the screen capture: it leads to an error: `Statement must be a SELECT`.

It would be great to make it possible because:
* as the request is the title of the page:
  * it eases the search with search engines
  * it eases the search in the browsers' url field
* it acts as a kind of title: the global meaning of the query is immediately understandable
* some tools, such as Slack, are shortening long URLs and displaying the beginning of the URLs (eg. `https://example.org/products?sql=select+%28length%28data_quality_errors_ta[...]+%21%3D+%22%22+group+by+NB_of_issues+order+by+NB_of_issues+desc+limit+200`)

Beginning a query with a comment is possible with SQLite.
",107914493,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1860/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed