issues: 1423347412

This data as json

id node_id number title user state locked assignee milestone comments created_at updated_at closed_at author_association pull_request body repo type active_lock_reason performed_via_github_app reactions draft state_reason
1423347412 I_kwDOBm6k_c5U1o7U 1857 Prevent API tokens from using /-/create-token to create more tokens 9599 closed 0   8658075 1 2022-10-26T02:38:09Z 2022-11-15T19:57:11Z 2022-10-26T02:57:26Z OWNER  

It strikes me that users should NOT be able to use a token to create additional tokens.

The current design actually does allow that, since the dstok_ Bearer token can be used to authenticate calls to the /-/create-token page.

So I think I need a mechanism whereby that page can only allow access to users authenticated by cookie.

Not obvious how to do that though, since Datasette's authentication actor system is designed to abstract that detail away!

Originally posted by @simonw in https://github.com/simonw/datasette/issues/1850#issuecomment-1291417100

 107914493 issue     
{
    "url": "https://api.github.com/repos/simonw/datasette/issues/1857/reactions",
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
   completed

Links from other tables