From 0f013ff497df62e1dd2075777b9817555646010e Mon Sep 17 00:00:00 2001
From: Simon Willison <swillison@gmail.com>
Date: Tue, 25 Oct 2022 19:43:55 -0700
Subject: [PATCH] Mechanism to prevent tokens creating tokens, closes #1857

---
 datasette/default_permissions.py |  2 +-
 datasette/views/special.py       |  4 ++++
 docs/authentication.rst          |  2 ++
 tests/test_auth.py               | 11 ++++++++++-
 4 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/datasette/default_permissions.py b/datasette/default_permissions.py
index 4d836ddc..d908af7a 100644
--- a/datasette/default_permissions.py
+++ b/datasette/default_permissions.py
@@ -69,4 +69,4 @@ def actor_from_request(datasette, request):
     if expires_at is not None:
         if expires_at < time.time():
             return None
-    return {"id": decoded["a"], "dstok": True}
+    return {"id": decoded["a"], "token": "dstok"}
diff --git a/datasette/views/special.py b/datasette/views/special.py
index 7f70eb1f..91130353 100644
--- a/datasette/views/special.py
+++ b/datasette/views/special.py
@@ -177,6 +177,10 @@ class CreateTokenView(BaseView):
             raise Forbidden(
                 "You must be logged in as an actor with an ID to create a token"
             )
+        if request.actor.get("token"):
+            raise Forbidden(
+                "Token authentication cannot be used to create additional tokens"
+            )
 
     async def get(self, request):
         self.check_permission(request)
diff --git a/docs/authentication.rst b/docs/authentication.rst
index fc903fbb..cbecd296 100644
--- a/docs/authentication.rst
+++ b/docs/authentication.rst
@@ -348,6 +348,8 @@ A token created by a user will include that user's ``"id"`` in the token payload
 
 Coming soon: a mechanism for creating tokens that can only perform a subset of the actions available to the user who created them.
 
+This page cannot be accessed by actors with a ``"token": "some-value"`` property. This is to prevent API tokens from being used to automatically create more tokens. Datasette plugins that implement their own form of API token authentication should follow this convention.
+
 .. _permissions_plugins:
 
 Checking permissions in plugins
diff --git a/tests/test_auth.py b/tests/test_auth.py
index be21d6a5..397d51d7 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -180,6 +180,15 @@ def test_auth_create_token(app_client, post_data, errors, expected_duration):
             assert about_right - 2 < details["e"] < about_right + 2
 
 
+def test_auth_create_token_not_allowed_for_tokens(app_client):
+    ds_tok = app_client.ds.sign({"a": "test", "token": "dstok"}, "token")
+    response = app_client.get(
+        "/-/create-token",
+        headers={"Authorization": "Bearer dstok_{}".format(ds_tok)},
+    )
+    assert response.status == 403
+
+
 @pytest.mark.parametrize(
     "scenario,should_work",
     (
@@ -207,6 +216,6 @@ def test_auth_with_dstok_token(app_client, scenario, should_work):
         headers["Authorization"] = "Bearer {}".format(token)
     response = app_client.get("/-/actor.json", headers=headers)
     if should_work:
-        assert response.json == {"actor": {"id": "test", "dstok": True}}
+        assert response.json == {"actor": {"id": "test", "token": "dstok"}}
     else:
         assert response.json == {"actor": None}