Mechanism to prevent tokens creating tokens, closes #1857

This commit is contained in:
Simon Willison 2022-10-25 19:43:55 -07:00
commit 0f013ff497
4 changed files with 17 additions and 2 deletions


@ -69,4 +69,4 @@ def actor_from_request(datasette, request):
if expires_at is not None:
if expires_at < time.time():
return None
return {"id": decoded["a"], "dstok": True}
return {"id": decoded["a"], "token": "dstok"}


@ -177,6 +177,10 @@ class CreateTokenView(BaseView):
raise Forbidden(
"You must be logged in as an actor with an ID to create a token"
)
if request.actor.get("token"):
raise Forbidden(
"Token authentication cannot be used to create additional tokens"
)
async def get(self, request):
self.check_permission(request)
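Review bot: The new guard `if request.actor.get("token"):` is a truthiness test, so an actor dict carrying `"token": ""` or `"token": 0` would still be allowed to mint tokens; since the sibling hunk tags token-derived actors with the string `"dstok"`, the intent reads as presence-based, and `if "token" in request.actor:` states that directly and is not fooled by falsy values. The protection also depends on every token-style authentication path setting this key — only the `dstok` path in the first hunk is visible here, so any other plugin that turns a bearer token into an actor without adding `"token"` would bypass the check; a short comment above the guard, `# Actors produced from a token must carry a "token" key; plugins that authenticate via tokens must set it`, would record that contract for maintainers. The enclosing method (presumably `check_permission`) starts before the hunk, so whether `request.actor` can still be `None` here depends on the earlier check that is only partly visible.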