github/datasette
1
0
Fork 0
mirror of https://github.com/simonw/datasette.git synced 2025-12-10 16:51:24 +01:00
Code Issues Projects Releases Packages Wiki Activity

Mechanism to prevent tokens creating tokens, closes #1857

Browse source
This commit is contained in:
Simon Willison 2022-10-25 19:43:55 -07:00
commit 0f013ff497
4 changed files with 17 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/authentication.rst
View file

@ -348,6 +348,8 @@ A token created by a user will include that user's ``"id"`` in the token payload
Coming soon: a mechanism for creating tokens that can only perform a subset of the actions available to the user who created them.
This page cannot be accessed by actors with a ``"token": "some-value"`` property. This is to prevent API tokens from being used to automatically create more tokens. Datasette plugins that implement their own form of API token authentication should follow this convention.
.. _permissions_plugins:
Checking permissions in plugins