From 9eb9ffae3ddd4e8ff0b713bf6fd6a0afed3368d7 Mon Sep 17 00:00:00 2001
From: Simon Willison <swillison@gmail.com>
Date: Sun, 30 Oct 2022 13:09:55 -0700
Subject: [PATCH] Drop API token requirement from API explorer, refs #1871

---
 datasette/default_permissions.py      |  9 +++++++++
 datasette/templates/api_explorer.html | 13 ++++---------
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/datasette/default_permissions.py b/datasette/default_permissions.py
index 87684e2a..151ba2b5 100644
--- a/datasette/default_permissions.py
+++ b/datasette/default_permissions.py
@@ -131,3 +131,12 @@ def register_commands(cli):
         if debug:
             click.echo("\nDecoded:\n")
             click.echo(json.dumps(ds.unsign(token, namespace="token"), indent=2))
+
+
+@hookimpl
+def skip_csrf(scope):
+    # Skip CSRF check for requests with content-type: application/json
+    if scope["type"] == "http":
+        headers = scope.get("headers") or {}
+        if dict(headers).get(b"content-type") == b"application/json":
+            return True
diff --git a/datasette/templates/api_explorer.html b/datasette/templates/api_explorer.html
index 034bee60..01b182d8 100644
--- a/datasette/templates/api_explorer.html
+++ b/datasette/templates/api_explorer.html
@@ -15,16 +15,13 @@
 {% endif %}
 
 <form method="post" id="api-explorer">
-  <div>
-    <label for="auth-token">API token:</label>
-    <input type="text" id="auth-token" name="token" value="" style="width: 40%">
-  </div>
   <div>
     <label for="path">API path:</label>
-    <input type="text" id="path" name="path" value="/fixtures/searchable/-/insert" style="width: 40%">
+    <input type="text" id="path" name="path" value="/fixtures/searchable/-/insert" style="width: 60%">
   </div>
-  <div>
-    <textarea name="json" style="width: 60%; height: 200px; font-family: monospace; font-size: 0.8em;"></textarea>
+  <div style="margin: 0.5em 0">
+    <label for="apiJson" style="vertical-align: top">JSON:</label>
+    <textarea id="apiJson" name="json" style="width: 60%; height: 200px; font-family: monospace; font-size: 0.8em;"></textarea>
   </div>
   <p><button id="json-format" type="button">Format JSON</button> <input type="submit" value="POST"></p>
 </form>
@@ -46,7 +43,6 @@ form.addEventListener("submit", (ev) => {
   var formData = new FormData(form);
   var json = formData.get('json');
   var path = formData.get('path');
-  var token = formData.get('token');
   // Validate JSON
   try {
     var data = JSON.parse(json);
@@ -60,7 +56,6 @@ form.addEventListener("submit", (ev) => {
     body: json,
     headers: {
       'Content-Type': 'application/json',
-      'Authorization': `Bearer ${token}`
     }
   }).then(r => r.json()).then(r => {
     alert(JSON.stringify(r, null, 2));