From c23fa850e7f21977e367e3467656055216978e8a Mon Sep 17 00:00:00 2001
From: Simon Willison <swillison@gmail.com>
Date: Tue, 25 Oct 2022 19:55:47 -0700
Subject: [PATCH] allow_signed_tokens setting, closes #1856

---
 datasette/app.py                 |  5 +++++
 datasette/default_permissions.py |  2 ++
 datasette/views/special.py       |  2 ++
 docs/authentication.rst          |  2 ++
 docs/cli-reference.rst           |  2 ++
 docs/plugins.rst                 |  1 +
 docs/settings.rst                | 13 +++++++++++++
 tests/test_auth.py               | 26 +++++++++++++++++++++-----
 8 files changed, 48 insertions(+), 5 deletions(-)

diff --git a/datasette/app.py b/datasette/app.py
index cab9d142..c868f8d3 100644
--- a/datasette/app.py
+++ b/datasette/app.py
@@ -124,6 +124,11 @@ SETTINGS = (
         True,
         "Allow users to download the original SQLite database files",
     ),
+    Setting(
+        "allow_signed_tokens",
+        True,
+        "Allow users to create and use signed API tokens",
+    ),
     Setting("suggest_facets", True, "Calculate and display suggested facets"),
     Setting(
         "default_cache_ttl",
diff --git a/datasette/default_permissions.py b/datasette/default_permissions.py
index d908af7a..49ca8851 100644
--- a/datasette/default_permissions.py
+++ b/datasette/default_permissions.py
@@ -52,6 +52,8 @@ def permission_allowed(datasette, actor, action, resource):
 @hookimpl
 def actor_from_request(datasette, request):
     prefix = "dstok_"
+    if not datasette.setting("allow_signed_tokens"):
+        return None
     authorization = request.headers.get("authorization")
     if not authorization:
         return None
diff --git a/datasette/views/special.py b/datasette/views/special.py
index 91130353..89015958 100644
--- a/datasette/views/special.py
+++ b/datasette/views/special.py
@@ -171,6 +171,8 @@ class CreateTokenView(BaseView):
     has_json_alternate = False
 
     def check_permission(self, request):
+        if not self.ds.setting("allow_signed_tokens"):
+            raise Forbidden("Signed tokens are not enabled for this Datasette instance")
         if not request.actor:
             raise Forbidden("You must be logged in to create a token")
         if not request.actor.get("id"):
diff --git a/docs/authentication.rst b/docs/authentication.rst
index cbecd296..50304ec5 100644
--- a/docs/authentication.rst
+++ b/docs/authentication.rst
@@ -350,6 +350,8 @@ Coming soon: a mechanism for creating tokens that can only perform a subset of t
 
 This page cannot be accessed by actors with a ``"token": "some-value"`` property. This is to prevent API tokens from being used to automatically create more tokens. Datasette plugins that implement their own form of API token authentication should follow this convention.
 
+You can disable this feature using the :ref:`allow_signed_tokens <setting_allow_signed_tokens>` setting.
+
 .. _permissions_plugins:
 
 Checking permissions in plugins
diff --git a/docs/cli-reference.rst b/docs/cli-reference.rst
index 4a8465cb..fd5e2404 100644
--- a/docs/cli-reference.rst
+++ b/docs/cli-reference.rst
@@ -226,6 +226,8 @@ These can be passed to ``datasette serve`` using ``datasette serve --setting nam
                                    ?_facet= parameter (default=True)
       allow_download               Allow users to download the original SQLite
                                    database files (default=True)
+      allow_signed_tokens          Allow users to create and use signed API tokens
+                                   (default=True)
       suggest_facets               Calculate and display suggested facets
                                    (default=True)
       default_cache_ttl            Default HTTP cache TTL (used in Cache-Control:
diff --git a/docs/plugins.rst b/docs/plugins.rst
index 29078054..9efef32f 100644
--- a/docs/plugins.rst
+++ b/docs/plugins.rst
@@ -151,6 +151,7 @@ If you run ``datasette plugins --all`` it will include default plugins that ship
             "templates": false,
             "version": null,
             "hooks": [
+                "actor_from_request",
                 "permission_allowed"
             ]
         },
diff --git a/docs/settings.rst b/docs/settings.rst
index a6d50543..be640b21 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -169,6 +169,19 @@ Should users be able to download the original SQLite database using a link on th
 
     datasette mydatabase.db --setting allow_download off
 
+.. _setting_allow_signed_tokens:
+
+allow_signed_tokens
+~~~~~~~~~~~~~~~~~~~
+
+Should users be able to create signed API tokens to access Datasette?
+
+This is turned on by default. Use the following to turn it off::
+
+    datasette mydatabase.db --setting allow_signed_tokens off
+
+Turning this setting off will disable the ``/-/create-token`` page, :ref:`described here <CreateTokenView>`. It will also cause any incoming ``Authorization: Bearer dstok_...`` API tokens to be ignored.
+
 .. _setting_default_cache_ttl:
 
 default_cache_ttl
diff --git a/tests/test_auth.py b/tests/test_auth.py
index 397d51d7..a79dafd8 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -189,9 +189,20 @@ def test_auth_create_token_not_allowed_for_tokens(app_client):
     assert response.status == 403
 
 
+def test_auth_create_token_not_allowed_if_allow_signed_tokens_off(app_client):
+    app_client.ds._settings["allow_signed_tokens"] = False
+    try:
+        ds_actor = app_client.actor_cookie({"id": "test"})
+        response = app_client.get("/-/create-token", cookies={"ds_actor": ds_actor})
+        assert response.status == 403
+    finally:
+        app_client.ds._settings["allow_signed_tokens"] = True
+
+
 @pytest.mark.parametrize(
     "scenario,should_work",
     (
+        ("allow_signed_tokens_off", False),
         ("no_token", False),
         ("invalid_token", False),
         ("expired_token", False),
@@ -201,7 +212,7 @@ def test_auth_create_token_not_allowed_for_tokens(app_client):
 )
 def test_auth_with_dstok_token(app_client, scenario, should_work):
     token = None
-    if scenario == "valid_unlimited_token":
+    if scenario in ("valid_unlimited_token", "allow_signed_tokens_off"):
         token = app_client.ds.sign({"a": "test"}, "token")
     elif scenario == "valid_expiring_token":
         token = app_client.ds.sign({"a": "test", "e": int(time.time()) + 1000}, "token")
@@ -211,11 +222,16 @@ def test_auth_with_dstok_token(app_client, scenario, should_work):
         token = "invalid"
     if token:
         token = "dstok_{}".format(token)
+    if scenario == "allow_signed_tokens_off":
+        app_client.ds._settings["allow_signed_tokens"] = False
     headers = {}
     if token:
         headers["Authorization"] = "Bearer {}".format(token)
     response = app_client.get("/-/actor.json", headers=headers)
-    if should_work:
-        assert response.json == {"actor": {"id": "test", "token": "dstok"}}
-    else:
-        assert response.json == {"actor": None}
+    try:
+        if should_work:
+            assert response.json == {"actor": {"id": "test", "token": "dstok"}}
+        else:
+            assert response.json == {"actor": None}
+    finally:
+        app_client.ds._settings["allow_signed_tokens"] = True