allow_signed_tokens setting, closes #1856

datasette/app.py

@@ -124,6 +124,11 @@ SETTINGS = (
         True,
         "Allow users to download the original SQLite database files",
     ),
+    Setting(
+        "allow_signed_tokens",
+        True,
+        "Allow users to create and use signed API tokens",
+    ),
     Setting("suggest_facets", True, "Calculate and display suggested facets"),
     Setting(
         "default_cache_ttl",

datasette/default_permissions.py

@@ -52,6 +52,8 @@ def permission_allowed(datasette, actor, action, resource):
 @hookimpl
 def actor_from_request(datasette, request):
     prefix = "dstok_"
+    if not datasette.setting("allow_signed_tokens"):
+        return None
     authorization = request.headers.get("authorization")
     if not authorization:
         return None

datasette/views/special.py

@@ -171,6 +171,8 @@ class CreateTokenView(BaseView):
     has_json_alternate = False
 
     def check_permission(self, request):
+        if not self.ds.setting("allow_signed_tokens"):
+            raise Forbidden("Signed tokens are not enabled for this Datasette instance")
         if not request.actor:
             raise Forbidden("You must be logged in to create a token")
         if not request.actor.get("id"):