allow_signed_tokens setting, closes #1856

2025-12-10 16:51:24 +01:00 · 2022-10-25 19:55:47 -07:00 · 2022-10-25 19:55:47 -07:00 · c23fa850e7
commit c23fa850e7
parent 0f013ff497
8 changed files with 48 additions and 5 deletions
--- a/docs/authentication.rst
+++ b/docs/authentication.rst
@ -350,6 +350,8 @@ Coming soon: a mechanism for creating tokens that can only perform a subset of t

 This page cannot be accessed by actors with a ``"token": "some-value"`` property. This is to prevent API tokens from being used to automatically create more tokens. Datasette plugins that implement their own form of API token authentication should follow this convention.

+You can disable this feature using the :ref:`allow_signed_tokens <setting_allow_signed_tokens>` setting.
+
 .. _permissions_plugins:

 Checking permissions in plugins
--- a/docs/cli-reference.rst
+++ b/docs/cli-reference.rst
@ -226,6 +226,8 @@ These can be passed to ``datasette serve`` using ``datasette serve --setting nam
                                   ?_facet= parameter (default=True)
      allow_download               Allow users to download the original SQLite
                                   database files (default=True)
+      allow_signed_tokens          Allow users to create and use signed API tokens
+                                   (default=True)
      suggest_facets               Calculate and display suggested facets
                                   (default=True)
      default_cache_ttl            Default HTTP cache TTL (used in Cache-Control:
--- a/docs/plugins.rst
+++ b/docs/plugins.rst
@ -151,6 +151,7 @@ If you run ``datasette plugins --all`` it will include default plugins that ship
            "templates": false,
            "version": null,
            "hooks": [
+                "actor_from_request",
                "permission_allowed"
            ]
        },
--- a/docs/settings.rst
+++ b/docs/settings.rst
@ -169,6 +169,19 @@ Should users be able to download the original SQLite database using a link on th

    datasette mydatabase.db --setting allow_download off

+.. _setting_allow_signed_tokens:
+
+allow_signed_tokens
+~~~~~~~~~~~~~~~~~~~
+
+Should users be able to create signed API tokens to access Datasette?
+
+This is turned on by default. Use the following to turn it off::
+
+    datasette mydatabase.db --setting allow_signed_tokens off
+
+Turning this setting off will disable the ``/-/create-token`` page, :ref:`described here <CreateTokenView>`. It will also cause any incoming ``Authorization: Bearer dstok_...`` API tokens to be ignored.
+
 .. _setting_default_cache_ttl:

 default_cache_ttl