mirror of
https://github.com/simonw/datasette.git
synced 2026-05-27 20:36:17 +02:00
c96dc5ce26Closes #2649 * Add register_token_handler plugin hook for pluggable token backends Adds a new register_token_handler hook that allows plugins to provide custom token creation and verification backends. This enables plugins like datasette-oauth to issue tokens without depending on specific backend plugins like datasette-auth-tokens. Key changes: - New datasette/tokens.py with TokenHandler base class and SignedTokenHandler (the default signed-token implementation moved here) - New register_token_handler hookspec in hookspecs.py - Datasette.create_token() is now async and delegates to token handlers - New Datasette.verify_token() method tries all handlers in sequence - handler= parameter on create_token() to select a specific backend - TokenHandler exported from datasette package for plugin use - Fixed actor_from_request loop to await all coroutines (avoids warnings) * Add documentation and hook test for register_token_handler Fixes CI failures: the new hook needs a section in docs/plugin_hooks.rst (checked by test_plugin_hooks_are_documented) and a test_hook_* function in test_plugins.py (checked by test_plugin_hooks_have_tests). * Register tokens module as separate default plugin Instead of re-exporting hookimpls from default_permissions/__init__.py, register datasette.default_permissions.tokens as its own DEFAULT_PLUGINS entry. Cleaner and avoids confusing import-for-side-effect patterns. * Replace restrict_x params with TokenRestrictions dataclass Consolidates the three separate restrict_all, restrict_database, and restrict_resource parameters into a single TokenRestrictions dataclass. Cleaner API surface for both Datasette.create_token() and TokenHandler.create_token(). Also clarifies docs re: default handler selection via pluggy ordering. * Add builder methods to TokenRestrictions Adds allow_all(), allow_database(), and allow_resource() methods that return self for chaining. Callers no longer need to manipulate nested dicts directly: restrictions = (TokenRestrictions() .allow_all("view-instance") .allow_database("mydb", "create-table") .allow_resource("mydb", "mytable", "insert-row")) * docs: add 1.0a25 upgrade guide section for create_token() signature change Ref: https://github.com/simonw/datasette/issues/2649#issuecomment-3962639393 * docs: note that create_token() is now async in upgrade guide * docs: update internals, plugin_hooks, authentication for new token API - internals.rst: new async create_token() signature with restrictions and handler params, add TokenRestrictions reference docs - plugin_hooks.rst: show full create_token signature in TokenHandler example, note list returns and error cases - authentication.rst: cross-reference TokenRestrictions from the restrictions section * style: apply black formatting to token handler files * docs: fix RST heading underline length in internals.rst * tests: add restrictions round-trip and expiration tests for token handler Covers allow_database/allow_resource builders, _r payload encoding, and token_expires in verified actors. Coverage 76% -> 90%. * tests: add test for signed tokens disabled * fix: add TokenRestrictions TYPE_CHECKING import to fix ruff F821 * docs: regenerate plugins.rst with cog * docs: reformat code blocks in plugin_hooks.rst with blacken-docs * docs: add await .verify_token() to internals.rst * tests: rewrite register_token_handler test to use real plugin handler Adds a HardcodedTokenHandler to the test plugins dir that creates tokens like dstok_hardcoded_token_1. The test now exercises creating tokens via the default handler (which is the plugin's hardcoded one), by explicitly naming the hardcoded handler, and by explicitly naming the signed handler -- then verifies each token round-trips correctly. * tests: clarify test_token_handler_via_http tests the default signed handler * fix: use handler="signed" explicitly where signed tokens are expected The HardcodedTokenHandler in my_plugin.py gets globally registered, so create_token() without a handler name picks it up as the default. Fix the create-token view, CLI, and tests to explicitly request the signed handler where they depend on signed token behavior. * fix: use handler="signed" in test_create_table_permissions https://claude.ai/code/session_013cQFiDQjYRrRBH2biFfKuS |
||
|---|---|---|
| .. | ||
| plugins | ||
| test_templates | ||
| __init__.py | ||
| build_small_spatialite_db.py | ||
| conftest.py | ||
| ext.c | ||
| fixtures.py | ||
| spatialite.db | ||
| test-datasette-load-plugins.sh | ||
| test_actions_sql.py | ||
| test_actor_restriction_bug.py | ||
| test_allowed_resources.py | ||
| test_api.py | ||
| test_api_write.py | ||
| test_auth.py | ||
| test_base_view.py | ||
| test_canned_queries.py | ||
| test_cli.py | ||
| test_cli_serve_get.py | ||
| test_cli_serve_server.py | ||
| test_config_dir.py | ||
| test_config_permission_rules.py | ||
| test_crossdb.py | ||
| test_csv.py | ||
| test_custom_pages.py | ||
| test_datasette_https_server.sh | ||
| test_default_deny.py | ||
| test_docs.py | ||
| test_docs_plugins.py | ||
| test_facets.py | ||
| test_filters.py | ||
| test_html.py | ||
| test_internal_db.py | ||
| test_internals_database.py | ||
| test_internals_datasette.py | ||
| test_internals_datasette_client.py | ||
| test_internals_request.py | ||
| test_internals_response.py | ||
| test_internals_urls.py | ||
| test_label_column_for_table.py | ||
| test_load_extensions.py | ||
| test_messages.py | ||
| test_multipart.py | ||
| test_package.py | ||
| test_permission_endpoints.py | ||
| test_permissions.py | ||
| test_plugins.py | ||
| test_publish_cloudrun.py | ||
| test_publish_heroku.py | ||
| test_restriction_sql.py | ||
| test_routes.py | ||
| test_schema_endpoints.py | ||
| test_search_tables.py | ||
| test_spatialite.py | ||
| test_table_api.py | ||
| test_table_html.py | ||
| test_token_handler.py | ||
| test_tracer.py | ||
| test_utils.py | ||
| test_utils_check_callable.py | ||
| test_utils_permissions.py | ||
| test_write_wrapper.py | ||
| utils.py | ||