datasette/docs
Claude aaaffe45b8
Return 401 for invalid or expired bearer tokens
Invalid dstok_ tokens - bad signature, malformed payload, expired, or
presented while allow_signed_tokens is off - previously degraded the
request to anonymous, so clients saw a 403 permission error or worse,
a 200 with anonymous-visible data. Token handlers can now raise
TokenInvalid for tokens they recognize but reject; Datasette responds
with 401, the canonical JSON error body and a WWW-Authenticate: Bearer
error="invalid_token" header, even when a valid cookie is also present.

Bearer tokens no registered handler recognizes are still ignored, so
authentication plugins with their own token formats keep working.
TokenInvalid is exported from the datasette package for use by plugin
token handlers.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01GrHZSypDfMnym1tM5XJAFZ
2026-07-04 15:18:12 +00:00
..
_static Add favicon to documentation (#1967) 2022-12-31 11:00:31 -08:00
_templates Drop jQuery dependency 2023-03-26 16:38:58 -07:00
.gitignore Added initial docs, including a changelog 2017-11-16 07:11:00 -08:00
authentication.rst Return 401 for invalid or expired bearer tokens 2026-07-04 15:18:12 +00:00
auto-build.sh Added --load-extension argument to datasette serve 2017-11-16 08:48:49 -08:00
binary_data.rst Use shot-scraper images from datasette-screenshots repo, closes #1844 2022-10-14 12:57:00 -07:00
changelog.rst Small tweaks to 1.0a35 release notes prior to release 2026-06-23 14:33:20 -07:00
cli-reference.rst datasette serve --default-deny option (#2593) 2025-11-12 16:14:21 -08:00
codespell-ignore-words.txt Move Metadata to --internal database 2024-06-11 09:33:23 -07:00
conf.py New :pr:ID shortcut for docs 2026-04-15 16:04:17 -07:00
configuration.rst textarea column type 2026-06-13 22:18:45 -07:00
contributing.rst Add cache-busted static asset helper (#2804) 2026-06-23 13:44:58 -07:00
csv_export.rst Use shot-scraper images from datasette-screenshots repo, closes #1844 2022-10-14 12:57:00 -07:00
custom_templates.rst Improve docs structure for static(), refs #2804, #2800 2026-06-23 13:59:01 -07:00
datasette-0.51.png Release 0.51 2020-10-31 15:21:49 -07:00
datasette-logo.svg Added new logo to the documentation 2020-07-12 12:53:29 -07:00
deploying.rst Add test for RST heading underline lengths, closes #2544 2025-10-26 09:49:49 -07:00
ecosystem.rst Shrunk ecosystem docs in favour of datasette.io, closes #1182 2021-01-09 14:17:18 -08:00
events.md RenameTableEvent, plus write connection track_event() mechanism (#2682) 2026-03-30 11:20:46 -07:00
facets.rst Move table configuration docs from metadata.rst to configuration.rst (#2668) 2026-03-17 08:47:04 -07:00
full_text_search.rst Move table configuration docs from metadata.rst to configuration.rst (#2668) 2026-03-17 08:47:04 -07:00
getting_started.rst Replace Glitch with Codespaces, closes #2488 2025-05-28 19:17:22 -07:00
index.rst Generated template context documentation, closes #1510 2026-06-11 07:47:15 -07:00
installation.rst Python 3.14, drop Python 3.9 2025-10-08 13:11:32 -07:00
internals.rst Document custom json encoder (#1996) 2026-06-23 16:24:03 -07:00
introspection.rst Filter /-/databases by view-database permission 2026-07-04 14:00:42 +00:00
javascript_plugins.rst Better docs for makeJumpSections() 2026-06-14 16:28:09 -07:00
json_api.rst Return canonical JSON error for Forbidden on JSON requests 2026-07-04 14:09:10 +00:00
json_api_doc.py Clearer examples and descriptions for JSON API extras (#2773) 2026-06-11 19:41:24 -07:00
Makefile Document custom json encoder (#1996) 2026-06-23 16:24:03 -07:00
metadata.rst Move table configuration docs from metadata.rst to configuration.rst (#2668) 2026-03-17 08:47:04 -07:00
metadata_doc.py Rename metadata tables and add schema to docs, refs #2382 2024-08-05 13:53:55 -07:00
pages.rst Add "ok": true to every JSON object success response 2026-07-04 13:40:05 +00:00
performance.rst Release 0.63a1 2022-10-23 20:07:09 -07:00
plugin_hooks.rst Return 401 for invalid or expired bearer tokens 2026-07-04 15:18:12 +00:00
plugins.rst Precompute action permissions for table pages 2026-06-22 10:11:56 -07:00
publish.rst Remove all remaining "$ " prefixes from docs, closes #2140 2023-08-11 10:44:34 -07:00
settings.rst Fix permissions_execute_sql warnings in documentation 2025-11-01 11:52:23 -07:00
spatialite.rst Renamed canned queries to queries / stored queries in docs 2026-05-26 15:17:51 -07:00
sql_queries.rst Return 400 for write canned-query SQL failures 2026-07-04 14:35:54 +00:00
template_context.rst Add cache-busted static asset helper (#2804) 2026-06-23 13:44:58 -07:00
template_context_doc.py Clarify template context metadata names 2026-06-23 11:30:30 -07:00
testing_plugins.rst datasette.fixtures module, closes #2733 2026-05-21 23:05:37 -07:00
upgrade-1.0a20.md Renamed canned queries to queries / stored queries in docs 2026-05-26 15:17:51 -07:00
upgrade_guide.md Replace token-based CSRF with Sec-Fetch-Site header protection (#2689) 2026-04-14 17:11:36 -07:00
writing_plugins.rst Add cache-busted static asset helper (#2804) 2026-06-23 13:44:58 -07:00