Manage mode - UI for creating database-backed tokens

[simonw]

Refs:

• Manage tokens mode: UI for creating database-backed tokens with restricted permissions #7

TODO:

• DB schema
• Create tokens page, saving tokens to DB
• Update authentication code to read tokens from that table
• Update last_used_timestamp every X seconds (X=60 at first)
• Interface to list currently issued tokens
• Hide the _datasette_auth_tokens table by default - this will happen with Tables starting with an underscore should be treated as hidden datasette#2104
• Ability to revoke tokens
• Tests
• Documentation

Not for this PR but to come later: ability to edit tokens, more advanced audit trail functionality.

[simonw]

Surprisingly difficult to figure out how best to link this page to the page where you create a token:

I thought about shipping a custom template with the plugin, but the debug HTML comment says this:

<!-- Templates considered: table-messages-datasette_auth_tokens-a1b28e.html, *table.html -->

But that's no good, because it fixes the name based on the database - and the database could change.

Then I considered using the get_metadata() hook to customize the description_html on the table page, but I don't think that works either. I added this hook:

@hookimpl
def get_metadata(datasette, key, database, table):
    print("key=", key, "database=", database, "table=", table)

And I see this when I visit the /messages/_datasette_auth_tokens page:

key= plugins database= None table= None
key= tables database= messages table= None
key= None database= None table= None
key= allow database= messages table= None
key= None database= None table= None
key= allow database= None table= None
key= None database= None table= None
key= tables database= messages table= None
key= None database= None table= None
key= allow database= messages table= None
key= None database= None table= None
key= allow database= None table= None
key= None database= None table= None
key= databases database= None table= None
key= databases database= None table= None
key= databases database= None table= None
key= tables database= messages table= None
key= tables database= messages table= None
key= tables database= messages table= None
key= tables database= messages table= None
key= allow_sql database= messages table= None
key= allow_sql database= None table= None
key= None database= None table= None
key= source database= None table= None
key= source_url database= None table= None
key= license database= None table= None
key= license_url database= None table= None
key= databases database= None table= None
key= databases database= None table= None
key= databases database= None table= None
key= source database= None table= None
key= source_url database= None table= None
key= license database= None table= None
key= license_url database= None table= None
key= about database= None table= None
key= about_url database= None table= None
key= extra_css_urls database= None table= None
key= extra_js_urls database= None table= None
key= allow database= None table= None
key= None database= None table= None
key= allow database= messages table= None
key= None database= None table= None
key= None database= None table= None

It looks like there's a bug there where the table= is not correctly set.

So I think the easiest thing to do will be to use a table actions cog menu item, and then ensure that "Create API token" is added to the global navigation menu for the instance.

[simonw]

I want this in the table view to be displayed nicer:

{"a": ["vi"], "d": {"messages": ["vd"]}, "r": {"messages": {"messages": ["vt"]}}}

[simonw]

Tests are failing like this:

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/runner/work/datasette-auth-tokens/datasette-auth-tokens/datasette_auth_tokens/views.py", line 154, in _shared
    "all_permissions": datasette.permissions.keys(),
                       ^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'Datasette' object has no attribute 'permissions'

That's because I need them to run against the datasette>=1.0a2.

[simonw]

I'm going to add tests for revoke/expire, then land this PR.

[simonw]

First version of the docs: https://github.com/simonw/datasette-auth-tokens/blob/5a135a6dabf59452a4988b6479afa24dbde37de5/README.md#managed-tokens-mode