Plugin hook to allow issuing of API tokens

[simonw]

Currently Datasette core can issue API tokens as signed values:

datasette/datasette/app.py

Lines 716 to 753 in 6a2c27b

	def create_token(
	self,
	actor_id: str,
	*,
	expires_after: int | None = None,
	restrict_all: Iterable[str] | None = None,
	restrict_database: Dict[str, Iterable[str]] | None = None,
	restrict_resource: Dict[str, Dict[str, Iterable[str]]] | None = None,
	):
	token = {"a": actor_id, "t": int(time.time())}
	if expires_after:
	token["d"] = expires_after
	def abbreviate_action(action):
	# rename to abbr if possible
	action_obj = self.actions.get(action)
	if not action_obj:
	return action
	return action_obj.abbr or action
	if expires_after:
	token["d"] = expires_after
	if restrict_all or restrict_database or restrict_resource:
	token["_r"] = {}
	if restrict_all:
	token["_r"]["a"] = [abbreviate_action(a) for a in restrict_all]
	if restrict_database:
	token["_r"]["d"] = {}
	for database, actions in restrict_database.items():
	token["_r"]["d"][database] = [abbreviate_action(a) for a in actions]
	if restrict_resource:
	token["_r"]["r"] = {}
	for database, resources in restrict_resource.items():
	for resource, actions in resources.items():
	token["_r"]["r"].setdefault(database, {})[resource] = [
	abbreviate_action(a) for a in actions
	]
	return "dstok_{}".format(self.sign(token, namespace="token"))

And then datasette-auth-tokens can issue API tokens that are database-backed (and can hence be audited and revoked): https://github.com/simonw/datasette-auth-tokens

Problem: I'm building a datasette-oauth plugin and it needs to be able to issue tokens. I'd like it to be able to use signed tokens by default but, if dataette-auth-tokens is configured, I'd like them to be database-backed tokens instead.

I tried figuring out how to do that with a new hook in datasette-auth-tokens itself but it felt messy, because I didn't want datasette-oauth to have to depend on that plugin.

So it needs to be a new hook in core, with the existing create_token() mechanism as a default plugin hook implementation.

[simonw]

This mechanism needs to support at minimum two actions:

• Issue a token
• Turn a token back into an actor

That second one is necessary because e.g. a database-backed token store needs to be able to process incoming tokes correctly.

I don't think the hook needs to handle revocation (only a thing for some backends) or token lists. For the moment just issue and verify should be enough.

This means multiple plugins may be in play at once, since an incoming token might have been issued by different mechanisms.

There does need to be a "default" concept though, since the whole point of this is so if you are using datasette-oauth and datasette-auth-tokens at the same time and the OAuth plugin needs to an issue a token it can use datasette-auth-tokens to do that.

So... I think plugins register their token handlers, then there's an await datasette.issue_token(...) method which uses the first configured one (based on hookfirst in Pluggy) BUT you can request tokens are issued by another handler, maybe with a datasette.issue_token(..., plugin="datasette-auth-tokens") argument or similar.

When a token is verified it gets passed to each handler in turn until one of them returns an actor or we run out of handlers to try.

[simonw]

In working on the PR in:

• register_token_handler() plugin hook for custom API token backends #2650

I realized that I'd like to make a breaking change to one documented internal Datasette method - the datasette.create_token() method. It's currently sync and I want it to be async so plugins can do async things (like database calls) while creating a token.

GitHub code search:

datasette create_token -repo:simonw/datasette -is:fork

https://github.com/search?q=datasette+create_token+-repo%3Asimonw/datasette+NOT+is%3Afork&type=code

Returns 48 results. Add -owner:simonw and it drops to 19. Add -owner:datasette -repo:fulcrumresearch/datasette and it drops to 6, none of which are real uses: https://github.com/search?q=datasette+create_token+-repo%3Asimonw%2Fdatasette+-is%3Afork+-owner%3Asimonw+-owner%3Adatasette+-repo%3Afulcrumresearch%2Fdatasette&type=code

So I think this change is fine.