register_token_handler() plugin hook for custom API token backends

[simonw]

Initial prompt was the description and first comment from:

• Plugin hook to allow issuing of API tokens #2649

Summary

This PR introduces a pluggable token handler system that allows plugins to provide custom token backends while maintaining backward compatibility with the existing signed token implementation.

Key Changes

• New TokenHandler base class (datasette/tokens.py): Abstract base class that plugins can subclass to implement custom token creation and verification logic
• SignedTokenHandler implementation: Moved existing signed token logic into a dedicated handler class that implements the TokenHandler interface
• Plugin hook register_token_handler: New hookspec in datasette/hookspecs.py allowing plugins to register custom token handlers
• Async token methods: Changed create_token() to async and added new verify_token() async method to Datasette class
• Token handler discovery: Added _token_handlers() method to collect all registered handlers from plugins
• Handler selection: create_token() now accepts optional handler parameter to select a specific handler by name; defaults to first registered handler
• Multi-handler verification: verify_token() tries all registered handlers until one recognizes the token
• Simplified token authentication: Refactored datasette/default_permissions/tokens.py to delegate to the new handler system instead of duplicating logic
• CLI update: Updated datasette create-token command to use the new async create_token() method
• HTTP integration: Token verification through HTTP Bearer authentication now works with all registered handlers
• Comprehensive test suite: Added 258 lines of tests covering default handler, custom handlers, verification, HTTP integration, and error cases

Implementation Details

• The SignedTokenHandler is automatically registered via the default permissions plugin
• Token handlers are tried in order during verification, allowing multiple backends to coexist
• The system maintains full backward compatibility—existing signed tokens continue to work
• Custom handlers can implement simple string-based tokens or complex database-backed systems
• All token handler methods are async to support I/O operations (e.g., database lookups)

https://claude.ai/code/session_013cQFiDQjYRrRBH2biFfKuS

---

📚 Documentation preview 📚: https://datasette--2650.org.readthedocs.build/en/2650/

[simonw]

Let's do better than this - a more type-friendly API.

[simonw]

@dataclasses.dataclass
class TokenRestrictions:
    """
    Restrictions to apply to a token, limiting which actions it can perform.
    - all: actions allowed against all databases/resources
    - database: {database_name: [actions]} for database-level restrictions
    - resource: {database_name: {resource_name: [actions]}} for resource-level
    """
    all: list[str] = dataclasses.field(default_factory=list)
    database: dict[str, list[str]] = dataclasses.field(default_factory=dict)
    resource: dict[str, dict[str, list[str]]] = dataclasses.field(
        default_factory=dict
    )

Don't write code until I say, but propose a design for this that uses more of a builder pattern and hence is less dictionary-heavy in terms of how it is interacted with

[simonw]

Claude suggested:

(TokenRestrictions()
    .allow("view-instance")
    .allow("view-database")
    .allow("create-table", database="mydb")
    .allow("insert-row", database="mydb", resource="mytable"))

I countered:

no lets do three methods for each category of restriction

[codecov]

Codecov Report

❌ Patch coverage is 93.43066% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.42%. Comparing base (6a2c27b) to head (0345b7a).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
datasette/app.py	90.62%	3 Missing ⚠️
datasette/cli.py	57.14%	3 Missing ⚠️
datasette/tokens.py	96.38%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2650      +/-   ##
==========================================
- Coverage   90.44%   90.42%   -0.02%     
==========================================
  Files          52       53       +1     
  Lines        8018     8075      +57     
==========================================
+ Hits         7252     7302      +50     
- Misses        766      773       +7     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[simonw]

I tested this breaking change in a branch of datasette-auth-tokens - I had Claude look at the upgrade guide.

Clone all of simonw/datasette to /tmp and checkout the claude/api-token-plugin-hook-jaSXV branch in that repo, then run the test suite for this (using uv run pytest) but with that /tmp/datasette folder set to be used instead of the regular Datasette depenedency.

In the Datasette repo read docs/upgrade_guide.md and tell me what you are going to change as a result

https://claude.ai/code/session_01RbZveeSogxSnjJ5yr6AFtq

[simonw]

I don't like the test for test_hook_register_token_handler - the other tests in that module act against a real plugin that has been registered, including testing that it is used. I think that test should use a special handler that creates a token with e.g. dstok_hardcoded_token_1 which we can then create (as the default plugin handler and also by specifying its name) and then validate

[simonw]

Finally got it to run the full test suite and it spotted:

The problem is much bigger than test_token_handler.py. The hardcoded handler gets globally registered and becomes the default for ALL token creation — including the /-/create-token web view and create-token CLI, which then try to unsign the hardcoded token and crash.

The fix: the /-/create-token view and CLI are specifically for signed tokens, so they should use handler="signed". Let me find and fix all the affected code.

Fix was pretty simple: