diff options
Diffstat (limited to 'python-datasette-auth-tokens.spec')
| -rw-r--r-- | python-datasette-auth-tokens.spec | 611 |
1 files changed, 611 insertions, 0 deletions
diff --git a/python-datasette-auth-tokens.spec b/python-datasette-auth-tokens.spec new file mode 100644 index 0000000..994b863 --- /dev/null +++ b/python-datasette-auth-tokens.spec @@ -0,0 +1,611 @@ +%global _empty_manifest_terminate_build 0 +Name: python-datasette-auth-tokens +Version: 0.3 +Release: 1 +Summary: Datasette plugin for authenticating access using API tokens +License: Apache License, Version 2.0 +URL: https://github.com/simonw/datasette-auth-tokens +Source0: https://mirrors.nju.edu.cn/pypi/web/packages/37/e8/9232738f0a0e825be9dec92244b1fb48ec897b04dbd599237cf1e3239319/datasette-auth-tokens-0.3.tar.gz +BuildArch: noarch + +Requires: python3-datasette +Requires: python3-pytest +Requires: python3-pytest-asyncio +Requires: python3-httpx +Requires: python3-sqlite-utils + +%description +# datasette-auth-tokens + +[](https://pypi.org/project/datasette-auth-tokens/) +[](https://github.com/simonw/datasette-auth-tokens/releases) +[](https://github.com/simonw/datasette-auth-tokens/actions?query=workflow%3ATest) +[](https://github.com/simonw/datasette-auth-tokens/blob/main/LICENSE) + +Datasette plugin for authenticating access using API tokens + +## Installation + +Install this plugin in the same environment as Datasette. + + $ pip install datasette-auth-tokens + +## Hard-coded tokens + +Read about Datasette's [authentication and permissions system](https://datasette.readthedocs.io/en/latest/authentication.html). + +This plugin lets you configure secret API tokens which can be used to make authenticated requests to Datasette. + +First, create a random API token. A useful recipe for doing that is the following: + + $ python -c 'import secrets; print(secrets.token_hex(32))' + 5f9a486dd807de632200b17508c75002bb66ca6fde1993db1de6cbd446362589 + +Decide on the actor that this token should represent, for example: + +```json +{ + "bot_id": "my-bot" +} +``` + +You can then use `"allow"` blocks to provide that token with permission to access specific actions. To enable access to a configured writable SQL query you could use this in your `metadata.json`: + +```json +{ + "plugins": { + "datasette-auth-tokens": { + "tokens": [ + { + "token": { + "$env": "BOT_TOKEN" + }, + "actor": { + "bot_id": "my-bot" + } + } + ] + } + }, + "databases": { + ":memory:": { + "queries": { + "show_version": { + "sql": "select sqlite_version()", + "allow": { + "bot_id": "my-bot" + } + } + } + } + } +} +``` +This uses Datasette's [secret configuration values mechanism](https://datasette.readthedocs.io/en/stable/plugins.html#secret-configuration-values) to allow the secret token to be passed as an environment variable. + +Run Datasette like this: + + BOT_TOKEN="this-is-the-secret-token" \ + datasette -m metadata.json + +You can now run authenticated API queries like this: + + $ curl -H 'Authorization: Bearer this-is-the-secret-token' \ + 'http://127.0.0.1:8001/:memory:/show_version.json?_shape=array' + [{"sqlite_version()": "3.31.1"}] + +Additionally you can allow passing the token as a query string parameter, although that's disabled by default given the security implications of URLs with secret tokens included. This may be useful to easily allow embedding data between different services. + +Simply enable it using the `param` config value: + +```json +{ + "plugins": { + "datasette-auth-tokens": { + "tokens": [ + { + "token": { + "$env": "BOT_TOKEN" + }, + "actor": { + "bot_id": "my-bot" + }, + } + ], + "param": "_auth_token" + } + }, + "databases": { + ":memory:": { + "queries": { + "show_version": { + "sql": "select sqlite_version()", + "allow": { + "bot_id": "my-bot" + } + } + } + } + } +} +``` + +You can now run authenticated API queries like this: + + $ curl http://127.0.0.1:8001/:memory:/show_version.json?_shape=array&_auth_token=this-is-the-secret-token + [{"sqlite_version()": "3.31.1"}] + +## Tokens from your database + +As an alternative (or in addition) to the hard-coded list of tokens you can store tokens in a database table and configure the plugin to access them using a SQL query. + +Your query needs to take a `:token_id` parameter and return at least two columns: one called `token_secret` and one called `actor_*` - usually `actor_id`. Further `actor_` prefixed columns can be returned to provide more details for the authenticated actor. + +Here's a simple example of a configuration query: + +```sql +select actor_id, actor_name, token_secret from tokens where token_id = :token_id +``` + +This can run against a table like this one: + +| token_id | token_secret | actor_id | actor_name | +| -------- | ------------ | -------- | ---------- | +| 1 | bd3c94f51fcd | 78 | Cleopaws | +| 2 | 86681b4d6f66 | 32 | Pancakes | + +The tokens are formed as the token ID, then a hyphen, then the token secret. For example: + +- `1-bd3c94f51fcd` +- `2-86681b4d6f66` + +The SQL query will be executed with the portion before the hyphen as the `:token_id` parameter. + +The `token_secret` value returned by the query will be compared to the portion of the token after the hyphen to check if the token is valid. + +Columns with a prefix of `actor_` will be used to populate the actor dictionary. In the above example, a token of `2-86681b4d6f66` will become an actor dictionary of `{"id": 32, "name": "Pancakes"}`. + +To configure this, use a `"query"` block in your plugin configuration like this: + +```json +{ + "plugins": { + "datasette-auth-tokens": { + "query": { + "sql": "select actor_id, actor_name, token_secret from tokens where token_id = :token_id", + "database": "tokens" + } + } + }, + "databases": { + "tokens": { + "allow": {} + } + } +} +``` +The `"sql"` key here contains the SQL query. The `"database"` key has the name of the attached database file that the query should be executed against - in this case it would execute against `tokens.db`. + +### Securing your tokens + +Anyone with access to your Datasette instance can use it to read the `token_secret` column in your tokens table. This probably isn't what you want! + +To avoid this, you should lock down access to that table. The configuration example above shows how to do this using an `"allow": {}` block. Consult Datasette's [Permissions documentation](https://datasette.readthedocs.io/en/stable/authentication.html#permissions) for more information about how to lock down this kind of access. + + + + +%package -n python3-datasette-auth-tokens +Summary: Datasette plugin for authenticating access using API tokens +Provides: python-datasette-auth-tokens +BuildRequires: python3-devel +BuildRequires: python3-setuptools +BuildRequires: python3-pip +%description -n python3-datasette-auth-tokens +# datasette-auth-tokens + +[](https://pypi.org/project/datasette-auth-tokens/) +[](https://github.com/simonw/datasette-auth-tokens/releases) +[](https://github.com/simonw/datasette-auth-tokens/actions?query=workflow%3ATest) +[](https://github.com/simonw/datasette-auth-tokens/blob/main/LICENSE) + +Datasette plugin for authenticating access using API tokens + +## Installation + +Install this plugin in the same environment as Datasette. + + $ pip install datasette-auth-tokens + +## Hard-coded tokens + +Read about Datasette's [authentication and permissions system](https://datasette.readthedocs.io/en/latest/authentication.html). + +This plugin lets you configure secret API tokens which can be used to make authenticated requests to Datasette. + +First, create a random API token. A useful recipe for doing that is the following: + + $ python -c 'import secrets; print(secrets.token_hex(32))' + 5f9a486dd807de632200b17508c75002bb66ca6fde1993db1de6cbd446362589 + +Decide on the actor that this token should represent, for example: + +```json +{ + "bot_id": "my-bot" +} +``` + +You can then use `"allow"` blocks to provide that token with permission to access specific actions. To enable access to a configured writable SQL query you could use this in your `metadata.json`: + +```json +{ + "plugins": { + "datasette-auth-tokens": { + "tokens": [ + { + "token": { + "$env": "BOT_TOKEN" + }, + "actor": { + "bot_id": "my-bot" + } + } + ] + } + }, + "databases": { + ":memory:": { + "queries": { + "show_version": { + "sql": "select sqlite_version()", + "allow": { + "bot_id": "my-bot" + } + } + } + } + } +} +``` +This uses Datasette's [secret configuration values mechanism](https://datasette.readthedocs.io/en/stable/plugins.html#secret-configuration-values) to allow the secret token to be passed as an environment variable. + +Run Datasette like this: + + BOT_TOKEN="this-is-the-secret-token" \ + datasette -m metadata.json + +You can now run authenticated API queries like this: + + $ curl -H 'Authorization: Bearer this-is-the-secret-token' \ + 'http://127.0.0.1:8001/:memory:/show_version.json?_shape=array' + [{"sqlite_version()": "3.31.1"}] + +Additionally you can allow passing the token as a query string parameter, although that's disabled by default given the security implications of URLs with secret tokens included. This may be useful to easily allow embedding data between different services. + +Simply enable it using the `param` config value: + +```json +{ + "plugins": { + "datasette-auth-tokens": { + "tokens": [ + { + "token": { + "$env": "BOT_TOKEN" + }, + "actor": { + "bot_id": "my-bot" + }, + } + ], + "param": "_auth_token" + } + }, + "databases": { + ":memory:": { + "queries": { + "show_version": { + "sql": "select sqlite_version()", + "allow": { + "bot_id": "my-bot" + } + } + } + } + } +} +``` + +You can now run authenticated API queries like this: + + $ curl http://127.0.0.1:8001/:memory:/show_version.json?_shape=array&_auth_token=this-is-the-secret-token + [{"sqlite_version()": "3.31.1"}] + +## Tokens from your database + +As an alternative (or in addition) to the hard-coded list of tokens you can store tokens in a database table and configure the plugin to access them using a SQL query. + +Your query needs to take a `:token_id` parameter and return at least two columns: one called `token_secret` and one called `actor_*` - usually `actor_id`. Further `actor_` prefixed columns can be returned to provide more details for the authenticated actor. + +Here's a simple example of a configuration query: + +```sql +select actor_id, actor_name, token_secret from tokens where token_id = :token_id +``` + +This can run against a table like this one: + +| token_id | token_secret | actor_id | actor_name | +| -------- | ------------ | -------- | ---------- | +| 1 | bd3c94f51fcd | 78 | Cleopaws | +| 2 | 86681b4d6f66 | 32 | Pancakes | + +The tokens are formed as the token ID, then a hyphen, then the token secret. For example: + +- `1-bd3c94f51fcd` +- `2-86681b4d6f66` + +The SQL query will be executed with the portion before the hyphen as the `:token_id` parameter. + +The `token_secret` value returned by the query will be compared to the portion of the token after the hyphen to check if the token is valid. + +Columns with a prefix of `actor_` will be used to populate the actor dictionary. In the above example, a token of `2-86681b4d6f66` will become an actor dictionary of `{"id": 32, "name": "Pancakes"}`. + +To configure this, use a `"query"` block in your plugin configuration like this: + +```json +{ + "plugins": { + "datasette-auth-tokens": { + "query": { + "sql": "select actor_id, actor_name, token_secret from tokens where token_id = :token_id", + "database": "tokens" + } + } + }, + "databases": { + "tokens": { + "allow": {} + } + } +} +``` +The `"sql"` key here contains the SQL query. The `"database"` key has the name of the attached database file that the query should be executed against - in this case it would execute against `tokens.db`. + +### Securing your tokens + +Anyone with access to your Datasette instance can use it to read the `token_secret` column in your tokens table. This probably isn't what you want! + +To avoid this, you should lock down access to that table. The configuration example above shows how to do this using an `"allow": {}` block. Consult Datasette's [Permissions documentation](https://datasette.readthedocs.io/en/stable/authentication.html#permissions) for more information about how to lock down this kind of access. + + + + +%package help +Summary: Development documents and examples for datasette-auth-tokens +Provides: python3-datasette-auth-tokens-doc +%description help +# datasette-auth-tokens + +[](https://pypi.org/project/datasette-auth-tokens/) +[](https://github.com/simonw/datasette-auth-tokens/releases) +[](https://github.com/simonw/datasette-auth-tokens/actions?query=workflow%3ATest) +[](https://github.com/simonw/datasette-auth-tokens/blob/main/LICENSE) + +Datasette plugin for authenticating access using API tokens + +## Installation + +Install this plugin in the same environment as Datasette. + + $ pip install datasette-auth-tokens + +## Hard-coded tokens + +Read about Datasette's [authentication and permissions system](https://datasette.readthedocs.io/en/latest/authentication.html). + +This plugin lets you configure secret API tokens which can be used to make authenticated requests to Datasette. + +First, create a random API token. A useful recipe for doing that is the following: + + $ python -c 'import secrets; print(secrets.token_hex(32))' + 5f9a486dd807de632200b17508c75002bb66ca6fde1993db1de6cbd446362589 + +Decide on the actor that this token should represent, for example: + +```json +{ + "bot_id": "my-bot" +} +``` + +You can then use `"allow"` blocks to provide that token with permission to access specific actions. To enable access to a configured writable SQL query you could use this in your `metadata.json`: + +```json +{ + "plugins": { + "datasette-auth-tokens": { + "tokens": [ + { + "token": { + "$env": "BOT_TOKEN" + }, + "actor": { + "bot_id": "my-bot" + } + } + ] + } + }, + "databases": { + ":memory:": { + "queries": { + "show_version": { + "sql": "select sqlite_version()", + "allow": { + "bot_id": "my-bot" + } + } + } + } + } +} +``` +This uses Datasette's [secret configuration values mechanism](https://datasette.readthedocs.io/en/stable/plugins.html#secret-configuration-values) to allow the secret token to be passed as an environment variable. + +Run Datasette like this: + + BOT_TOKEN="this-is-the-secret-token" \ + datasette -m metadata.json + +You can now run authenticated API queries like this: + + $ curl -H 'Authorization: Bearer this-is-the-secret-token' \ + 'http://127.0.0.1:8001/:memory:/show_version.json?_shape=array' + [{"sqlite_version()": "3.31.1"}] + +Additionally you can allow passing the token as a query string parameter, although that's disabled by default given the security implications of URLs with secret tokens included. This may be useful to easily allow embedding data between different services. + +Simply enable it using the `param` config value: + +```json +{ + "plugins": { + "datasette-auth-tokens": { + "tokens": [ + { + "token": { + "$env": "BOT_TOKEN" + }, + "actor": { + "bot_id": "my-bot" + }, + } + ], + "param": "_auth_token" + } + }, + "databases": { + ":memory:": { + "queries": { + "show_version": { + "sql": "select sqlite_version()", + "allow": { + "bot_id": "my-bot" + } + } + } + } + } +} +``` + +You can now run authenticated API queries like this: + + $ curl http://127.0.0.1:8001/:memory:/show_version.json?_shape=array&_auth_token=this-is-the-secret-token + [{"sqlite_version()": "3.31.1"}] + +## Tokens from your database + +As an alternative (or in addition) to the hard-coded list of tokens you can store tokens in a database table and configure the plugin to access them using a SQL query. + +Your query needs to take a `:token_id` parameter and return at least two columns: one called `token_secret` and one called `actor_*` - usually `actor_id`. Further `actor_` prefixed columns can be returned to provide more details for the authenticated actor. + +Here's a simple example of a configuration query: + +```sql +select actor_id, actor_name, token_secret from tokens where token_id = :token_id +``` + +This can run against a table like this one: + +| token_id | token_secret | actor_id | actor_name | +| -------- | ------------ | -------- | ---------- | +| 1 | bd3c94f51fcd | 78 | Cleopaws | +| 2 | 86681b4d6f66 | 32 | Pancakes | + +The tokens are formed as the token ID, then a hyphen, then the token secret. For example: + +- `1-bd3c94f51fcd` +- `2-86681b4d6f66` + +The SQL query will be executed with the portion before the hyphen as the `:token_id` parameter. + +The `token_secret` value returned by the query will be compared to the portion of the token after the hyphen to check if the token is valid. + +Columns with a prefix of `actor_` will be used to populate the actor dictionary. In the above example, a token of `2-86681b4d6f66` will become an actor dictionary of `{"id": 32, "name": "Pancakes"}`. + +To configure this, use a `"query"` block in your plugin configuration like this: + +```json +{ + "plugins": { + "datasette-auth-tokens": { + "query": { + "sql": "select actor_id, actor_name, token_secret from tokens where token_id = :token_id", + "database": "tokens" + } + } + }, + "databases": { + "tokens": { + "allow": {} + } + } +} +``` +The `"sql"` key here contains the SQL query. The `"database"` key has the name of the attached database file that the query should be executed against - in this case it would execute against `tokens.db`. + +### Securing your tokens + +Anyone with access to your Datasette instance can use it to read the `token_secret` column in your tokens table. This probably isn't what you want! + +To avoid this, you should lock down access to that table. The configuration example above shows how to do this using an `"allow": {}` block. Consult Datasette's [Permissions documentation](https://datasette.readthedocs.io/en/stable/authentication.html#permissions) for more information about how to lock down this kind of access. + + + + +%prep +%autosetup -n datasette-auth-tokens-0.3 + +%build +%py3_build + +%install +%py3_install +install -d -m755 %{buildroot}/%{_pkgdocdir} +if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi +if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi +if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi +if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi +pushd %{buildroot} +if [ -d usr/lib ]; then + find usr/lib -type f -printf "/%h/%f\n" >> filelist.lst +fi +if [ -d usr/lib64 ]; then + find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst +fi +if [ -d usr/bin ]; then + find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst +fi +if [ -d usr/sbin ]; then + find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst +fi +touch doclist.lst +if [ -d usr/share/man ]; then + find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst +fi +popd +mv %{buildroot}/filelist.lst . +mv %{buildroot}/doclist.lst . + +%files -n python3-datasette-auth-tokens -f filelist.lst +%dir %{python3_sitelib}/* + +%files help -f doclist.lst +%{_docdir}/* + +%changelog +* Mon May 15 2023 Python_Bot <Python_Bot@openeuler.org> - 0.3-1 +- Package Spec generated |