-
-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Integrate with new authentication system in Datasette 0.44 #62
Comments
I'm going to try to do this in a way that preserves the ability for the plugin to still work as a standalone ASGI middleware. This could be hard. |
I don't actually need to implement |
I'm going to leave the |
This plugin currently only sets an authentication cookie that lasts for The Datasette |
Maybe this would be easier if I renamed this existing project |
Also tricky: the "stay logged out" cookie. This prevents the automatic redirect-based SSO mechanism from kicking in if the user has explicitly logged out: datasette-auth-github/datasette_auth_github/github_auth.py Lines 130 to 133 in a1dc4be
|
I'm going to fork the existing codebase as |
Without the ASGI stuff this gets a whole lot easier. I think it may even be reduceable to just two parts:
|
I can further simplify the code by dropping the allow_orgs / allow_teams stuff in favour of a mechanism that checks for membership of specific teams/orgs and then bakes those into the actor object. Then they can be checked using allow blocks: https://datasette.readthedocs.io/en/latest/authentication.html#defining-permissions-with-allow-blocks |
The teams/orgs stuff means that setting an expiry on the cookie is really important. I'm going to upgrade Datasette's signing infrastructure to be able to set expiry, and I'll teach Datasette that the |
I'm going to drop the I should still document (and have a test for) how to do this. Should be the following: {
"allow": {"id": "*"}
} |
I need to decide what to do about the auto-login mechanism. The current plugin requires authentication for all users, and automatically bounces through GitHub if authentication fails. In the new plugin I want to default to auth not required, since I'm building on Datasette's new permissions layer. So I think that means auto-login can still happen, but should only kick in on captured 403 errors. |
Made a start on the new README: https://github.com/simonw/datasette-auth-github/blob/f3eb2bcec1f80c57d851c69aa97a65d55db7061b/README.md New ideas from that README update:
|
So I need to re-implement this code for the new datasette-auth-github/datasette_auth_github/github_auth.py Lines 190 to 227 in 182298b
|
This is blocking people from using this plugin in collaboration with https://github.com/simonw/datasette-auth-tokens - which is bad! I should really get this fixed. |
I'm going to drop the auto-login mechanism entirely, it's not a good fit for the new auth system. |
Just needs some extra documentation now: #70 |
simonw/datasette#806
The text was updated successfully, but these errors were encountered: