Simon Willison’s Weblog

Weeknotes, I guess

4th June 2020

What a week. Hard to work up the enthusiasm to write about what I’ve been working on.

I’ve mainly been pushing towards shipping a Datasette release with writeable canned queries. This lead me down various other rabbit holes.

Authentication

Once you can write to a database, authentication and permissions become more than just a nice-to-have. I’ve used plugins for this in the past (datasette-auth-github and datasette-auth-existing-cookies), but to allow these plugins to work together with other features it makes sense to bring the concept of authentications and permission checks into Datasette core.

Issue #699 tracks my thinking on this. I’ve landed two new plugin hooks: actor_from_request, which lets plugins decide if the request is from an authenticated actor (a logged-in user or an authenticated API key of some sort) and permission_allowed which can answer if an actor is allowed to perform a specific action on a resource.

Flash messages

When you perform a write, I need to let you know if it worked or not. Django has messages, Flask calls them flash messages. I’ve now added these to Datasette, using signed cookies. The new /-/messages debug tool lets you try them out and see how they work.

CSRF protection

Still a work in progress (and a blocker on releasing the above new features). I shipped asgi-csrf 0.3 yesterday which is now ready for use in Datasette. The next step is to integrate it.

New milestone: Datasette 1.0

Writeable canned queries are the last major feature I want to add before Datasette 1.0. I’ve put some notes together on what this means: essentially I want 1.0 to signify that plugin builders and template authors can develop against Datasette with confidence that their stuff won’t break until at least 2.0. I also started a Datasette 1.0 milestone.