Option for HTTP Basic authentication #15
Comments
|
I considered doing this as a separate plugin entirely but found that I was duplicating much of the logic from this plugin - especially around how accounts are configured. This will benefit from SQL-backed accounts in #6 too. |
|
Maybe this option should be deployed as a second live demo? |
|
I'm going to build this such that, if you use the option, the entire Datasette instance is protected by it and is only accessible to users who can sign in using Basic auth. |
|
Documentation also should note that users cannot logout if you use this authentication mechanism. |
|
@simonw In the demo (https://datasette-auth-passwords-http-basic-demo.datasette.io/) I notice that the |
|
That's a little bit tricky. The padlock icon actually represents whether or not the Datasette permissions system is allowing access to a resource. In HTTP basic mode, protection is added at a higher layer than that - users are unable to access Datasette at all if they don't sign in with a valid basic auth account. Then once they've signed in their actor (based on their username) is used to consult the permissions system to check if they have permission to access different resources. The padlock icon on It's a little non-obvious in this case, but there is a reason to it. |
|
@simonw makes sense, thanks, thought it might be something like that. Being a little non-obvious seems ok in this case, since using basic auth is a niche use case. |
HTTP Basic authentication has some useful properties:
requestshttpxorcurlThis module defaults to form-based login, but it could have an option to instead use HTTP Basic auth - which could then wrap the entire application (via an
asgi_wrapperhook).Also requested here: simonw/datasette#1265
The text was updated successfully, but these errors were encountered: