-
-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement SQL-backed user accounts #6
Comments
The trick here is making it so that hashed passwords are protected by default, without leaving people room to mess things up. To do that, the default configuration should work as follows:
This is the default way things work. Advanced users can customize SQL queries and even (by jumping through some "I know this is not safe" hoops) completely customize the SQL that loads the password hash. |
It's only the password hashes that need to be kept secure - not the other details of the user account (whatever shape that might be). So the configuration SQL should be "given this username, how do I retrieve the corresponding password hash". These hashes can then be stored in a separate database entirely. |
Configuration design: {
"plugins": {
"datasette-auth-passwords": {
"query": {
"sql": "select password_hash from passwords where username = :username",
"database": "passwords"
}
}
}
} This will "protect" the entire You can disable the default protections by adding Maybe also support an "query": {
"sql": "select password_hash from passwords where username = :username",
"update_password_sql": "update passwords set password_hash = hash_password(:password) where username = :username",
"database": "passwords"
} This would then become a canned query. Is this necessary though? The existing canned query mechanism can be used for that maybe? Except that doesn't get setup with the right root-only permissions by default. Ensuring people use the right default configuration is really important here, so I think the plugin should lean towards doing that. |
Idea: if you leave off the "query": {
"database": "passwords"
} Your only responsibility would be attaching a |
Came up in office hours today! |
Again following the example of https://github.com/simonw/datasette-auth-tokens/blob/d6f45da578419177c260628db5f8352a839e45f2/README.md#tokens-from-your-database
The text was updated successfully, but these errors were encountered: