simonw/datasette-auth-passwords

Option for HTTP Basic authentication

Closed this issue · 7 comments

HTTP Basic authentication has some useful properties:

  • It's easier to call programmatically from libraries like requests, httpx or curl
  • It can easily be wrapped around the entire application

This module defaults to form-based login, but it could have an option to instead use HTTP Basic auth - which could then wrap the entire application (via an asgi_wrapper hook).

Also requested here: simonw/datasette#1265

I considered doing this as a separate plugin entirely but found that I was duplicating much of the logic from this plugin - especially around how accounts are configured. This will benefit from SQL-backed accounts in #6 too.

Maybe this option should be deployed as a second live demo?

I'm going to build this such that, if you use the option, the entire Datasette instance is protected by it and is only accessible to users who can sign in using Basic auth.

Documentation also should note that users cannot log out if you use this authentication mechanism.

@simonw In the demo (https://datasette-auth-passwords-http-basic-demo.datasette.io/) I notice that the _internal database displays with a padlock icon, and the public database displays without, implying the former requires authenticating and the latter doesn't - but actually both require authenticating via basic auth and can't be viewed without doing this. Should both have the padlock icon?

That's a little bit tricky. The padlock icon actually represents whether or not the Datasette permissions system is allowing access to a resource. In HTTP basic mode, protection is added at a higher layer than that - users are unable to access Datasette at all if they don't sign in with a valid basic auth account. Then once they've signed in their actor (based on their username) is used to consult the permissions system to check if they have permission to access different resources.

The padlock icon on _internal does have a meaning here: it means that you, the root user, have access to view that database but other authenticated users (if we had configured any) might not have access to it.

It's a little non-obvious in this case, but there is a reason to it.

@simonw makes sense, thanks, thought it might be something like that. Being a little non-obvious seems ok in this case, since using basic auth is a niche use case.
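The two-layer model described in the thread (Basic auth enforced by an asgi_wrapper around the whole instance, then an actor derived from the username handed to the permissions layer), as an added example that is not the plugin's own code. `ACCOUNTS`, the PBKDF2 scheme, `demo_app` and `request` are assumptions made for this illustration.

```python
import asyncio, base64, hashlib, hmac

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed account store (assumption): username -> (salt, pbkdf2-sha256 hash).
_SALT = b"constructed-salt"
ACCOUNTS = {"root": (_SALT, _pbkdf2("correct horse", _SALT))}

def verify_basic_header(value: str):
    """Return the username if value is a valid Basic Authorization header, else None."""
    scheme, _, encoded = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(encoded, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 credentials
        return None
    # Hash even for unknown users so response time does not reveal valid usernames.
    salt, expected = ACCOUNTS.get(user, (_SALT, b"\0" * 32))
    ok = hmac.compare_digest(_pbkdf2(password, salt), expected)
    return user if ok and user in ACCOUNTS else None

def basic_auth_wrapper(app):
    """ASGI wrapper: every HTTP request needs valid Basic credentials; the actor
    derived from the username is placed on scope for the permissions layer."""
    async def wrapped(scope, receive, send):
        if scope["type"] != "http":
            return await app(scope, receive, send)
        header = dict(scope.get("headers", [])).get(b"authorization", b"")
        user = verify_basic_header(header.decode("latin-1"))
        if user is None:  # challenge instead of serving anything, even public databases
            await send({"type": "http.response.start", "status": 401,
                        "headers": [(b"www-authenticate", b'Basic realm="datasette"')]})
            await send({"type": "http.response.body", "body": b"Unauthorized"})
            return
        await app(dict(scope, actor={"id": user}), receive, send)
    return wrapped

async def demo_app(scope, receive, send):
    """Stand-in for Datasette (assumption): echoes the actor id the wrapper attached."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": scope["actor"]["id"].encode()})

def request(authorization=None):
    """Drive the wrapped app with a constructed request; return (status, body)."""
    headers = [(b"authorization", authorization.encode())] if authorization else []
    sent = []
    async def send(msg): sent.append(msg)
    async def receive(): return {"type": "http.request", "body": b""}
    asyncio.run(basic_auth_wrapper(demo_app)({"type": "http", "headers": headers}, receive, send))
    return sent[0]["status"], sent[1]["body"]
```

Because the wrapper answers 401 before Datasette sees the request, every path (the public database included) needs credentials, which is why the padlock icon can only describe the inner permissions check.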