# datasette-auth-passwords
[](https://pypi.org/project/datasette-auth-passwords/)
[](https://github.com/simonw/datasette-auth-passwords/releases)
[](https://github.com/simonw/datasette-auth-passwords/blob/master/LICENSE)
Datasette plugin for authenticating access using passwords
## Installation
Install this plugin in the same environment as Datasette.
```bash
datasette install datasette-auth-passwords
```
## Demo
A demo of this plugin is running at https://datasette-auth-passwords-demo.datasette.io/
The demo is configured to show the `public.db` database to everyone, but the `private.db` database only to logged in users.
You can log in at https://datasette-auth-passwords-demo.datasette.io/-/login with username `root` and password `password!`.
## Usage
This plugin works based on a list of username/password accounts that are hard-coded into the plugin configuration.
First, you'll need to create a password hash. There are three ways to do that:
- Install the plugin, then use the interactive tool located at `/-/password-tool`
- Use the hosted version of that tool at https://datasette-auth-passwords-demo.datasette.io/-/password-tool
- Use the `datasette hash-password` command, described below
Now add the following to your `metadata.json`:
```json
{
"plugins": {
"datasette-auth-passwords": {
"someusername_password_hash": {
"$env": "PASSWORD_HASH_1"
}
}
}
}
```
The password hash can now be specified in an environment variable when you run Datasette. You can do that like so:
PASSWORD_HASH_1='pbkdf2_sha256$...' \
datasette -m metadata.json
Be sure to use single quotes here otherwise the `$` symbols in the password hash may be incorrectly interpreted by your shell.
You will now be able to log in to your instance using the form at `/-/login` with `someusername` as the username and the password that you used to create your hash as the password.
You can include as many accounts as you like in the configuration, each with different usernames.
### datasette hash-password
The plugin exposes a new CLI command, `datasette hash-password`. You can run this without arguments to interactively create a new password hash:
```bash
datasette hash-password
```
```
Password:
Repeat for confirmation:
pbkdf2_sha256$260000$1513...
```
Or if you want to use it as part of a script, you can add the `--no-confirm` option to generate a hash directly from a value passed to standard input:
```bash
echo 'my password' | datasette hash-password --no-confirm
```
```
pbkdf2_sha256$260000$daa...
```
### Specifying actors
By default, a logged in user will result in an [actor block](https://datasette.readthedocs.io/en/stable/authentication.html#actors) that just contains their username:
```json
{
"id": "someusername"
}
```
You can customize the actor that will be used for a username by including an `"actors"` configuration block, like this:
```json
{
"plugins": {
"datasette-auth-passwords": {
"someusername_password_hash": {
"$env": "PASSWORD_HASH_1"
},
"actors": {
"someusername": {
"id": "someusername",
"name": "Some user"
}
}
}
}
}
```
### HTTP Basic authentication option
This plugin defaults to implementing login using an HTML form that sets a signed authentication cookie.
You can alternatively configure it to use [HTTP Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#basic_authentication_scheme) instead.
Do this by adding `"http_basic_auth": true` to the `datasette-auth-passwords` block in your plugin configuration.
This option introduces the following behaviour:
- Account usernames and passwords are configured in the same way as form-based authentication
- Every page within Datasette - even pages that normally do not use authentication, such as static assets - will display a browser login prompt
- Users will be unable to log out without closing their browser entirely
There is a demo of this mode at https://datasette-auth-passwords-http-basic-demo.datasette.io/ - sign in with username `root` and password `password!`
### Using with datasette publish
If you are publishing data using a [datasette publish](https://datasette.readthedocs.io/en/stable/publish.html#datasette-publish) command you can use the `--plugin-secret` option to securely configure your password hashes (see [secret configuration values](https://datasette.readthedocs.io/en/stable/plugins.html#secret-configuration-values)).
You would run the command something like this:
datasette publish cloudrun mydatabase.db \
--install datasette-auth-passwords \
--plugin-secret datasette-auth-passwords root_password_hash 'pbkdf2_sha256$...' \
--service datasette-auth-passwords-demo
This will allow you to log in as username `root` using the password that you used to create the hash.
## Development
To set up this plugin locally, first checkout the code. Then create a new virtual environment:
cd datasette-auth-passwords
python3 -mvenv venv
source venv/bin/activate
Or if you are using `pipenv`:
pipenv shell
Now install the dependencies and tests:
pip install -e '.[test]'
To run the tests:
pytest
Raw data
{
"_id": null,
"home_page": "https://github.com/simonw/datasette-auth-passwords",
"name": "datasette-auth-passwords",
"maintainer": null,
"docs_url": null,
"requires_python": null,
"maintainer_email": null,
"keywords": null,
"author": "Simon Willison",
"author_email": null,
"download_url": "https://files.pythonhosted.org/packages/41/27/2e613ed17c92effac6d3a23c9b16bb983fcaa56a223f62ead61070f37f83/datasette_auth_passwords-1.1.1.tar.gz",
"platform": null,
"description": "# datasette-auth-passwords\n\n[](https://pypi.org/project/datasette-auth-passwords/)\n[](https://github.com/simonw/datasette-auth-passwords/releases)\n[](https://github.com/simonw/datasette-auth-passwords/blob/master/LICENSE)\n\nDatasette plugin for authenticating access using passwords\n\n## Installation\n\nInstall this plugin in the same environment as Datasette.\n\n```bash\ndatasette install datasette-auth-passwords\n```\n\n## Demo\n\nA demo of this plugin is running at https://datasette-auth-passwords-demo.datasette.io/\n\nThe demo is configured to show the `public.db` database to everyone, but the `private.db` database only to logged in users.\n\nYou can log in at https://datasette-auth-passwords-demo.datasette.io/-/login with username `root` and password `password!`.\n\n## Usage\n\nThis plugin works based on a list of username/password accounts that are hard-coded into the plugin configuration.\n\nFirst, you'll need to create a password hash. There are three ways to do that:\n\n- Install the plugin, then use the interactive tool located at `/-/password-tool`\n- Use the hosted version of that tool at https://datasette-auth-passwords-demo.datasette.io/-/password-tool\n- Use the `datasette hash-password` command, described below\n\nNow add the following to your `metadata.json`:\n\n```json\n{\n \"plugins\": {\n \"datasette-auth-passwords\": {\n \"someusername_password_hash\": {\n \"$env\": \"PASSWORD_HASH_1\"\n }\n }\n }\n}\n```\n\nThe password hash can now be specified in an environment variable when you run Datasette. You can do that like so:\n\n PASSWORD_HASH_1='pbkdf2_sha256$...' \\\n datasette -m metadata.json\n\nBe sure to use single quotes here otherwise the `$` symbols in the password hash may be incorrectly interpreted by your shell.\n\nYou will now be able to log in to your instance using the form at `/-/login` with `someusername` as the username and the password that you used to create your hash as the password.\n\nYou can include as many accounts as you like in the configuration, each with different usernames.\n\n### datasette hash-password\n\nThe plugin exposes a new CLI command, `datasette hash-password`. You can run this without arguments to interactively create a new password hash:\n```bash\ndatasette hash-password\n```\n```\nPassword: \nRepeat for confirmation: \npbkdf2_sha256$260000$1513...\n```\nOr if you want to use it as part of a script, you can add the `--no-confirm` option to generate a hash directly from a value passed to standard input:\n```bash\necho 'my password' | datasette hash-password --no-confirm\n```\n```\npbkdf2_sha256$260000$daa...\n```\n### Specifying actors\n\nBy default, a logged in user will result in an [actor block](https://datasette.readthedocs.io/en/stable/authentication.html#actors) that just contains their username:\n\n```json\n{\n \"id\": \"someusername\"\n}\n```\n\nYou can customize the actor that will be used for a username by including an `\"actors\"` configuration block, like this:\n\n```json\n{\n \"plugins\": {\n \"datasette-auth-passwords\": {\n \"someusername_password_hash\": {\n \"$env\": \"PASSWORD_HASH_1\"\n },\n \"actors\": {\n \"someusername\": {\n \"id\": \"someusername\",\n \"name\": \"Some user\"\n }\n }\n }\n }\n}\n```\n### HTTP Basic authentication option\n\nThis plugin defaults to implementing login using an HTML form that sets a signed authentication cookie.\n\nYou can alternatively configure it to use [HTTP Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#basic_authentication_scheme) instead.\n\nDo this by adding `\"http_basic_auth\": true` to the `datasette-auth-passwords` block in your plugin configuration.\n\nThis option introduces the following behaviour:\n\n- Account usernames and passwords are configured in the same way as form-based authentication\n- Every page within Datasette - even pages that normally do not use authentication, such as static assets - will display a browser login prompt\n- Users will be unable to log out without closing their browser entirely\n\nThere is a demo of this mode at https://datasette-auth-passwords-http-basic-demo.datasette.io/ - sign in with username `root` and password `password!`\n\n### Using with datasette publish\n\nIf you are publishing data using a [datasette publish](https://datasette.readthedocs.io/en/stable/publish.html#datasette-publish) command you can use the `--plugin-secret` option to securely configure your password hashes (see [secret configuration values](https://datasette.readthedocs.io/en/stable/plugins.html#secret-configuration-values)).\n\nYou would run the command something like this:\n\n datasette publish cloudrun mydatabase.db \\\n --install datasette-auth-passwords \\\n --plugin-secret datasette-auth-passwords root_password_hash 'pbkdf2_sha256$...' \\\n --service datasette-auth-passwords-demo\n\nThis will allow you to log in as username `root` using the password that you used to create the hash.\n\n## Development\n\nTo set up this plugin locally, first checkout the code. Then create a new virtual environment:\n\n cd datasette-auth-passwords\n python3 -mvenv venv\n source venv/bin/activate\n\nOr if you are using `pipenv`:\n\n pipenv shell\n\nNow install the dependencies and tests:\n\n pip install -e '.[test]'\n\nTo run the tests:\n\n pytest\n",
"bugtrack_url": null,
"license": "Apache License, Version 2.0",
"summary": "Datasette plugin for authenticating access using passwords",
"version": "1.1.1",
"project_urls": {
"CI": "https://github.com/simonw/datasette-auth-passwords/actions",
"Changelog": "https://github.com/simonw/datasette-auth-passwords/releases",
"Homepage": "https://github.com/simonw/datasette-auth-passwords",
"Issues": "https://github.com/simonw/datasette-auth-passwords/issues"
},
"split_keywords": [],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "3a2533eff736b8ebeacbd69bd323f8b52348686150ef67228b119936343c967b",
"md5": "2c11dd9d9b7c6a2b3656af3f4a469486",
"sha256": "95a933214fbd8ad1218d11bc37a17e074c66141e593ce202cf0f45cd3562c734"
},
"downloads": -1,
"filename": "datasette_auth_passwords-1.1.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "2c11dd9d9b7c6a2b3656af3f4a469486",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": null,
"size": 7726,
"upload_time": "2024-09-03T17:54:08",
"upload_time_iso_8601": "2024-09-03T17:54:08.904775Z",
"url": "https://files.pythonhosted.org/packages/3a/25/33eff736b8ebeacbd69bd323f8b52348686150ef67228b119936343c967b/datasette_auth_passwords-1.1.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "41272e613ed17c92effac6d3a23c9b16bb983fcaa56a223f62ead61070f37f83",
"md5": "a8f4e09566f4c65bb41d368c8f441cd1",
"sha256": "403a53cb6a29617e91ea3de212dd54e7270c2bdb3e9e8dba350d540e1c5adfca"
},
"downloads": -1,
"filename": "datasette_auth_passwords-1.1.1.tar.gz",
"has_sig": false,
"md5_digest": "a8f4e09566f4c65bb41d368c8f441cd1",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 8293,
"upload_time": "2024-09-03T17:54:10",
"upload_time_iso_8601": "2024-09-03T17:54:10.052882Z",
"url": "https://files.pythonhosted.org/packages/41/27/2e613ed17c92effac6d3a23c9b16bb983fcaa56a223f62ead61070f37f83/datasette_auth_passwords-1.1.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-09-03 17:54:10",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "simonw",
"github_project": "datasette-auth-passwords",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "datasette-auth-passwords"
}
JSON
