/-/config debug endpoint revealing datasette.yml #2254

Closed
simonw opened this issue Feb 6, 2024 · 5 comments
Comments


simonw commented Feb 6, 2024

Similar to https://latest.datasette.io/-/metadata and https://latest.datasette.io/-/settings

@simonw simonw added this to the Datasette 1.0a8 milestone Feb 6, 2024

simonw commented Feb 6, 2024

I can reuse /-/config, which I set up to redirect to /-/settings a while ago:

datasette/datasette/app.py

Lines 1431 to 1442 in 85a1dfe

```python
        add_route(
            JsonDataView.as_view(self, "settings.json", lambda: self._settings),
            r"/-/settings(\.(?P<format>json))?$",
        )
        add_route(
            permanent_redirect("/-/settings.json"),
            r"/-/config.json",
        )
        add_route(
            permanent_redirect("/-/settings"),
            r"/-/config",
        )
```


simonw commented Feb 6, 2024

For /-/metadata I got so paranoid about accidentally leaking configured secrets that I invented that weird https://docs.datasette.io/en/stable/plugins.html#secret-configuration-values syntax:

```json
{
    "plugins": {
        "datasette-auth-github": {
            "client_secret": {
                "$env": "GITHUB_CLIENT_SECRET"
            }
        }
    }
}
```

For /-/config I'm going to go with a simpler approach: I'm going to automatically redact any keys with _secret or _token or _key in them.


simonw commented Feb 6, 2024

datasette-sentry has dsn which should be redacted too.
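The redaction rule described in the two comments above (any key containing `_secret`, `_token` or `_key`, plus the exact key `dsn`), as an added illustrative example that is not Datasette's own code. The config dictionary is constructed for the example, and the function and constant names are assumptions.

```python
import copy

# Rule from the issue: substrings that mark a key as sensitive, plus exact
# key names added for plugins whose secret key does not follow that pattern
# (datasette-sentry's "dsn"). Names are this example's own, not Datasette's.
REDACT_SUBSTRINGS = ("_secret", "_token", "_key")
REDACT_EXACT = ("dsn",)
REDACTED = "***"


def should_redact(key):
    """True if a config key should have its value hidden on /-/config."""
    k = str(key).lower()
    return k in REDACT_EXACT or any(s in k for s in REDACT_SUBSTRINGS)


def redact_keys(obj):
    """Return a deep copy of obj with values under sensitive keys replaced.

    Walks nested dicts and lists so that plugin settings at any depth are
    covered; the original object is left untouched.
    """
    if isinstance(obj, dict):
        return {
            k: (REDACTED if should_redact(k) else redact_keys(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact_keys(item) for item in obj]
    return copy.deepcopy(obj)


# Constructed sample configuration (not a real datasette.yml).
SAMPLE_CONFIG = {
    "plugins": {
        "datasette-auth-github": {"client_id": "abc123", "client_secret": "hunter2"},
        "datasette-sentry": {"dsn": "https://key@sentry.example.invalid/1"},
        "datasette-example": {
            "api_key": "k-0001",
            "nested": {"signing_token": "t-0001", "timeout": 30},
        },
    },
    "databases": {"content": {"allow": {"id": "root"}}},
}

if __name__ == "__main__":
    import json
    print(json.dumps(redact_keys(SAMPLE_CONFIG), indent=2))
```

The substring rule is a heuristic: a key such as `password` or `dsn` is not caught by it, which is why an exact-match list sits alongside it and needs extending whenever a plugin introduces a differently named secret.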


simonw commented Feb 6, 2024

simonw added a commit that referenced this issue Feb 6, 2024

simonw commented Feb 7, 2024

I'm regretting using permanent_redirect() for the old /-/config page now - my Firefox STILL follows that redirect when I click on https://latest.datasette.io/-/config several hours after I shipped this change.

datasette/datasette/app.py

Lines 1868 to 1881 in 5d21057

```python
def permanent_redirect(path, forward_query_string=False, forward_rest=False):
    return wrap_view(
        lambda request, send: Response.redirect(
            path
            + (request.url_vars["rest"] if forward_rest else "")
            + (
                ("?" + request.query_string)
                if forward_query_string and request.query_string
                else ""
            ),
            status=301,
        ),
        datasette=None,
    )
```

simonw added a commit that referenced this issue Feb 7, 2024
Closes #2243

* Changelog for jinja2_environment_from_request and plugin_hook_slots
* track_event() in changelog
* Remove Using YAML for metadata section - no longer necessary now we show YAML and JSON examples everywhere.
* Configuration via the command-line section - #2252
* JavaScript plugins in release notes, refs #2052
* /-/config in changelog, refs #2254

Refs #2052, #2156, #2243, #2247, #2249, #2252, #2254
simonw added a commit that referenced this issue Feb 7, 2024