Support direct API uploads

[simonw]

It would be nice if the plugin could support entirely automated uploads though, in which case deriving a name from the file would be useful.

(Supporting direct uploads needs some thought, need to protect against CSRF etc).

Originally posted by @simonw in https://github.com/simonw/datasette-upload-dbs/issues/1#issuecomment-1126565199

[simonw]

Goal here is to support things like a GitHub Actions workflow that builds a SQLite file and then uploads it at the end.

Which means there should be a way to replace an existing database with the newly uploaded one too - since that will be a common use-case.

Authentication is tricky: I'd like to outsource that to plugins like https://github.com/simonw/datasette-auth-tokens but I will need to think carefully about how CSRF protection works. Does Datasette already know not to apply CSRF protection if the incoming request has a Accept: Bearer ... header?

[simonw]

This actually works now (at least with Datasette 1.0a2 or higher), thanks to this issue:

• 9

I installed the plugin and ran Datasette like this:

mkdir /tmp/demo
cd /tmp/demo
datasette --root . -p 3344 -m config.yml

Where config.yml contained:

plugins:
  datasette-upload-dbs:
    directory: /tmp/demo

Then I created an API token scoped for uploading databases on http://127.0.0.1:3344/-/create-token

I downloaded fixtures.db:

cd /tmp
wget https://latest.datasette.io/fixtures.db

And then uploaded it to my local instance like this:

export API_TOKEN='dstok_eyJhIjoicm9vdCIsInQiOjE2OTE2ODgwNTgsIl9yIjp7ImEiOlsidXBsb2FkLWRicyJdfX0.v3elkNUP3qlgoOHf4iAkeu4p8Aw'
curl -X POST \
  -H "Authorization: Bearer $API_TOKEN" \
  -F "db=@fixtures.db" \
  -F "db_name=fixtures" \
  -F "xhr=true" \
  http://127.0.0.1:3344/-/upload-dbs

And it worked!

I'm seeing double databases there because I started datasette . in the /tmp/demo directory and the plugin is configured for that directory as well.