Simon Willison’s Weblog


Weeknotes: datasette-indieauth, datasette-graphql, PyCon Argentina

22nd November 2020

Last week’s weeknotes took the form of my Personal Data Warehouses: Reclaiming Your Data talk write-up, which represented most of what I got done that week. This week I mainly worked on datasette-indieauth, but I also gave a keynote at PyCon Argentina and released a version of datasette-graphql with a small security fix.


I wrote about this project in detail in Implementing IndieAuth for Datasette—it was inspired by last weekend’s IndieWebCamp East and provides Datasette with a password-less sign in option with the least possible amount of configuration.

Shortly after release version 1.0 of the plugin I realized it had a critical security vulnerability, where a malicious authorization server could fake a sign-in as any user! I fixed this in version 1.1 and released that along with a GitHub security advisory: Implementation trusts the “me” field returned by the authorization server without verifying it.

The IndieAuth community has an active #dev chat channel, available in Slack and through IRC and their web chat interface. I’ve had some very productive conversations there about parts of the specification that I found confusing.


This week I also issued a security advisory for my datasette-graphql plugin. This one was thankfully much less severe: I realized that the plugin was leaking details of the schema of otherwise private databases, if they were protected by Datasette’s permission system.

Here’s the advisory: datasette-graphql leaks details of the schema of private database files. It’s important to note that the actual content of the tables was not exposed—just the schema details such as the names of the tables and columns.

To my knowledge no-one has installed that plugin on an internet-exposed Datasette instance that includes private databases, so I don’t think anyone was affected by the vulnerability. The fix is available in datasette-graphql 1.2.

Also in that release: I’ve added table action items that link to an example GraphQL query for each table. This is a pretty neat usability enhancement, since the example includes all of the non-foreign-key columns making it a useful starting point for iterating on a query. You can try that out starting on this page.

Animated demo showing the cog menu linking to an example query in the GraphiQL API explorer

Keynoting PyCon Argentina

On Friday I presented a keynote at PyCon Argentina. I actually recorded this several weetks ago, but the keynote was broadcast live on YouTube so I got to watch the talk and post real-time notes and links to an accompanying Google Doc, which I also used for Q&A after tha talk.

The conference was really well organized, with top notch production values. They made a pixel-art version of my for the poster!

My PyCon Argentina poster

The video isn’t available yet, but I’ll link to it when they share it (UPDATE: the video is here). I’m particularly excited about the professionally translated subtitles en Español.


Since Datasette depends on Python 3.6 these days, I decided to try out f-strings. I used flynt to automatically convert all of my usage of .format() to use f-strings instead. Flynt is built on top of astor, a really neat looking library for more productively manipulating Python source code using Python’s AST.

I’ve long been envious of the JavaScript community’s aggressive use of codemods for automated refactoring, so I’m excited to see that kind of thing become more common in the Python community.

datasette-search-all is my plugin that returns search results from ALL attached searchable database tables, using a barrage of fetch() calls. I bumped it to a 1.0 release adding loading indicators, more reliable URL construction (with the new datasette.urls utilities) and a menu item in Datasette’s new navigation menu.

Releases in the past two weeks