什么是认证(Authentication)
通俗地讲就是验证当前用户的身份,证明 “你是你自己”(比如:你每天上下班打卡,都需要通过指纹打卡,当你的指纹和系统里录入的指纹相匹配时,就打卡成功)
互联网中的认证:
- 用户名密码登录
- 邮箱发送登录链接
- 手机号接收验证码
- 只要你能收到邮箱 / 验证码,就默认你是账号的主人
传统认证方式
# models
class UserInfo(models.Models):
username = models.CharField(max_length=32)
password = models.CharField(max_length=64)
class UserToken(models.Models):
user = models.OneToOneField(to='UserInfo')
token = models.CharField(max_length=64)
# views
def md5(user):
import hashlib
import time
ctime = str(time.time())
m = hashlib.md5(bytes(user,enceding='utf-8'))
m.update(bytes(ctime,enceding='utf-8'))
return m.hexdigest()
class AuthView(APIView):
def post(self,request,*args,**kwargs):
ret = {"code":'1000','msg':None}
try:
user = request._request.POST.get('username')
pwd = reuqest._request.POST.get('password')
obj = models.UserInfo.objects.filter(username=name,password=pwd).first()
if not obj:
ret['code']='1001'
ret['msg']='用户名秘密错误'
token = md5(user)
models.UserToken.objects.update_or_create(user=obj,default={'token':token})
ret['token']=token
except Excepion as e:
ret['code']='1002'
ret['msg']='请求异常'
return JsonResponse(ret)
源码分析
#认证中的基类,主要实现authenticate 和 authenticate_header方法
class BaseAuthentication:
"""
All authentication classes should extend BaseAuthentication.
"""
def authenticate(self, request):
"""
Authenticate the request and return a two-tuple of (user, token).
"""
raise NotImplementedError(".authenticate() must be overridden.")
def authenticate_header(self, request):
"""
Return a string to be used as the value of the `WWW-Authenticate`
header in a `401 Unauthenticated` response, or `None` if the
authentication scheme should return `403 Permission Denied` responses.
"""
pass
#基于用户名和密码的认证
class BasicAuthentication(BaseAuthentication):
#基于session的认证
class SessionAuthentication(BaseAuthentication):
#基于token的认证
class TokenAuthentication(BaseAuthentication): ---
#远程用户认证
class RemoteUserAuthentication(BaseAuthentication):
"""
REMOTE_USER authentication.
To use this, set up your web server to perform authentication, which will
set the REMOTE_USER environment variable. You will need to have
'django.contrib.auth.backends.RemoteUserBackend in your
AUTHENTICATION_BACKENDS setting
"""
认证流程
authentication_classes
请求到dispatch方式
def dispatch(self, request, *args, **kwargs):
"""
`.dispatch()` is pretty much the same as Django's regular dispatch,
but with extra hooks for startup, finalize, and exception handling.
"""
self.args = args
self.kwargs = kwargs
request = self.initialize_request(request, *args, **kwargs)
self.request = request
self.headers = self.default_response_headers # deprecate?
try:
self.initial(request, *args, **kwargs)
调用self.initial()
def initial(self, request, *args, **kwargs):
self.perform_authentication(request)
调用 perform_authentication() 返回request.user
def perform_authentication(self, request):
request.user
**在dispatch中initialize_request封装了Request **
def initialize_request(self, request, *args, **kwargs):
parser_context = self.get_parser_context(request)
return Request(
request,
parsers=self.get_parsers(),
authenticators=self.get_authenticators(),
negotiator=self.get_content_negotiator(),
parser_context=parser_context
)
Request 有方法注解 user 调用_authenticate 循环认证对象 执行方法
@property
def user(self):
if not hasattr(self, '_user'):
with wrap_attributeerrors():
self._authenticate()
return self._user
def _authenticate(self):
for authenticator in self.authenticators:
try:
user_auth_tuple = authenticator.authenticate(self)
except exceptions.APIException:
self._not_authenticated()
raise
if user_auth_tuple is not None:
self._authenticator = authenticator
self.user, self.auth = user_auth_tuple
return
self._not_authenticated()
使用方法
- 全局使用
自定义的认证类可以通过全局设置 放在setting文件中 源码中会读取setting中的
REST_FRAMEWORK={
'DEFAULT_AUTHENTICATION_CLASSES'=('自定义的认证类'),
'UNAUTHENTICATED_USER':None,
'UNAUTHENTICATED_TOKEN':None
}
- 局部使用(视图级别的认证)
内置的认证类 rest_framework.authentication BasicAuthentication
from rest_framework.authentication import BaseAuthentication
from rest_framework.exceptions import AuthenticationFailed
class MyAuth(BaseAuthentication):
def authenticate(self, request):
if request.method in ["POST", "PUT", "DELETE"]:
request_token = request.data.get("token", None)
if not request_token:
raise AuthenticationFailed('缺少token')
token_obj = models.Token.objects.filter(token_code=request_token).first()
if not token_obj:
raise AuthenticationFailed('无效的token')
return token_obj.user.username, None
else:
return None, None
继承 BasicAuthentication 创建自定义的认证类 实现 authenticate方法
添加到视图类的 authentication_classes
class CommentViewSet(ModelViewSet):
queryset = models.Comment.objects.all()
serializer_class = app01_serializers.CommentSerializer
authentication_classes = [MyAuth, ]