django-rest-framework源码分析2—认证(Authentication)源码解析

最新推荐文章于 2024-07-31 08:40:10 发布

liuwangleoooO

最新推荐文章于 2024-07-31 08:40:10 发布

阅读量494

点赞数

分类专栏： # DRF源码解析文章标签： drf 认证源码解析 authentication

本文链接：https://blog.csdn.net/qq_36581961/article/details/111212166

版权

DRF源码解析专栏收录该内容

5 篇文章 1 订阅

订阅专栏

本文详细介绍了认证的概念，包括互联网中的常见认证方式，如用户名密码、邮箱验证和手机验证码。接着，通过Django的源码分析了传统认证模式，如MD5加密，并展示了基于API视图的认证流程。最后，讨论了如何在全局和局部层面应用自定义认证类，提供了一种基于token的认证实现示例。

摘要由CSDN通过智能技术生成

认证源码解析

什么是认证（Authentication）

通俗地讲就是验证当前用户的身份，证明 “你是你自己”（比如：你每天上下班打卡，都需要通过指纹打卡，当你的指纹和系统里录入的指纹相匹配时，就打卡成功）

互联网中的认证：

用户名密码登录
邮箱发送登录链接
手机号接收验证码
只要你能收到邮箱 / 验证码，就默认你是账号的主人

传统认证方式

# models
class UserInfo(models.Models):
    username = models.CharField(max_length=32)
    password = models.CharField(max_length=64)
    
class UserToken(models.Models):
    user = models.OneToOneField(to='UserInfo')
    token = models.CharField(max_length=64)
# views
def md5(user):
    import hashlib
    import time
    ctime = str(time.time())
    m = hashlib.md5(bytes(user,enceding='utf-8'))
    m.update(bytes(ctime,enceding='utf-8'))
    return m.hexdigest()
    
class AuthView(APIView):
    def post(self,request,*args,**kwargs):
        ret = {"code":'1000','msg':None}
        try:
            user = request._request.POST.get('username')
            pwd = reuqest._request.POST.get('password')
            obj = models.UserInfo.objects.filter(username=name,password=pwd).first()
            if not obj:
                ret['code']='1001'
                ret['msg']='用户名秘密错误'
            token = md5(user)
            models.UserToken.objects.update_or_create(user=obj,default={'token':token})
            ret['token']=token
        except Excepion as e:
            ret['code']='1002'
            ret['msg']='请求异常'
        return JsonResponse(ret)

源码分析

#认证中的基类，主要实现authenticate 和 authenticate_header方法


class BaseAuthentication:
    """
    All authentication classes should extend BaseAuthentication.
    """

    def authenticate(self, request):
        """
        Authenticate the request and return a two-tuple of (user, token).
        """
        raise NotImplementedError(".authenticate() must be overridden.")

    def authenticate_header(self, request):
        """
        Return a string to be used as the value of the `WWW-Authenticate`
        header in a `401 Unauthenticated` response, or `None` if the
        authentication scheme should return `403 Permission Denied` responses.
        """
        pass

#基于用户名和密码的认证

class BasicAuthentication(BaseAuthentication):

#基于session的认证

class SessionAuthentication(BaseAuthentication):

#基于token的认证

class TokenAuthentication(BaseAuthentication): ---

#远程用户认证


class RemoteUserAuthentication(BaseAuthentication):
    """
    REMOTE_USER authentication.

    To use this, set up your web server to perform authentication, which will
    set the REMOTE_USER environment variable. You will need to have
    'django.contrib.auth.backends.RemoteUserBackend in your
    AUTHENTICATION_BACKENDS setting
    """

认证流程

authentication_classes
请求到dispatch方式

def dispatch(self, request, *args, **kwargs):
      """
      `.dispatch()` is pretty much the same as Django's regular dispatch,
      but with extra hooks for startup, finalize, and exception handling.
      """
      self.args = args
      self.kwargs = kwargs
      request = self.initialize_request(request, *args, **kwargs)
      self.request = request
      self.headers = self.default_response_headers  # deprecate?
      try:
          self.initial(request, *args, **kwargs)

调用self.initial()

def initial(self, request, *args, **kwargs):
    self.perform_authentication(request)

调用 perform_authentication() 返回request.user

def perform_authentication(self, request):
     request.user

**在dispatch中initialize_request封装了Request **

def initialize_request(self, request, *args, **kwargs):
    parser_context = self.get_parser_context(request)
    return Request(
        request,
        parsers=self.get_parsers(),
        authenticators=self.get_authenticators(),
        negotiator=self.get_content_negotiator(),
        parser_context=parser_context
    )

Request 有方法注解 user 调用_authenticate 循环认证对象执行方法

@property
def user(self):
    if not hasattr(self, '_user'):
        with wrap_attributeerrors():
            self._authenticate()
    return self._user

def _authenticate(self):
    for authenticator in self.authenticators:
        try:
            user_auth_tuple = authenticator.authenticate(self)
        except exceptions.APIException:
            self._not_authenticated()
            raise
        if user_auth_tuple is not None:
            self._authenticator = authenticator
            self.user, self.auth = user_auth_tuple
            return
    self._not_authenticated()

使用方法

全局使用

自定义的认证类可以通过全局设置放在setting文件中源码中会读取setting中的

REST_FRAMEWORK={
       'DEFAULT_AUTHENTICATION_CLASSES'=('自定义的认证类'),
       'UNAUTHENTICATED_USER':None,
       'UNAUTHENTICATED_TOKEN':None
   }

局部使用（视图级别的认证）

内置的认证类 rest_framework.authentication BasicAuthentication

from rest_framework.authentication import BaseAuthentication
from rest_framework.exceptions import AuthenticationFailed
class MyAuth(BaseAuthentication):
	def authenticate(self, request):
		if request.method in ["POST", "PUT", "DELETE"]:
			request_token = request.data.get("token", None)
			if not request_token:
				raise AuthenticationFailed('缺少token')
			token_obj = models.Token.objects.filter(token_code=request_token).first()
			if not token_obj:
				raise AuthenticationFailed('无效的token')
			return token_obj.user.username, None
		else:
			return None, None

继承 BasicAuthentication 创建自定义的认证类实现 authenticate方法
添加到视图类的 authentication_classes

class CommentViewSet(ModelViewSet):
	queryset = models.Comment.objects.all()
	serializer_class = app01_serializers.CommentSerializer
	authentication_classes = [MyAuth, ]