What is JWT
- Reference: https://www.cnblogs.com/cjsblog/p/9277677.html
Generating and verifying tokens
- Since this was already a Django project, the djangorestframework-jwt library was used. You could also call jwt directly, encode to generate a token and decode to verify it; djangorestframework-jwt only wraps that with some extra features.
- djangorestframework-jwt documentation: https://jpadilla.github.io/django-rest-framework-jwt/
- A simple example of generating and verifying a token by hand:
```python
from rest_framework_jwt.settings import api_settings

jwt_payload_handler = api_settings.JWT_PAYLOAD_HANDLER
jwt_encode_handler = api_settings.JWT_ENCODE_HANDLER
jwt_decode_handler = api_settings.JWT_DECODE_HANDLER

# `user` is a Django user instance obtained beforehand (e.g. request.user)
payload = jwt_payload_handler(user)  # build the payload
token = jwt_encode_handler(payload)  # sign the payload into a token
payload = jwt_decode_handler(token)  # verify the token and get the payload back
```
The core methods in rest_framework_jwt.utils:
```python
import jwt
import uuid
import warnings
from calendar import timegm
from datetime import datetime

from rest_framework_jwt.compat import get_username, get_username_field
from rest_framework_jwt.settings import api_settings

# jwt_get_secret_key(payload) is defined in the same module (not shown here):
# it returns api_settings.JWT_SECRET_KEY, or a per-user key when
# JWT_GET_USER_SECRET_KEY is configured.


def jwt_payload_handler(user):
    username_field = get_username_field()
    username = get_username(user)

    warnings.warn(
        'The following fields will be removed in the future: '
        '`email` and `user_id`. ',
        DeprecationWarning
    )

    payload = {
        'user_id': user.pk,
        'username': username,
        'exp': datetime.utcnow() + api_settings.JWT_EXPIRATION_DELTA
    }
    if hasattr(user, 'email'):
        payload['email'] = user.email
    if isinstance(user.pk, uuid.UUID):
        payload['user_id'] = str(user.pk)

    payload[username_field] = username

    # Include original issued at time for a brand new token,
    # to allow token refresh
    if api_settings.JWT_ALLOW_REFRESH:
        payload['orig_iat'] = timegm(
            datetime.utcnow().utctimetuple()
        )

    if api_settings.JWT_AUDIENCE is not None:
        payload['aud'] = api_settings.JWT_AUDIENCE

    if api_settings.JWT_ISSUER is not None:
        payload['iss'] = api_settings.JWT_ISSUER

    return payload


def jwt_encode_handler(payload):
    key = api_settings.JWT_PRIVATE_KEY or jwt_get_secret_key(payload)
    # PyJWT 1.x returns bytes, hence the .decode(); PyJWT 2.x returns str
    return jwt.encode(
        payload,
        key,
        api_settings.JWT_ALGORITHM
    ).decode('utf-8')


def jwt_decode_handler(token):
    options = {
        'verify_exp': api_settings.JWT_VERIFY_EXPIRATION,
    }
    # get user from token, BEFORE verification, to get user secret key
    # (PyJWT 1.x positional form: jwt.decode(token, key, verify)); the
    # unverified payload is used only to pick the key, never trusted
    unverified_payload = jwt.decode(token, None, False)
    secret_key = jwt_get_secret_key(unverified_payload)
    return jwt.decode(
        token,
        api_settings.JWT_PUBLIC_KEY or secret_key,
        api_settings.JWT_VERIFY,
        options=options,
        leeway=api_settings.JWT_LEEWAY,
        audience=api_settings.JWT_AUDIENCE,
        issuer=api_settings.JWT_ISSUER,
        algorithms=[api_settings.JWT_ALGORITHM]  # pin the algorithm; the token's own alg header is not trusted
    )
```
The payload produced by jwt_payload_handler contains user_id, username, exp (expiration time) and so on; to change what goes into the payload, add or remove fields by writing your own payload_handler.
jwt_encode_handler produces the token from the payload, the key and the configured algorithm.
jwt_decode_handler checks whether the token has expired and whether its signature is valid.
Settings:
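As an added illustration (not code from djangorestframework-jwt or PyJWT), the same three steps written with only the Python standard library, so the mechanics behind the handlers are visible: build a payload with an expiry, sign it as header.payload.signature, and check the signature and expiry before trusting any claim. `build_payload`, `encode_hs256` and `decode_hs256` are hypothetical names, HS256 is the only algorithm, and the demo key is a constructed value. `decode_hs256` also accepts a key-lookup callable, which mirrors the unverified peek at `user_id` that `jwt_decode_handler` uses to fetch a per-user secret.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Algorithms this verifier accepts. The token's own "alg" header is checked
# against this allowlist and never used to pick the verification method,
# the role algorithms=[api_settings.JWT_ALGORITHM] plays in jwt_decode_handler.
ALLOWED_ALGORITHMS = {"HS256"}


class InvalidToken(Exception):
    """A structural, signature or expiry check failed."""


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_payload(user_id, username, ttl_seconds, now=None):
    """Same shape as a payload handler: identity claims plus iat/exp in Unix seconds."""
    now = int(time.time()) if now is None else now
    return {"user_id": user_id, "username": username, "iat": now, "exp": now + ttl_seconds}


def encode_hs256(payload, key):
    """Return header.payload.signature with signature = HMAC-SHA256(key, header.payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def decode_hs256(token, key, leeway=0, now=None):
    """Verify the signature and expiry, then return the claims.

    `key` is either the HMAC key (bytes) or a callable that maps the *unverified*
    claims to a key, mirroring the per-user secret lookup in jwt_decode_handler.
    """
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(signature_b64)
    except (ValueError, binascii.Error):
        raise InvalidToken("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed token")
    if header.get("alg") not in ALLOWED_ALGORITHMS:
        raise InvalidToken("algorithm not allowed")
    if callable(key):
        # Peeking at unverified claims is acceptable for *selecting* a key;
        # nothing in `claims` may be trusted until the signature check passes.
        key = key(claims)
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("signature mismatch")
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or now > exp + leeway):
        raise InvalidToken("token expired")
    return claims


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-real-use"  # constructed sample key
    token = encode_hs256(build_payload(42, "alice", ttl_seconds=300), demo_key)
    print(token)
    print(decode_hs256(token, demo_key))
```

The expiry rule follows PyJWT's: a token is rejected once `now` is more than `leeway` seconds past `exp`, so the leeway setting only tolerates clock skew and never extends the lifetime a disabled expiry check would.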
```python
import datetime

# JSON Web Token Settings
JWT_AUTH = {
    'JWT_VERIFY_EXPIRATION': False,  # whether the expiration time is checked
    'JWT_EXPIRATION_DELTA': datetime.timedelta(days=7),  # expire after 7 days
}
```
The documentation lists further useful settings.
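An added example, not from this page or the library: the page's settings next to a hardened variant, together with a custom payload handler of the kind suggested above. The setting keys are real djangorestframework-jwt settings; the module path `myapp.jwt_handlers` and the `DemoUser` class are assumptions. The handler reads the expiry settings from the dict in this file so it runs without Django; in a project it would use `api_settings.JWT_EXPIRATION_DELTA` and `api_settings.JWT_ALLOW_REFRESH` and be referenced by its dotted path in `JWT_PAYLOAD_HANDLER`.

```python
from calendar import timegm
from datetime import datetime, timedelta, timezone

# As on the page: the exp claim is never checked, so any issued token stays
# usable until the signing key is rotated, however old it is.
JWT_AUTH_NO_EXPIRY_CHECK = {
    'JWT_VERIFY_EXPIRATION': False,
    'JWT_EXPIRATION_DELTA': timedelta(days=7),
}

# Hardened variant: short-lived access tokens, refresh for longer sessions.
# Keys are real djangorestframework-jwt settings; the handler path is assumed.
JWT_AUTH = {
    'JWT_VERIFY_EXPIRATION': True,                      # reject tokens past exp
    'JWT_EXPIRATION_DELTA': timedelta(minutes=15),      # access token lifetime
    'JWT_ALLOW_REFRESH': True,                          # refresh instead of a long exp
    'JWT_REFRESH_EXPIRATION_DELTA': timedelta(days=7),  # how long refresh stays possible
    'JWT_LEEWAY': 30,                                   # seconds of clock skew tolerated
    'JWT_ALGORITHM': 'HS256',
    'JWT_PAYLOAD_HANDLER': 'myapp.jwt_handlers.custom_jwt_payload_handler',  # hypothetical module
}


def custom_jwt_payload_handler(user):
    """Drop-in replacement for the default payload handler.

    Emits only the claims the API needs: no email (the default handler already
    warns that field is going away) and an explicit iat so token age is visible.
    Reads JWT_AUTH directly so this file runs without Django; inside a project
    use api_settings.JWT_EXPIRATION_DELTA / api_settings.JWT_ALLOW_REFRESH.
    """
    now = datetime.now(timezone.utc)
    issued_at = timegm(now.utctimetuple())
    payload = {
        'user_id': str(user.pk),          # str() also covers UUID primary keys
        'username': user.get_username(),
        'iat': issued_at,
        'exp': now + JWT_AUTH['JWT_EXPIRATION_DELTA'],
    }
    if JWT_AUTH['JWT_ALLOW_REFRESH']:
        payload['orig_iat'] = issued_at   # the refresh view requires this claim
    return payload


class DemoUser:
    """Constructed stand-in for a Django user with only the attributes used above."""

    def __init__(self, pk, username, email=None):
        self.pk = pk
        self.username = username
        self.email = email

    def get_username(self):
        return self.username


if __name__ == "__main__":
    print(custom_jwt_payload_handler(DemoUser(42, "alice", "alice@example.invalid")))
```

With refresh enabled, a client exchanges a still-valid token for a new one at the refresh endpoint until `orig_iat` plus `JWT_REFRESH_EXPIRATION_DELTA` has passed, which gives the same seven-day session as the page's configuration without any single token living that long.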