安装需要的包
# Install the JWT- and pydantic-related dependencies
pip install passlib
pip install pydantic[email]
pip install python-multipart
pip install bcrypt
# NOTE(review): the PyPI project named "jwt" is not PyJWT. The snippets on
# this page do `import jwt` and call jwt.encode()/jwt.decode(), which is the
# PyJWT calling convention -- confirm which distribution is meant to provide
# the `jwt` module before relying on this list.
pip install jwt
# python-jose provides `jose.jwt` and `jose.JWTError`; nothing on this page
# imports from `jose`, so as written this package is unused.
pip install python-jose
哈希并校验密码
# 1. Build the context object used to hash and verify passwords
from passlib.context import CryptContext
# The configured scheme is bcrypt. deprecated="auto" is passlib's "every
# scheme except the default is deprecated" setting; with a single scheme
# listed it changes nothing today but keeps future scheme migrations simple.
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
# 2、哈希密码:hash(password)
def get_password_hash(password):
    """Hash a user-supplied plaintext password with the module's bcrypt context.

    :param password: plaintext password
    :return: the hash string produced by pwd_context (a "$2b$..." bcrypt
        string with the configuration above)
    """
    hashed = pwd_context.hash(password)
    return hashed
# 哈希后的密码
# $2b$12$sErK932BEaLyIisz30PubepN7w91RLwkISWbAFYgUgoIqh8goJLEW
# 3、校验密码:verify(plain_password, hashed_password)
def verify_password(plain_password, hashed_password):
    """Check a plaintext password against a stored hash.

    :param plain_password: plaintext password as received from the user
    :param hashed_password: hash previously produced by get_password_hash()
    :return: True when the password matches the hash, otherwise False
    """
    matches = pwd_context.verify(plain_password, hashed_password)
    return matches
JWT令牌验证加密相关配置,及数据模型创建
###############
# JWT令牌验证加密相关配置,及数据模型创建
###############
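# 1. Generate a random signing key for the JWT (run on Windows or Linux):
#      openssl rand -hex 32
#      -> 4a2ca2b5dac83fcfcdc97aeab073ee4bf9f99c3e116345e69c874941da247027
# 2. Signing key. A key committed to source is effectively public: anyone who
#    can read this file can mint a token for any username. The value is taken
#    from the JWT_SECRET_KEY environment variable when it is set; the literal
#    is only the tutorial fallback and must not be used outside local tests.
import os

SECRET_KEY = os.environ.get(
    "JWT_SECRET_KEY",
    "4a2ca2b5dac83fcfcdc97aeab073ee4bf9f99c3e116345e69c874941da247027",
)
# 3. Signing algorithm. jwt.decode() further down pins this same value via
#    algorithms=[ALGORITHM], so a token cannot pick its own algorithm.
ALGORITHM = "HS256"
# 4. Access-token lifetime (minutes)
ACCESS_TOKEN_EXPIRE_MINUTES = 30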
# 5. In-memory stand-in for a user table, keyed by username. Both demo
#    accounts carry the same bcrypt hash; "li si" is flagged as disabled.
_DEMO_USERS = (
    {
        "id": 1,
        "username": "zhang san",
        "email": "zhang_san@user.com",
        "hashed_password": "$2b$12$nmpXZ.WdL3fbSDMC2UaAWuOK5f4vf08Wx71bgnQxJUsIt3qKKzuKe",
        "disabled": False,
    },
    {
        "id": 2,
        "username": "li si",
        "email": "li_si@user.com",
        "hashed_password": "$2b$12$nmpXZ.WdL3fbSDMC2UaAWuOK5f4vf08Wx71bgnQxJUsIt3qKKzuKe",
        "disabled": True,
    },
)
users_db = {record["username"]: record for record in _DEMO_USERS}
# 6、创建所需模型类
from typing import Optional,Union
from pydantic import BaseModel, EmailStr
# 1) 用户模型基类
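class UserBase(BaseModel):
    """Public view of a user: every field except the password hash.

    All fields are optional so the model can also describe partial records.
    ``disabled`` is what get_current_active_user() checks.
    """

    # None, not False, is the "unknown" value for an integer id
    id: Optional[int] = None
    username: Optional[str] = None
    # EmailStr needs the extra: pip install pydantic[email]
    email: Optional[EmailStr] = None
    disabled: Union[bool, None] = None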
# 2)登录成功返回token模型
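class TokenModel(BaseModel):
    """Response body of POST /jwt/token."""

    # Optional[str] for consistency with token_type; the login endpoint
    # always fills both fields
    access_token: Optional[str] = None
    # "bearer" for tokens issued by login_for_access_token()
    token_type: Union[str, None] = None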
# 3)用户密码
class UserInDB(UserBase):
    """UserBase plus the stored password hash.

    Endpoints declare response_model=UserBase so that this field is filtered
    out of responses.
    """

    hashed_password: str
查看登录用户是否在数据库,及创建用户token
#################
# 查看登录用户是否在数据库,及创建用户token
#################
from datetime import datetime, timedelta
# NOTE(review): `import jwt` binds the top-level "jwt" module, and the
# encode/decode calls below use the PyJWT signatures. python-jose from the
# install list would be `from jose import jwt, JWTError` instead; JWTError
# is never imported anywhere on this page -- confirm which library is meant.
import jwt
# 模拟在数据库中查找用户,找到之后初始化UserInDB类并返回实例
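def get_user(db: dict, username: str) -> Optional[UserInDB]:
    """Look up *username* in the (fake) user table.

    :param db: mapping of username -> user record dict (see users_db)
    :param username: exact key to look up; no normalisation is applied
    :return: a UserInDB built from the record, or None when the user is absent
        (the original annotation claimed UserInDB but fell through to None)
    """
    if username not in db:
        return None
    return UserInDB(**db[username])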
# 校验用户功能函数
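def authenticate_user(db: dict, username: str, password: str):
    """Validate a username/password pair against *db*.

    :param db: user table, see get_user()
    :param username: login name as submitted
    :param password: plaintext password as submitted
    :return: the UserInDB instance on success; False when the user is unknown
        or the password does not match (the two failures are not distinguished)
    """
    user = get_user(db, username)
    if user is None:
        # Spend a bcrypt verification on unknown usernames as well, so the
        # response time does not differ between "no such user" and "wrong
        # password" (user-enumeration via timing).
        pwd_context.dummy_verify()
        return False
    if not verify_password(password, user.hashed_password):
        return False
    return user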
# 创建生成访问令牌的函数
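def create_access_token(data: dict, expires_delta: Union[timedelta, None] = None) -> str:
    """Sign *data* as a JWT carrying an ``exp`` claim.

    :param data: claims to embed (the login endpoint passes {"sub": username});
        the dict is copied, not mutated
    :param expires_delta: token lifetime; a 15 minute default is used when
        None (a zero delta is now honoured rather than treated as "unset")
    :return: the compact serialised JWT
    """
    from datetime import timezone

    to_encode = data.copy()
    lifetime = expires_delta if expires_delta is not None else timedelta(minutes=15)
    # timezone-aware UTC instead of the naive utcnow(); "exp" is serialised as
    # a Unix timestamp, so the instant must be unambiguous (and utcnow() is
    # deprecated in recent Python versions)
    expire = datetime.now(timezone.utc) + lifetime
    to_encode["exp"] = expire
    # SECRET_KEY signs the claim set; ALGORITHM is the pinned signing algorithm
    return jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)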
判断是否为活动用户,并返回用户信息
#################
# 判断是否为活动用户,并返回用户信息
#################
# 注意:依赖于oauth2_schema 及用户token认证入口,及登录后使用该方法
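def get_current_user(token: str = Depends(oauth2_schema)) -> UserInDB:
    """Resolve the bearer token of the current request to its user.

    Verifies the JWT signature and expiry, then loads the user named by the
    ``sub`` claim from users_db.

    :param token: bearer token extracted by oauth2_schema
    :return: the matching UserInDB
    :raises HTTPException: 401 when the token is invalid, expired, carries no
        ``sub`` claim, or names an unknown user; the reason is deliberately
        not exposed to the client
    """
    credentials_exception = HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Incorrect username or password",
        headers={"WWW-Authenticate": "Bearer"},
    )
    try:
        # algorithms=[ALGORITHM] pins the accepted algorithm; it must never be
        # taken from the token header
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
    except jwt.PyJWTError:
        # NOTE(review): the original caught JWTError, which is never imported
        # on this page, so a bad token raised NameError (a 500, not a 401).
        # PyJWTError is PyJWT's base exception; with python-jose this would be
        # `jose.JWTError` instead.
        raise credentials_exception
    # example payload shape seen in the tutorial: {'sub': 'johndoe', 'exp': 1674033230}
    username = payload.get("sub")
    if username is None:
        raise credentials_exception
    user = get_user(users_db, username=username)
    if user is None:
        raise credentials_exception
    return user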
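def get_current_active_user(current_user: UserInDB = Depends(get_current_user)) -> UserInDB:
    """Reject disabled accounts; pass active ones through unchanged.

    :param current_user: user resolved by get_current_user(); a model
        instance, not a dict as the original annotation said -- the
        ``disabled`` attribute is read below
    :return: *current_user* when the account is active
    :raises HTTPException: 401 when the account is disabled
    """
    if current_user.disabled:
        # the token was valid, so the message can say why the request is
        # refused instead of the misleading "Incorrect username or password"
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Inactive user",
            headers={"WWW-Authenticate": "Bearer"},
        )
    return current_user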
fastapi 接口封装
# 使用表单格式参数需要安装模块:python-multipart
@app.post("/jwt/token", response_model=TokenModel)
async def login_for_access_token(username: str = Form(...), password: str = Form(...)):
    """Issue a bearer JWT for a valid username/password form submission.

    Form fields need the python-multipart package. The same 401 is returned
    whether the username or the password was wrong.
    """
    user = authenticate_user(users_db, username, password)
    if not user:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Incorrect username or password",
            headers={"WWW-Authenticate": "Bearer"},
        )
    # the token identifies the user by username; the "sub" claim must be a str
    token = create_access_token(
        data={"sub": user.username},
        expires_delta=timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES),
    )
    return {"access_token": token, "token_type": "bearer"}
# 访问当前用户信息接口api
# 定义返回数据格式为UserBase模型格式数据
# 把校验token函数当做依赖项进行赋值给user
# 验证成功,并返回user
@app.get("/user", response_model=UserBase)
async def get_user_info(*, user: UserBase = Depends(get_current_active_user)):
    """Return the authenticated, active user.

    response_model=UserBase keeps hashed_password out of the response body.
    """
    return user
fastapi-jwt源码-全(可生产使用)
from fastapi import FastAPI,Form,Depends,HTTPException,status
from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
app = FastAPI()
# Bearer-token dependency: reads the "Authorization: Bearer <token>" header
# and points the OpenAPI password flow at the login endpoint below
oauth2_schema= OAuth2PasswordBearer(tokenUrl="/jwt/token")
###############
# 哈希并校验密码原理
###############
# 1. Build the context object used to hash and verify passwords
from passlib.context import CryptContext
# The configured scheme is bcrypt. deprecated="auto" is passlib's "every
# scheme except the default is deprecated" setting; with a single scheme
# listed it changes nothing today but keeps future scheme migrations simple.
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
# 2、哈希密码:hash(password)
def get_password_hash(password):
    """Hash a user-supplied plaintext password with the module's bcrypt context.

    :param password: plaintext password
    :return: the hash string produced by pwd_context (a "$2b$..." bcrypt
        string with the configuration above)
    """
    hashed = pwd_context.hash(password)
    return hashed
# 哈希后的密码
# $2b$12$sErK932BEaLyIisz30PubepN7w91RLwkISWbAFYgUgoIqh8goJLEW
# 3、校验密码:verify(plain_password, hashed_password)
def verify_password(plain_password, hashed_password):
    """Check a plaintext password against a stored hash.

    :param plain_password: plaintext password as received from the user
    :param hashed_password: hash previously produced by get_password_hash()
    :return: True when the password matches the hash, otherwise False
    """
    matches = pwd_context.verify(plain_password, hashed_password)
    return matches
###############
# JWT令牌验证加密相关配置,及数据模型创建
###############
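# 1. Generate a random signing key for the JWT (run on Windows or Linux):
#      openssl rand -hex 32
#      -> 4a2ca2b5dac83fcfcdc97aeab073ee4bf9f99c3e116345e69c874941da247027
# 2. Signing key. A key committed to source is effectively public: anyone who
#    can read this file can mint a token for any username. The value is taken
#    from the JWT_SECRET_KEY environment variable when it is set; the literal
#    is only the tutorial fallback and must not be used outside local tests.
import os

SECRET_KEY = os.environ.get(
    "JWT_SECRET_KEY",
    "4a2ca2b5dac83fcfcdc97aeab073ee4bf9f99c3e116345e69c874941da247027",
)
# 3. Signing algorithm. jwt.decode() further down pins this same value via
#    algorithms=[ALGORITHM], so a token cannot pick its own algorithm.
ALGORITHM = "HS256"
# 4. Access-token lifetime (minutes)
ACCESS_TOKEN_EXPIRE_MINUTES = 30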
# 5. In-memory stand-in for a user table, keyed by username. Both demo
#    accounts carry the same bcrypt hash; "li si" is flagged as disabled.
_DEMO_USERS = (
    {
        "id": 1,
        "username": "zhang san",
        "email": "zhang_san@user.com",
        "hashed_password": "$2b$12$nmpXZ.WdL3fbSDMC2UaAWuOK5f4vf08Wx71bgnQxJUsIt3qKKzuKe",
        "disabled": False,
    },
    {
        "id": 2,
        "username": "li si",
        "email": "li_si@user.com",
        "hashed_password": "$2b$12$nmpXZ.WdL3fbSDMC2UaAWuOK5f4vf08Wx71bgnQxJUsIt3qKKzuKe",
        "disabled": True,
    },
)
users_db = {record["username"]: record for record in _DEMO_USERS}
# 6、创建所需模型类
from typing import Optional,Union
from pydantic import BaseModel, EmailStr
# 1) 用户模型基类
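class UserBase(BaseModel):
    """Public view of a user: every field except the password hash.

    All fields are optional so the model can also describe partial records.
    ``disabled`` is what get_current_active_user() checks.
    """

    # None, not False, is the "unknown" value for an integer id
    id: Optional[int] = None
    username: Optional[str] = None
    # EmailStr needs the extra: pip install pydantic[email]
    email: Optional[EmailStr] = None
    disabled: Union[bool, None] = None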
# 2)登录成功返回token模型
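class TokenModel(BaseModel):
    """Response body of POST /jwt/token."""

    # Optional[str] for consistency with token_type; the login endpoint
    # always fills both fields
    access_token: Optional[str] = None
    # "bearer" for tokens issued by login_for_access_token()
    token_type: Union[str, None] = None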
# 3)用户密码
class UserInDB(UserBase):
    """UserBase plus the stored password hash.

    Endpoints declare response_model=UserBase so that this field is filtered
    out of responses.
    """

    hashed_password: str
#################
# 查看登录用户是否在数据库,及创建用户token
#################
from datetime import datetime, timedelta
# NOTE(review): `import jwt` binds the top-level "jwt" module, and the
# encode/decode calls below use the PyJWT signatures. python-jose from the
# install list would be `from jose import jwt, JWTError` instead; JWTError
# is never imported anywhere on this page -- confirm which library is meant.
import jwt
# 模拟在数据库中查找用户,找到之后初始化UserInDB类并返回实例
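def get_user(db: dict, username: str) -> Optional[UserInDB]:
    """Look up *username* in the (fake) user table.

    :param db: mapping of username -> user record dict (see users_db)
    :param username: exact key to look up; no normalisation is applied
    :return: a UserInDB built from the record, or None when the user is absent
        (the original annotation claimed UserInDB but fell through to None)
    """
    if username not in db:
        return None
    return UserInDB(**db[username])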
# 校验用户功能函数
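def authenticate_user(db: dict, username: str, password: str):
    """Validate a username/password pair against *db*.

    :param db: user table, see get_user()
    :param username: login name as submitted
    :param password: plaintext password as submitted
    :return: the UserInDB instance on success; False when the user is unknown
        or the password does not match (the two failures are not distinguished)
    """
    user = get_user(db, username)
    if user is None:
        # Spend a bcrypt verification on unknown usernames as well, so the
        # response time does not differ between "no such user" and "wrong
        # password" (user-enumeration via timing).
        pwd_context.dummy_verify()
        return False
    if not verify_password(password, user.hashed_password):
        return False
    return user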
# 创建生成访问令牌的函数
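def create_access_token(data: dict, expires_delta: Union[timedelta, None] = None) -> str:
    """Sign *data* as a JWT carrying an ``exp`` claim.

    :param data: claims to embed (the login endpoint passes {"sub": username});
        the dict is copied, not mutated
    :param expires_delta: token lifetime; a 15 minute default is used when
        None (a zero delta is now honoured rather than treated as "unset")
    :return: the compact serialised JWT
    """
    from datetime import timezone

    to_encode = data.copy()
    lifetime = expires_delta if expires_delta is not None else timedelta(minutes=15)
    # timezone-aware UTC instead of the naive utcnow(); "exp" is serialised as
    # a Unix timestamp, so the instant must be unambiguous (and utcnow() is
    # deprecated in recent Python versions)
    expire = datetime.now(timezone.utc) + lifetime
    to_encode["exp"] = expire
    # SECRET_KEY signs the claim set; ALGORITHM is the pinned signing algorithm
    return jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)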
#################
# 判断是否为活动用户,并返回用户信息
#################
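def get_current_user(token: str = Depends(oauth2_schema)) -> UserInDB:
    """Resolve the bearer token of the current request to its user.

    Verifies the JWT signature and expiry, then loads the user named by the
    ``sub`` claim from users_db.

    :param token: bearer token extracted by oauth2_schema
    :return: the matching UserInDB
    :raises HTTPException: 401 when the token is invalid, expired, carries no
        ``sub`` claim, or names an unknown user; the reason is deliberately
        not exposed to the client
    """
    credentials_exception = HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Incorrect username or password",
        headers={"WWW-Authenticate": "Bearer"},
    )
    try:
        # algorithms=[ALGORITHM] pins the accepted algorithm; it must never be
        # taken from the token header
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
    except jwt.PyJWTError:
        # NOTE(review): the original caught JWTError, which is never imported
        # on this page, so a bad token raised NameError (a 500, not a 401).
        # PyJWTError is PyJWT's base exception; with python-jose this would be
        # `jose.JWTError` instead.
        raise credentials_exception
    # example payload shape seen in the tutorial: {'sub': 'johndoe', 'exp': 1674033230}
    username = payload.get("sub")
    if username is None:
        raise credentials_exception
    user = get_user(users_db, username=username)
    if user is None:
        raise credentials_exception
    return user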
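def get_current_active_user(current_user: UserInDB = Depends(get_current_user)) -> UserInDB:
    """Reject disabled accounts; pass active ones through unchanged.

    :param current_user: user resolved by get_current_user(); a model
        instance, not a dict as the original annotation said -- the
        ``disabled`` attribute is read below
    :return: *current_user* when the account is active
    :raises HTTPException: 401 when the account is disabled
    """
    if current_user.disabled:
        # the token was valid, so the message can say why the request is
        # refused instead of the misleading "Incorrect username or password"
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Inactive user",
            headers={"WWW-Authenticate": "Bearer"},
        )
    return current_user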
#################
# fastapi 接口封装
#################
# 使用表单格式参数需要安装模块:python-multipart
@app.post("/jwt/token", response_model=TokenModel)
async def login_for_access_token(username: str = Form(...), password: str = Form(...)):
    """Issue a bearer JWT for a valid username/password form submission.

    Form fields need the python-multipart package. The same 401 is returned
    whether the username or the password was wrong.
    """
    user = authenticate_user(users_db, username, password)
    if not user:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Incorrect username or password",
            headers={"WWW-Authenticate": "Bearer"},
        )
    # the token identifies the user by username; the "sub" claim must be a str
    token = create_access_token(
        data={"sub": user.username},
        expires_delta=timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES),
    )
    return {"access_token": token, "token_type": "bearer"}
# 访问当前用户信息接口api
# 定义返回数据格式为UserBase模型格式数据
# 把校验token函数当做依赖项进行赋值给user
# 验证成功,并返回user
@app.get("/user", response_model=UserBase)
async def get_user_info(*, user: UserBase = Depends(get_current_active_user)):
    """Return the authenticated, active user.

    response_model=UserBase keeps hashed_password out of the response body.
    """
    return user