[Python自学] DRF (3) (认证组件)

参考博客：https://www.cnblogs.com/yuanchenqi/articles/8719520.html

一、实现登录验证

1.创建User和Token表

User表用作用户名密码认证，Token表用于存放用户每次成功登陆后的随机Token。

在models.py中添加以下两张表：

# 用户表
class User(models.Model):
    username = models.CharField(max_length=32)
    password = models.CharField(max_length=32)


# token表
class Token(models.Model):
    user = models.OneToOneField("User", on_delete=models.CASCADE)
    token = models.CharField(max_length=128)

执行命令，生成数据库表：

python manage.py makemigrations
python manage.py migrate

2.实现登录验证操作

添加路由条目：

urlpatterns = [
    path(\'admin/\', admin.site.urls),
    re_path(\'^publishes/$\', views.PublishView.as_view(), name="publish"),
    re_path(\'^publishes/(?P<pk>\d+)/$\', views.PublishDetailView.as_view(), name="publishdetail"),
    re_path(\'^books/$\', views.BookView.as_view(), name="book"),
    re_path(\'^books/(?P<pk>\d+)/$\', views.BookDetailView.as_view(), name="bookdetail"),
    re_path(\'^authors/$\', views.AuthorViewSet.as_view({"get": "list", "post": "create"}), name="author"),
    re_path(\'^authors/(?P<pk>\d+)/$\', views.AuthorViewSet.as_view(
        {"get": "retrieve", "put": "update", "patch": "partial_update", "delete": "destroy"}), name="authordetail"),
    re_path(\'^login/$\', views.LoginView.as_view(), name="login"),
]

实现视图类LoginView：

# 导入User和Token的model类
from .models import User
from .models import Token


# 生成一个随机token，username和ctime的MD5加密值
def get_random_str(user):
    import hashlib
    import time
    # 获取当前时间
    ctime = str(time.time())
    # username的md5
    md5 = hashlib.md5(bytes(user, encoding=\'utf-8\'))
    # 加上ctime
    md5.update(bytes(ctime, encoding=\'utf-8\'))
    return md5.hexdigest()


class LoginView(APIView):
    def post(self, request):
        res = {\'code\': 1000, "msg": None}
        try:
            # 从post请求中获取用户提交的用户名和密码
            username = request.data.get("username")
            password = request.data.get("password")
            # 判断数据库中的数据是否匹配
            user_obj = User.objects.filter(username=username, password=password).first()
            # 如果不匹配，返回登录失败
            if not user_obj:
                res[\'code\'] = 1001
                res[\'msg\'] = "用户名或密码错误"
            else:
                # 如果匹配，则生成一个随机token
                token = get_random_str(username)
                # 如果token已经存在，则更新，如果不存在，则创建
                Token.objects.update_or_create(user=user_obj, defaults={\'token\': token})
                res["token"] = token
        except Exception as e:
            res[\'code\'] = 1002
            res[\'msg\'] = e

        return HttpResponse(json.dumps(res))

二、实现token认证

1.实现token认证

要实现认证，只需要在需要认证的视图类中添加 authentication_classes 列表。restframe认证组件会自动去该列表中寻找认证使用的类（类由我们来定义）。例如BookView视图类中：

class BookView(APIView):
    authentication_classes = [TokenAuth,]
    pass

查看restframework调用authentication_classes中类的源码，可以看到TokenAuth中必须实现 authenticate方法，以及 authenticate_header 方法：

class TokenAuth(object):
    # 认证token过程
    def authenticate(self, request):
        token = request.GET.get("token")
        token_obj = Token.objects.filter(token=token).first()
        if not token_obj:
            raise exceptions.AuthenticationFailed("验证失败")
        return (token_obj.user, token_obj)

    def authenticate_header(self, request):
        return None

或者，继承 BaseAuthentication也可以：

from rest_framework.authentication import BaseAuthentication

class TokenAuth(BaseAuthentication):
    # 认证token过程
    def authenticate(self, request):
        token = request.GET.get("token")
        token_obj = Token.objects.filter(token=token).first()
        if not token_obj:
            raise exceptions.AuthenticationFailed("验证失败")
        return (token_obj.user, token_obj)

然后应用于BookView：

class BookView(APIView):
    authentication_classes = [TokenAuth]

    def get(self, request):
        book_list = Book.objects.all()
        bs = BookModelSerializers(book_list, many=True, context={\'request\': request})

        return Response(bs.data)

    def post(self, request):
        bs = BookModelSerializers(data=request.data)
        if bs.is_valid():
            bs.save()
            return Response(bs.data)
        else:
            return Response(bs.errors)

这样，我们想要通过GET请求获取book数据的时候，就需要先访问login页面，获取token，然后在GET请求中附带token，才能正确获取book数据：

 

2.测试

POST请求访问http://127.0.0.1:8000/login/，附带用户名和密码，进行登录验证：

 

获得返回值：

{"code": 1000, "msg": null, "token": "91dc33a308cd4e8b04e14bb3d23d492b"}

然后GET请求访问http://127.0.0.1:8000/books/?token=91dc33a308cd4e8b04e14bb3d23d492b：

获得返回结果：

[{"id":8,"publish":"http://127.0.0.1:8000/publishes/1/","title":"Python2标准库3","price":99,"pub_date":"2012-11-20T13:03:33Z","authors":[1,2]},{"id":9,"publish":"http://127.0.0.1:8000/publishes/1/","title":"Python2标准库4","price":99,"pub_date":"2012-11-20T13:03:33Z","authors":[1,2]},{"id":10,"publish":"http://127.0.0.1:8000/publishes/1/","title":"Python2标准库5","price":99,"pub_date":"2012-11-20T13:03:33Z","authors":[1,2]},{"id":11,"publish":"http://127.0.0.1:8000/publishes/1/","title":"Python2标准库6","price":99,"pub_date":"2012-11-20T13:03:33Z","authors":[1,2]},{"id":12,"publish":"http://127.0.0.1:8000/publishes/1/","title":"Python2标准库7","price":99,"pub_date":"2012-11-20T13:03:33Z","authors":[1,2]},{"id":13,"publish":"http://127.0.0.1:8000/publishes/1/","title":"Python2标准库","price":99,"pub_date":"2012-11-20T13:03:33Z","authors":[1,2]},{"id":14,"publish":"http://127.0.0.1:8000/publishes/1/","title":"Python3","price":99,"pub_date":"2020-01-20T13:03:04Z","authors":[3]},{"id":15,"publish":"http://127.0.0.1:8000/publishes/1/","title":"JAVA","price":99,"pub_date":"2020-01-20T13:03:04Z","authors":[3]},{"id":16,"publish":"http://127.0.0.1:8000/publishes/1/","title":"JAVA","price":99,"pub_date":"2020-01-20T13:03:04Z","authors":[3]},{"id":17,"publish":"http://127.0.0.1:8000/publishes/1/","title":"JAVA","price":99,"pub_date":"2020-01-20T13:03:04Z","authors":[3]},{"id":18,"publish":"http://127.0.0.1:8000/publishes/1/","title":"hello","price":99,"pub_date":"2020-01-20T13:03:04Z","authors":[3]}]

如果未携带token，或携带的token错误：

返回结果：

{"detail":"验证失败"}

三、restframework配置

1.引子

在第二节中，我们实现了token的生成和认证，在认证时，我们使用自定义的TokenAuth类来进行认证，但是如果在每个视图类中都加上 authentication_classes 列表，比较冗余。

我们观察restframe的源码，可以看到，当我们不添加 authentication_classes 列表变量时，APIView中 authentication_classes 变量会读取一个默认值：

class APIView(View):

    # The following policies may be set at either globally, or per-view.
    renderer_classes = api_settings.DEFAULT_RENDERER_CLASSES
    parser_classes = api_settings.DEFAULT_PARSER_CLASSES
    authentication_classes = api_settings.DEFAULT_AUTHENTICATION_CLASSES
    throttle_classes = api_settings.DEFAULT_THROTTLE_CLASSES
    ...
    ...

继续查看api_settings所属类的源码：

class APISettings:
    def __init__(self, user_settings=None, defaults=None, import_strings=None):
        if user_settings:
            self._user_settings = self.__check_user_settings(user_settings)
        self.defaults = defaults or DEFAULTS
        self.import_strings = import_strings or IMPORT_STRINGS
        self._cached_attrs = set()
    ...
    ...

这里的DEFAULTS就是restframework的默认配置：

DEFAULTS = {
    # Base API policies
    \'DEFAULT_RENDERER_CLASSES\': [
        \'rest_framework.renderers.JSONRenderer\',
        \'rest_framework.renderers.BrowsableAPIRenderer\',
    ],
    \'DEFAULT_PARSER_CLASSES\': [
        \'rest_framework.parsers.JSONParser\',
        \'rest_framework.parsers.FormParser\',
        \'rest_framework.parsers.MultiPartParser\'
    ],
    \'DEFAULT_AUTHENTICATION_CLASSES\': [
        \'rest_framework.authentication.SessionAuthentication\',
        \'rest_framework.authentication.BasicAuthentication\'
    ],
    \'DEFAULT_PERMISSION_CLASSES\': [
        \'rest_framework.permissions.AllowAny\',
    ],
    \'DEFAULT_THROTTLE_CLASSES\': [],
    \'DEFAULT_CONTENT_NEGOTIATION_CLASS\': \'rest_framework.negotiation.DefaultContentNegotiation\',
    \'DEFAULT_METADATA_CLASS\': \'rest_framework.metadata.SimpleMetadata\',
    \'DEFAULT_VERSIONING_CLASS\': None,

    # Generic view behavior
    \'DEFAULT_PAGINATION_CLASS\': None,
    \'DEFAULT_FILTER_BACKENDS\': [],

    # Schema
    \'DEFAULT_SCHEMA_CLASS\': \'rest_framework.schemas.openapi.AutoSchema\',

    # Throttling
    \'DEFAULT_THROTTLE_RATES\': {
        \'user\': None,
        \'anon\': None,
    },
    \'NUM_PROXIES\': None,

    # Pagination
    \'PAGE_SIZE\': None,

    # Filtering
    \'SEARCH_PARAM\': \'search\',
    \'ORDERING_PARAM\': \'ordering\',

    # Versioning
    \'DEFAULT_VERSION\': None,
    \'ALLOWED_VERSIONS\': None,
    \'VERSION_PARAM\': \'version\',

    # Authentication
    \'UNAUTHENTICATED_USER\': \'django.contrib.auth.models.AnonymousUser\',
    \'UNAUTHENTICATED_TOKEN\': None,

    # View configuration
    \'VIEW_NAME_FUNCTION\': \'rest_framework.views.get_view_name\',
    \'VIEW_DESCRIPTION_FUNCTION\': \'rest_framework.views.get_view_description\',

    # Exception handling
    \'EXCEPTION_HANDLER\': \'rest_framework.views.exception_handler\',
    \'NON_FIELD_ERRORS_KEY\': \'non_field_errors\',

    # Testing
    \'TEST_REQUEST_RENDERER_CLASSES\': [
        \'rest_framework.renderers.MultiPartRenderer\',
        \'rest_framework.renderers.JSONRenderer\'
    ],
    \'TEST_REQUEST_DEFAULT_FORMAT\': \'multipart\',

    # Hyperlink settings
    \'URL_FORMAT_OVERRIDE\': \'format\',
    \'FORMAT_SUFFIX_KWARG\': \'format\',
    \'URL_FIELD_NAME\': \'url\',

    # Input and output formats
    \'DATE_FORMAT\': ISO_8601,
    \'DATE_INPUT_FORMATS\': [ISO_8601],

    \'DATETIME_FORMAT\': ISO_8601,
    \'DATETIME_INPUT_FORMATS\': [ISO_8601],

    \'TIME_FORMAT\': ISO_8601,
    \'TIME_INPUT_FORMATS\': [ISO_8601],

    # Encoding
    \'UNICODE_JSON\': True,
    \'COMPACT_JSON\': True,
    \'STRICT_JSON\': True,
    \'COERCE_DECIMAL_TO_STRING\': True,
    \'UPLOADED_FILES_USE_URL\': True,

    # Browseable API
    \'HTML_SELECT_CUTOFF\': 1000,
    \'HTML_SELECT_CUTOFF_TEXT\': "More than {count} items...",

    # Schemas
    \'SCHEMA_COERCE_PATH_PK\': True,
    \'SCHEMA_COERCE_METHOD_NAMES\': {
        \'retrieve\': \'read\',
        \'destroy\': \'delete\'
    },
}

View Code

 

前面代码中，使用 api_settings.DEFAULT_AUTHENTICATION_CLASSES ，api_settings没有这个属性，所以会自动调用 APISettings 的__getattr__()方法：

def __getattr__(self, attr):
    if attr not in self.defaults:
        raise AttributeError("Invalid API setting: \'%s\'" % attr)
    try:
        # Check if present in user settings
        val = self.user_settings[attr]
    except KeyError:
        # Fall back to defaults
        val = self.defaults[attr]
    # Coerce import strings into classes
    if attr in self.import_strings:
        val = perform_import(val, attr)
    # Cache the result
    self._cached_attrs.add(attr)
    setattr(self, attr, val)
    return val

__getattr__()方法先判断DEFAULTS中是否存在 DEFAULT_AUTHENTICATION_CLASSES ，如果不存在则报错。然后去user_settings中获取 DEFAULT_AUTHENTICATION_CLASSES 的值，user_settings是一个属性方法：

@property
def user_settings(self):
    if not hasattr(self, \'_user_settings\'):
        self._user_settings = getattr(settings, \'REST_FRAMEWORK\', {})
    return self._user_settings

这段代码会先去django的settings中查看是否存在名为"REST_FRAMEWORK"的配置项。所以我们要使用自定义的认证类，可以在django的settings中配置REST_FRAMEWORK来指定。

首先，将TokenAuth类从views.py移到单独的一个模块，例如utils.py：

# utils.py

from rest_framework import exceptions
from .models import Token
from rest_framework.authentication import BaseAuthentication

class TokenAuth(BaseAuthentication):
    # 认证token过程
    def authenticate(self, request):
        token = request.GET.get("token")
        token_obj = Token.objects.filter(token=token).first()
        if not token_obj:
            raise exceptions.AuthenticationFailed("验证失败")
        return (token_obj.user, token_obj)

然后在django的settings中添加配置：

REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": ["demo.utils.TokenAuth"]
}

这样，我们的所有视图类在被访问时都会使用TokenAuth类来对token进行验证，但是在访问/login/页面时，由于还没有登录认证，所以不能进行token验证。

可以在LoginView视图类中，加上一个空的 authentication_classes 列表来处理：

class LoginView(APIView):
    authentication_classes = []
    ...
    ...

这样，访问/login/的时候不会验证token，而访问其他资源的时候会验证token。

 

ღ♋