"""
1、系统的认证类:都很少使用,常用的前后台分类认证 ——jwt(json web token)
系统自带的权限类:
AllowAny: 不限制 # allow:允许
IsAuthenticated: 必须是登录用户
IsAdminUser: 必须是后台用户
IsAuthenticatedOrReadOnly: 读操作无限制,其它操作需要登录
2、自定义User表
继承AbstractUser、配置AUTH_USER_MODEL = '应用名.表名'、配置admin(UserAdmin密文操作密码)
3.登录接口必须完成所有认证权限局部禁用,权限接口在权限类中局部配置自定义认证权限类(或在全局配置)
"""
jwt认证规则
"""
jwt全称:json web token
解释:加密字符串(token)的原始数据是json格式,后台产生,通过 web 传输给前台储存
格式类型:三段式 - 头.载荷.签名
头和载荷采用的是base64可逆加密(可反解密拿到头和载荷),签名采用的是 md5 不可逆加 密(只能采用碰撞解密)
内容:
头:包含基础信息,也可以为空;如:加密方式、公司信息、项目组信息等
载荷:包含核心信息;如:用户信息、过期时间等
签名:属于安全保障; 组成:头加密结果+载荷加密结果+服务器秘钥的 md5 加密结果
认证规则:
后台一定要保障 服务器秘钥 的安全性(它是jwt的唯一安全保障)
后台签发token -->前台储存 --> 前台发送需要认证的请求要携带token -->后台校验token,校验成功得到合法的用户
为什么要采用 jwt认证:
1.后台不需要储存token,只需要储存签发与校验token的算法,效率远远大于后台储存和取出token完成校验(优化效率)
2.jwt算法认证,更适合服务器集群部署(降低服务器压力)
"""
jwt模块
"""
安装:pip install djangorestframework-jwt
模块包:rest_framework_jwt
采用drf-jwt框架,后期任务只需要书写登录
为什么要重写登录:drf-jwt只完成了账号和密码登录,我们还需要手机登=登录、邮箱登录等
为什么不需要重写认证类:因为认证规则已经完成且固定不变,变得只有认证字符串的前缀,前缀可以在配置文件中配置
"""
前后台分离模式下信息交互规则
"""
1.任何人都能直接访问的接口
请求不管是get、还是post等,不需要做任何校验
2.必须登录后才能访问的接口
任何请求方式都可以做该方式的限制,请求必须在请求头中携带认证信息 - authorization
3.前台的认证信息(token)获取只能通过登录接口
前台提供账号密码等信息,去后台登录换取认证信息token
4.前台如何完成登录注销
前台登录成功后一般在cookie中保存认证信息token,分离注销就是前台主动清除保存的token信息
"""
基于jwt的登录 (单方式与多方式)
models.py
from django.db import models
# Create your models here.
from django.contrib.auth.models import AbstractUser
class User(AbstractUser):
mobile = models.CharField(max_length=11, unique=True)
class Meta:
db_table = 'od_user'
verbose_name = '用户表'
verbose_name_plural = verbose_name
def __str__(self):
return self.username
admin.py
from django.contrib import admin
# Register your models here.
from . import models
from django.contrib.auth.admin import UserAdmin as AuthUserAdmin
class UserAdmin(AuthUserAdmin):
add_fieldsets = (
(None, {
'classes': ('wide',),
# 添加用户界面可操作的字段
'fields': ('username', 'password1', 'password2', 'mobile', 'email', 'is_staff', 'is_active'),
}),
)
list_display = ('username', 'mobile', 'email', 'is_staff', 'is_active')
admin.site.register(models.User, UserAdmin)
urls.py
from django.conf.urls import url, include
from . import views
urlpatterns = [
url(r'^login/$', views.LoginAPIView.as_view()),
]
views.py
from django.shortcuts import render
# Create your views here.
from rest_framework.views import APIView
from . import serializers
from utils.response import APIResponse
class LoginAPIView(APIView):
# 登录接口必须做所有认证权限局部禁用
authentication_classes = []
permission_classes = []
def post(self, request, *args, **kwargs):
serializer = serializers.LoginSerializer(data=request.data)
serializer.is_valid(raise_exception=True)
return APIResponse(msg='login success', data={
'username': serializer.user.username,
'token': serializer.token
})
serializers.py
from rest_framework import serializers
from rest_framework.serializers import ModelSerializer
from . import models
import re
from rest_framework.serializers import ValidationError
from rest_framework_jwt.serializers import jwt_payload_handler, jwt_encode_handler
from django.contrib.auth import authenticate
class LoginSerializer(ModelSerializer):
# 自定义反序列化字段,只能写,不能读,password不能读出
username = serializers.CharField(write_only=True)
password = serializers.CharField(write_only=True)
class Meta:
model = models.User
fields = ('username', 'password',)
# 在全局钩子中签发token
# 单方式(账户,密码)登录
# def validate(self, attrs):
# username = attrs.get('username')
# password = attrs.get('password')
# # user = models.User.objects.filter(username=username, password=password).first() # filter的password是明文,匹配不上
#
# user = authenticate(username=username, password=password)
# print(user)
# print(username)
# print(password)
# if not user:
# raise ValidationError({'msg': '账户或密码错误'})
# payload = jwt_payload_handler(user)
# token = jwt_encode_handler(payload)
# self.user = user
# self.token = token
# return attrs
# 多方式登录
def validate(self, attrs):
# 账号密码登录 => 多方式登录
user = self._many_method_login(**attrs)
# 签发token,并将user和token存放在序列化对象中
payload = jwt_payload_handler(user)
token = jwt_encode_handler(payload)
self.user = user
self.token = token
return attrs
def _many_method_login(self, **attrs):
username = attrs.get('username')
password = attrs.get('password')
if re.match(r'.*@.*', username):
user = models.User.objects.filter(email=username).first()
elif re.match(r'^1[3-9][0-9]{9}$', username):
user = models.User.objects.filter(mobile=username).first()
else:
user = models.User.objects.filter(username=username).first()
if not user:
raise ValidationError({'username': '账户有误'})
if not user.check_password(password):
raise ValidationError({'password':'密码有误'})
return user
频率认证
自定义频率认证
utils.throttles.py
# 自定义频率类
from rest_framework.throttling import SimpleRateThrottle
# 1)定义类继承SimpleRateThrottle,重写get_cache_key方法,设置scope类属性
# 2)scope就是一个认证字符串,在配置文件中配置scope字符串对应的频率设置
# 3)get_cache_key的返回值是字符串,该字符串是缓存访问次数的缓存key
class ThreeTimeUserThrottle(SimpleRateThrottle):
scope = 'three'
# 当前用户缓存的key
def get_cache_key(self, request, view):
return 'throttle:user_%s' % (request.user.id)
settings.py
# drf的配置
REST_FRAMEWORK = {
# 异常模块
'EXCEPTION_HANDLER': 'utils.exception.exception_handler',
# 认证模块
'DEFAULT_AUTHENTICATION_CLASSES': [
# jwt认证类
'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
],
# 权限模块
'DEFAULT_PERMISSION_CLASSES': [
# 'rest_framework.permissions.IsAuthenticated',
# 自定义权限类
],
# 频率设置
'DEFAULT_THROTTLE_RATES': {
'three': '3/min',
},
}
urls.py
rom django.conf.urls import url
from . import views
from rest_framework_jwt.views import ObtainJSONWebToken, obtain_jwt_token, verify_jwt_token, refresh_jwt_token
urlpatterns = [
# drf-jwt三个视图接口(了解)
# url(r'^login/$', obtain_jwt_token),
# url(r'^verify/$', verify_jwt_token),
# url(r'^refresh/$', refresh_jwt_token),
# url(r'^login/$', views.LoginAPIView.as_view()),
url(r'^user/center/$', views.UserCenterAPIView.as_view()),
]
views.py
from rest_framework.permissions import IsAuthenticated
from utils.throttles import ThreeTimeUserThrottle
class UserCenterAPIView(APIView):
# 认证全局配置吗,权限局部配置
# authentication_classes = []
permission_classes = [IsAuthenticated]
# 频率模块局部配置
throttle_classes = [ThreeTimeUserThrottle]
def get(self, request, *args, **kwargs):
user = request.user
serializer = serializers.UserModelSerializer(user)
return APIResponse(data=serializer.data)
serializers.py
# 只参与序列化
class UserModelSerializer(ModelSerializer):
# 改了原数据库字段的序列化方式
password = SerializerMethodField()
def get_password(self, obj):
return '########'
class Meta:
model = models.User
fields = ('username', 'password', 'mobile', 'email', 'first_name', 'last_name')
drf频率组件源码
1.APIView的dispatch方法的 self.initial(request,*args,**kwargs) 点进去
2.self.check_throttles(request) 进行频率认证
def initial(self, request, *args, **kwargs):
"""
Runs anything that needs to occur prior to calling the method handler.
"""
self.format_kwarg = self.get_format_suffix(**kwargs)
# Perform content negotiation and store the accepted info on the request
neg = self.perform_content_negotiation(request)
request.accepted_renderer, request.accepted_media_type = neg
# Determine the API version, if versioning is in use.
version, scheme = self.determine_version(request, *args, **kwargs)
request.version, request.versioning_scheme = version, scheme
# Ensure that the incoming request is permitted
self.perform_authentication(request)
self.check_permissions(request)
self.check_throttles(request) #频率认证
3.self.get_throttles() 频率组件最终要的两个方法:allow_request()和wait()
def check_throttles(self, request): #频率组件核心代码
"""
Check if request should be throttled.
Raises an appropriate exception if the request is throttled.
"""
throttle_durations = []
for throttle in self.get_throttles():
if not throttle.allow_request(request, self):
throttle_durations.append(throttle.wait())
3-1. self.throttle_classes 出现频率配置settings信息,经过查询源码的settings文件对频率配置为空
def get_throttles(self):
"""
Instantiates and returns the list of throttles that this view uses.
"""
return [throttle() for throttle in self.throttle_classes] #频率组件配置信息
- allow_request() 在自身、所在类都没有找到,那去父类找,在源码throttling.py中
class SimpleRateThrottle(BaseThrottle):
cache = default_cache
timer = time.time
cache_format = 'throttle_%(scope)s_%(ident)s'
scope = None
THROTTLE_RATES = api_settings.DEFAULT_THROTTLE_RATES
def __init__(self):
if not getattr(self, 'rate', None):
self.rate = self.get_rate() #3.rate值就是方法get_rate的返回值(频率次数)
self.num_requests, self.duration = self.parse_rate(self.rate)
def get_cache_key(self, request, view):
raise NotImplementedError('.get_cache_key() must be overridden')
#get_rate最后返回的结果是设置的频率次数
def get_rate(self):#1.在自定义类中要给scope属性赋值
if not getattr(self, 'scope', None):
msg = ("You must set either `.scope` or `.rate` for '%s' throttle" %
self.__class__.__name__)
raise ImproperlyConfigured(msg)
try:
return self.THROTTLE_RATES[self.scope] #2.在settings文件中配置scope属性值对应的value
except KeyError:
msg = "No default throttle rate set for '%s' scope" % self.scope
raise ImproperlyConfigured(msg)
def parse_rate(self, rate):
if rate is None:
return (None, None)
num, period = rate.split('/') #4.rate有值,根据源码,自定义的rate值是一个字符串,而且是这种格式:'数字/以s,m,h,d之类开头的字母'
num_requests = int(num) #5.获得的数字就是设置的频率次数
duration = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}[period[0]] #6.获得是间隔的时间(以秒为单位)
return (num_requests, duration) #7.数据返回给__init__,解压赋值
def allow_request(self, request, view):
if self.rate is None:
return True
#get_cache_key就是要重写的方法,若不重写,会直接抛出异常
self.key = self.get_cache_key(request, view) #8.自定义的时候需要重写的方法,有返回值,放入缓存中
if self.key is None:
return True
self.history = self.cache.get(self.key, []) #9.获取缓存,通过key取值
self.now = self.timer() #10.当前时间
# Drop any requests from the history which have now passed the
# throttle duration
while self.history and self.history[-1] <= self.now - self.duration:
self.history.pop()
if len(self.history) >= self.num_requests:
return self.throttle_failure()
return self.throttle_success()
def throttle_success(self):
self.history.insert(0, self.now)
self.cache.set(self.key, self.history, self.duration)
return True
def throttle_failure(self):
return False
#返回距下一次能请求的时间,限制的访问次数在parse_rate可以求出
def wait(self):
"""
Returns the recommended next request time in seconds.
"""
if self.history:
remaining_duration = self.duration - (self.now - self.history[-1])
else:
remaining_duration = self.duration
available_requests = self.num_requests - len(self.history) + 1
if available_requests <= 0:
return None
return remaining_duration / float(available_requests)
核心源码分析
def check_throttles(self, request):
throttle_durations = []
# 1)遍历配置的频率认证类,初始化得到一个个频率认证类对象(会调用频率认证类的 __init__() 方法)
# 2)频率认证类对象调用 allow_request 方法,判断是否限次(没有限次可访问,限次不可访问)
# 3)频率认证类对象在限次后,调用 wait 方法,获取还需等待多长时间可以进行下一次访问
# 注:频率认证类都是继承 SimpleRateThrottle 类
for throttle in self.get_throttles():
if not throttle.allow_request(request, self):
# 只要频率限制了,allow_request 返回False了,才会调用wait
throttle_durations.append(throttle.wait())
if throttle_durations:
# Filter out `None` values which may happen in case of config / rate
# changes, see #1438
durations = [
duration for duration in throttle_durations
if duration is not None
]
duration = max(durations, default=None)
self.throttled(request, duration)
注意:
主要流程在第四步中标出
自定义频率类
# 1) 自定义一个继承 SimpleRateThrottle 类 的频率类
# 2) 设置一个 scope 类属性,属性值为任意见名知意的字符串
# 3) 在settings配置文件中,配置drf的DEFAULT_THROTTLE_RATES,格式为 {scope字符串值: '次数/时间'}
# 4) 在自定义频率类中重写 get_cache_key 方法
# 限制的对象返回 与限制信息有关的字符串
# 不限制的对象返回 None (只能放回None,不能是False或是''等)
写一个短信接口,设置 1/min频率限制
utils.throttles.py
from rest_framework.throttling import SimpleRateThrottle
class SMSRateThrottle(SimpleRateThrottle):
scope = 'sms'
#只对提交手机号的get方法进行限制
def get_cache_key(self, request, view):
mobile = request.query_params.get('mobile')
#没有手机号就不做频率限制
if not mobile:
return None
#返回的信息可以用手机号动态变化,且不易重复的字符串,作为缓存的key
return 'throttle_%(scope)s_%(ident)s' % {'scope': self.scope, 'ident': mobile}
settings.py配置:
# drf配置
REST_FRAMEWORK = {
# 频率限制条件配置
'DEFAULT_THROTTLE_RATES': {
'sms': '1/min'
},
}
视图层:views.py
from .throttles import SMSRateThrottle
class TestSMSAPIView(APIView):
# 局部配置频率认证
throttle_classes = [SMSRateThrottle]
def get(self, request, *args, **kwargs):
return APIResponse(0, 'get 获取验证码 OK')
def post(self, request, *args, **kwargs):
return APIResponse(0, 'post 获取验证码 OK')
路由:urls.py
url(r'^sms/$', views.TestSMSAPIView.as_view()),
会限制的接口
# 只会对 /api/sms/?mobile=具体手机号 接口才会有频率限制,设置了限制频率,到达访问次数就会禁止
# 1)对 /api/sms/ 或其他接口发送无限制
# 2)对数据包提交mobile的/api/sms/接口无限制
# 3)对不是mobile(如phone)字段提交的电话接口无限制
JWT认证
优点
1) 服务器不要存储token,token交给每一个客户端自己存储,服务器压力小
2)服务器存储的是 签发和校验token 两段算法,签发认证的效率高
3)算法完成各集群服务器同步成本低,路由项目完成集群部署(适应高并发)
格式
1) jwt token采用三段式:头部.载荷.签名
2)每一部分都是一个json字典加密形参的字符串
3)头部和载荷采用的是base64可逆加密(前台后台都可以解密)
4)签名采用hash256不可逆加密(后台校验采用碰撞校验)
5)各部分字典的内容:
头部:基础信息 - 公司信息、项目组信息、可逆加密采用的算法
载荷:有用但非私密的信息 - 用户可公开信息、过期时间
签名:头部+载荷+秘钥 不可逆加密后的结果
注:服务器jwt签名加密秘钥一定不能泄露
签发token:固定的头部信息加密.当前的登陆用户与过期时间加密.头部+载荷+秘钥生成不可逆加密
校验token:头部可校验也可以不校验,载荷校验出用户与过期时间,头部+载荷+秘钥完成碰撞检测校验token是否被篡改
drf-jwt插件
官网
https://github.com/jpadilla/django-rest-framework-jwt
安装
pip install djangorestframework-jwt
登录-签发token(生成token):urls.py
# ObtainJSONWebToken视图类就是通过username和password得到user对象然后签发token(生成token)
from rest_framework_jwt.views import ObtainJSONWebToken, obtain_jwt_token
urlpatterns = [
# url(r'^jogin/$', ObtainJSONWebToken.as_view()),
url(r'^jogin/$', obtain_jwt_token),
]
认证-校验token(解析token):全局或者配置drf-jwt的认证类 JSONWebTokenAuthentication
from rest_framework.views import APIView
from utils.response import APIResponse
# 必须登录后才能访问 - 通过了认证权限组件
from rest_framework.permissions import IsAuthenticated
from rest_framework_jwt.authentication import JSONWebTokenAuthentication
class UserDetail(APIView):
authentication_classes = [JSONWebTokenAuthentication] # jwt-token校验request.user
permission_classes = [IsAuthenticated] # 结合权限组件筛选掉游客
def get(self, request, *args, **kwargs):
return APIResponse(results={'username': request.user.username})
路由与接口测试
# 路由
url(r'^user/detail/$', views.UserDetail.as_view()),
# 接口:/api/user/detail/
# 认证信息:必须在请求头的 Authorization 中携带 "jwt 后台签发的token" 格式的认证字符串
注意:
1.签发token的时候,只有post请求,没有get请求
2.生成token的时候需要通过json传入username和password
3.解析token的时候,get请求需要在Headers中传入参数
Authorization jwt 用户对应的token值