drf : 认证 频率 权限

编写登录功能引出认证,权限,频率:

前端通过接口测试工具Postman将用户名和密码通过HTTP请求发送至Django框架

models.py

from django.db import models
 
 
# Create your models here.
class Books(models.Model):
    name = models.CharField(max_length=32)
    price = models.IntegerField()
    publish = models.ForeignKey(to='Publish', on_delete=models.DO_NOTHING)
 
 
class Publish(models.Model):
    name = models.CharField(max_length=32)
    addr = models.CharField(max_length=32)
 
 
class User(models.Model):
    username = models.CharField(max_length=32)
    password = models.CharField(max_length=32)
 
 
"""
用户登录生成随机字符串,响应中携带字符串,发送至服务端后,服务端做逻辑判断。
一般一对一为垂直分表。数据库优化的手段
"""
class UserToken(models.Model):
    user = models.OneToOneField(to='User', on_delete=models.CASCADE)
    token = models.CharField(max_length=64)

模型层拓展:

字段参数可以填写函数名,但不是不能加括号。

views.py

from rest_framework.views import APIView
from . import models
import uuid
from rest_framework.response import Response
 
 
class UserAPIView(APIView):
    def post(self,request,*args,**kwargs):
        back_dic = {'code':200,'msg':''}
        username = request.data.get('username')
        password = request.data.get('password')
        # 过滤出user表中含有请求中携带的数据,username,password.
        user = models.User.objects.filter(username=username,password=password).first()
        print(user)
 
        if user:
            """
            有用户的情况下
            登录成功之后生成token
            user=user,根据user查询,查询不到使用defaults新增,查询到更新。
            """
            # 生成随机字符串,请求中携带随机字符传
        		token = str(uuid.uuid4())
            models.UserToken.objects.update_or_create(defaults={'token': token}, user=user)
            back_dic['msg'] = '随机字符串更新'
            back_dic['token'] = token
        else:
            back_dic['code'] = 201
            back_dic['msg'] = '用户名或者密码错误'
        return Response(back_dic)

此时客户端发送post请求,后端验证正确会产生一条新的token覆盖原有的token。

认证,权限,频率所在位置。

 
APIView --> dispath(重写了request方法) --> initial(认证,权限,频率)
    def initial(self, request, *args, **kwargs):
        """
        Runs anything that needs to occur prior to calling the method handler.
        """
        self.format_kwarg = self.get_format_suffix(**kwargs)
 
        # Perform content negotiation and store the accepted info on the request
        neg = self.perform_content_negotiation(request)
        request.accepted_renderer, request.accepted_media_type = neg
 
        # Determine the API version, if versioning is in use.
        version, scheme = self.determine_version(request, *args, **kwargs)
        request.version, request.versioning_scheme = version, scheme
 
        # Ensure that the incoming request is permitted
        """认证"""
        self.perform_authentication(request)
        """权限"""
        self.check_permissions(request)
        """频率"""
        self.check_throttles(request)

认证类的编写

之前提到过,如果代码不属于视图层就另开一个py文件。

认证:只有携带token随机字符串才可以访问某个路由。

urls.py

 
from app01 import views
from rest_framework.routers import SimpleRouter, DefaultRouter
from django.urls import path, include
 
router = SimpleRouter()
router.register('books', views.BookAPIView)
 
urlpatterns = [
    # path('books/',views.BookAPIView.as_view({'get':'login'})),
    path('', include(router.urls)),
    path('login/', views.UserAPIView.as_view())
]

views.py

from .auth import LoginAuth
from rest_framework.generics import ListAPIView
from rest_framework.viewsets import ViewSetMixin
 
 
class BookAPIView(ViewSetMixin, ListAPIView):
    queryset = Books.objects.all()
    serializer_class = BookSerializers
    # 增加登录认证
    authentication_classes = [LoginAuth]

auth.py

"""认证类"""
from rest_framework.authentication import BaseAuthentication
from . import models
from rest_framework.exceptions import AuthenticationFailed
 
class LoginAuth(BaseAuthentication):
    def authenticate(self,request):
        # 写认证规则
        # 取出用户携带的token
        # -注意:取get提交的数据,不要从request.GET中取,从request.query_params中取
        token = request.query_params.get('token')
        print(token)
        # 去数据库查询,token是否存在,存在表示登录了,不存在表示为登录
        user_token = models.UserToken.objects.filter(token=token).first()
        if user_token:
          	# 943ffc46-3826-47f9-a4de-ea9cd4bd23d6
            print(user_token.token)
            # User object (1),模型类对象
            print(user_token.user)
            # junjie
            print(user_token.user.username)
            return user_token.user,user_token.token
        raise AuthenticationFailed('您没有登录,认证失败')

此时想要访问books必须携带token才可以访问。

认证类的全局和局部使用

全局配置:

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES':[
        'app01.auth.LoginAuth'
    ]
}

局部禁用配置:

class UserAPIView(APIView):
    authentication_classes = []

源码分析:

# APIView--->dispathch方法的-----》self.initial(request, *args, **kwargs)(497行)---》APIView的initial方法----》有三句话
self.perform_authentication(request)  # 认证
self.check_permissions(request)       # 权限
self.check_throttles(request)         # 频率
 
 
 
# self.perform_authentication(request)----》新的request对象的.user(是个方法,包装成了数据数属性)---》新的Request类中找到了user方法---》self._authenticate()-----》Request类中的_authenticate
    def _authenticate(self):
        for authenticator in self.authenticators: # 配置在视图类中认证类列表,实例化得到的对象
            try:
                user_auth_tuple = authenticator.authenticate(self)
            except exceptions.APIException:
                self._not_authenticated()
                raise
 
            if user_auth_tuple is not None:
                self._authenticator = authenticator
                self.user, self.auth = user_auth_tuple
                return
            
            
 #  self.authenticators,self是Request类的对象,authenticators属性是Request这个类在实例化的时候,传入的
 
# Request类在实例化的时候代码
    return Request(
            request,
            parsers=self.get_parsers(),
            authenticators=self.get_authenticators(),  # 要看的
            negotiator=self.get_content_negotiator(),
            parser_context=parser_context
        )
 
 
# self.get_authenticators()是APIView的方法
def get_authenticators(self):
   	 	# 列表推导式
        return [auth() for auth in self.authentication_classes]
    	# 返回结果是我们配在视图类中自己写的认证类列表的对象
        return [LoginAuth(),]

权限组件

导入模块

from rest_framework.permissions import BasePermission

auth.py

from rest_framework.permissions import BasePermission
 
class UserPermission(BasePermission):
    def has_permission(self, request, view):
        """
        认证类走完再走权限类,所以request.user可以拿到当前登录用户
        """
        if request.user.user_type == 1:
            return True
        return False

全局配置使用:

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': [
        'app01.auth.UserPermission',
    ],
}

局部使用:

class BookAPIView(ViewSetMixin, ListAPIView):
    queryset = Books.objects.all()
    serializer_class = BookSerializers
    # 增加登录认证
    authentication_classes = [LoginAuth]
    # 增加权限类
    permission_classes = [UserPermission]
```python
#### 局部禁用:
```python
    permission_classes = []

权限类源码解读

APIView --> dispath --> initial --> self.check_permissions(request) --》
def check_permissions(self, request):
  """
  for permission in self.get_permissions(),self.get_permissions()在哪?
  		通过源码可以看到是权限类的全局和局部配置。局部有优先局部,局部没有定义取全局,全局没有去内置。
      def get_permissions(self):
        return [permission() for permission in self.permission_classes]
  """
  for permission in self.get_permissions():
    """
    对应到auth.py中的权限类,如果为True,代码正常执行,如果为False,执行self.permission_denied
    """
    if not permission.has_permission(request, self):
      self.permission_denied(
        request,
        """
        反射,现在auth.py中的权限类找massage.
        """
        message=getattr(permission, 'message', None),
        code=getattr(permission, 'code', None)
      )
# message 自定义报错信息
def permission_denied(self, request, message=None, code=None):
    """
    If request is not permitted, determine what kind of exception to raise.
    """
    if request.authenticators and not request.successful_authenticator:
        raise exceptions.NotAuthenticated()
    raise exceptions.PermissionDenied(detail=message, code=code)

auth.py

class UserPermission(BasePermission):
    def has_permission(self, request, view):
        """
        认证类走完再走权限类,所以request.user可以拿到当前登录用户
        """
        if request.user.user_type == 1:
            return True
        return False

频率组件的使用

频率的作用: 可以对接口访问的频次进行限制,以减轻服务器压力。一般用于付费购买次数,投票等场景使用.

**导入模块: **

from rest_framework.throttling import SimpleRateThrottle

auth.py,写一个类,继承基类,重写get_cache_key方法

 
class MyThrottle(SimpleRateThrottle):
    # scope一定要写,字符串对应到settings.py中配置REST_FRAMEWORK。
    scope = 'ip_Throttle'
 
    def get_cache_key(self, request, view):
        # 请求头所包含的信息在META中
        # 127.0.0.1
        print(request.META.get('REMOTE_ADDR'))
        return request.META.get('REMOTE_ADDR')
#### settings.py,配置文件中一定要配置。
 
REST_FRAMEWORK = {
	# (一分钟访问三次),key要跟类中的scope对应
    'DEFAULT_THROTTLE_RATES':{
        'ip_Throttle':'3/m'  
    }
}

settings.py ,全局配置。

REST_FRAMEWORK = {
  	 # (一分钟访问三次),key要跟类中的scope对应
    'DEFAULT_THROTTLE_RATES':{
        'ip_Throttle':'3/m'  
    },
 		 # 全局配置
    'DEFAULT_THROTTLE_CLASSES': (
        'app01.auth.MyThrottle',
    ),
}

views.py,视图类中配置

class BookAPIView(ViewSetMixin, ListAPIView):
    # 局部使用
    throttle_classes = [MyThrottle,]

posted @   冀未然  阅读(3)  评论(0编辑  收藏  举报
(评论功能已被禁用)
相关博文:
· drf : 请求(Request)与响应(Response),全局设置和局部设置drf的默认配置项。
· drf : source,定制序列化字段以及反序列化新增。局部钩子(validate_字段名),全局钩子(validate)
· drf : 认证 频率 权限
· drf 认证、权限、频率限制以及其源码
· drf 认证 频率和权限
阅读排行:
· 分享4款.NET开源、免费、实用的商城系统
· 全程不用写代码,我用AI程序员写了一个飞机大战
· MongoDB 8.0这个新功能碉堡了,比商业数据库还牛
· 记一次.NET内存居高不下排查解决与启示
· 白话解读 Dapr 1.15:你的「微服务管家」又秀新绝活了
点击右上角即可分享
微信分享提示