DRF框架(七) ——三大认证组件之频率组件、jwt认证
drf频率组件源码
1.APIView的dispatch方法的 self.initial(request,*args,**kwargs) 点进去
2.self.check_throttles(request) 进行频率认证
def initial(self, request, *args, **kwargs): """ Runs anything that needs to occur prior to calling the method handler. """ self.format_kwarg = self.get_format_suffix(**kwargs) # Perform content negotiation and store the accepted info on the request neg = self.perform_content_negotiation(request) request.accepted_renderer, request.accepted_media_type = neg # Determine the API version, if versioning is in use. version, scheme = self.determine_version(request, *args, **kwargs) request.version, request.versioning_scheme = version, scheme # Ensure that the incoming request is permitted self.perform_authentication(request) self.check_permissions(request) self.check_throttles(request) #频率认证
3.self.get_throttles() 频率组件最终要的两个方法:allow_request()和wait()
def check_throttles(self, request): #频率组件核心代码 """ Check if request should be throttled. Raises an appropriate exception if the request is throttled. """ throttle_durations = [] for throttle in self.get_throttles(): if not throttle.allow_request(request, self): throttle_durations.append(throttle.wait())
3-1. self.throttle_classes 出现频率配置settings信息,经过查询源码的settings文件对频率配置为空
def get_throttles(self): """ Instantiates and returns the list of throttles that this view uses. """ return [throttle() for throttle in self.throttle_classes] #频率组件配置信息
4. allow_request() 在自身、所在类都没有找到,那去父类找,在源码throttling.py中
class SimpleRateThrottle(BaseThrottle): cache = default_cache timer = time.time cache_format = 'throttle_%(scope)s_%(ident)s' scope = None THROTTLE_RATES = api_settings.DEFAULT_THROTTLE_RATES def __init__(self): if not getattr(self, 'rate', None): self.rate = self.get_rate() #3.rate值就是方法get_rate的返回值(频率次数) self.num_requests, self.duration = self.parse_rate(self.rate) def get_cache_key(self, request, view): raise NotImplementedError('.get_cache_key() must be overridden')
#get_rate最后返回的结果是设置的频率次数 def get_rate(self):#1.在自定义类中要给scope属性赋值 if not getattr(self, 'scope', None): msg = ("You must set either `.scope` or `.rate` for '%s' throttle" % self.__class__.__name__) raise ImproperlyConfigured(msg) try: return self.THROTTLE_RATES[self.scope] #2.在settings文件中配置scope属性值对应的value except KeyError: msg = "No default throttle rate set for '%s' scope" % self.scope raise ImproperlyConfigured(msg) def parse_rate(self, rate): if rate is None: return (None, None) num, period = rate.split('/') #4.rate有值,根据源码,自定义的rate值是一个字符串,而且是这种格式:'数字/以s,m,h,d之类开头的字母' num_requests = int(num) #5.获得的数字就是设置的频率次数 duration = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}[period[0]] #6.获得是间隔的时间(以秒为单位) return (num_requests, duration) #7.数据返回给__init__,解压赋值 def allow_request(self, request, view): if self.rate is None: return True #get_cache_key就是要重写的方法,若不重写,会直接抛出异常 self.key = self.get_cache_key(request, view) #8.自定义的时候需要重写的方法,有返回值,放入缓存中 if self.key is None: return True self.history = self.cache.get(self.key, []) #9.获取缓存,通过key取值 self.now = self.timer() #10.当前时间 # Drop any requests from the history which have now passed the # throttle duration while self.history and self.history[-1] <= self.now - self.duration: self.history.pop() if len(self.history) >= self.num_requests: return self.throttle_failure() return self.throttle_success() def throttle_success(self): self.history.insert(0, self.now) self.cache.set(self.key, self.history, self.duration) return True def throttle_failure(self): return False
#返回距下一次能请求的时间,限制的访问次数在parse_rate可以求出 def wait(self): """ Returns the recommended next request time in seconds. """ if self.history: remaining_duration = self.duration - (self.now - self.history[-1]) else: remaining_duration = self.duration available_requests = self.num_requests - len(self.history) + 1 if available_requests <= 0: return None return remaining_duration / float(available_requests)
核心源码分析
def check_throttles(self, request): throttle_durations = [] # 1)遍历配置的频率认证类,初始化得到一个个频率认证类对象(会调用频率认证类的 __init__() 方法) # 2)频率认证类对象调用 allow_request 方法,判断是否限次(没有限次可访问,限次不可访问) # 3)频率认证类对象在限次后,调用 wait 方法,获取还需等待多长时间可以进行下一次访问 # 注:频率认证类都是继承 SimpleRateThrottle 类 for throttle in self.get_throttles(): if not throttle.allow_request(request, self): # 只要频率限制了,allow_request 返回False了,才会调用wait throttle_durations.append(throttle.wait()) if throttle_durations: # Filter out `None` values which may happen in case of config / rate # changes, see #1438 durations = [ duration for duration in throttle_durations if duration is not None ] duration = max(durations, default=None) self.throttled(request, duration)
注意:
主要流程在第四步中标出
自定义频率类
# 1) 自定义一个继承 SimpleRateThrottle 类 的频率类 # 2) 设置一个 scope 类属性,属性值为任意见名知意的字符串 # 3) 在settings配置文件中,配置drf的DEFAULT_THROTTLE_RATES,格式为 {scope字符串值: '次数/时间'} # 4) 在自定义频率类中重写 get_cache_key 方法 # 限制的对象返回 与限制信息有关的字符串 # 不限制的对象返回 None (只能放回None,不能是False或是''等)
写一个短信接口,设置 1/min频率限制
utils.throttles.py
from rest_framework.throttling import SimpleRateThrottle class SMSRateThrottle(SimpleRateThrottle): scope = 'sms' #只对提交手机号的get方法进行限制 def get_cache_key(self, request, view): mobile = request.query_params.get('mobile') #没有手机号就不做频率限制 if not mobile: return None #返回的信息可以用手机号动态变化,且不易重复的字符串,作为缓存的key return 'throttle_%(scope)s_%(ident)s' % {'scope': self.scope, 'ident': mobile}
settings.py配置:
# drf配置 REST_FRAMEWORK = { # 频率限制条件配置 'DEFAULT_THROTTLE_RATES': { 'sms': '1/min' }, }
视图层:views.py
from .throttles import SMSRateThrottle class TestSMSAPIView(APIView): # 局部配置频率认证 throttle_classes = [SMSRateThrottle] def get(self, request, *args, **kwargs): return APIResponse(0, 'get 获取验证码 OK') def post(self, request, *args, **kwargs): return APIResponse(0, 'post 获取验证码 OK')
路由:urls.py
url(r'^sms/$', views.TestSMSAPIView.as_view()),
会限制的接口
# 只会对 /api/sms/?mobile=具体手机号 接口才会有频率限制,设置了限制频率,到达访问次数就会禁止 # 1)对 /api/sms/ 或其他接口发送无限制 # 2)对数据包提交mobile的/api/sms/接口无限制 # 3)对不是mobile(如phone)字段提交的电话接口无限制
JWT认证
优点
1) 服务器不要存储token,token交给每一个客户端自己存储,服务器压力小 2)服务器存储的是 签发和校验token 两段算法,签发认证的效率高 3)算法完成各集群服务器同步成本低,路由项目完成集群部署(适应高并发)
格式
1) jwt token采用三段式:头部.载荷.签名 2)每一部分都是一个json字典加密形参的字符串 3)头部和载荷采用的是base64可逆加密(前台后台都可以解密) 4)签名采用hash256不可逆加密(后台校验采用碰撞校验) 5)各部分字典的内容: 头部:基础信息 - 公司信息、项目组信息、可逆加密采用的算法 载荷:有用但非私密的信息 - 用户可公开信息、过期时间 签名:头部+载荷+秘钥 不可逆加密后的结果 注:服务器jwt签名加密秘钥一定不能泄露 签发token:固定的头部信息加密.当前的登陆用户与过期时间加密.头部+载荷+秘钥生成不可逆加密 校验token:头部可校验也可以不校验,载荷校验出用户与过期时间,头部+载荷+秘钥完成碰撞检测校验token是否被篡改
drf-jwt插件
官网
https://github.com/jpadilla/django-rest-framework-jwt
安装
pip install djangorestframework-jwt
登录-签发token(生成token):urls.py
# ObtainJSONWebToken视图类就是通过username和password得到user对象然后签发token(生成token) from rest_framework_jwt.views import ObtainJSONWebToken, obtain_jwt_token urlpatterns = [ # url(r'^jogin/$', ObtainJSONWebToken.as_view()), url(r'^jogin/$', obtain_jwt_token), ]
认证-校验token(解析token):全局或者配置drf-jwt的认证类 JSONWebTokenAuthentication
from rest_framework.views import APIView from utils.response import APIResponse # 必须登录后才能访问 - 通过了认证权限组件 from rest_framework.permissions import IsAuthenticated from rest_framework_jwt.authentication import JSONWebTokenAuthentication class UserDetail(APIView): authentication_classes = [JSONWebTokenAuthentication] # jwt-token校验request.user permission_classes = [IsAuthenticated] # 结合权限组件筛选掉游客 def get(self, request, *args, **kwargs): return APIResponse(results={'username': request.user.username})
路由与接口测试
# 路由 url(r'^user/detail/$', views.UserDetail.as_view()), # 接口:/api/user/detail/ # 认证信息:必须在请求头的 Authorization 中携带 "jwt 后台签发的token" 格式的认证字符串
注意:
1.签发token的时候,只有post请求,没有get请求 2.生成token的时候需要通过json传入username和password 3.解析token的时候,get请求需要在Headers中传入参数 Authorization jwt 用户对应的token值
