1.第一种情况:
client端
# ############### a. 发令牌: 静态 ############### import requests key = "asdfasdfasdfasdf098712sdfs" response = requests.get("http://127.0.0.1:8000/api/asset.html",headers={'OpenKey':key}) print(response.text) import requests response = requests.get("http://127.0.0.1:8000/api/asset.html") print(response.text)
server端
for k,v in request.META.items():
print(k,v)
key = request.META.get('HTTP_OPENKEY') if key != settings.AUTH_KEY: return HttpResponse('认证失败。。。。') if request.method == "GET": ys = '重要的不能被闲杂人等看的数据' return HttpResponse(ys)
2.第二种情况:生成了动态令牌,客户端发送 headers={'OpenKey':md5_time_key},跟服务端的server_md5_key进行比较,如果成功客户端才可以看到,但是有缺点:客户端发送给服务端的请求容易被截获
client端
# ############### b. 改良: 动态令牌, ############### import time import requests import hashlib import uuid#根据主板时间网络信息生成随机字符串 # ctime = time.time() key = "asdfasdfasdfasdf098712sdfs" new_key = "%s|%s" %(key,ctime,)#格式化 m = hashlib.md5() m.update(bytes(new_key,encoding='utf-8')) md5_key = m.hexdigest()#<class 'str'> md5_time_key = "%s|%s" %(md5_key,ctime) print(md5_time_key)#9dbc01bb70d8d47a625749af1882eb80|1501519015.0595002#生成md5值和时间的随机字符串 response = requests.get("http://127.0.0.1:8000/api/asset.html",headers={'OpenKey':md5_time_key}) print(response.text)
server端:
client_md5_time_key = request.META.get('HTTP_OPENKEY') client_md5_key,client_ctime = client_md5_time_key.split('|')#客户端的md5_key temp = "%s|%s" %(settings.AUTH_KEY,client_ctime) m = hashlib.md5() m.update(bytes(temp,encoding='utf-8')) server_md5_key = m.hexdigest()#服务端的md5_key if server_md5_key != client_md5_key:#进行比较,不相等,则认证失败 return HttpResponse('认证失败。。。。') if request.method == "GET": ys = '重要的不能被闲杂人等看的数据' return HttpResponse(ys)
API验证
a. 发令牌: 静态
PS: 隐患 key被别人获取
b. 动态令牌
PS: (问题越严重)用户生成的每个令牌被黑客获取到,都会破解
c. 终极版本
a. 客户端和服务端都有一个相同的key
客户端把key发给服务端,服务端拿着自己的key和客户端的key做比较 ###客户端 import time import requests key = "asdfasdfasdfasdf098712sdfs" response = requests.get("http://127.0.0.1:8000/api/asset.html",headers={'OpenKey':key}) print(response.text) ###服务端 #print(request.META) key = request.META.get("HTTP_OPENKEY") if key != settings.AUTH_KEY: return HttpResponse("验证失败")
b. key和时间
#客户端和服务端都有一个相同的key #客户端把加密key和当前时间发给服务端,服务端收到后把客户端发来的时间和自己的key加密 #然后把加密后的字串和客户端的字串比较 #客户端 import time import requests import hashlib ctime = time.time() key = "asdfasdfasdfasdf098712sdfs" new_key = "%s|%s" %(key,ctime,) m = hashlib.md5() m.update(bytes(new_key,encoding='utf-8')) #里面是字节数据 md5_key = m.hexdigest() #返回值是字符窜类型 md5_time_key = "%s|%s" %(md5_key,ctime) response = requests.get("http://127.0.0.1:8000/api/asset.html",headers={'OpenKey':md5_time_key}) print(response.text) #服务端 client_md5_time_key = request.META.get("HTTP_OPENKEY") client_md5_key,client_ctime = client_md5_time_key.split("|") temp = "%s|%s"%(settings.AUTH_KEY,client_ctime) m = hashlib.md5() m.update(bytes(temp, encoding='utf-8')) server_md5_key = m.hexdigest() if server_md5_key != client_md5_key: return HttpResponse("验证失败")
c. 终极版本
#客户端和服务端都有一个相同的key #客户端把加密key和当前时间发给服务端 #服务端验证: #1)服务端判断服务器当前的时间是否比客户端时间快10s,如果在10s内通过,有效的杜绝了案例二成千上万的key #2)服务器获取客户端时间和自己key加密然后和 客户端获取到的key比较 #3)删除与现在时间相差10s的数据(之后用memcache,redis) #3)在字典里判断是否有这个key,如果有不通过,没有加入字典(之后用memcache,redis) #客户端 import time import requests import hashlib ctime = time.time() key = "asdfasdfasdfasdf098712sdfs" new_key = "%s|%s" %(key,ctime,) m = hashlib.md5() m.update(bytes(new_key,encoding='utf-8')) #里面是字节数据 md5_key = m.hexdigest() #返回值是字符窜类型 md5_time_key = "%s|%s" %(md5_key,ctime) print(md5_time_key) response = requests.get("http://127.0.0.1:8000/api/asset.html",headers={'OpenKey':md5_time_key}) #黑客获取调用 #response = requests.get("http://127.0.0.1:8000/api/asset.html",headers={'OpenKey':"f610077a7001c53b5a74868c5544b388|1501514254.455578"}) print(response.text) #服务端 api_key_record ={ "76942d662d98ebe3b920a7b791bf5040|1501510243.92804":1501510243.92804, } def asset(request): client_md5_time_key = request.META.get("HTTP_OPENKEY") client_md5_key,client_ctime = client_md5_time_key.split("|") client_ctime = float(client_ctime) server_ctime = time.time() #第一关 时间关 if server_ctime - client_ctime > 10: return HttpResponse("第一关 小伙子,别虎我,太长了") #第二关 客户端时间和服务端key加密和 客户端的密钥对比 temp = "%s|%s"%(settings.AUTH_KEY,client_ctime) m = hashlib.md5() m.update(bytes(temp, encoding='utf-8')) server_md5_key = m.hexdigest() if server_md5_key != client_md5_key: return HttpResponse("第二关 规则正确") #以后基于memcache,目前先写入内存删除超过10s的值 for k in list(api_key_record.keys()): v = api_key_record[k] if server_ctime > v: del api_key_record[k] #第三关 判断字典里是否有之前访问的key,如果有不通过,没有加入字典 if client_md5_time_key in api_key_record: return HttpResponse("第三关 已经有人来过了") else: api_key_record[client_md5_time_key] = client_ctime + 10