day-85drf

自定义字段,不参与反/序列化:

反序列化之前拦截

 

Django基于角色的权限认证(6表)

Django基于角色的权限认证(6表多对多字段,正反查询)

 

admin设置显示中文

 drf认证组件与权限组件

REST_FRAMEWORK = {
    
    1.'DEFAULT_AUTHENTICATION_CLASSES': [                               # 自定义认证类 - 重写authenticate - 通过(user和auth | None) 失败(raise)
        
        'rest_framework.authentication.SessionAuthentication',          # 前台sessionid与后台django_session完成认证,赋值给request.user   
        'rest_framework.authentication.BasicAuthentication',
       
    ],
   
    2.'DEFAULT_PERMISSION_CLASSES': [                                     # 自定义权限类 (主要获取request.user)- has_permission - 通过(True) | 失败(False)
        'rest_framework.permissions.AllowAny',
      
        'rest_framework.permissions.IsAuthenticated',                     # 校验是否有request.user
       
        'rest_framework.permissions.IsAuthenticatedOrReadOnly',           # 查操作不校验request.user,增改删校验request.user
      
        'rest_framework.permissions.IsAdminUser',                         # 是否是在职用户(request.user.is_staff)

    ],
}

自定义权限组件

settings.py:

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
    
        'rest_framework.authentication.SessionAuthentication',             
        'rest_framework.authentication.BasicAuthentication',
 
    ],

    'DEFAULT_PERMISSION_CLASSES': [
       
        # 'api.permissions.IsSuperUserPermission'                        # 自定义是否是超级管理员(request.user.is_superuser)

    
    ],
}

自定义权限类:

视图是否使用权限组件:

admin密文操作密码

 jwt:json web tokens(发展史)

jwt的tokens

组成:
  头+体+签名
  头:{公司基本信息,加密方式} => base64加密
  体(载荷):{用户信息,过期时间} => base64加密
  签名:{头,体,密钥} => hash256加密

签发token:
  登陆的用户、过期时间、服务器密钥 + 基础信息们
校验token:
  前台的头、前台的体、服务器密钥

安装:

  pip3 install djangorestframework-jwt

自定义jwt登录实现签发token

from rest_framework.views import APIView
from rest_framework_jwt.serializers import jwt_payload_handler
from rest_framework_jwt.serializers import jwt_encode_handler
from django.contrib import auth
# 自定义jwt登陆
class LoginAPIView(APIView):
    def post(self, request, *args, **kwargs):
        username = request.data.get('username')
        password = request.data.get('password')
        if not (username and password):
            return Response({
                'error': 'username与password为必须字段'
            })
        user_obj = auth.authenticate(username=username, is_active=True, password=password)
        if user_obj:
            # 签发token
            payload = jwt_payload_handler(user_obj)
            token = jwt_encode_handler(payload)
            return Response({
                'status': 0,
                'msg': 'ok',
                'token': token
            })
        else:
            return Response({
                'status': 1,
                'msg': 'username与password有误'
            })

自定义jwt实现验证token

自定义验证token类:

import jwt
from rest_framework_jwt.authentication import BaseJSONWebTokenAuthentication
from rest_framework_jwt.authentication import jwt_decode_handler
from rest_framework import exceptions
class JWTAuthentication(BaseJSONWebTokenAuthentication):
    def authenticate(self, request):
        jwt_value = request.META.get('HTTP_TOKEN')
        if jwt_value is None:
            return None
        try:
            payload = jwt_decode_handler(jwt_value)
        except jwt.ExpiredSignature:
            raise exceptions.AuthenticationFailed('token已过期')
        except jwt.InvalidTokenError:
            raise exceptions.AuthenticationFailed('token非法')

        user = self.authenticate_credentials(payload)

        return (user, jwt_value)

view视图:

from rest_framework.viewsets import ModelViewSet
from . import models, serializers
from rest_framework.response import Response


from . import permissions
from rest_framework.permissions import IsAuthenticated
from rest_framework_jwt.authentication import JSONWebTokenAuthentication
from api.authentications import JWTAuthentication
class CarsModelViewSet(ModelViewSet):
   

    # 必须完成jwt校验才能得到登陆状态    
    # authentication_classes = [JSONWebTokenAuthentication]     #系统验证token
    authentication_classes = [JWTAuthentication]                #自定义验证token
    
    # 登陆后才能查看
    permission_classes = [IsAuthenticated]


    queryset = models.Car.objects.filter(is_delete=False)
    serializer_class = serializers.CarsModelSerializer

    def destroy(self, request, *args, **kwargs):
        return Response('该功能暂无提供')

设置token过期时间

import datetime
JWT_AUTH = {
    
    'JWT_EXPIRATION_DELTA': datetime.timedelta(seconds=300),        # 过期时间
}

系统验证token反扒措施

原文地址:https://www.cnblogs.com/klw1/p/11379602.html