django rest framework - understanding authentication and logging in

Question

I am a beginner to django rest framework (and to REST in general) and I have a server side which (for now) has a UserViewSet which allows to register new users and I can POST to the url from my android app just fine (I get 201 CREATED).

I read a lot about it, but I don't seem to fully understand the concept of Login and Authentication in REST frameworks and specifically in django rest framework, and how it works.

Do you "Log in" (like in facebook for example) and then you can make requests?

What I understood\heard:

You can log in to an API\website using your username and password (assuming of course that you have registered as a user and you are in the user database).

After you are Logged in - you will be able to make requests to views that allow access only to logged in\authenticated users.


  • Is that somewhat correct? I mean, is there a "Log in" url where you login and that's it? you are authenticated?

Also read somewhere that there isn't actually a login url, and you have to add your username and password to each request and then the request has to check if your details are in the User database?

To sum up, I am not really sure how authentication/logging in (same thing?) happens in django REST framework... and would really appreciate a good explanation or an example.

Thanks a lot!

Recommended answer

In a normal web application (removing the API from the question), a user would "log" in with their credentials (username/password, social tokens, etc.) and would receive a session cookie (assigned by Django) that allows them to authenticate in future requests on behalf of a user (realistically, themselves). This session cookie stays on their system for a limited period of time (two weeks by default) and allows them to freely use the website without authenticating again. If the session cookie needs to be removed, such that the person can no longer authenticate, the web application typically destroys the session cookie (or clears the session) which effectively "logs them out".

In the case of an API, it all depends on how the authentication works.


  • SessionAuthentication works just as described above, as it uses Django's internal session system.
  • TokenAuthentication remembers the authentication information through a database-backed token (which is transmitted in the Authorization header) instead of a session cookie.
  • BasicAuthentication authenticates on every session (no persistent session) by passing the username and password on every request (base64 encoded through the Authorization header).
  • Other authentication methods generally work in the same way as TokenAuthentication.

So, here are some answers to specific questions which were raised

Do you "Log in" (like in facebook for example) and then you can make requests?

Using BasicAuthentication, you "log in" on every request by providing your credentials. With token-based authentication (TokenAuthentication, OAuth 2, JWT, etc.), you "log in" to receive the initial token and then your authorization is confirmed on every request.

Also read somewhere that there isn't actually a login url, and you have to add your username and password to each request and then the request has to check if your details are in the User database?

This is basic access authentication which you can use in DRF using the BasicAuthentication class.
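
The three schemes described in the answer, as an added example that is not part of the original answer and is not DRF's own code: a standard-library model of what the server checks on each request. The user `alice`, the in-memory stores and all function names are constructed for illustration; `Token` is DRF's header keyword and `sessionid` is Django's default session cookie name.

```python
import base64, hashlib, hmac, secrets

# Constructed sample data: one user, plus empty token and session stores.
SALT = b"constructed-salt"
def _hash(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)
USERS = {"alice": _hash("s3cret")}
TOKENS = {}    # token key -> username (TokenAuthentication: database-backed)
SESSIONS = {}  # session id -> username (SessionAuthentication: cookie-backed)

def check_password(username, password):
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, _hash(password))

def login(username, password, kind):
    """The one-time "log in" step: trade credentials for a token or session id."""
    if not check_password(username, password):
        return None
    key = secrets.token_hex(20)
    (TOKENS if kind == "token" else SESSIONS)[key] = username
    return key

def authenticate(headers):
    """Return (username, scheme) for one request, or None if unauthenticated."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme == "Basic":
        # The password travels on every request; base64 is encoding, not
        # encryption, so anyone who can read the header can read the password.
        try:
            raw = base64.b64decode(value, validate=True).decode()
        except ValueError:
            return None
        user, _, pw = raw.partition(":")
        return (user, "basic") if check_password(user, pw) else None
    if scheme == "Token":
        user = TOKENS.get(value)
        return (user, "token") if user else None
    for part in headers.get("Cookie", "").split(";"):
        name, _, sid = part.strip().partition("=")
        if name == "sessionid" and sid in SESSIONS:
            return (SESSIONS[sid], "session")
    return None

def logout(key):
    """Logging out deletes the server-side record, so the key stops working."""
    TOKENS.pop(key, None)
    SESSIONS.pop(key, None)
```

In all three cases a bearer secret (password, token or session id) is sent with each request, so the API should only be served over TLS.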
