Django REST Framework Deep Dive - Where is it determined that an endpoint needs an auth token
Problem description
General Django question for those who are more experienced than myself.
I'm reading through the code posted for a tutorial on thinkster.io:
https://github.com/howardderekl/conduit-django/tree/master/conduit/apps
There's an endpoint pertaining to the User model (authentication/models.py) that requires an Authorization header for it to return user information, defined here in authentication/views.py:
from rest_framework import status
from rest_framework.generics import RetrieveUpdateAPIView
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response

from .renderers import UserJSONRenderer     # app-local renderer from the tutorial's authentication app
from .serializers import UserSerializer     # app-local serializer from the same app


class UserRetrieveUpdateAPIView(RetrieveUpdateAPIView):
    permission_classes = (IsAuthenticated,)   # the permission check; does not itself read any header
    renderer_classes = (UserJSONRenderer,)
    serializer_class = UserSerializer

    def retrieve(self, request, *args, **kwargs):
        # request.user has already been populated by the authentication classes
        serializer = self.serializer_class(request.user)
        return Response(serializer.data, status=status.HTTP_200_OK)
My question is how/where is it (supposed to be) determined that an endpoint requires this Authorization header. My thought is that it is tied to the permission_classes variable stated in the UserRetrieveUpdateAPIView class above. I dug into the package location where this was imported from (from rest_framework.permissions import IsAuthenticated), but that doesn't appear to contain anything pertaining to an HTTP header:
# excerpt from rest_framework/permissions.py
class BasePermissionMetaclass(OperationHolderMixin, type):
    pass


class BasePermission(metaclass=BasePermissionMetaclass):
    """
    A base class from which all permission classes should inherit.
    """

    def has_permission(self, request, view):
        """
        Return `True` if permission is granted, `False` otherwise.
        """
        return True

    def has_object_permission(self, request, view, obj):
        """
        Return `True` if permission is granted, `False` otherwise.
        """
        return True

# ... ... ...

class IsAuthenticated(BasePermission):
    """
    Allows access only to authenticated users.
    """

    def has_permission(self, request, view):
        # only inspects request.user, which an authentication class set earlier
        return bool(request.user and request.user.is_authenticated)
I'm looking for best practices on how to structure headers like this for HTTP methods in my backend. Any ideas on where I should look, somewhere in settings.py maybe?
Thanks!
Bonus question:
This header requires two strings in your request. First being 'Token', followed by a space, then the actual JWT for that user. Is this standard practice to use two strings like this? If so, what's the reasoning? I've seen this before with other seemingly arbitrary words used for the first string, 'Token'.
As shown in the documentation:
REST framework will attempt to authenticate with each class in the list, and will set request.user and request.auth using the return value of the first class that successfully authenticates.
So if you use a token authentication scheme, the header Authorization: Token ... will result in the setup of request.user, and request.user.is_authenticated will be set to true for the view.
By combining it with the IsAuthenticated permission class, the view will only be accessible if the authorization token is set (and if you don't allow other authentication schemes).
For your second question, you can indeed put any string you want. Here DRF uses Token to make it clearer for which authentication scheme it is used. Since a lot of apps also use a "Token", a lot of them use the same word. You can also often find Bearer.
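To make the two-stage split concrete (an authentication class consumes the Authorization header and sets request.user; IsAuthenticated only inspects request.user), here is an added, dependency-free model of that pipeline. It is not DRF's code: Request, User, TOKENS and dispatch are stand-ins I constructed, and the header parsing follows the "Token <key>" rules DRF's TokenAuthentication applies (keyword match, then exactly one credential string).

```python
# Illustrative model of DRF's authenticate -> permission -> view order (constructed, not DRF code).
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    username: str
    is_authenticated: bool = True   # DRF's AnonymousUser reports False here


@dataclass
class Request:
    headers: Dict[str, str]
    user: Optional[User] = None     # populated by the authentication step, never by the view
    auth: Optional[str] = None


TOKENS = {"a1b2c3": User("alice")}  # constructed token -> user store (a DB table in DRF)


class AuthenticationFailed(Exception):
    """Malformed or unknown credentials; DRF turns this into a 401 response."""


def token_authenticate(request: Request, keyword: str = "Token") -> Optional[Tuple[User, str]]:
    """Parse 'Authorization: <keyword> <key>'. None means 'not my scheme, try the next class'."""
    parts = request.headers.get("Authorization", "").split()
    if not parts or parts[0].lower() != keyword.lower():
        return None                                   # e.g. 'Bearer ...' is left for another class
    if len(parts) == 1:
        raise AuthenticationFailed("No credentials provided.")
    if len(parts) > 2:
        raise AuthenticationFailed("Token string should not contain spaces.")
    user = TOKENS.get(parts[1])
    if user is None:
        raise AuthenticationFailed("Invalid token.")
    return user, parts[1]


def is_authenticated_permission(request: Request) -> bool:
    """Same expression as IsAuthenticated.has_permission: the header is never consulted here."""
    return bool(request.user and request.user.is_authenticated)


def dispatch(request: Request) -> int:
    """Authenticate, then check permission, then run the view. Returns the HTTP status."""
    try:
        result = token_authenticate(request)
    except AuthenticationFailed:
        return 401
    if result is not None:
        request.user, request.auth = result
    if not is_authenticated_permission(request):
        return 401   # TokenAuthentication supplies WWW-Authenticate, so DRF answers 401 rather than 403
    return 200       # the view runs and serializes request.user
```

Swapping the keyword argument (for example to "Bearer") is all that changes which first string the header must carry, which is why the word itself is a convention rather than a requirement.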