- TokenAuthentication: 此身份验证方案使用基于令牌的简单 HTTP 身份验证方案。令牌认证适用于客户端-服务器设置,例如原生桌面和移动客户端。注意:令牌在每个请求的 Authorization 头中以明文传输,生产环境必须仅通过 HTTPS 提供 API,否则令牌会被窃听者截获并重放。
- SessionAuthentication: 此身份验证方案使用Django的默认会话后端进行身份验证。会话身份验证适用于与您的网站在同一会话上下文中运行的AJAX客户端。
四:自定义验证(了解原理)
一 浏览器账号密码认证
# views
from rest_framework.authentication import BasicAuthentication
class CartView(APIView):
    """Cart endpoint guarded by HTTP Basic authentication.

    ``authentication_classes`` may list several schemes; DRF tries them in
    list order and the first one that succeeds sets ``request.user``.
    """
    # NOTE(review): BasicAuthentication sends the username/password with
    # every request (base64-encoded, not encrypted), so this endpoint
    # must only be served over HTTPS.
    authentication_classes = [BasicAuthentication]
    # Only an authenticated user may access the view.
    permission_classes = [IsAuthenticated]
二:基于token认证
# views
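from rest_framework.authentication import BasicAuthentication, TokenAuthentication


class CartView(APIView):
    """Cart endpoint accepting either HTTP Basic or token credentials.

    The schemes are tried in list order; the first one that succeeds sets
    ``request.user``. ``TokenAuthentication`` relies on the
    ``rest_framework.authtoken`` app being installed and on a URL that
    issues tokens (``obtain_auth_token`` below).
    """
    # TokenAuthentication was referenced here without being imported, which
    # raised NameError at class-definition time; the import above now
    # brings both schemes into scope.
    authentication_classes = [BasicAuthentication, TokenAuthentication]
    # Only an authenticated user may access the view.
    permission_classes = [IsAuthenticated]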
# 注册
INSTALLED_APPS = [
    ........
    'rest_framework',
    # Provides the Token model used by TokenAuthentication and the
    # obtain_auth_token view.
    # NOTE(review): run `manage.py migrate` after adding this app so the
    # token table exists before the first token is requested.
    'rest_framework.authtoken',
]
# url配置
urlpatterns = [
    path('admin/', admin.site.urls),
    # Token-issuing endpoint: POST username/password, receive the token.
    # NOTE(review): this endpoint accepts a password in the request body,
    # so it must only be reachable over HTTPS, and it is not throttled by
    # default — consider a throttle to slow down credential stuffing.
    # (obtain_auth_token lives in rest_framework.authtoken.views; the
    # import is not shown in this snippet.)
    path('api-token-auth/', obtain_auth_token),
]
三 SessionAuthentication 认证
会话身份验证适用于与您的网站在同一会话上下文中运行的 AJAX 客户端。对于通过会话认证的请求,POST、PUT、PATCH、DELETE 等非安全方法必须携带有效的 CSRF token,否则 DRF 会拒绝请求;Postman 不容易生成这个 token,可以先登录 Django 自带的管理后台获得 sessionid 与 csrftoken 两个 cookie,再把 csrftoken 的值放入 X-CSRFToken 请求头进行测试。
class CartView(APIView):
    """Cart endpoint accepting Basic, token, or Django session credentials.

    The schemes are tried in list order; the first to succeed sets
    ``request.user``.
    """
    # NOTE(review): SessionAuthentication enforces CSRF checks on
    # session-authenticated unsafe requests (POST/PUT/PATCH/DELETE), so a
    # browser client must send the csrftoken; Basic/Token requests are not
    # subject to that check, which is why they can be driven from Postman
    # without one.
    authentication_classes = [BasicAuthentication, TokenAuthentication, SessionAuthentication]
    # Only an authenticated user may access the view.
    permission_classes = [IsAuthenticated]
四:自定义验证(了解原理)
# models
from django.db import models
class User(models.Model):
    """Minimal user record for the hand-rolled authentication demo."""
    username = models.CharField(max_length=32, unique=True)
    # NOTE(review): LoginView below compares this column to the submitted
    # password verbatim, i.e. passwords are stored in plaintext. Outside a
    # demo, store a salted hash (Django's make_password/check_password)
    # and never the raw secret.
    password = models.CharField(max_length=64)
class UserToken(models.Model):
    """Bearer token issued to a User by LoginView and looked up by MyAuthentication."""
    # One token row per user; deleting the user deletes the token.
    user = models.OneToOneField('User', models.CASCADE)
    # The credential itself, queried by value on every request. It must be
    # unpredictable (a random secret, not a hash of public data).
    # NOTE(review): the column would benefit from unique=True / an index,
    # and storing a hash of the token instead of the token itself would
    # keep a database leak from yielding usable credentials.
    token = models.CharField(max_length=64)
# 自定义token认证和自定义权限 permissions.py 文件
from rest_framework.permissions import BasePermission
from rest_framework.authentication import BaseAuthentication
from .models import UserToken
from rest_framework import exceptions
# 自定义token认证
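class MyAuthentication(BaseAuthentication):
    """Authenticate requests by the bearer value sent in a ``Token`` header.

    Django exposes the HTTP header ``Token: <value>`` as
    ``request.META['HTTP_TOKEN']``. The value is matched against
    ``UserToken.token``; on success the owning user and the UserToken row
    become ``request.user`` and ``request.auth``.

    Raises:
        AuthenticationFailed: when the header is absent/empty or does not
            match any issued token.
    """

    def authenticate(self, request):
        token = request.META.get('HTTP_TOKEN')
        # Reject a missing or empty header up front instead of issuing a
        # `token IS NULL` / `token = ''` query against the token table.
        if not token:
            raise exceptions.AuthenticationFailed('验证失败')
        obj = UserToken.objects.filter(token=token).first()
        if obj is None:
            raise exceptions.AuthenticationFailed('验证失败')
        return obj.user, obj

    def authenticate_header(self, request):
        # Returning a challenge string makes DRF answer a failed
        # authentication with 401 Unauthorized instead of 403 Forbidden.
        return 'Token'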
# 自定义权限
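class MyPermission(BasePermission):
    """Admit only requests that an authenticator has actually resolved.

    Requires both a truthy ``request.user`` and a non-None ``request.auth``
    (the UserToken row returned by MyAuthentication). A bare truthiness
    test on ``request.user`` is not sufficient: Django's AnonymousUser is
    truthy, so a request that no authenticator claimed would otherwise be
    let through.
    """

    def has_permission(self, request, view):
        user = getattr(request, 'user', None)
        auth = getattr(request, 'auth', None)
        return bool(user) and auth is not None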
# url配置
from django.urls import path
from . import views
urlpatterns = [
    # Protected by MyAuthentication + MyPermission (see CartView below).
    path('carts/', views.CartView.as_view(), name='cart-list'),
    # Token-issuing endpoint: exchanges username/password for a token.
    # NOTE(review): serve only over HTTPS and consider throttling it.
    path('login/', views.LoginView.as_view(), name='login'),
]
# 登陆接口 views配置
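class LoginView(APIView):
    """Exchange a username/password pair for a bearer token.

    Expects POST form fields ``username`` and ``password``. On success the
    JSON response carries ``code`` 1 and a ``token`` that MyAuthentication
    accepts in the ``Token`` request header; on failure ``code`` is -1 and
    ``msg`` explains why.
    """

    def post(self, request, *args, **kwargs):
        import secrets

        ret = {'code': 1, 'msg': None, 'data': {}}
        user = request.POST.get('username')
        pwd = request.POST.get('password')
        # NOTE(review): this compares the submitted password with the stored
        # column verbatim, which only works because User.password is kept in
        # plaintext. Store a salted hash and verify it with Django's
        # check_password before using this outside a demo.
        obj = User.objects.filter(username=user, password=pwd).first()
        if obj is None:
            ret['code'] = -1
            ret['msg'] = "用户名或密码错误"
            # A failed login must stop here; the original fell through and
            # tried to issue a token for user=None.
            return JsonResponse(ret)
        # The token used to be md5(username): deterministic and computable
        # by anyone who knows a username, so any account could be
        # impersonated without its password. Issue an unpredictable secret
        # instead; token_hex(32) gives 64 hex chars, matching
        # UserToken.token's max_length.
        token = secrets.token_hex(32)
        # One UserToken row per user, so each login rotates the token and
        # invalidates the previous one.
        UserToken.objects.update_or_create(user=obj, defaults={'token': token})
        ret['token'] = token
        return JsonResponse(ret)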
# 测试接口
class CartView(APIView):
    """Demo endpoint protected by the hand-rolled token scheme.

    Requests must carry a ``Token`` header that MyAuthentication resolves
    to a UserToken; MyPermission then admits only requests with a user.
    """
    # Custom authentication class (permissions.py).
    authentication_classes = [MyAuthentication]
    # Custom permission class (permissions.py).
    permission_classes = [MyPermission]

    def get(self, request, *args, **kwargs):
        # Reached only after authentication and permission checks pass.
        return JsonResponse({"code":0})