# JWT token认证
# 注意：djangorestframework-jwt 已多年未维护；新项目建议改用 djangorestframework-simplejwt（配置项名称不同）。
pip install djangorestframework-jwt
# url
urlpatterns = [
......
# Token-issuing endpoint: a POST here returns a JWT (see the "POST" note
# further down). NOTE(review): it receives credentials, so it must be served
# over HTTPS in production and should be throttled against credential
# stuffing — confirm in the deployment / REST_FRAMEWORK throttle settings.
path('api-token-auth/', obtain_jwt_token),
]
# settings 全局配置
# Global DRF defaults: every view authenticates incoming requests with the
# JWT authentication class unless it overrides `authentication_classes`.
REST_FRAMEWORK = dict(
    DEFAULT_AUTHENTICATION_CLASSES=(
        'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
    ),
)
import datetime
# Settings consumed by rest_framework_jwt.
JWT_AUTH = {
    # Access-token lifetime. NOTE(review): one day is long for a bearer token
    # that (being a stateless JWT) presumably cannot be revoked before it
    # expires; consider a shorter delta, especially with refresh disabled.
    'JWT_EXPIRATION_DELTA': datetime.timedelta(days=1),
    # NOTE(review): refresh is switched off just below (JWT_ALLOW_REFRESH is
    # False), so this refresh window looks like dead configuration — either
    # enable refresh or drop the key to avoid a misleading setting.
    'JWT_REFRESH_EXPIRATION_DELTA': datetime.timedelta(days=7),
    'JWT_ALLOW_REFRESH': False,
    # Prefix expected in the Authorization header (presumably
    # "Authorization: JWT <token>" — verify against the library docs).
    'JWT_AUTH_HEADER_PREFIX': 'JWT',
    # Override the login response: return user info alongside the token
    # (see utils.jwt_response_payload_handler below).
    'JWT_RESPONSE_PAYLOAD_HANDLER': 'utils.jwt_response_payload_handler',
}
# utils.jwt_response_payload_handler
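def jwt_response_payload_handler(token, user=None, request=None):
    """Build the JSON body returned by the token endpoint.

    Hooked in through JWT_AUTH['JWT_RESPONSE_PAYLOAD_HANDLER'] so the login
    response carries a few profile fields next to the token.

    Args:
        token: the freshly issued JWT string.
        user: the authenticated user; expected to expose ``id``, ``username``,
            ``first_name``, ``last_name``, ``is_staff`` and ``last_login``.
        request: the login request (unused here).

    Returns:
        dict with ``token`` plus, when a user is given, ``id``, ``username``,
        ``last_login`` (formatted '%Y-%m-%d %H:%M:%S', or None if the user has
        never logged in), ``firstname``, ``lastname`` and ``is_staff``.
        Everything in this dict goes straight to the client, so never add
        password hashes, email or other sensitive fields here.
    """
    # The parameter defaults to None but the original dereferenced it
    # unconditionally (AttributeError); degrade to a token-only body instead.
    if user is None:
        return {'token': token}
    last_login = user.last_login
    return {
        'token': token,
        'id': user.id,
        'username': user.username,
        'last_login': last_login.strftime('%Y-%m-%d %H:%M:%S') if last_login else None,
        'firstname': user.first_name,
        'lastname': user.last_name,
        'is_staff': user.is_staff,
    }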
# 局部
from rest_framework_jwt.authentication import JSONWebTokenAuthentication
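class CartView(APIView):
    """Cart endpoint; only authenticated (JWT) users may reach it.

    The original listed ``authentication_classes = []`` and
    ``permission_classes = []`` *after* the real settings as an example of
    opting a view out of auth. In a class body the later assignment wins,
    so the view was silently left wide open to anonymous requests. The
    opt-out lines are kept below as comments only.
    """
    # Per-view override of the global default: JWT authentication only.
    authentication_classes = [JSONWebTokenAuthentication]
    # Require a logged-in user.
    permission_classes = [IsAuthenticated]
    # To make a view deliberately public, use empty lists INSTEAD of the two
    # attributes above — never in addition, or they override them:
    # authentication_classes = []
    # permission_classes = []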
# POST访问（请求体携带 username / password；生产环境必须使用 HTTPS，否则凭据以明文传输）
http://127.0.0.1:8003/api-token-auth/
二: 权限控制
# Global permission default. NOTE: this is a second assignment to
# REST_FRAMEWORK; if it lands in the same settings module as the JWT block
# above, the later assignment replaces the whole dict and
# DEFAULT_AUTHENTICATION_CLASSES is lost — merge both keys into one dict.
REST_FRAMEWORK = dict(
    DEFAULT_PERMISSION_CLASSES=(
        # Requires an authenticated user everywhere unless a view overrides it.
        'rest_framework.permissions.IsAuthenticated',
        # Alternative: tie access to Django model permissions.
        # "rest_framework.permissions.DjangoModelPermissions",
    ),
)
# 自定用权限类
from rest_framework import permissions
class IsOwnOrReadOnly(permissions.BasePermission):
    """Object-level permission: anyone may read, only the owner may write.

    Only ``has_object_permission`` is overridden; ``has_permission`` is left
    untouched, so this class does not by itself gate list or create requests
    — pair it with a view-level permission such as IsAuthenticatedOrReadOnly.
    """

    def has_object_permission(self, request, view, obj):
        is_read = request.method in permissions.SAFE_METHODS
        # Safe (read-only) methods pass; writes must come from the owner.
        return is_read or obj.user == request.user
# views
from .permissions import IsOwnOrReadOnly # 导入自定义的权限
from rest_framework import permissions
class GameViewSet(viewsets.ModelViewSet):
    """CRUD endpoints for Game.

    Reads are open to everyone; writes need a logged-in user, and changes to
    an existing game additionally require that user to be its owner
    (IsOwnOrReadOnly). Set ``authentication_classes``/``permission_classes``
    to empty lists only for an endpoint that is meant to be public.
    """
    queryset = Game.objects.all()
    serializer_class = GameSerializer
    # Authentication falls back to the global DEFAULT_AUTHENTICATION_CLASSES;
    # to opt out for this view only: authentication_classes = []
    permission_classes = [permissions.IsAuthenticatedOrReadOnly, IsOwnOrReadOnly]

    def perform_create(self, serializer):
        """Stamp the new game with the requesting user as its owner.

        Done server-side so a client cannot pick another owner (assumes
        ``user`` is not also a writable field on GameSerializer — verify).
        """
        serializer.save(user=self.request.user)
# request.user 由 authentication_classes 中的认证类（这里是 JSONWebTokenAuthentication）在进入视图前赋值；未认证时为匿名用户