Django JWT身份验证_django jwtauthentication

0X00 安装及基础使用

Django JWT是基于Django的auth模块和user model的，所以如果不使用Django的model那么是无法使用Django JWT的。其视图的实现方法是基于Django restframework的APIView和serializers。修正一下，准确的来说Django restframework JWT默认是基于auth模块和user model的，如果你对源码足够熟悉，将各个模块重写，那么将JWT结合到你自己的认证系统也是没有任何问题，不过使用自己的认证系统的话完全可以使用Token模块自己生成Token了，这种情况下使用JWT有点多此一举了。

废话讲到这里，正文开始

1.使用pip安装

pip install djangorestframework-jwt

2.在你的settings.py，添加JSONWebTokenAuthentication到Django REST框架DEFAULT_AUTHENTICATION_CLASSES

SessionAuthentication和BasicAuthentication在使用restframework的调试界面需要用到的模块。

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.BasicAuthentication',
    ),
}

3.urls.py

from django.conf.urls import url
from rest_framework_jwt.views import obtain_jwt_token, verify_jwt_token
 
urlpatterns = [
    url(r'^login/', obtain_jwt_token), # 用于获取token
    url(r'^token-verify/', verify_jwt_token), # 验证令牌是否合法
    path(r'api-auth/', include('rest_framework.urls')), # 为restframework调试页面也开启验证
]

（1）obtain_jwt_token：提交用户名和密码，后台判定是否合法，合法的话返回一个Token，否则认证失败

- URL:/login/
- Request:
    - 请求方法:POST(表单)
    - 请求参数:username:'',password:''
Response:
    - 200,登录成功，返回{"token":"xxxxxx"}
    - 400,身份验证未通过

（2）verify_jwt_token：提交一个Token，后台判定Token是否过期

- URL:/token-verify/
- Request:
    - 请求方法:POST(application/json)
    - 请求参数:{"token":"xxxx"}
Response:
    - 200,验证通过，Token合法
    - 400,Token不合法或已过期
 

4.携带token请求接口

Token需要添加到HTTP请求头中，见下图
 
Key:Authorization
Value:JWT xxxxxxx

 

0X01 扩展Django User Model并与Django JWT结合

大概率会出现Django默认User Model字段不够用的情况，那么就需要继承User模块并添加字段。

添加一个APP用于新的User model

python manage.py startapp user_auth

1.models.py

User也是直接继承于AbsractUser的，所以我们直接继承该model并添加字段即可。

from django.contrib.auth.models import AbstractUser
from django.db import models
 
class UserInfo(AbstractUser):
    choice = (
        (1, 'admin'),
        (2, 'user')
    )
    user_type = models.IntegerField(choices=choice)

2.settings.py

修改Django Auth模块指向的model，改为我们重写后的model

AUTH_USER_MODEL = "user_auth.UserInfo"  # 重写user model后将用户认证指向重写后的model

3.保存更改

python manage.py makemigrations
python manage.py migrate

4.使用ModelViewSet和ModelSerializer

class UserSerializer(serializers.ModelSerializer):
 
    def create(self, validated_data):
        instance = UserInfo.objects.create_user(**validated_data)
        return instance
 
    def update(self, instance, validated_data):
        """
        只允许更新password字段
        :param instance:
        :param validated_data:
        :return:
        """
        instance.set_password(validated_data['password'])
        instance.save()
        return instance
 
    class Meta:
        model = UserInfo
        fields = ('id', 'username', 'user_type', 'date_joined', 'password')
        read_only_fields = ['date_joined']
        extra_kwargs = {'password': {'write_only': True}}
 
class UserViewSet(ModelViewSet):
    permission_classes = (UserReadAdminWrite,)
    queryset = UserInfo.objects.all()
    serializer_class = UserSerializer
 
    def destroy(self, request, *args, **kwargs):
        instance = self.get_object()
        if request.user.id == instance.id:
            return Response({'ERROR': '不能删除正在使用的用户'} ,status=status.HTTP_403_FORBIDDEN)
        self.perform_destroy(instance)
        return Response(status=status.HTTP_204_NO_CONTENT)

JWT更多设置参数及用法见 http://getblimp.github.io/django-rest-framework-jwt/

0X02 

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        #   设置访问权限为只读
        # 'rest_framework.permissions.IsAuthenticatedOrReadOnly',
        #   设置访问权限为必须登录
        'rest_framework.permissions.IsAuthenticated',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
        #  使用rest_framework的界面需要下列认证模块
        #'rest_framework.authentication.SessionAuthentication',
        #'rest_framework.authentication.BasicAuthentication',
    ),
}

如果加载了sessionAuthentication和BasicAuthentication模块，那么通过了JWT身份认证后，会设置一个cookide，session_id=xxx，使用该session_id，不使用Token也可以正常访问后台接口，如果只允许Token验证，需要注释掉session模块和basic模块。

源码：

Authentication类都必须继承于BaseAuthentication类：

class BaseAuthentication(object):
    """
    All authentication classes should extend BaseAuthentication.
    """
 
    def authenticate(self, request):
        """
        Authenticate the request and return a two-tuple of (user, token).
        """
        raise NotImplementedError(".authenticate() must be overridden.")
 
    def authenticate_header(self, request):
        """
        Return a string to be used as the value of the `WWW-Authenticate`
        header in a `401 Unauthenticated` response, or `None` if the
        authentication scheme should return `403 Permission Denied` responses.
        """
        pass
'
运行
运行

 

定义的Authentication类会在调用视图函数之前被调用：

class APIView(View):
 
    # The following policies may be set at either globally, or per-view.
    renderer_classes = api_settings.DEFAULT_RENDERER_CLASSES
    parser_classes = api_settings.DEFAULT_PARSER_CLASSES
    authentication_classes = api_settings.DEFAULT_AUTHENTICATION_CLASSES # ！！！#
    throttle_classes = api_settings.DEFAULT_THROTTLE_CLASSES
    permission_classes = api_settings.DEFAULT_PERMISSION_CLASSES
    content_negotiation_class = api_settings.DEFAULT_CONTENT_NEGOTIATION_CLASS
    metadata_class = api_settings.DEFAULT_METADATA_CLASS
    versioning_class = api_settings.DEFAULT_VERSIONING_CLASS
 
    # Allow dependency injection of other settings to make testing easier.
    settings = api_settings
 
    schema = DefaultSchema()

 

dispatch方法应该是用于处理所有请求，dispatch函数：

    def dispatch(self, request, *args, **kwargs):
        """
        `.dispatch()` is pretty much the same as Django's regular dispatch,
        but with extra hooks for startup, finalize, and exception handling.
        """
        self.args = args
        self.kwargs = kwargs
        request = self.initialize_request(request, *args, **kwargs)
        self.request = request
        self.headers = self.default_response_headers  # deprecate?
 
        try:
            self.initial(request, *args, **kwargs) # 该方法尤为重要，如下
 
            # Get the appropriate handler method
            if request.method.lower() in self.http_method_names:
                handler = getattr(self, request.method.lower(),
                                  self.http_method_not_allowed)
            else:
                handler = self.http_method_not_allowed
 
            response = handler(request, *args, **kwargs)
 
        except Exception as exc:
            response = self.handle_exception(exc)
 
        self.response = self.finalize_response(request, response, *args, **kwargs)
        return self.response

    def initial(self, request, *args, **kwargs):
        """
        运行所有在视图函数前应该被调用的东西
        """
        self.format_kwarg = self.get_format_suffix(**kwargs)
 
        # Perform content negotiation and store the accepted info on the request
        neg = self.perform_content_negotiation(request)
        request.accepted_renderer, request.accepted_media_type = neg
 
        # Determine the API version, if versioning is in use.
        version, scheme = self.determine_version(request, *args, **kwargs)
        request.version, request.versioning_scheme = version, scheme
 
        # Ensure that the incoming request is permitted
        self.perform_authentication(request) # 用户认证
        self.check_permissions(request) # 权限认证
        self.check_throttles(request) # 访问频率限制

用户认证的具体方法：

perform_authentication:该函数只有一个request.user属性，利用了property的特性，通过属性转换为方法。

    def perform_authentication(self, request):
        """
        Perform authentication on the incoming request.
        Note that if you override this and simply 'pass', then authentication
        will instead be performed lazily, the first time either
        `request.user` or `request.auth` is accessed.
        """
        request.user
'
运行
运行

调用的具体方法：

request.py的Request类的方法：

    @property
    def user(self):
        """
        Returns the user associated with the current request, as authenticated
        by the authentication classes provided to the request.
        """
        if not hasattr(self, '_user'):
            with wrap_attributeerrors():
                self._authenticate()  # 调用所有认证方法
        return self._user

_authenticate方法：遍历加载的所有authentication方法并认证，如果认证通过就添加request.user属性

    def _authenticate(self):
        """
        Attempt to authenticate the request using each authentication instance
        in turn.
        """
        for authenticator in self.authenticators:
            try:
                user_auth_tuple = authenticator.authenticate(self)
            except exceptions.APIException:
                self._not_authenticated()
                raise
 
            if user_auth_tuple is not None:
                self._authenticator = authenticator
                self.user, self.auth = user_auth_tuple
                return
 
        self._not_authenticated()
'
运行
运行

0X03 关于JWT的认证逻辑

1.登录，对应的是obtain_jwt_token这个视图，上面说过登录成功会返回一个Token

from rest_framework_jwt.views import obtain_jwt_token
urlpatterns = [
    path(r'login/', obtain_jwt_token),
]

在该视图使用的序列化器（JsonWebTokenSerializer）中，验证用户名密码的方法如下：

    def validate(self, attrs):
        credentials = {
            self.username_field: attrs.get(self.username_field),
            'password': attrs.get('password')
        }
 
        if all(credentials.values()):
            user = authenticate(**credentials)
 
            if user:
                if not user.is_active:
                    msg = _('User account is disabled.')
                    raise serializers.ValidationError(msg)
 
                payload = jwt_payload_handler(user)
 
                return {
                    'token': jwt_encode_handler(payload),
                    'user': user
                }
            else:
                msg = _('Unable to log in with provided credentials.')
                raise serializers.ValidationError(msg)
        else:
            msg = _('Must include "{username_field}" and "password".')
            msg = msg.format(username_field=self.username_field)
            raise serializers.ValidationError(msg)

进一步查看autenticate(**credentials)方法：

def authenticate(request=None, **credentials):
    """
    If the given credentials are valid, return a User object.
    """
    for backend, backend_path in _get_backends(return_tuples=True):
        try:
            inspect.getcallargs(backend.authenticate, request, **credentials)
        except TypeError:
            # This backend doesn't accept these credentials as arguments. Try the next one.
            continue
        try:
            user = backend.authenticate(request, **credentials)
        except PermissionDenied:
            # This backend says to stop in our tracks - this user should not be allowed in at all.
            break
        if user is None:
            continue
        # Annotate the user object with the path of the backend.
        user.backend = backend_path
        return user
'
运行
运行

这个认证利用的是Django的AUTHENTICATION_BACKENDS，_get_backends方法会获取所有注册的认证后台：

def _get_backends(return_tuples=False):
    backends = []
    for backend_path in settings.AUTHENTICATION_BACKENDS:
        backend = load_backend(backend_path)
        backends.append((backend, backend_path) if return_tuples else backend)
    if not backends:
        raise ImproperlyConfigured(
            'No authentication backends have been defined. Does '
            'AUTHENTICATION_BACKENDS contain anything?'
        )
    return backends

当调用 django.contrib.auth.authenticate() 方法时，Django将获取注册的所有认证后台，然后按顺序进行调用，直到某个认证后台认证成功，成功返回User对象，成功返回User对象后不会再进行后续的认证。认证后台的设置在settings.py中，默认没有该字段，但是具有默认值，默认值为(‘django.contrib.auth.backends.ModelBackend’,)，使用Django默认的用户认证进行认证。

2.登录成功后将获取到的Token携带到HTTP请求头中，即可完成验证，下面说下后台对Token的验证机制。

验证机制其实非常简单，就是对Token进行反序列化，获取Token中存取的username和过期时间，如果无法解析或用户名不存在或已过期，都会造成认证失败。

    def authenticate(self, request):
        """
        Returns a two-tuple of `User` and token if a valid signature has been
        supplied using JWT-based authentication.  Otherwise returns `None`.
        """
        jwt_value = self.get_jwt_value(request)
        if jwt_value is None:
            return None
 
        try:
            payload = jwt_decode_handler(jwt_value)
        except jwt.ExpiredSignature:
            msg = _('Signature has expired.')
            raise exceptions.AuthenticationFailed(msg)
        except jwt.DecodeError:
            msg = _('Error decoding signature.')
            raise exceptions.AuthenticationFailed(msg)
        except jwt.InvalidTokenError:
            raise exceptions.AuthenticationFailed()
 
        user = self.authenticate_credentials(payload)
 
        return (user, jwt_value)
'
运行
运行

3.

用户可以自行编写认证后台。在settings.py中添加：

AUTHENTICATION_BACKENDS = ('django.contrib.auth.backends.ModelBackend',) # 此为默认配置

用户自己的认证后台直接继承rest_framework authentication.py中的BaseAuthentication，然后按照要求编写即可。