RESTful接口的Token身份验证: token是否需要定期更换?
我正在使用Django和django-rest-framework构建一个RESTful应用程序接口。
作为身份验证机制,我们选择了"Token Authentication“,我已经按照Django-REST-Framework的文档实现了它,问题是,应用程序是否应该定期更新/更改令牌,如果是,如何更新?应该是移动应用程序需要更新令牌,还是web应用程序应该自主更新令牌?
最佳实践是什么?
这里有谁有过Django REST框架的经验,能给出一个技术解决方案吗?
(最后一个问题优先级较低)
回答 8
Stack Overflow用户
发布于 2013-03-13 16:56:55
让移动客户端定期更新其身份验证令牌是一种很好的做法。当然,这要由服务器来执行。
默认的TokenAuthentication类不支持此功能,但是您可以对其进行扩展以实现此功能。
例如:
from rest_framework.authentication import TokenAuthentication, get_authorization_header
from rest_framework.exceptions import AuthenticationFailed
class ExpiringTokenAuthentication(TokenAuthentication):
def authenticate_credentials(self, key):
try:
token = self.model.objects.get(key=key)
except self.model.DoesNotExist:
raise exceptions.AuthenticationFailed('Invalid token')
if not token.user.is_active:
raise exceptions.AuthenticationFailed('User inactive or deleted')
# This is required for the time comparison
utc_now = datetime.utcnow()
utc_now = utc_now.replace(tzinfo=pytz.utc)
if token.created < utc_now - timedelta(hours=24):
raise exceptions.AuthenticationFailed('Token has expired')
return token.user, token它还需要覆盖默认的rest框架登录视图,以便在登录完成时刷新令牌:
class ObtainExpiringAuthToken(ObtainAuthToken):
def post(self, request):
serializer = self.serializer_class(data=request.data)
if serializer.is_valid():
token, created = Token.objects.get_or_create(user=serializer.validated_data['user'])
if not created:
# update the created time of the token to keep it valid
token.created = datetime.datetime.utcnow()
token.save()
return Response({'token': token.key})
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
obtain_expiring_auth_token = ObtainExpiringAuthToken.as_view()别忘了修改urls:
urlpatterns += patterns(
'',
url(r'^users/login/?$', '<path_to_file>.obtain_expiring_auth_token'),
)Stack Overflow用户
发布于 2018-04-24 09:27:13
我想我应该用DRY给出一个Django 2.0的答案。已经有人为我们构建了这个,google Django OAuth ToolKit。可与pip、pip install django-oauth-toolkit一起使用。使用routers:https://django-oauth-toolkit.readthedocs.io/en/latest/rest-framework/getting_started.html添加标记ViewSets的说明。它类似于官方教程。
所以从根本上讲,OAuth1.0更像是过去的安全性,这就是TokenAuthentication。为了获得即将到期的令牌,OAuth2.0现在非常流行。您将获得一个AccessToken、RefreshToken和scope变量来微调权限。你最终会得到这样的证书:
{
"access_token": "<your_access_token>",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "<your_refresh_token>",
"scope": "read"
}Stack Overflow用户
发布于 2013-05-25 00:18:34
我尝试过@odedfos answer但I had misleading error。下面是相同的答案,固定的,并使用适当的导入。
views.py
from django.utils import timezone
from rest_framework import status
from rest_framework.response import Response
from rest_framework.authtoken.models import Token
from rest_framework.authtoken.views import ObtainAuthToken
class ObtainExpiringAuthToken(ObtainAuthToken):
def post(self, request):
serializer = self.serializer_class(data=request.DATA)
if serializer.is_valid():
token, created = Token.objects.get_or_create(user=serializer.object['user'])
if not created:
# update the created time of the token to keep it valid
token.created = datetime.datetime.utcnow().replace(tzinfo=utc)
token.save()
return Response({'token': token.key})
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)authentication.py
from datetime import timedelta
from django.conf import settings
from django.utils import timezone
from rest_framework.authentication import TokenAuthentication
from rest_framework import exceptions
EXPIRE_HOURS = getattr(settings, 'REST_FRAMEWORK_TOKEN_EXPIRE_HOURS', 24)
class ExpiringTokenAuthentication(TokenAuthentication):
def authenticate_credentials(self, key):
try:
token = self.model.objects.get(key=key)
except self.model.DoesNotExist:
raise exceptions.AuthenticationFailed('Invalid token')
if not token.user.is_active:
raise exceptions.AuthenticationFailed('User inactive or deleted')
if token.created < timezone.now() - timedelta(hours=EXPIRE_HOURS):
raise exceptions.AuthenticationFailed('Token has expired')
return (token.user, token)https://stackoverflow.com/questions/14567586
复制相似问题