Django REST Framework版本,认证,权限和频率

时间:Nov. 13, 2019 分类:Python web框架

目录:

版本

dispatch中执行了initial,里边有很多方法

def initial(self, request, *args, **kwargs):
        """
        Runs anything that needs to occur prior to calling the method handler.
        """
        self.format_kwarg = self.get_format_suffix(**kwargs)

        # Perform content negotiation and store the accepted info on the request
        neg = self.perform_content_negotiation(request)
        request.accepted_renderer, request.accepted_media_type = neg

        # Determine the API version, if versioning is in use.
        version, scheme = self.determine_version(request, *args, **kwargs)
        request.version, request.versioning_scheme = version, scheme

        # Ensure that the incoming request is permitted
        self.perform_authentication(request)
        self.check_permissions(request)
        self.check_throttles(request)
  • 版本 determine_version
  • 认证 perform_authentication
  • 权限 check_permissions
  • 频率 check_throttles

rest_framework.versioning中有很多的版本控制方法,例如AcceptHeaderVersioning,URLPathVersioning,NamespaceVersioning,HostNameVersioning和QueryParameterVersioning

version会被赋值到request.version,然后根据version做对应的处理

setting配置

REST_FRAMEWORK = {
    # 默认使用的版本控制类
    'DEFAULT_VERSIONING_CLASS': 'rest_framework.versioning.URLPathVersioning',
    # 允许的版本
    'ALLOWED_VERSIONS': ['v1', 'v2'],
    # 版本使用的参数名称
    'VERSION_PARAM': 'version',
    # 默认使用的版本
    'DEFAULT_VERSION': 'v1',
}

url配置

urlpatterns = [
    url(r"^(?P<version>[v1|v2]+)/test01", TestView.as_view()),
]

view逻辑

class TestView(APIView):
    def get(self, request, *args, **kwargs):
        print(request.versioning_scheme)
        ret = request.version
        if ret == "v1":
            return Response("版本v1的信息")
        elif ret == "v2":
            return Response("版本v2的信息")
        else:
            return Response("根本就匹配不到这个路由")

认证

model

class UserInfo(models.Model):
    username = models.CharField(max_length=32)
    token = models.UUIDField()

认证类

class MyAuth(BaseAuthentication):

    def authenticate(self, request):
        request_token = request.query_params.get("token", None)
        if not request_token:
            raise AuthenticationFailed({"code": 1001, "error": "缺少token"})
        token_obj = UserInfo.objects.filter(token=request_token).first()
        if not token_obj:
            raise AuthenticationFailed({"code": 1001, "error": "无效的token"})
        return token_obj.username, token_obj

视图使用认证

class TestAuthView(APIView):
    authentication_classes = [MyAuth, ]

    def get(self, request, *args, **kwargs):
        return Response("测试认证")

配置全局认证

REST_FRAMEWORK = {
    # 配置全局认证
    'DEFAULT_AUTHENTICATION_CLASSES': ["BRQP.utils.MyAuth", ]
}

权限

权限类

class MyPermission(BasePermission):
    message = "VIP用户才能访问"

    def has_permission(self, request, view):
        """
        自定义权限只有vip用户能访问,
        注意我们初始化时候的顺序是认证在权限前面的,所以只要认证通过~
        我们这里就可以通过request.user,拿到我们用户信息
        request.auth就能拿到用户对象
        """
        if request.user and request.auth.type == 2:
            return True
        else:
            return False

局部注册

class TestAuthView(APIView):
    permission_classes = [MyPermission, ]

    def get(self, request, *args, **kwargs):
        print(request.user)
        print(request.auth)
        username = request.user
        return Response(username)

全局注册

REST_FRAMEWORK = {
# 配置全局权限
    "DEFAULT_PERMISSION_CLASSES": ["BROP.utils.MyPermission"]
}

频率限制

from rest_framework.throttling import BaseThrottle
import time

VISIT_RECORD = {}


class MyThrottle(BaseThrottle):

    def __init__(self):
        self.history = None

    def allow_request(self, request, view):
        # 实现限流的逻辑
        # 以IP限流
        # 访问列表 {IP: [time1, time2, time3]}
        # 1, 获取请求的IP地址
        ip = request.META.get("REMOTE_ADDR")
        # 2,判断IP地址是否在访问列表
        now = time.time()
        if ip not in VISIT_RECORD:
            # --1, 不在 需要给访问列表添加key,value
            VISIT_RECORD[ip] = [now,]
            return True
            # --2 在 需要把这个IP的访问记录 把当前时间加入到列表
        history = VISIT_RECORD[ip]
        history.insert(0, now)
        # 3, 确保列表里最新访问时间以及最老的访问时间差 是1分钟
        while history and history[0] - history[-1] > 60:
            history.pop()
        self.history = history
        # 4,得到列表长度,判断是否是允许的次数
        if len(history) > 3:
            return False
        else:
            return True

    def wait(self):
        # 返回需要再等多久才能访问
        time = 60 - (self.history[0] - self.history[-1])
        return time

全局注册

REST_FRAMEWORK = {
    # ......
    # 频率限制的配置
    "DEFAULT_THROTTLE_CLASSES": ["Throttle.throttle.MyThrottle"],
    }
}

使用现成的

from rest_framework.throttling import SimpleRateThrottle


class MyVisitThrottle(SimpleRateThrottle):
    scope = "WD"

    def get_cache_key(self, request, view):
        return self.get_ident(request)

全局注册

REST_FRAMEWORK = {
    # 频率限制的配置
    "DEFAULT_THROTTLE_CLASSES": ["Throttle.throttle.MyVisitThrottle"],
    "DEFAULT_THROTTLE_RATES":{
        'WD':'5/m',         #速率配置每分钟不能超过5次访问,WD是scope定义的值,

    }
}