如果我们不用使用drf那套认证规则,我们想自定义认证类,那么我们首先要知道,drf本身是如何定义认证规则的,也就是要查看它的源码是如何写的
源码的入口在APIView.py文件下的dispatch方法下的self.initial方法中的self.perform_authentication(request),点击查看后如下
def perform_authentication(self, request): """ Perform authentication on the incoming request. Note that if you override this and simply 'pass', then authentication will instead be performed lazily, the first time either `request.user` or `request.auth` is accessed. """ request.user返回了一个request的user方法,request代表的是drf的Request,所以我们进入drf的Request类中查找user方法属性,源码如下:
def user(self): """ Returns the user associated with the current request, as authenticated by the authentication classes provided to the request. """ if not hasattr(self, '_user'): with wrap_attributeerrors(): self._authenticate() return self._user上述代码的意思是:返回与当前请求关联的用户,由提供给请求的身份验证类进行身份验证。如果没有用户,我们需要通过_authenticate方法验证,我们查看下它的源码
def _authenticate(self): """ 尝试依次使用每个身份验证实例对请求进行身份验证。 """ for authenticator in self.authenticators: try: user_auth_tuple = authenticator.authenticate(self) except exceptions.APIException: self._not_authenticated() raise if user_auth_tuple is not None: self._authenticator = authenticator self.user, self.auth = user_auth_tuple return self._not_authenticated()我们可以看到self.authenticators验证器其实是调用父类APIView的authenticators,APIView的authenticators在源码initialize_request方法下的get_authenticators,我们查看源码
def get_authenticators(self): """ Instantiates and returns the list of authenticators that this view can use. """ return [auth() for auth in self.authentication_classes]再点击authentication_classes查看
authentication_classes = api_settings.DEFAULT_AUTHENTICATION_CLASSES我们就知道了drf默认的认证器在settings文件下的DEFAULT_AUTHENTICATION_CLASSES类下面
'DEFAULT_AUTHENTICATION_CLASSES': [ 'rest_framework.authentication.SessionAuthentication', 'rest_framework.authentication.BasicAuthentication' ],我们发现drf默认有2个认证类一个基础的认证,另一个session认证,这两个认证类都继承自BaseAuthentication,我们来看下源码
class BaseAuthentication: """ 所有的认证类都继承自BaseAuthentication. """ def authenticate(self, request): """ 认证请求返回一个二元组(user, token),并且此方法必须重写,否则抛出异常 """ raise NotImplementedError(".authenticate() must be overridden.") def authenticate_header(self, request): """ Return a string to be used as the value of the `WWW-Authenticate` header in a `401 Unauthenticated` response, or `None` if the authentication scheme should return `403 Permission Denied` responses. """ pass接下来我们看下BasicAuthentication如何写的,后续我们依葫芦画瓢
class BasicAuthentication(BaseAuthentication): """ 针对用户名密码的 HTTP 基本身份验证 """ www_authenticate_realm = 'api' def authenticate(self, request): """ 如果使用 HTTP 基本身份验证提供了正确的用户名和密码,则返回“User”。否则返回“None”。 """ # 获取请求头中`HTTP_AUTHORIZATION`,并进行分割 auth = get_authorization_header(request).split() # 如果没有auth或者auth的第一个索引值的小写不等于basic,则返回None if not auth or auth[0].lower() != b'basic': return None # auth列表的长度必须等于2,格式['basic', 'abc.xyz.123'] # 如果auth的长度等于1,则抛出异常 if len(auth) == 1: msg = _('Invalid basic header. No credentials provided.') raise exceptions.AuthenticationFailed(msg) # 如果长度大于2,也抛出异常 elif len(auth) > 2: msg = _('Invalid basic header. Credentials string should not contain spaces.') raise exceptions.AuthenticationFailed(msg) try: try: # auth[1]解码格式为utf-8 auth_decoded = base64.b64decode(auth[1]).decode('utf-8') except UnicodeDecodeError: auth_decoded = base64.b64decode(auth[1]).decode('latin-1') auth_parts = auth_decoded.partition(':') except (TypeError, UnicodeDecodeError, binascii.Error): msg = _('Invalid basic header. Credentials not correctly base64 encoded.') raise exceptions.AuthenticationFailed(msg) userid, password = auth_parts[0], auth_parts[2] return self.authenticate_credentials(userid, password, request) def authenticate_credentials(self, userid, password, request=None): """ Authenticate the userid and password against username and password with optional request for context. """ credentials = { get_user_model().USERNAME_FIELD: userid, 'password': password } user = authenticate(request=request, **credentials) if user is None: raise exceptions.AuthenticationFailed(_('Invalid username/password.')) if not user.is_active: raise exceptions.AuthenticationFailed(_('User inactive or deleted.')) return (user, None) def authenticate_header(self, request): return 'Basic realm="%s"' % self.www_authenticate_realm自定义认证类
创建继承BaseAuthentication的认证类
实现authenticate方法
实现体根据认证规则 确定 游客 正常用户 非法用户
进行全局或局部配置(一般采用全局配置)
认证规则
没有认证信息,返回None(游客)
有认证信息认证失败,抛异常(非法用户)
有认证信息认证成功,返回用户和认证信息的元组(合法用户)