我有一个使用 Flask-Restless 来提供 API 的 Flask 应用程序。
我刚刚写了一些身份验证来检查
- 如果消费者主机被识别
- 请求包括一个哈希(通过加密 POST 的请求内容和 GET 的 URL 以及秘密 API 密钥来计算)和
- 哈希有效
我希望能够为此编写一些单元测试,但我不确定如何,因为我的函数使用请求对象。我应该嘲笑请求对象吗?
希望对此有一些建议。
配置
API_CONSUMERS = [{'name': 'localhost',
'host': '12.0.0.1:5000',
'api_key': 'Ahth2ea5Ohngoop5'},
{'name': 'localhost2',
'host': '127.0.0.1:5001',
'api_key': 'Ahth2ea5Ohngoop6'}]
身份验证方法
import hashlib
from flask import request
def is_authenticated(app):
"""
Checks that the consumers host is valid, the request has a hash and the
hash is the same when we excrypt the data with that hosts api key
Arguments:
app -- instance of the application
"""
consumers = app.config.get('API_CONSUMERS')
host = request.host
try:
api_key = next(d['api_key'] for d in consumers if d['host'] == host)
except StopIteration:
app.logger.info('Authentication failed: Unknown Host (' + host + ')')
return False
if not request.headers.get('hash'):
app.logger.info('Authentication failed: Missing Hash (' + host + ')')
return False
if request.method == 'GET':
hash = calculate_hash_from_url(api_key)
elif request.method == 'POST':
hash = calculate_hash_from_content(api_key)
if hash != request.headers.get('hash'):
app.logger.info('Authentication failed: Hash Mismatch (' + host + ')')
return False
return True
def calculate_hash_from_url(api_key):
"""
Calculates the hash using the url and that hosts api key
Arguments:
api_key -- api key for this host
"""
data_to_hash = request.base_url + '?' + request.query_string
data_to_hash += api_key
return hashlib.sha1(request_uri).hexdigest()
def calculate_hash_from_content(api_key):
"""
Calculates the hash using the request data and that hosts api key
Arguments:
api_key -- api key for this host
"""
data_to_hash = request.data
data_to_hash += api_key
return hashlib.sha1(data_to_hash).hexdigest()