我正在使用 Django 和django-rest-framework构建一个 RESTful API 。
作为身份验证机制,我们选择了“令牌身份验证”,并且我已经按照 Django-REST-Framework 的文档实现了它,问题是,应用程序是否应该定期更新/更改令牌,如果是,如何?应该是需要更新令牌的移动应用程序还是网络应用程序应该自主执行?
最佳做法是什么?
这里的任何人都对 Django REST 框架有经验并且可以提出技术解决方案吗?
(最后一个问题的优先级较低)
问问题
63008 次
11 回答
122
让移动客户端定期更新其身份验证令牌是一种很好的做法。这当然是由服务器来强制执行的。
默认的 TokenAuthentication 类不支持这个,但是你可以扩展它来实现这个功能。
例如:
from rest_framework.authentication import TokenAuthentication, get_authorization_header
from rest_framework.exceptions import AuthenticationFailed
class ExpiringTokenAuthentication(TokenAuthentication):
def authenticate_credentials(self, key):
try:
token = self.model.objects.get(key=key)
except self.model.DoesNotExist:
raise exceptions.AuthenticationFailed('Invalid token')
if not token.user.is_active:
raise exceptions.AuthenticationFailed('User inactive or deleted')
# This is required for the time comparison
utc_now = datetime.utcnow()
utc_now = utc_now.replace(tzinfo=pytz.utc)
if token.created < utc_now - timedelta(hours=24):
raise exceptions.AuthenticationFailed('Token has expired')
return token.user, token
还需要覆盖默认的 rest 框架登录视图,以便在登录时刷新令牌:
class ObtainExpiringAuthToken(ObtainAuthToken):
def post(self, request):
serializer = self.serializer_class(data=request.data)
if serializer.is_valid():
token, created = Token.objects.get_or_create(user=serializer.validated_data['user'])
if not created:
# update the created time of the token to keep it valid
token.created = datetime.datetime.utcnow()
token.save()
return Response({'token': token.key})
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
obtain_expiring_auth_token = ObtainExpiringAuthToken.as_view()
并且不要忘记修改网址:
urlpatterns += patterns(
'',
url(r'^users/login/?$', '<path_to_file>.obtain_expiring_auth_token'),
)
于 2013-03-13T08:56:54.827 回答
30
如果有人对该解决方案感兴趣,但想要一个在一段时间内有效的令牌,那么会被一个新令牌替换,这是完整的解决方案(Django 1.6):
你的模块/views.py:
import datetime
from django.utils.timezone import utc
from rest_framework.authtoken.views import ObtainAuthToken
from rest_framework.authtoken.models import Token
from django.http import HttpResponse
import json
class ObtainExpiringAuthToken(ObtainAuthToken):
def post(self, request):
serializer = self.serializer_class(data=request.DATA)
if serializer.is_valid():
token, created = Token.objects.get_or_create(user=serializer.object['user'])
utc_now = datetime.datetime.utcnow()
if not created and token.created < utc_now - datetime.timedelta(hours=24):
token.delete()
token = Token.objects.create(user=serializer.object['user'])
token.created = datetime.datetime.utcnow()
token.save()
#return Response({'token': token.key})
response_data = {'token': token.key}
return HttpResponse(json.dumps(response_data), content_type="application/json")
return HttpResponse(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
obtain_expiring_auth_token = ObtainExpiringAuthToken.as_view()
你的模块/urls.py:
from django.conf.urls import patterns, include, url
from weights import views
urlpatterns = patterns('',
url(r'^token/', 'yourmodule.views.obtain_expiring_auth_token')
)
您的项目 urls.py(在 urlpatterns 数组中):
url(r'^', include('yourmodule.urls')),
你的模块/身份验证.py:
import datetime
from django.utils.timezone import utc
from rest_framework.authentication import TokenAuthentication
from rest_framework import exceptions
class ExpiringTokenAuthentication(TokenAuthentication):
def authenticate_credentials(self, key):
try:
token = self.model.objects.get(key=key)
except self.model.DoesNotExist:
raise exceptions.AuthenticationFailed('Invalid token')
if not token.user.is_active:
raise exceptions.AuthenticationFailed('User inactive or deleted')
utc_now = datetime.datetime.utcnow()
if token.created < utc_now - datetime.timedelta(hours=24):
raise exceptions.AuthenticationFailed('Token has expired')
return (token.user, token)
在您的 REST_FRAMEWORK 设置中,将 ExpiringTokenAuthentication 添加为 Authentification 类而不是 TokenAuthentication:
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.SessionAuthentication',
#'rest_framework.authentication.TokenAuthentication',
'yourmodule.authentication.ExpiringTokenAuthentication',
),
}
于 2014-02-02T06:22:11.870 回答
7
以为我会使用 DRY 给出 Django 2.0 答案。有人已经为我们构建了这个,谷歌 Django OAuth ToolKit。可用于 pip pip install django-oauth-toolkit,. 使用路由器添加令牌视图集的说明: https ://django-oauth-toolkit.readthedocs.io/en/latest/rest-framework/getting_started.html 。跟官方教程差不多。
所以基本上 OAuth1.0 更像是昨天的安全性,这就是 TokenAuthentication。为了获得精美的过期令牌,OAuth2.0 现在风靡一时。您将获得一个 AccessToken、RefreshToken 和范围变量来微调权限。你最终会得到这样的信任:
{
"access_token": "<your_access_token>",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "<your_refresh_token>",
"scope": "read"
}
于 2018-04-24T01:27:13.393 回答
6
我试过@odedfos 的回答,但我有误导性的错误。这是相同的答案,已修复并具有适当的导入。
views.py
from django.utils import timezone
from rest_framework import status
from rest_framework.response import Response
from rest_framework.authtoken.models import Token
from rest_framework.authtoken.views import ObtainAuthToken
class ObtainExpiringAuthToken(ObtainAuthToken):
def post(self, request):
serializer = self.serializer_class(data=request.DATA)
if serializer.is_valid():
token, created = Token.objects.get_or_create(user=serializer.object['user'])
if not created:
# update the created time of the token to keep it valid
token.created = datetime.datetime.utcnow().replace(tzinfo=utc)
token.save()
return Response({'token': token.key})
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
authentication.py
from datetime import timedelta
from django.conf import settings
from django.utils import timezone
from rest_framework.authentication import TokenAuthentication
from rest_framework import exceptions
EXPIRE_HOURS = getattr(settings, 'REST_FRAMEWORK_TOKEN_EXPIRE_HOURS', 24)
class ExpiringTokenAuthentication(TokenAuthentication):
def authenticate_credentials(self, key):
try:
token = self.model.objects.get(key=key)
except self.model.DoesNotExist:
raise exceptions.AuthenticationFailed('Invalid token')
if not token.user.is_active:
raise exceptions.AuthenticationFailed('User inactive or deleted')
if token.created < timezone.now() - timedelta(hours=EXPIRE_HOURS):
raise exceptions.AuthenticationFailed('Token has expired')
return (token.user, token)
于 2013-05-24T16:18:33.863 回答
5
作者问
问题是,应用程序是否应该定期更新/更改令牌,如果是,如何?应该是需要更新令牌的移动应用程序还是网络应用程序应该自主执行?
但是所有的答案都是关于如何自动更改令牌的。
我认为通过令牌定期更改令牌是没有意义的。 其余框架创建一个有 40 个字符的令牌,如果攻击者每秒测试 1000 个令牌,则需要16**40/1000/3600/24/365=4.6*10^7数年才能获得令牌。您不必担心攻击者会一一测试您的令牌。即使你改变了你的令牌,猜到你令牌的概率是一样的。
如果你担心攻击者可能会得到你的令牌,所以你定期更改它,而不是攻击者得到令牌后,他也可以更改你的令牌,而不是真正的用户被踢出去。
您真正应该做的是防止攻击者获取您的用户令牌,请使用 https。
顺便说一句,我只是说逐个令牌更改令牌是没有意义的,通过用户名和密码更改令牌有时是有意义的。也许令牌用于某些 http 环境(您应该始终避免这种情况)或某些第三方(在这种情况下,您应该创建不同类型的令牌,使用 oauth2)以及当用户执行一些危险的事情时,例如更改绑定邮箱或删除帐户,您应该确保不再使用原始令牌,因为它可能已被攻击者使用嗅探器或 tcpdump 工具泄露。
于 2018-12-27T02:31:43.340 回答
4
您可以利用http://getblimp.github.io/django-rest-framework-jwt
该库能够生成具有到期日期的令牌
要了解 DRF 默认令牌和 DRF 提供的令牌之间的区别,请查看:
于 2015-05-09T05:25:47.360 回答
1
无论是针对移动客户端还是 Web 客户端,在您的应用程序上设置过期机制都是一种很好的做法。有两种常见的解决方案:
系统令牌过期(在特定时间之后),用户必须再次登录才能获得新的有效令牌。
系统会自动过期旧令牌(在特定时间之后)并用新令牌替换它(更改令牌)。
两种解决方案的共同点:
settings.py 中的更改
DEFAULT_AUTHENTICATION_CLASSES = [
# you replace right path of 'ExpiringTokenAuthentication' class
'accounts.token_utils.ExpiringTokenAuthentication'
]
TOKEN_EXPIRED_AFTER_MINUTES = 300
创建 token_utils.py
from django.conf import settings
from datetime import timedelta
from django.conf import settings
from django.utils import timezone
from rest_framework.authentication import TokenAuthentication
from rest_framework.authtoken.models import Token
from rest_framework.exceptions import AuthenticationFailed
def expires_in(token: Token):
elapsed_time = timezone.now() - token.created
return timedelta(minutes=settings.TOKEN_EXPIRED_AFTER_MINUTES) - elapsed_time
def is_token_expired(token):
return expires_in(token) < timedelta(seconds=0)
您的观点的变化:
@api_view(['GET'])
@authentication_classes([ExpiringTokenAuthentication])
@permission_classes([IsAuthenticated])
def test(request):
...
return Response(response, stat_code)
如果使用选项 1,请将这些行添加到 token_utils.py
def handle_token_expired(token):
Token.objects.filter(key=token).delete()
class ExpiringTokenAuthentication(TokenAuthentication):
def authenticate_credentials(self, key):
try:
token = Token.objects.get(key=key)
except Token.DoesNotExist:
raise AuthenticationFailed("Invalid Token!")
if not token.user.is_active:
raise AuthenticationFailed("User inactive or deleted")
if is_token_expired(token):
handle_token_expired(token)
msg = "The token is expired!, user have to login again."
response = {"msg": msg}
raise AuthenticationFailed(response)
return token.user, token
如果使用选项 2,请将这些行添加到 token_utils.py
def handle_token_expired(token):
is_expired = is_token_expired(token)
if is_expired:
token.delete()
token = Token.objects.create(user = token.user)
return is_expired, token
class ExpiringTokenAuthentication(TokenAuthentication):
"""
when token is expired, it will be removed
and new one will be created
"""
def authenticate_credentials(self, key):
try:
token = Token.objects.get(key = key)
except Token.DoesNotExist:
raise AuthenticationFailed("Invalid Token")
if not token.user.is_active:
raise AuthenticationFailed("User is not active")
is_expired, token = handle_token_expired(token)
if is_expired:
raise AuthenticationFailed("The Token is expired")
return (token.user, token)
于 2021-05-16T08:43:53.177 回答
0
如果您注意到令牌就像会话 cookie,那么您可以坚持 Django 中会话 cookie 的默认生命周期:https ://docs.djangoproject.com/en/1.4/ref/settings/#session-cookie-age 。
我不知道 Django Rest Framework 是否会自动处理该问题,但您始终可以编写一个简短的脚本来过滤掉过时的脚本并将它们标记为过期。
于 2013-02-18T17:10:06.630 回答
0
只是想我会添加我的,因为这对我有帮助。我通常使用 JWT 方法,但有时这样的方法更好。我使用正确的导入更新了 django 2.1 的公认答案。
身份验证.py
from datetime import timedelta
from django.conf import settings
from django.core.exceptions import ObjectDoesNotExist
from django.utils import timezone
from rest_framework.authentication import TokenAuthentication
from rest_framework import exceptions
EXPIRE_HOURS = getattr(settings, 'REST_FRAMEWORK_TOKEN_EXPIRE_HOURS', 24)
class ExpiringTokenAuthentication(TokenAuthentication):
def authenticate_credentials(self, key):
try:
token = self.get_model().objects.get(key=key)
except ObjectDoesNotExist:
raise exceptions.AuthenticationFailed('Invalid token')
if not token.user.is_active:
raise exceptions.AuthenticationFailed('User inactive or deleted')
if token.created < timezone.now() - timedelta(hours=EXPIRE_HOURS):
raise exceptions.AuthenticationFailed('Token has expired')
return token.user, token
视图.py
import datetime
from pytz import utc
from rest_framework import status
from rest_framework.response import Response
from rest_framework.authtoken.models import Token
from rest_framework.authtoken.views import ObtainAuthToken
from rest_framework.authtoken.serializers import AuthTokenSerializer
class ObtainExpiringAuthToken(ObtainAuthToken):
def post(self, request, **kwargs):
serializer = AuthTokenSerializer(data=request.data)
if serializer.is_valid():
token, created = Token.objects.get_or_create(user=serializer.validated_data['user'])
if not created:
# update the created time of the token to keep it valid
token.created = datetime.datetime.utcnow().replace(tzinfo=utc)
token.save()
return Response({'token': token.key})
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
于 2018-08-28T23:45:48.987 回答
0
只是为了继续添加@odedfos 答案,我认为语法已经发生了一些变化,因此 ExpiringTokenAuthentication 的代码需要一些调整:
from rest_framework.authentication import TokenAuthentication
from datetime import timedelta
from datetime import datetime
import datetime as dtime
import pytz
class ExpiringTokenAuthentication(TokenAuthentication):
def authenticate_credentials(self, key):
model = self.get_model()
try:
token = model.objects.get(key=key)
except model.DoesNotExist:
raise exceptions.AuthenticationFailed('Invalid token')
if not token.user.is_active:
raise exceptions.AuthenticationFailed('User inactive or deleted')
# This is required for the time comparison
utc_now = datetime.now(dtime.timezone.utc)
utc_now = utc_now.replace(tzinfo=pytz.utc)
if token.created < utc_now - timedelta(hours=24):
raise exceptions.AuthenticationFailed('Token has expired')
return token.user, token
另外,不要忘记将其添加到 DEFAULT_AUTHENTICATION_CLASSES 而不是 rest_framework.authentication.TokenAuthentication
于 2020-04-14T17:07:07.563 回答
0
如果有人想在一段时间不活动后使令牌过期,下面的答案会有所帮助。我正在调整这里给出的答案之一。我在我添加的代码中添加了注释
from rest_framework.authentication import TokenAuthentication
from datetime import timedelta
from datetime import datetime
import datetime as dtime
import pytz
class ExpiringTokenAuthentication(TokenAuthentication):
def authenticate_credentials(self, key):
model = self.get_model()
try:
token = model.objects.get(key=key)
except model.DoesNotExist:
raise exceptions.AuthenticationFailed('Invalid token')
if not token.user.is_active:
raise exceptions.AuthenticationFailed('User inactive or deleted')
# This is required for the time comparison
utc_now = datetime.now(dtime.timezone.utc)
utc_now = utc_now.replace(tzinfo=pytz.utc)
if token.created < utc_now - timedelta(minutes=15): # TOKEN WILL EXPIRE AFTER 15 MINUTES OF INACTIVITY
token.delete() # ADDED THIS LINE SO THAT EXPIRED TOKEN IS DELETED
raise exceptions.AuthenticationFailed('Token has expired')
else:
token.created = utc_now #THIS WILL SET THE token.created TO CURRENT TIME WITH EVERY REQUEST
token.save() #SAVE THE TOKEN
return token.user, token
于 2020-11-06T15:56:21.890 回答