0

我正在为我的 API 使用 djangorestframework 和 django-oauth-toolkit。

我有一个相当简单的用户注销视图,它支持带有令牌撤销的 DOT 注销和常规 Django 会话注销:

class UserLogoutView(APIView):
    permission_classes = (IsAuthenticated,)

    @staticmethod
    def post(request):
        logout(request)

        if request.auth is None:
            return Response('OK')

        app = request.auth.application
        client_id = app.client_id
        client_secret = app.client_secret
        token = request.auth.token

        r = requests.post(settings.OAUTH_URL.format('revoke-token'), data={
            'client_id': client_id,
            'client_secret': client_secret,
            'token': token,
        })

        if r.status_code != 200:
            raise AuthenticationFailed('Failed to revoke token')

        return Response('OK')

如果令牌撤销有问题,我希望得到一个错误的 401 响应,但相反我在服务器端收到一个错误(这是AuthenticationFailed作为回溯状态引发的结果):

AttributeError: 'Request' object has no attribute 'oauth2_error'

我想 DRF + DOT 组合的异常处理有问题,但是如何解决呢?

UPD:settings.py与 DRF、身份验证或 DOT 相关的所有内容:

INSTALLED_APPS = [
    ...
    'rest_framework',
    'oauth2_provider',
    ...
]

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

AUTHENTICATION_BACKENDS = [
    'oauth2_provider.backends.OAuth2Backend',
    'django.contrib.auth.backends.ModelBackend',
    'guardian.backends.ObjectPermissionBackend',
]

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'oauth2_provider.contrib.rest_framework.OAuth2Authentication',
        'rest_framework.authentication.SessionAuthentication',
    ),
}

UPD 2:我尝试根据模块文档(写在之后)删除SessionAuthentication和设置我的应用程序顺序,一切都没有运气。DEFAULT_AUTHENTICATION_CLASSESrest_frameworkoauth2_provider

4

1 回答 1

0

我遇到了同样的问题并找到了解决方案:django-oauth-tookit 1.2.0 中存在一个错误(请参阅https://github.com/jazzband/django-oauth-toolkit/pull/716),该错误已被修复在主分支中。不幸的是,没有新版本,所以我不得不继承 OAuth2Authentication 并提供缺失的属性:

 def authenticate_header(self, request):
     request.oauth2_error = {}
     return super().authenticate_header(request)
于 2019-10-23T09:17:20.027 回答