0

我想保护我的注册 api,因此也在注册过程中使用 client_id 和 client_secret(由 oauth2 应用程序创建)。我怎样才能做到这一点?

这是我对注册的看法

class RegisterUserView(generics.CreateAPIView):
    """
    POST auth/register/
    """
    serializer_class = UserRegistrationSerializer

    def post(self, request, *args, **kwargs):
        username = request.data.get("username", "")
        password = request.data.get("password", "")
        email = request.data.get("email", "")
        if not username and not password and not email:
            return Response(
                data={
                    "message": "username, password and email is required to register a user"
                },
                status=status.HTTP_400_BAD_REQUEST
            )
        new_user = User.objects.create_user(
            username=username, password=password, email=email
        )
        return Response(status=status.HTTP_201_CREATED)
4

1 回答 1

0

如果仅在收到 client_id 和 client_secret 时才应访问此 api,那么您可以尝试以下两种方法 -

  1. 进行自定义权限。这是正确的做法。链接 - https://www.django-rest-framework.org/api-guide/permissions/#custom-permissions

  2. 在 apiview 中检查 id 和 secret。这将是一个简单的出路。对于以下示例,我正在考虑您在请求标头中发送 client_id 和 client_secret

class RegisterUserView(generics.CreateAPIView):
    """
    POST auth/register/
    """
    serializer_class = UserRegistrationSerializer

    def post(self, request, *args, **kwargs):

        if((request.headers['Client-Id'] != client_id) or (request.headers['Client-Secret'] != client_secret):
            return Response(
                data={
                    "message": "Wrong Client id or Client Secret"
                },
                status=status.HTTP_400_BAD_REQUEST
            )


        username = request.data.get("username", "")
        password = request.data.get("password", "")
        email = request.data.get("email", "")
        if not username and not password and not email:
            return Response(
                data={
                    "message": "username, password and email is required to register a user"
                },
                status=status.HTTP_400_BAD_REQUEST
            )
        new_user = User.objects.create_user(
            username=username, password=password, email=email
        )
        return Response(status=status.HTTP_201_CREATED)
于 2020-02-11T07:58:03.613 回答