Django:一个视图的基本身份验证(避免中间件)
Django: Basic Auth for one view (avoid middleware)
我需要为一个视图提供http-basic-auth。
我想避免修改中间件设置。
背景:这是一个由远程应用程序填充的视图。
当您执行基本身份验证请求时,您实际上是在向 Authorization header 添加凭据。在传输之前,这些凭据是 base64 编码的,因此您需要在接收时对其进行解码。
以下代码片段假定只有一个有效的用户名和密码:
import base64
def my_view(request):
auth_header = request.META.get('HTTP_AUTHORIZATION', '')
token_type, _, credentials = auth_header.partition(' ')
expected = base64.b64encode(b'username:password').decode()
if token_type != 'Basic' or credentials != expected:
return HttpResponse(status=401)
# Your authenticated code here:
...
如果您想与 User 模型的用户名和密码进行比较,请尝试以下操作:
def my_view(request):
auth_header = request.META.get('HTTP_AUTHORIZATION', '')
token_type, _, credentials = auth_header.partition(' ')
username, password = base64.b64decode(credentials).split(':')
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
return HttpResponse(status=401)
password_valid = user.check_password(password)
if token_type != 'Basic' or not password_valid:
return HttpResponse(status=401)
# Your authenticated code here:
...
请注意后一个版本不是很安全。乍一看,我可以看出它容易受到 timing attacks 的影响,例如
可以使用此库:https://github.com/hirokiky/django-basicauth
Basic auth utilities for Django.
文档展示了如何使用它:
Applying decorator to CBVs
To apply @basic_auth_requried decorator to Class Based Views, use
django.utils.decorators.method_decorator.
来源:https://github.com/hirokiky/django-basicauth#applying-decorator-to-cbvs
您可以尝试自定义装饰器(这似乎是推荐的方式 here and here)而不是添加新的中间件:
my_app/decorators.py:
import base64
from django.http import HttpResponse
from django.contrib.auth import authenticate
from django.conf import settings
def basicauth(view):
def wrap(request, *args, **kwargs):
if 'HTTP_AUTHORIZATION' in request.META:
auth = request.META['HTTP_AUTHORIZATION'].split()
if len(auth) == 2:
if auth[0].lower() == "basic":
uname, passwd = base64.b64decode(auth[1]).decode(
"utf8"
).split(':', 1)
user = authenticate(username=uname, password=passwd)
if user is not None and user.is_active:
request.user = user
return view(request, *args, **kwargs)
response = HttpResponse()
response.status_code = 401
response['WWW-Authenticate'] = 'Basic realm="{}"'.format(
settings.BASIC_AUTH_REALM
)
return response
return wrap
然后用它来装饰你的视图:
from my_app.decorators import basicauth
@basicauth
def my_view(request):
...
对于已经使用 django-rest-framework (DRF) 的用户:
DRF 有一个 BasicAuthentication class,它或多或少做了其他答案中描述的事情(参见 source)。
这个 class 也可以用在 "normal" Django 视图中。
例如:
from rest_framework.authentication import BasicAuthentication
def my_view(request):
# use django-rest-framework's basic authentication to get user
user = None
user_auth_tuple = BasicAuthentication().authenticate(request)
if user_auth_tuple is not None:
user, _ = user_auth_tuple
我需要为一个视图提供http-basic-auth。
我想避免修改中间件设置。
背景:这是一个由远程应用程序填充的视图。
当您执行基本身份验证请求时,您实际上是在向 Authorization header 添加凭据。在传输之前,这些凭据是 base64 编码的,因此您需要在接收时对其进行解码。
以下代码片段假定只有一个有效的用户名和密码:
import base64
def my_view(request):
auth_header = request.META.get('HTTP_AUTHORIZATION', '')
token_type, _, credentials = auth_header.partition(' ')
expected = base64.b64encode(b'username:password').decode()
if token_type != 'Basic' or credentials != expected:
return HttpResponse(status=401)
# Your authenticated code here:
...
如果您想与 User 模型的用户名和密码进行比较,请尝试以下操作:
def my_view(request):
auth_header = request.META.get('HTTP_AUTHORIZATION', '')
token_type, _, credentials = auth_header.partition(' ')
username, password = base64.b64decode(credentials).split(':')
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
return HttpResponse(status=401)
password_valid = user.check_password(password)
if token_type != 'Basic' or not password_valid:
return HttpResponse(status=401)
# Your authenticated code here:
...
请注意后一个版本不是很安全。乍一看,我可以看出它容易受到 timing attacks 的影响,例如
可以使用此库:https://github.com/hirokiky/django-basicauth
Basic auth utilities for Django.
文档展示了如何使用它:
Applying decorator to CBVs
To apply @basic_auth_requried decorator to Class Based Views, use django.utils.decorators.method_decorator.
来源:https://github.com/hirokiky/django-basicauth#applying-decorator-to-cbvs
您可以尝试自定义装饰器(这似乎是推荐的方式 here and here)而不是添加新的中间件:
my_app/decorators.py:
import base64
from django.http import HttpResponse
from django.contrib.auth import authenticate
from django.conf import settings
def basicauth(view):
def wrap(request, *args, **kwargs):
if 'HTTP_AUTHORIZATION' in request.META:
auth = request.META['HTTP_AUTHORIZATION'].split()
if len(auth) == 2:
if auth[0].lower() == "basic":
uname, passwd = base64.b64decode(auth[1]).decode(
"utf8"
).split(':', 1)
user = authenticate(username=uname, password=passwd)
if user is not None and user.is_active:
request.user = user
return view(request, *args, **kwargs)
response = HttpResponse()
response.status_code = 401
response['WWW-Authenticate'] = 'Basic realm="{}"'.format(
settings.BASIC_AUTH_REALM
)
return response
return wrap
然后用它来装饰你的视图:
from my_app.decorators import basicauth
@basicauth
def my_view(request):
...
对于已经使用 django-rest-framework (DRF) 的用户:
DRF 有一个 BasicAuthentication class,它或多或少做了其他答案中描述的事情(参见 source)。
这个 class 也可以用在 "normal" Django 视图中。
例如:
from rest_framework.authentication import BasicAuthentication
def my_view(request):
# use django-rest-framework's basic authentication to get user
user = None
user_auth_tuple = BasicAuthentication().authenticate(request)
if user_auth_tuple is not None:
user, _ = user_auth_tuple