中间件更新 request.user,但 request.user 在视图中变为 AnonymousUser
middleware updates request.user, but request.user becomes AnonymousUser in view
我写了一个简单的 JWT 中间件来从 JWT 获取用户。方法 get_user_from_jwt returns 一个 User 对象。
# app.middlewares.py
class JwtMiddleware:
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
self.process_request(request)
return self.get_response(request)
def process_request(self, request):
request.user = self.get_user_from_jwt(request.headers)
def get_user_pk_from_jwt(self, auth_header: str) -> int:
_, token = auth_header.split(' ')
decoded_payload = jwt.decode(token, settings.SECRET_KEY)
user_pk = decoded_payload.get('user_id', None)
return user_pk
def get_user_from_jwt(self, auth_header: str) -> User:
auth_header = headers.get('Authorization', None)
if auth_header:
try:
user_pk = self.get_user_pk_from_jwt(auth_header)
user = get_object_or_404(User, pk=user_pk)
return user
except Exception as error:
logging.error(f'Error decoding JWT due to: {str(error)}')
raise AuthenticationFailed
else:
raise NotAuthenticated
在设置中:
MIDDLEWARE = [
'corsheaders.middleware.CorsMiddleware',
'whitenoise.middleware.WhiteNoiseMiddleware',
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'app.middlewares.JwtMiddleware',
]
当我登录时,request.user 在中间件级别设置为正确的用户实例,但在视图中,request.user 变为 AnonymousUser。我也尝试切换中间件的顺序。有什么想法可以使用中间件更新我的视图中 request.user 的含义吗?
如果您在 Django 休息框架中使用 JWT 令牌身份验证,那么您需要更新您的身份验证后端。 request.user 在用户通过身份验证时自动设置。因此,如果您不对用户进行身份验证,您的 request.user 将被 AnonymousUser 覆盖。
需要写一个鉴权Class,比如JWTAuth,需要继承BaseAuthetication
from rest_framework import authentication, exceptions
class JWTAuth(authentication.BaseAuthentication):
authentication_header_prefix = 'Bearer'
def authenticate(self, request):
request.user = None
auth_header = authentication.get_authorization_header(request).split()
auth_header_prefix = self.authentication_header_prefix.lower()
if not auth_header:
return None
prefix = auth_header[0].decode('utf-8')
token = auth_header[1].decode('utf-8')
if prefix.lower() != auth_header_prefix:
return None
return self._authenticate_credentials(request, token)
def _authenticate_credentials(self, request, token):
try:
payload = jwt.decode(token, settings.SECRET_KEY)
except:
msg = 'Invalid authentication. Could not decode token.'
raise exceptions.AuthenticationFailed(msg)
try:
user = User.objects.get(pk=payload['id'])
except User.DoesNotExist:
msg = 'No user matching this token was found.'
raise exceptions.AuthenticationFailed(msg)
if not user.is_active:
msg = 'This user has been deactivated.'
raise exceptions.AuthenticationFailed(msg)
return user, token
在您的设置文件中
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'JWTAuth',
)
如果您还尝试自定义登录过程,则必须更新设置文件中的 AUTHENTICATION_BACKENDS。
我写了一个简单的 JWT 中间件来从 JWT 获取用户。方法 get_user_from_jwt returns 一个 User 对象。
# app.middlewares.py
class JwtMiddleware:
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
self.process_request(request)
return self.get_response(request)
def process_request(self, request):
request.user = self.get_user_from_jwt(request.headers)
def get_user_pk_from_jwt(self, auth_header: str) -> int:
_, token = auth_header.split(' ')
decoded_payload = jwt.decode(token, settings.SECRET_KEY)
user_pk = decoded_payload.get('user_id', None)
return user_pk
def get_user_from_jwt(self, auth_header: str) -> User:
auth_header = headers.get('Authorization', None)
if auth_header:
try:
user_pk = self.get_user_pk_from_jwt(auth_header)
user = get_object_or_404(User, pk=user_pk)
return user
except Exception as error:
logging.error(f'Error decoding JWT due to: {str(error)}')
raise AuthenticationFailed
else:
raise NotAuthenticated
在设置中:
MIDDLEWARE = [
'corsheaders.middleware.CorsMiddleware',
'whitenoise.middleware.WhiteNoiseMiddleware',
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'app.middlewares.JwtMiddleware',
]
当我登录时,request.user 在中间件级别设置为正确的用户实例,但在视图中,request.user 变为 AnonymousUser。我也尝试切换中间件的顺序。有什么想法可以使用中间件更新我的视图中 request.user 的含义吗?
如果您在 Django 休息框架中使用 JWT 令牌身份验证,那么您需要更新您的身份验证后端。 request.user 在用户通过身份验证时自动设置。因此,如果您不对用户进行身份验证,您的 request.user 将被 AnonymousUser 覆盖。
需要写一个鉴权Class,比如JWTAuth,需要继承BaseAuthetication
from rest_framework import authentication, exceptions
class JWTAuth(authentication.BaseAuthentication):
authentication_header_prefix = 'Bearer'
def authenticate(self, request):
request.user = None
auth_header = authentication.get_authorization_header(request).split()
auth_header_prefix = self.authentication_header_prefix.lower()
if not auth_header:
return None
prefix = auth_header[0].decode('utf-8')
token = auth_header[1].decode('utf-8')
if prefix.lower() != auth_header_prefix:
return None
return self._authenticate_credentials(request, token)
def _authenticate_credentials(self, request, token):
try:
payload = jwt.decode(token, settings.SECRET_KEY)
except:
msg = 'Invalid authentication. Could not decode token.'
raise exceptions.AuthenticationFailed(msg)
try:
user = User.objects.get(pk=payload['id'])
except User.DoesNotExist:
msg = 'No user matching this token was found.'
raise exceptions.AuthenticationFailed(msg)
if not user.is_active:
msg = 'This user has been deactivated.'
raise exceptions.AuthenticationFailed(msg)
return user, token
在您的设置文件中
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'JWTAuth',
)
如果您还尝试自定义登录过程,则必须更新设置文件中的 AUTHENTICATION_BACKENDS。