用户验证源码剖析,注意:一定要看代码的中文注释及其下面的一行代码!!!

1、准备一个路由和视图类,全局路由配置暂时忽略,当流程执行到下面的url:groupsSelectAll——> GroupsView的视图类下的as_view()方法

from django.conf.urls import url

from . import views


app_name = '[words]'
urlpatterns = [
    url(r'groupsSelectAll/', views.GroupsView.as_view(), name="groupsSelectAll"),   # 词组信息查询所有

]
class GroupsView(APIView):

    def get(self, request):
        conditions = {
            "id": request.query_params.get("wid"),
            "name": request.query_params.get("name"),
            "start_time": request.query_params.get("start_time"),
            "end_time": request.query_params.get("end_time"),
        }
        res = DataManager.select_by_conditions("words_groups", None, **conditions)
        return Response(data={"code": 200, "result": res})

2、但是GroupsView类下没有as_view方法,我们就要去它的父类APIView查看(我们点进去看as_view方法),这里我只复制方法源代码,大家只需要看中文注释及其下的代码语句。在这个方法中值得一提的是super关键字,如果请求视图类(就是GroupsView类,如果继承了多个父类)还有另一个父类,它先会查看这个父类是否有as_view方法。在这里它是会执行APIView的父类View中的as_view方法,然后我们再次查看父类View的as_view方法。第一个as_view方法是APIView类的,第二个as_view方法是View类的。

SRE实战 互联网时代守护先锋,助力企业售后服务体系运筹帷幄!一键直达领取阿里云限量特价优惠。 Django restframework用户登录认证组件增加及源码分析 Python 第1张
    @classmethod
    def as_view(cls, **initkwargs):
        """
        Store the original class on the view function.

        This allows us to discover information about the view when we do URL
        reverse lookups.  Used for breadcrumb generation.
        """
        if isinstance(getattr(cls, 'queryset', None), models.query.QuerySet):
            def force_evaluation():
                raise RuntimeError(
                    'Do not evaluate the `.queryset` attribute directly, '
                    'as the result will be cached and reused between requests. '
                    'Use `.all()` or call `.get_queryset()` instead.'
                )
            cls.queryset._fetch_all = force_evaluation

        # 执行父类的as_view方法
        view = super(APIView, cls).as_view(**initkwargs)
        view.cls = cls
        view.initkwargs = initkwargs

        # Note: session based authentication is explicitly CSRF validated,
        # all other authentication is CSRF exempt.
        return csrf_exempt(view)
APIView.as_view() Django restframework用户登录认证组件增加及源码分析 Python 第3张
    @classonlymethod
    def as_view(cls, **initkwargs):
        """Main entry point for a request-response process."""
        for key in initkwargs:
            if key in cls.http_method_names:
                raise TypeError("You tried to pass in the %s method name as a "
                                "keyword argument to %s(). Don't do that."
                                % (key, cls.__name__))
            if not hasattr(cls, key):
                raise TypeError("%s() received an invalid keyword %r. as_view "
                                "only accepts arguments that are already "
                                "attributes of the class." % (cls.__name__, key))

        # 执行view方法
        def view(request, *args, **kwargs):
            # 这里的cls就是我们的请求视图类,显而易见,这个self是请求试图类的对象
            self = cls(**initkwargs)
            if hasattr(self, 'get') and not hasattr(self, 'head'):
                self.head = self.get
            self.request = request
            self.args = args
            self.kwargs = kwargs
            # 然后这里就是执行dispatch方法
            return self.dispatch(request, *args, **kwargs)
        view.view_class = cls
        view.view_initkwargs = initkwargs

        # take name and docstring from class
        update_wrapper(view, cls, updated=())

        # and possible attributes set by decorators
        # like csrf_exempt from dispatch
        update_wrapper(view, cls.dispatch, assigned=())
        return view
View.as_view()

3、我们在第二个as_view方法中可以知道self是我们的请求视图类的对象,通过这个self调用dispatch方法,请求视图类中没有dispatch方法,是不是又去APIView类中执行dispatch方法。

Django restframework用户登录认证组件增加及源码分析 Python 第5张
def dispatch(self, request, *args, **kwargs):
        """
        `.dispatch()` is pretty much the same as Django's regular dispatch,
        but with extra hooks for startup, finalize, and exception handling.
        """
        self.args = args
        self.kwargs = kwargs
        # 这里是对原生的request加工处理,返回一个新的request对象
        request = self.initialize_request(request, *args, **kwargs)
        self.request = request
        self.headers = self.default_response_headers  # deprecate?

        try:
            # 初始化(用户登录认证,权限验证,访问频率限制)
            self.initial(request, *args, **kwargs)

            # Get the appropriate handler method
            if request.method.lower() in self.http_method_names:
                # 通过python的反射机制反射到请求视图类的方法名称
                handler = getattr(self, request.method.lower(),
                                  self.http_method_not_allowed)
            else:
                handler = self.http_method_not_allowed
            
            # 最后就是执行请求视图类的方法
            response = handler(request, *args, **kwargs)

        except Exception as exc:
            response = self.handle_exception(exc)

        self.response = self.finalize_response(request, response, *args, **kwargs)
        return self.response
APIView.dispatch()

4、在方法中先封装了原生的request对象,我们可以点进去查看新的request在原来的request的改进之处:先是封装了原生的request对象,然后又加了用户登录验证的“类”,现在慢慢进入了主题。以下添加APIView类的部分代码,也就是新的request对象用到的代码。

Django restframework用户登录认证组件增加及源码分析 Python 第7张
class APIView(View):

    # The following policies may be set at either globally, or per-view.
    # 如果请求视图类中没有这个属性,我们就使用默认的用户登录验证类
    authentication_classes = api_settings.DEFAULT_AUTHENTICATION_CLASSES

    def initialize_request(self, request, *args, **kwargs):
        """
        Returns the initial request object.
        """
        parser_context = self.get_parser_context(request)
        
        # 封装成新的request对象
        return Request(
            # 原生的request
            request,
            parsers=self.get_parsers(),
            # 点击查看用户认证的列表是什么
            authenticators=self.get_authenticators(),
            negotiator=self.get_content_negotiator(),
            parser_context=parser_context
        )

    def get_authenticators(self):
        """
        Instantiates and returns the list of authenticators that this view can use.
        """
        # 返回的是一个用户认证的对象,是一个列表的形式
        # 而且这个self.authentication_classes的值是先从请求视图类中寻找,再而从父类寻找
        return [auth() for auth in self.authentication_classes]
APIView

5、这个类中的self也是请求视图类的对象,如果self(请求试图类的对象)没有authentication_classes变量就会使用全局的配置文件中寻找,就是settings.py文件需要添加一个字典REST_FRAMEWORK={"DEFAULT_AUTHENTICATION_CLASSES":["类的全路径"]}类似的。这里我们假设全局配置文件中用户登录验证类或者我们自定义的用户登录验证类并且添加进去了。执行完下面的代码,我们上面的APIView.dispatch()方法中的self.request已经变成了新的request对象,我们接着往下看。

Django restframework用户登录认证组件增加及源码分析 Python 第9张
    def initial(self, request, *args, **kwargs):
        """
        Runs anything that needs to occur prior to calling the method handler.
        """
        self.format_kwarg = self.get_format_suffix(**kwargs)

        # Perform content negotiation and store the accepted info on the request
        neg = self.perform_content_negotiation(request)
        request.accepted_renderer, request.accepted_media_type = neg

        # Determine the API version, if versioning is in use.
        version, scheme = self.determine_version(request, *args, **kwargs)
        request.version, request.versioning_scheme = version, scheme

        # Ensure that the incoming request is permitted
        # 用户验证的方法,这个request 是加工之后的request
        self.perform_authentication(request)
        # 用户权限验证
        self.check_permissions(request)
        # 用户访问频率限制
        self.check_throttles(request)
APIView.initial()

5、这就到了我们的用户登录验证的戏码了。我们可以查看代码中的self.perform_authentication(request),里面就是一行代码request.user(这里我不添加了),我们可以直接点进去这个user方法的实现,这里直接添上Request类的部分代码,也就是user相关的代码。

Django restframework用户登录认证组件增加及源码分析 Python 第11张
class Request(object):
    @property
    def user(self):
        """
        Returns the user associated with the current request, as authenticated
        by the authentication classes provided to the request.
        """
        if not hasattr(self, '_user'):
            with wrap_attributeerrors():
                # 查看用户登录的验证操作
                self._authenticate()
        return self._user

    def _authenticate(self):
        """
        Attempt to authenticate the request using each authentication instance
        in turn.
        """
        # 这个self.authenticators是加工后request的,值是用户登录验证的对象列表
        for authenticator in self.authenticators:
            try:
                # 这个authenticate方法我们就可以在自定义的类中编写,
                # 主要功能可以查看用户是否登录验证(可根据数据库中的数据)
                user_auth_tuple = authenticator.authenticate(self)
            except exceptions.APIException:
                # 抛出异常时执行方法
                self._not_authenticated()
                raise

            if user_auth_tuple is not None:
                self._authenticator = authenticator
                self.user, self.auth = user_auth_tuple
                return

        # 全局配置文件没有配置和请求试图类中都没有authentication_classes变量及值
        self._not_authenticated()

    def _not_authenticated(self):
        """
        Set authenticator, user & authtoken representing an unauthenticated request.

        Defaults are None, AnonymousUser & None.
        """
        self._authenticator = None

        # 如果全局配置文件的REST_FRAMEWORK中没有都是默认None
        if api_settings.UNAUTHENTICATED_USER:
            self.user = api_settings.UNAUTHENTICATED_USER()
        else:
            self.user = None

        if api_settings.UNAUTHENTICATED_TOKEN:
            self.auth = api_settings.UNAUTHENTICATED_TOKEN()
        else:
            self.auth = None
Request

6、在Request类中会执行到user_auth_tuple = authenticator.authenticate(self),这个authenticator就是我们全局配置的用户登录类或者是请求视图类的authentication_classes变量列表元的对象,执行里面的authenticate方法,我们可以直接点进去查看authenticate方法。一般我们自定义这个用户登录验证类的话我们一般需要继承BaseAuthentication类,这样我们直接重写authenticate方法,里面的需求就是验证时候登录携带了token信息或者session信息又或者前后端定义的标准信息(只要是能识别用户登录了的信息即可)。

 

扫码关注我们
微信号:SRE实战
拒绝背锅 运筹帷幄