JWT 认证

Posted a438842265

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了JWT 认证相关的知识,希望对你有一定的参考价值。

1. JWT工作原理

"""
1) jwt = base64(头部).base(载荷).hash256(base64(头部).base(载荷).密钥)
2) base64是可逆的算法、hash256是不可逆的算法
3) 密钥是固定的字符串,保存在服务器
"""

2. 安装

官网

http://jpadilla.github.io/django-rest-framework-jwt/

安装

pip install djangorestframework-jwt

3. 用法

在您的中 settings.py ,添加 JSONWebTokenAuthentication 到 Django REST 框架的 DEFAULT_AUTHENTICATION_CLASSES

REST_FRAMEWORK = {
    DEFAULT_PERMISSION_CLASSES: (
        rest_framework.permissions.IsAuthenticated,
    ),
    DEFAULT_AUTHENTICATION_CLASSES: (
        rest_framework_jwt.authentication.JSONWebTokenAuthentication,
        rest_framework.authentication.SessionAuthentication,
        rest_framework.authentication.BasicAuthentication,
    ),
}

# 设置token失效时间
import datetime 
JWT_AUTH = {
  # 过期时间
  ‘JWT_EXPIRATION_DELTA‘: datetime.timedelta(days=1),
  # 自定义认证结果:见下方序列化user和自定义response
  ‘JWT_RESPONSE_PAYLOAD_HANDLER‘: ‘user.utils.jwt_response_payload_handler‘,
}
 

序列化 user  自己创建

from rest_framework import serializers
from . import models
class UserModelSerializers(serializers.ModelSerializer):
    class Meta:
        model = models.User
        fields = [username]

自定义response

# 用处:你登陆成功之后 显示欢迎谁回来  在上面 要配置
from
.serializers import UserModelSerializers def jwt_response_payload_handler(token, user=None, request=None): return { status: 0, msg: ok, data: { token: token, user: UserModelSerializers(user).data } }

基于jwt的全局认证

import jwt
from rest_framework.exceptions import AuthenticationFailed
from rest_framework_jwt.authentication import jwt_decode_handler
from rest_framework_jwt.authentication import get_authorization_header
from rest_framework_jwt.authentication import BaseJSONWebTokenAuthentication

class JSONWebTokenAuthentication(BaseJSONWebTokenAuthentication):
    def authenticate(self, request):
        jwt_value = get_authorization_header(request)

        if not jwt_value:
            raise AuthenticationFailed(Authorization 字段是必须的)
        try:
            payload = jwt_decode_handler(jwt_value)
        except jwt.ExpiredSignature:
            raise AuthenticationFailed(签名过期)
        except jwt.InvalidTokenError:
            raise AuthenticationFailed(非法用户)
        user = self.authenticate_credentials(payload)

        return user, jwt_value

全局启用 settings

REST_FRAMEWORK = {
    # 认证模块
    DEFAULT_AUTHENTICATION_CLASSES: (
        user.authentications.JSONWebTokenAuthentication,
    ),
}

局部启用禁用:任何一个cbv类的首行

# 局部禁用
authentication_classes = []

# 局部启用
from user.authentications import JSONWebTokenAuthentication
authentication_classes = [JSONWebTokenAuthentication]

多方式登陆

import re
from .models import User
from django.contrib.auth.backends import ModelBackend
class JWTModelBackend(ModelBackend):
    def authenticate(self, request, username=None, password=None, **kwargs):
        try:
            if re.match(r^1[3-9]d{9}$, username):
                user = User.objects.get(mobile=username)
            else:
                user = User.objects.get(username=username)
        except User.DoesNotExist:
            return None
        if user.check_password(password) and self.user_can_authenticate(user):
            return user

配置多方式登陆 settings

AUTHENTICATION_BACKENDS = [user.utils.JWTModelBackend]

手动签发JWT:了解-可以拥有原生登陆基于Model类user对象签发JWT

from rest_framework_jwt.settings import api_settings

jwt_payload_handler = api_settings.JWT_PAYLOAD_HANDLER
jwt_encode_handler = api_settings.JWT_ENCODE_HANDLER

payload = jwt_payload_handler(user)
token = jwt_encode_handler(payload)

VUE

             # 页面  
         <div class="inp" v-if="login_type==0"> <input v-model = "username" type="text" placeholder="用户名 / 手机号码" class="user"> <input v-model = "password" type="password" name="" class="pwd" placeholder="密码"> <div id="geetest1"></div> <div class="rember"> <p> <input type="checkbox" class="no" v-model="remember"/> <span>记住密码</span> </p> <p>忘记密码</p> </div> <button class="login_btn" @click="loginHander">登录</button> <p class="go_login" >没有账号 <span>立即注册</span></p> </div>
<script>
export default {
  name: Login,
  data(){
    return {
        login_type: 0,
        username:"",
        password:"",
        remember:false,
    }
  },
  methods:{
    loginHander(){
        // 用户密码账号登录
        this.$axios.post(`${this.$settings.HOST}/user/login/`,{
            username:this.username,
            password:this.password,
        }).then(response=>{
            if(this.remember){
                // 记住登录状态
                sessionStorage.removeItem("user_token");
                sessionStorage.removeItem("user_id");
                sessionStorage.removeItem("user_name");
                localStorage.user_token = response.data.token;
                localStorage.user_id = response.data.id;
                localStorage.user_name = response.data.username;
            }else{
                // 不记住登录状态
                localStorage.removeItem("user_token");
                localStorage.removeItem("user_id");
                localStorage.removeItem("user_name");
                sessionStorage.user_token = response.data.token;
                sessionStorage.user_id = response.data.id;
                sessionStorage.user_name = response.data.username;
            }

            // 页面跳转
            let self = this;
            this.$alert("登录成功!","某某某网站",{
               callback(){
                    self.$router.push("/");
               }
            });

        }).catch(error=>{
            this.$message.error("对不起,登录失败!请确认密码或账号是否正确!");
        });
    },
   
};
</script>

 

以上是关于JWT 认证的主要内容,如果未能解决你的问题,请参考以下文章

webapi JWT 认证

JWT 认证成功,但是邮递员返回 404

重学SpringCloud系列八之微服务网关安全认证-JWT篇

对JWT认证流程的误解

调用 API 时使用 JWT 承载认证

Spring cloud微服务安全实战-6-2JWT认证之认证服务改造