Django：使用中间件将 JWT 更新并设置为 HttpOnly cookie。 Response() 返回 django.template.response.ContentNotRenderedE

Posted 2023-03-10

【中文标题】Django：使用中间件将 JWT 更新并设置为 HttpOnly cookie。 Response() 返回 django.template.response.ContentNotRenderedError

【英文标题】：Django: Renew and set JWTs as HttpOnly cookie using a middleware. Response() returning django.template.response.ContentNotRenderedError

【发布时间】：2021-05-20 17:14:56

【问题描述】：

我有一个自定义中间件，我在其中添加 SimpleJWR HTTP_AUTHORIZATION 到每个授权请求，因为我正在使用 HttpOnly cookie。另外在这里我添加了代码来检查access 令牌是否有效。如果不是，则使用requests 发送请求，该请求获取新的access 令牌并将其设置为HttpOnly cookie。到目前为止，我能够在新的access 令牌过期后获得它。但是，我发送请求的 url 返回了这个错误：

raise ContentNotRenderedError(
django.template.response.ContentNotRenderedError: The response content must be rendered before it can be accessed.

在第一次请求时它就起作用了。它返回响应并将令牌保存为HttpOnly cookie，但在令牌过期后，如果我再次发出请求，而不是（我想要发生的）将令牌保存为HttpOnly cookie 并再次返回相同的响应，它正在返回错误。

我认为问题出在response 语句中。我的中间件：

import jwt
import datetime
import requests
import json

from rest_framework.response import Response
from django.conf import settings

class AuthorizationHeaderMiddleware:
    def __init__(self, get_response=None):
        self.get_response = get_response

    def __call__(self, request):
        access_token = request.COOKIES.get('access')
        refesh_token = request.COOKIES.get('refresh')
        print(refesh_token)
        # check if the access token is valid
        # if not, send new access token to cookie
        if access_token:
            key = settings.SECRET_KEY
        try:
            decoded_access_token = jwt.decode(access_token, key, algorithms=["HS256"])
        except jwt.ExpiredSignatureError:
            # Signature has expired
            print("expired; sending for new token")
            url = 'http://127.0.0.1:8000/api/token/refresh/'
            data = "refresh": refesh_token
            resp = requests.post(
                url, 
                data=json.dumps(data),
                headers = 'content-type': 'application/json'
                )
            result = resp.json()
            new_access_token = result['access']
            response = Response()
            response.set_cookie('access', new_access_token, httponly=True)
            response.set_cookie('set', 'new')
            return response

            request.META['HTTP_AUTHORIZATION'] = f'Bearer access_token'
        return self.get_response(request)

这个错误是怎么来的，我该如何解决？

【参考方案1】：

试试这个：

def __call__(self, request):
    access_token = request.COOKIES.get('access')
    refesh_token = request.COOKIES.get('refresh')
    print(refesh_token)
    # check if the access token is valid
    # if not, send new access token to cookie
    if access_token is not None:
        key = settings.SECRET_KEY
    else:
        return Response("Error" : "No token found")
    try:
        decoded_access_token = jwt.decode(access_token, key, algorithms=["HS256"])
        request.META['HTTP_AUTHORIZATION'] = f'Bearer access_token'
        return self.get_response(request)
    except jwt.ExpiredSignatureError:
        # Signature has expired
        print("expired; sending for new token")
        url = 'http://127.0.0.1:8000/api/token/refresh/'
        data = "refresh": refesh_token
        resp = requests.post(
            url, 
            data=json.dumps(data),
            headers = 'content-type': 'application/json'
            )
        result = resp.json()
        new_access_token = result['access']
        response = Response()
        response.set_cookie('access', new_access_token, httponly=True)
        response.set_cookie('set', 'new')
        request.META['HTTP_AUTHORIZATION'] = f'Bearer new_access_token'
        
        return self.get_response(request)

【讨论】：

添加这些后我得到了这些错误：if response.get('X-Frame-Options') is not None: AttributeError: 'NoneType' object has no attribute 'get'

因为如果access_token当时没有在cookie中找到access_token返回None。我们的条件不满足。所以__call__ 方法没有返回任何响应。我编辑了我的答案。

另一种设置和获取 httponly cookie 的方法。检查这个：***.com/a/66248320/14131913) 并看到这个***.com/a/63622625/14131913 或github.com/HarryAustin/tweeter-DrfTest-httonlycookie/blob/main/…