Django框架详细介绍---认证系统
在web开发中通常设计网站的登录认证、注册等功能,Django恰好内置了功能完善的用户认证系统
1.auth模块
from django.contrib import auth
模块源码
import inspect
import re
import warnings from django.apps import apps as django_apps
from django.conf import settings
from django.core.exceptions import ImproperlyConfigured, PermissionDenied
from django.middleware.csrf import rotate_token
from django.utils.crypto import constant_time_compare
from django.utils.deprecation import RemovedInDjango21Warning
from django.utils.module_loading import import_string
from django.utils.translation import LANGUAGE_SESSION_KEY from .signals import user_logged_in, user_logged_out, user_login_failed SESSION_KEY = '_auth_user_id'
BACKEND_SESSION_KEY = '_auth_user_backend'
HASH_SESSION_KEY = '_auth_user_hash'
REDIRECT_FIELD_NAME = 'next' def load_backend(path):
return import_string(path)() def _get_backends(return_tuples=False):
backends = []
for backend_path in settings.AUTHENTICATION_BACKENDS:
backend = load_backend(backend_path)
backends.append((backend, backend_path) if return_tuples else backend)
if not backends:
raise ImproperlyConfigured(
'No authentication backends have been defined. Does '
'AUTHENTICATION_BACKENDS contain anything?'
)
return backends def get_backends():
return _get_backends(return_tuples=False) def _clean_credentials(credentials):
"""
Clean a dictionary of credentials of potentially sensitive info before
sending to less secure functions. Not comprehensive - intended for user_login_failed signal
"""
SENSITIVE_CREDENTIALS = re.compile('api|token|key|secret|password|signature', re.I)
CLEANSED_SUBSTITUTE = '********************'
for key in credentials:
if SENSITIVE_CREDENTIALS.search(key):
credentials[key] = CLEANSED_SUBSTITUTE
return credentials def _get_user_session_key(request):
# This value in the session is always serialized to a string, so we need
# to convert it back to Python whenever we access it.
return get_user_model()._meta.pk.to_python(request.session[SESSION_KEY]) def authenticate(request=None, **credentials):
"""
If the given credentials are valid, return a User object.
"""
for backend, backend_path in _get_backends(return_tuples=True):
try:
user = _authenticate_with_backend(backend, backend_path, request, credentials)
except PermissionDenied:
# This backend says to stop in our tracks - this user should not be allowed in at all.
break
if user is None:
continue
# Annotate the user object with the path of the backend.
user.backend = backend_path
return user # The credentials supplied are invalid to all backends, fire signal
user_login_failed.send(sender=__name__, credentials=_clean_credentials(credentials), request=request) def _authenticate_with_backend(backend, backend_path, request, credentials):
credentials = credentials.copy() # Prevent a mutation from propagating.
args = (request,)
# Does the backend accept a request argument?
try:
inspect.getcallargs(backend.authenticate, request, **credentials)
except TypeError:
args = ()
credentials.pop('request', None)
# Does the backend accept a request keyword argument?
try:
inspect.getcallargs(backend.authenticate, request=request, **credentials)
except TypeError:
# Does the backend accept credentials without request?
try:
inspect.getcallargs(backend.authenticate, **credentials)
except TypeError:
# This backend doesn't accept these credentials as arguments. Try the next one.
return None
else:
warnings.warn(
"Update %s.authenticate() to accept a positional "
"`request` argument." % backend_path,
RemovedInDjango21Warning
)
else:
credentials['request'] = request
warnings.warn(
"In %s.authenticate(), move the `request` keyword argument "
"to the first positional argument." % backend_path,
RemovedInDjango21Warning
)
return backend.authenticate(*args, **credentials) def login(request, user, backend=None):
"""
Persist a user id and a backend in the request. This way a user doesn't
have to reauthenticate on every request. Note that data set during
the anonymous session is retained when the user logs in.
"""
session_auth_hash = ''
if user is None:
user = request.user
if hasattr(user, 'get_session_auth_hash'):
session_auth_hash = user.get_session_auth_hash() if SESSION_KEY in request.session:
if _get_user_session_key(request) != user.pk or (
session_auth_hash and
not constant_time_compare(request.session.get(HASH_SESSION_KEY, ''), session_auth_hash)):
# To avoid reusing another user's session, create a new, empty
# session if the existing session corresponds to a different
# authenticated user.
request.session.flush()
else:
request.session.cycle_key() try:
backend = backend or user.backend
except AttributeError:
backends = _get_backends(return_tuples=True)
if len(backends) == 1:
_, backend = backends[0]
else:
raise ValueError(
'You have multiple authentication backends configured and '
'therefore must provide the `backend` argument or set the '
'`backend` attribute on the user.'
) request.session[SESSION_KEY] = user._meta.pk.value_to_string(user)
request.session[BACKEND_SESSION_KEY] = backend
request.session[HASH_SESSION_KEY] = session_auth_hash
if hasattr(request, 'user'):
request.user = user
rotate_token(request)
user_logged_in.send(sender=user.__class__, request=request, user=user) def logout(request):
"""
Remove the authenticated user's ID from the request and flush their session
data.
"""
# Dispatch the signal before the user is logged out so the receivers have a
# chance to find out *who* logged out.
user = getattr(request, 'user', None)
if hasattr(user, 'is_authenticated') and not user.is_authenticated:
user = None
user_logged_out.send(sender=user.__class__, request=request, user=user) # remember language choice saved to session
language = request.session.get(LANGUAGE_SESSION_KEY) request.session.flush() if language is not None:
request.session[LANGUAGE_SESSION_KEY] = language if hasattr(request, 'user'):
from django.contrib.auth.models import AnonymousUser
request.user = AnonymousUser() def get_user_model():
"""
Return the User model that is active in this project.
"""
try:
return django_apps.get_model(settings.AUTH_USER_MODEL, require_ready=False)
except ValueError:
raise ImproperlyConfigured("AUTH_USER_MODEL must be of the form 'app_label.model_name'")
except LookupError:
raise ImproperlyConfigured(
"AUTH_USER_MODEL refers to model '%s' that has not been installed" % settings.AUTH_USER_MODEL
) def get_user(request):
"""
Return the user model instance associated with the given request session.
If no user is retrieved, return an instance of `AnonymousUser`.
"""
from .models import AnonymousUser
user = None
try:
user_id = _get_user_session_key(request)
backend_path = request.session[BACKEND_SESSION_KEY]
except KeyError:
pass
else:
if backend_path in settings.AUTHENTICATION_BACKENDS:
backend = load_backend(backend_path)
user = backend.get_user(user_id)
# Verify the session
if hasattr(user, 'get_session_auth_hash'):
session_hash = request.session.get(HASH_SESSION_KEY)
session_hash_verified = session_hash and constant_time_compare(
session_hash,
user.get_session_auth_hash()
)
if not session_hash_verified:
request.session.flush()
user = None return user or AnonymousUser() def get_permission_codename(action, opts):
"""
Return the codename of the permission for the specified action.
"""
return '%s_%s' % (action, opts.model_name) def update_session_auth_hash(request, user):
"""
Updating a user's password logs out all sessions for the user. Take the current request and the updated user object from which the new
session hash will be derived and update the session hash appropriately to
prevent a password change from logging out the session from which the
password was changed.
"""
request.session.cycle_key()
if hasattr(user, 'get_session_auth_hash') and request.user == user:
request.session[HASH_SESSION_KEY] = user.get_session_auth_hash() default_app_config = 'django.contrib.auth.apps.AuthConfig'
auth源码
模块内常用的内置方法:
authenticate(request=None, **credentials),提供用户认证功能,验证用户名和密码是否正确,认证成功则返回该用户的对象
# 判断用户是否存在以及认证
user_obj = auth.authenticate(username=username, password=password)
login(request, user, backend=None),通过HttpRequest对象和user对象进行登录验证,同时在后端为该用户生成session
# 登录
auth.login(request, user_obj)
logout(request),查看logout源码可看出该方法内通过传入的request对象获取当前退出的用户将session清空
def logout(request):
# 退出登录
auth.logout(request)
return redirect("/bbs/login/")
is_authenticated(self),判断当前请求是否通过了验证
class AnonymousUser:
@property
def is_authenticated(self):
return False
login_required(),auth提供的装饰器工具,用来快捷的视图添加登录校验,如果用户没有登录则跳转到Django中的global_setting.py内默认的URL(LOGIN_URL='/accounts/login/'),并传递当前访问的URL绝对路径,登陆成功后重定向到该路径
如果需要自定义登录的URL,可在setting.py文件中指定LOGIN_URL
LOGIN_URL = '/login/' # 这里配置成你项目登录页面的路由
from django.contrib.auth.decorators import login_required @login_required
def index(request):
...
# 源码
def login_required(function=None, redirect_field_name=REDIRECT_FIELD_NAME, login_url=None):
"""
Decorator for views that checks that the user is logged in, redirecting
to the log-in page if necessary.
"""
actual_decorator = user_passes_test(
lambda u: u.is_authenticated,
login_url=login_url,
redirect_field_name=redirect_field_name
)
if function:
return actual_decorator(function)
return actual_decorator
***********************************************************************************************
from django.contrib.auth import REDIRECT_FIELD_NAME
REDIRECT_FIELD_NAME = 'next'
create_user(self, username, eamil=None, password=None, **extra_fields),auth内提供的创建用户的方法
# 源码
def create_user(self, username, email=None, password=None, **extra_fields):
extra_fields.setdefault('is_staff', False)
extra_fields.setdefault('is_superuser', False)
return self._create_user(username, email, password, **extra_fields)
create_superuser(self, username, eamil, password, **extra_fields),auth内提供的创建用户的方法,
def create_superuser(self, username, email, password, **extra_fields):
extra_fields.setdefault('is_staff', True)
extra_fields.setdefault('is_superuser', True) if extra_fields.get('is_staff') is not True:
raise ValueError('Superuser must have is_staff=True.')
if extra_fields.get('is_superuser') is not True:
raise ValueError('Superuser must have is_superuser=True.') return self._create_user(username, email, password, **extra_fields)
check_password(password),用于检查密码是否正确,正确返回True,错误返回False
ok = user.check_password('密码')
set_password(password),用于修改密码,接收新密码作为参数
user.set_password(password='')
user.save()
User对象的相关属性:
username 用户名(必填)
password 密码,用哈希算法保存到数据库
is_staff 用户是否拥有网站的管理权限
is_active 是否允许用户登录, 设置为 False,可以在删除用户的前提下禁止用户登录
2.扩展使用
在通过AbstractUser类创建用户类时,可添加自定义字段,同时必须注意的是继承该类必须在setting.py中声明使用,一旦指定了新的认证系统使用的表,必须重新在数据库中创建该表,不能使用原来的auth_user表
# 引用Django自带的User表,继承使用时需要设置
AUTH_USER_MODEL = "APP名.UserInfo"
示例:
自定义用户类
class UserInfo(AbstractUser):
"""
用户信息表
"""
nid = models.AutoField(primary_key=True)
phone = models.CharField(max_length=11,
null=True,
unique=True)
avatar = models.FileField(upload_to="avatars/") blog = models.OneToOneField(to="Blog",
to_field="nid",
null=True,
on_delete=models.CASCADE) def __str__(self):
return self.username class Meta:
verbose_name = "用户信息"
verbose_name_plural = verbose_name
自定义用户类
登录视图
def login(request):
form_obj = forms.LoginForm()
if request.method == "POST":
ret = {"code": 0}
# 获取用户输入的用户名、密码、随机验证码
username = request.POST.get("username")
password = request.POST.get("password")
v_code = request.POST.get("v_code", "")
# 判断用户输入的随机验证码是否正确
if v_code.upper() == request.session.get("v_code", ""):
# 判断用户是否存在以及认证
user_obj = auth.authenticate(username=username, password=password)
if user_obj:
# 登录
auth.login(request, user_obj)
# 存放认证成功后可跳转的地址
ret["data"] = "/index/"
else:
# 认证失败
ret["code"] = 1
ret["data"] = "用户名或密码错误"
else:
# 用户输入的随机验证码错误
ret["code"] = 1
ret["data"] = "验证码错误" return JsonResponse(ret) return render(request, "login.html", {"form_obj": form_obj})
登录视图
修改密码视图
def change_password(request):
user = request.user
ret = {"code": 0}
form_obj = forms.change_password() if request.method == "POST":
old_password = request.POST.get("old_password")
new_password = request.POST.get("new_password")
re_password = request.POST.get("re_password") # 检查旧密码是否正确
if user.check_password(old_password):
if not new_password:
ret["data"] = "密码不能为空"
ret["code"] = 1
elif new_password != re_password:
ret["data"] = "两次输入的密码不一致"
ret["code"] = 1
else:
user.set_password(new_password)
user.save()
ret["data"] = "/bbs/login/"
else:
ret["data"] = "原密码输入错误"
ret["code"] = 1
return JsonResponse(ret)
return render(request,
"change_password.html",
{"form_obj": form_obj},
)
修改密码视图
Django框架详细介绍---认证系统的更多相关文章
- Django框架详细介绍---视图系统
Django视图系统 1.什么是视图 在Django中,一个视图函数/类,称为视图.实质就是一个用户自定义的简单函数,用来接收WEB请求并xing响应请求,响应的内容可以是一个HTML文件.重定向.一 ...
- Django框架详细介绍---模板系统
Django模板系统 官方文档: https://docs.djangoproject.com/en/2.0/ref/templates/builtins/#std:templatetag-for 1 ...
- Django框架详细介绍---中间件(认证)
一.绪论 在cookie和session的应用中,通过在视图函数内添加装饰器判断用户是否登录,把没有登录的用户请求跳转到登录页面,通过给几个特定视图函数加装饰器实现了这个需求.但是以后添加的视图函数可 ...
- Django框架详细介绍---cookie、session、自定义分页
1.cookie 在HTTP协议介绍中提到,该协议是无状态的,也就是每次请求都是独立的,它的执行情况和结果与前面的请求和之后的请求都无直接关系,它不会受前面的请求响应情况直接影响,也不会直接影响后面的 ...
- django框架进阶-auth认证系统-长期维护
################## django的认证系统 ####################### 我们在开发一个网站的时候,无可避免的需要设计实现网站的用户系统.此时我们需要 ...
- Django框架详细介绍---模型---ORM
一.概述 ORM(Object Relational Mapping),全称:对象关系映射,简单的说就是通过创建类.实例化出对象的方法,使得类.对象.对象的属性能够和数据库中的表.记录.字段意义对应. ...
- Django框架详细介绍---request对象
几个重要的函数 1.HttpRequest.get_host() 根据从HTTP_X_FORWARDED_HOST(如果打开 USE_X_FORWARDED_HOST,默认为False和 HTTP_H ...
- Django框架详细介绍---Admin后台管理
1.Admin组件使用 Django内集成了web管理工具,Django在启动过程中会执行setting.py文件,初始化Django内置组件.注册APP.添加环境变量等 # Application ...
- Django框架详细介绍---请求流程
Django请求流程图 1.客户端发送请求 2.wsgiref是Django封装的套接字,它将客户端发送过来的请求(请求头.请求体封装成request) 1)解析请求数据 2)封装响应数据 3.中间件 ...
随机推荐
- JMeter性能测试中控制业务比例
性能测试混合场景中,我们需要组合多个业务操作到场景中来.比如有一个论坛的业务分布如下:发布新帖与回复帖子的比例为2:3,那么我们在JMeter测试计划中如何控制其比例呢? 可以通过以下两种方式解决:多 ...
- 原生JavaScript中动画与特效的实现原理
现如今,许多页面上均有一些动画效果.适当的动画效果可以在一定程度上提高页面的美观度,具有提示效果的动画可以增强页面的易用性. 实现页面动画的途径一般有两种. 一种是通过操作JavaScript间接操作 ...
- ElasticSearch + Canal 开发千万级的实时搜索系统
公司是做社交相关产品的,社交类产品对搜索功能需求要求就比较高,需要根据用户城市.用户ID昵称等进行搜索. 项目原先的搜索接口采用SQL查询的方式实现,数据库表采用了按城市分表的方式.但随着业务的发展, ...
- mobile_竖向滑屏
竖向滑屏 元素最终事件 = 元素初始位置 + 手指滑动距离 移动端,"手指按下","手指移动" 两个事件即可(且不需要嵌套),有需要时才使用 "手指离 ...
- Qt支持哪些硬件通信协议???
如题,广大使用Qt开发嵌入式的伙伴们知道Qt支持哪些硬件通信协议的开发???目前已知的串口和网络TCP/IP协议开发支持,其他的呢??? 欢迎留言交流!!!
- mac charles抓安卓(小米)http包
网上有很多的教程说明如何操作,都写的很好,比如 https://blog.csdn.net/luochoudan/article/details/72801573,我在这里补充一点,非常重要的一点:手 ...
- F#周报2019年第15期
新闻 Hedgehog新站点 Bolero 0.4发布,增加远程认证 FsToolkit.ErrorHandling与Cvdm.ErrorHandling合并了 F#里的3D图形编程与游戏开发 有趣的 ...
- mvc模式的理解
一开始总是觉得dao层和service层没有区别,甚至觉得service层根本就是多余的,service层就是把dao层的内容调用了一下,然后重写了一次,后来才理解到,dao层是数据链路层,是与数据库 ...
- laravel读取excel
$filePath = 'storage/exports/成员信息.xls'; Excel::load($filePath, function ($reader) {// $data = $reade ...
- Redis主从复制详解
1. 概述 主从复制:主节点负责写数据,从节点负责读数据,主节点定期把数据同步到从节点保证数据的一致性 2. 主从复制的相关操作 (1)配置文件:在从服务器的配置文件中加入 slaveof<ma ...