• Django框架详细介绍---认证系统


      在web开发中通常设计网站的登录认证、注册等功能,Django恰好内置了功能完善的用户认证系统

    1.auth模块

    from django.contrib import auth

      模块源码

    import inspect
    import re
    import warnings
    
    from django.apps import apps as django_apps
    from django.conf import settings
    from django.core.exceptions import ImproperlyConfigured, PermissionDenied
    from django.middleware.csrf import rotate_token
    from django.utils.crypto import constant_time_compare
    from django.utils.deprecation import RemovedInDjango21Warning
    from django.utils.module_loading import import_string
    from django.utils.translation import LANGUAGE_SESSION_KEY
    
    from .signals import user_logged_in, user_logged_out, user_login_failed
    
    SESSION_KEY = '_auth_user_id'
    BACKEND_SESSION_KEY = '_auth_user_backend'
    HASH_SESSION_KEY = '_auth_user_hash'
    REDIRECT_FIELD_NAME = 'next'
    
    
    def load_backend(path):
        return import_string(path)()
    
    
    def _get_backends(return_tuples=False):
        backends = []
        for backend_path in settings.AUTHENTICATION_BACKENDS:
            backend = load_backend(backend_path)
            backends.append((backend, backend_path) if return_tuples else backend)
        if not backends:
            raise ImproperlyConfigured(
                'No authentication backends have been defined. Does '
                'AUTHENTICATION_BACKENDS contain anything?'
            )
        return backends
    
    
    def get_backends():
        return _get_backends(return_tuples=False)
    
    
    def _clean_credentials(credentials):
        """
        Clean a dictionary of credentials of potentially sensitive info before
        sending to less secure functions.
    
        Not comprehensive - intended for user_login_failed signal
        """
        SENSITIVE_CREDENTIALS = re.compile('api|token|key|secret|password|signature', re.I)
        CLEANSED_SUBSTITUTE = '********************'
        for key in credentials:
            if SENSITIVE_CREDENTIALS.search(key):
                credentials[key] = CLEANSED_SUBSTITUTE
        return credentials
    
    
    def _get_user_session_key(request):
        # This value in the session is always serialized to a string, so we need
        # to convert it back to Python whenever we access it.
        return get_user_model()._meta.pk.to_python(request.session[SESSION_KEY])
    
    
    def authenticate(request=None, **credentials):
        """
        If the given credentials are valid, return a User object.
        """
        for backend, backend_path in _get_backends(return_tuples=True):
            try:
                user = _authenticate_with_backend(backend, backend_path, request, credentials)
            except PermissionDenied:
                # This backend says to stop in our tracks - this user should not be allowed in at all.
                break
            if user is None:
                continue
            # Annotate the user object with the path of the backend.
            user.backend = backend_path
            return user
    
        # The credentials supplied are invalid to all backends, fire signal
        user_login_failed.send(sender=__name__, credentials=_clean_credentials(credentials), request=request)
    
    
    def _authenticate_with_backend(backend, backend_path, request, credentials):
        credentials = credentials.copy()  # Prevent a mutation from propagating.
        args = (request,)
        # Does the backend accept a request argument?
        try:
            inspect.getcallargs(backend.authenticate, request, **credentials)
        except TypeError:
            args = ()
            credentials.pop('request', None)
            # Does the backend accept a request keyword argument?
            try:
                inspect.getcallargs(backend.authenticate, request=request, **credentials)
            except TypeError:
                # Does the backend accept credentials without request?
                try:
                    inspect.getcallargs(backend.authenticate, **credentials)
                except TypeError:
                    # This backend doesn't accept these credentials as arguments. Try the next one.
                    return None
                else:
                    warnings.warn(
                        "Update %s.authenticate() to accept a positional "
                        "`request` argument." % backend_path,
                        RemovedInDjango21Warning
                    )
            else:
                credentials['request'] = request
                warnings.warn(
                    "In %s.authenticate(), move the `request` keyword argument "
                    "to the first positional argument." % backend_path,
                    RemovedInDjango21Warning
                )
        return backend.authenticate(*args, **credentials)
    
    
    def login(request, user, backend=None):
        """
        Persist a user id and a backend in the request. This way a user doesn't
        have to reauthenticate on every request. Note that data set during
        the anonymous session is retained when the user logs in.
        """
        session_auth_hash = ''
        if user is None:
            user = request.user
        if hasattr(user, 'get_session_auth_hash'):
            session_auth_hash = user.get_session_auth_hash()
    
        if SESSION_KEY in request.session:
            if _get_user_session_key(request) != user.pk or (
                    session_auth_hash and
                    not constant_time_compare(request.session.get(HASH_SESSION_KEY, ''), session_auth_hash)):
                # To avoid reusing another user's session, create a new, empty
                # session if the existing session corresponds to a different
                # authenticated user.
                request.session.flush()
        else:
            request.session.cycle_key()
    
        try:
            backend = backend or user.backend
        except AttributeError:
            backends = _get_backends(return_tuples=True)
            if len(backends) == 1:
                _, backend = backends[0]
            else:
                raise ValueError(
                    'You have multiple authentication backends configured and '
                    'therefore must provide the `backend` argument or set the '
                    '`backend` attribute on the user.'
                )
    
        request.session[SESSION_KEY] = user._meta.pk.value_to_string(user)
        request.session[BACKEND_SESSION_KEY] = backend
        request.session[HASH_SESSION_KEY] = session_auth_hash
        if hasattr(request, 'user'):
            request.user = user
        rotate_token(request)
        user_logged_in.send(sender=user.__class__, request=request, user=user)
    
    
    def logout(request):
        """
        Remove the authenticated user's ID from the request and flush their session
        data.
        """
        # Dispatch the signal before the user is logged out so the receivers have a
        # chance to find out *who* logged out.
        user = getattr(request, 'user', None)
        if hasattr(user, 'is_authenticated') and not user.is_authenticated:
            user = None
        user_logged_out.send(sender=user.__class__, request=request, user=user)
    
        # remember language choice saved to session
        language = request.session.get(LANGUAGE_SESSION_KEY)
    
        request.session.flush()
    
        if language is not None:
            request.session[LANGUAGE_SESSION_KEY] = language
    
        if hasattr(request, 'user'):
            from django.contrib.auth.models import AnonymousUser
            request.user = AnonymousUser()
    
    
    def get_user_model():
        """
        Return the User model that is active in this project.
        """
        try:
            return django_apps.get_model(settings.AUTH_USER_MODEL, require_ready=False)
        except ValueError:
            raise ImproperlyConfigured("AUTH_USER_MODEL must be of the form 'app_label.model_name'")
        except LookupError:
            raise ImproperlyConfigured(
                "AUTH_USER_MODEL refers to model '%s' that has not been installed" % settings.AUTH_USER_MODEL
            )
    
    
    def get_user(request):
        """
        Return the user model instance associated with the given request session.
        If no user is retrieved, return an instance of `AnonymousUser`.
        """
        from .models import AnonymousUser
        user = None
        try:
            user_id = _get_user_session_key(request)
            backend_path = request.session[BACKEND_SESSION_KEY]
        except KeyError:
            pass
        else:
            if backend_path in settings.AUTHENTICATION_BACKENDS:
                backend = load_backend(backend_path)
                user = backend.get_user(user_id)
                # Verify the session
                if hasattr(user, 'get_session_auth_hash'):
                    session_hash = request.session.get(HASH_SESSION_KEY)
                    session_hash_verified = session_hash and constant_time_compare(
                        session_hash,
                        user.get_session_auth_hash()
                    )
                    if not session_hash_verified:
                        request.session.flush()
                        user = None
    
        return user or AnonymousUser()
    
    
    def get_permission_codename(action, opts):
        """
        Return the codename of the permission for the specified action.
        """
        return '%s_%s' % (action, opts.model_name)
    
    
    def update_session_auth_hash(request, user):
        """
        Updating a user's password logs out all sessions for the user.
    
        Take the current request and the updated user object from which the new
        session hash will be derived and update the session hash appropriately to
        prevent a password change from logging out the session from which the
        password was changed.
        """
        request.session.cycle_key()
        if hasattr(user, 'get_session_auth_hash') and request.user == user:
            request.session[HASH_SESSION_KEY] = user.get_session_auth_hash()
    
    
    default_app_config = 'django.contrib.auth.apps.AuthConfig'
    auth源码

      模块内常用的内置方法:

      authenticate(request=None, **credentials),提供用户认证功能,验证用户名和密码是否正确,认证成功则返回该用户的对象

    # 判断用户是否存在以及认证
    user_obj = auth.authenticate(username=username, password=password)

      login(request, user, backend=None),通过HttpRequest对象和user对象进行登录验证,同时在后端为该用户生成session

    
    
    # 登录
    auth.login(request, user_obj)

      logout(request),查看logout源码可看出该方法内通过传入的request对象获取当前退出的用户将session清空

    def logout(request):
        # 退出登录
        auth.logout(request)
        return redirect("/bbs/login/")

      is_authenticated(self),判断当前请求是否通过了验证

     class AnonymousUser:  
        @property
        def is_authenticated(self):
            return False

      login_required(),auth提供的装饰器工具,用来快捷的视图添加登录校验,如果用户没有登录则跳转到Django中的global_setting.py内默认的URL(LOGIN_URL='/accounts/login/'),并传递当前访问的URL绝对路径,登陆成功后重定向到该路径

      如果需要自定义登录的URL,可在setting.py文件中指定LOGIN_URL

    LOGIN_URL = '/login/'  # 这里配置成你项目登录页面的路由
    from django.contrib.auth.decorators import login_required
          
    @login_required
    def index(request):
        ...
    # 源码
    def login_required(function=None, redirect_field_name=REDIRECT_FIELD_NAME, login_url=None):
        """
        Decorator for views that checks that the user is logged in, redirecting
        to the log-in page if necessary.
        """
        actual_decorator = user_passes_test(
            lambda u: u.is_authenticated,
            login_url=login_url,
            redirect_field_name=redirect_field_name
        )
        if function:
            return actual_decorator(function)
        return actual_decorator
    ***********************************************************************************************
    from django.contrib.auth import REDIRECT_FIELD_NAME
    REDIRECT_FIELD_NAME = 'next'

      create_user(self, username, eamil=None, password=None, **extra_fields),auth内提供的创建用户的方法

    # 源码
     def create_user(self, username, email=None, password=None, **extra_fields):
        extra_fields.setdefault('is_staff', False)
        extra_fields.setdefault('is_superuser', False)
        return self._create_user(username, email, password, **extra_fields)

      create_superuser(self, username, eamil, password, **extra_fields),auth内提供的创建用户的方法,

    def create_superuser(self, username, email, password, **extra_fields):
        extra_fields.setdefault('is_staff', True)
        extra_fields.setdefault('is_superuser', True)
    
        if extra_fields.get('is_staff') is not True:
            raise ValueError('Superuser must have is_staff=True.')
        if extra_fields.get('is_superuser') is not True:
            raise ValueError('Superuser must have is_superuser=True.')
    
        return self._create_user(username, email, password, **extra_fields)

      check_password(password),用于检查密码是否正确,正确返回True,错误返回False

    ok = user.check_password('密码')

      set_password(password),用于修改密码,接收新密码作为参数

    user.set_password(password='')
    user.save()

      User对象的相关属性:

    username  用户名(必填)
    password  密码,用哈希算法保存到数据库 is_staff  用户是否拥有网站的管理权限 is_active  是否允许用户登录, 设置为 False,可以在删除用户的前提下禁止用户登录

    2.扩展使用

      在通过AbstractUser类创建用户类时,可添加自定义字段,同时必须注意的是继承该类必须在setting.py中声明使用,一旦指定了新的认证系统使用的表,必须重新在数据库中创建该表,不能使用原来的auth_user表

    # 引用Django自带的User表,继承使用时需要设置
    AUTH_USER_MODEL = "APP名.UserInfo"

    示例:

      自定义用户类

    class UserInfo(AbstractUser):
        """
        用户信息表
        """
        nid = models.AutoField(primary_key=True)
        phone = models.CharField(max_length=11,
                                 null=True,
                                 unique=True)
        avatar = models.FileField(upload_to="avatars/")
    
        blog = models.OneToOneField(to="Blog",
                                    to_field="nid",
                                    null=True,
                                    on_delete=models.CASCADE)
    
        def __str__(self):
            return self.username
    
        class Meta:
            verbose_name = "用户信息"
            verbose_name_plural = verbose_name
    自定义用户类

      登录视图

    def login(request):
        form_obj = forms.LoginForm()
        if request.method == "POST":
            ret = {"code": 0}
            # 获取用户输入的用户名、密码、随机验证码
            username = request.POST.get("username")
            password = request.POST.get("password")
            v_code = request.POST.get("v_code", "")
            # 判断用户输入的随机验证码是否正确
            if v_code.upper() == request.session.get("v_code", ""):
                # 判断用户是否存在以及认证
                user_obj = auth.authenticate(username=username, password=password)
                if user_obj:
                    # 登录
                    auth.login(request, user_obj)
                    # 存放认证成功后可跳转的地址
                    ret["data"] = "/index/"
                else:
                    # 认证失败
                    ret["code"] = 1
                    ret["data"] = "用户名或密码错误"
            else:
                # 用户输入的随机验证码错误
                ret["code"] = 1
                ret["data"] = "验证码错误"
    
            return JsonResponse(ret)
    
        return render(request, "login.html", {"form_obj": form_obj})
    登录视图

       修改密码视图

    def change_password(request):
        user = request.user
        ret = {"code": 0}
        form_obj = forms.change_password()
    
        if request.method == "POST":
            old_password = request.POST.get("old_password")
            new_password = request.POST.get("new_password")
            re_password = request.POST.get("re_password")
    
            # 检查旧密码是否正确
            if user.check_password(old_password):
                if not new_password:
                    ret["data"] = "密码不能为空"
                    ret["code"] = 1
                elif new_password != re_password:
                    ret["data"] = "两次输入的密码不一致"
                    ret["code"] = 1
                else:
                    user.set_password(new_password)
                    user.save()
                    ret["data"] = "/bbs/login/"
            else:
                ret["data"] = "原密码输入错误"
                ret["code"] = 1
            return JsonResponse(ret)
        return render(request,
                      "change_password.html",
                      {"form_obj": form_obj},
                      )
    修改密码视图
  • 相关阅读:
    【python】使用matplotlib绘制多个子图时出现标题、轴标签等文字重叠的解决
    【python】反转字典键值
    关于MacOs python 安装tensorflow1.8版本时出现的问题及解决
    【Python】爬取百度图片进行人脸识别
    【转载】利用python、tensorflow、opencv实现人脸识别
    ubuntu16.04源码方式安装配置nginx
    ubuntu16.04 14.04更换源
    stdClass类
    redis常用配置项
    redis主从模式
  • 原文地址:https://www.cnblogs.com/mdzzbojo/p/9343531.html
Copyright © 2020-2023  润新知