Django Rest Framework(2)
目录
一、认证
二、权限
三、限制访问频率
四、总结
一、认证(补充的一个点)
认证请求头
#!/usr/bin/env python # -*- coding:utf-8 -*- from rest_framework.views import APIView from rest_framework.response import Response from rest_framework.authentication import BaseAuthentication from rest_framework.permissions import BasePermission from rest_framework.request import Request from rest_framework import exceptions token_list = [ 'sfsfss123kuf3j123', 'asijnfowerkkf9812', ] class TestAuthentication(BaseAuthentication): def authenticate(self, request): """ 用户认证,如果验证成功后返回元组: (用户,用户Token) :param request: :return: None,表示跳过该验证; 如果跳过了所有认证,默认用户和Token和使用配置文件进行设置 self._authenticator = None if api_settings.UNAUTHENTICATED_USER: self.user = api_settings.UNAUTHENTICATED_USER() # 默认值为:匿名用户 else: self.user = None if api_settings.UNAUTHENTICATED_TOKEN: self.auth = api_settings.UNAUTHENTICATED_TOKEN()# 默认值为:None else: self.auth = None (user,token)表示验证通过并设置用户名和Token; AuthenticationFailed异常 """ val = request.query_params.get('token') if val not in token_list: raise exceptions.AuthenticationFailed("用户认证失败") return ('登录用户', '用户token') def authenticate_header(self, request): """ Return a string to be used as the value of the `WWW-Authenticate` header in a `401 Unauthenticated` response, or `None` if the authentication scheme should return `403 Permission Denied` responses. """ pass class TestPermission(BasePermission): message = "权限验证失败" def has_permission(self, request, view): """ 判断是否有权限访问当前请求 Return `True` if permission is granted, `False` otherwise. :param request: :param view: :return: True有权限;False无权限 """ if request.user == "管理员": return True # GenericAPIView中get_object时调用 def has_object_permission(self, request, view, obj): """ 视图继承GenericAPIView,并在其中使用get_object时获取对象时,触发单独对象权限验证 Return `True` if permission is granted, `False` otherwise. :param request: :param view: :param obj: :return: True有权限;False无权限 """ if request.user == "管理员": return True class TestView(APIView): # 认证的动作是由request.user触发 authentication_classes = [TestAuthentication, ] # 权限 # 循环执行所有的权限 permission_classes = [TestPermission, ] def get(self, request, *args, **kwargs): # self.dispatch print(request.user) print(request.auth) return Response('GET请求,响应内容') def post(self, request, *args, **kwargs): return Response('POST请求,响应内容') def put(self, request, *args, **kwargs): return Response('PUT请求,响应内容') views.py
# class MyAuthtication(BasicAuthentication): def authenticate(self, request): token = request.query_params.get('token') #注意是没有GET的,用query_params表示 if token == 'zxxzzxzc': return ('uuuuuu','afsdsgdf') #返回user,auth # raise AuthenticationFailed('认证错误') #只要抛出认证错误这样的异常就会去执行下面的函数 raise APIException('认证错误') def authenticate_header(self, request): #认证不成功的时候执行 return 'Basic reala="api"' class UserView(APIView): authentication_classes = [MyAuthtication,] def get(self,request,*args,**kwargs): print(request.user) print(request.auth) return Response('用户列表') 自定义认证功能
二、权限
1、需求:Host是匿名用户和用户都能访问 #匿名用户的request.user = none;User只有注册用户能访问
from app03 import views from django.conf.urls import url urlpatterns = [ # django rest framework url('^auth/', views.AuthView.as_view()), url(r'^hosts/', views.HostView.as_view()), url(r'^users/', views.UsersView.as_view()), url(r'^salary/', views.SalaryView.as_view()), ] urls.py
class SalaryView(APIView): '''用户能访问''' message ='无权访问' authentication_classes = [MyAuthentication,] #验证是不是用户 permission_classes = [MyPermission,AdminPermission,] #再看用户有没有权限,如果有权限在判断有没有管理员的权限 def get(self,request): return Response('薪资列表') def permission_denied(self, request, message=None): """ If request is not permitted, determine what kind of exception to raise. """ if request.authenticators and not request.successful_authenticator: '''如果没有通过认证,并且权限中return False了,就会报下面的这个异常了''' raise exceptions.NotAuthenticated(detail='无权访问') raise exceptions.PermissionDenied(detail=message) 认证和权限配合使用
from django.shortcuts import render from rest_framework.views import APIView #继承的view from rest_framework.response import Response #友好的返回 from rest_framework.authentication import BaseAuthentication #认证的类 from rest_framework.authentication import BasicAuthentication from rest_framework.permissions import BasePermission from app01 import models from rest_framework import exceptions from rest_framework.permissions import AllowAny #权限在这个类里面 from rest_framework.throttling import BaseThrottle,SimpleRateThrottle # Create your views here. # +++++++++++++++认证类和权限类======================== class MyAuthentication(BaseAuthentication): def authenticate(self, request): token = request.query_params.get('token') obj = models.UserInfo.objects.filter(token=token).first() if obj : #如果认证成功,返回用户名和auth return (obj.username,obj) return None #如果没有认证成功就不处理,进行下一步 def authenticate_header(self, request): pass class MyPermission(BasePermission): message = '无权访问' def has_permission(self,request,view): #has_permission里面的self是view视图对象 if request.user: return True #如果不是匿名用户就说明有权限 return False #否则无权限 class AdminPermission(BasePermission): message = '无权访问' def has_permission(self, request, view): # has_permission里面的self是view视图对象 if request.user=='haiyun': return True # 返回True表示有权限 return False #返回False表示无权限 # +++++++++++++++++++++++++++ class AuthView(APIView): authentication_classes = [] #认证页面不需要认证 def get(self,request): self.dispatch return '认证列表' class HostView(APIView): '''需求: Host是匿名用户和用户都能访问 #匿名用户的request.user = none User只有注册用户能访问 ''' authentication_classes = [MyAuthentication,] permission_classes = [] #都能访问就没必要设置权限了 def get(self,request): print(request.user) print(request.auth) print(111111) return Response('主机列表') class UsersView(APIView): '''用户能访问,request.user里面有值''' authentication_classes = [MyAuthentication,] permission_classes = [MyPermission,AdminPermission] def get(self,request): print(request.user,'111111111') return Response('用户列表') def permission_denied(self, request, message=None): """ If request is not permitted, determine what kind of exception to raise. """ if request.authenticators and not request.successful_authenticator: '''如果没有通过认证,并且权限中return False了,就会报下面的这个异常了''' raise exceptions.NotAuthenticated(detail='无权访问22222') raise exceptions.PermissionDenied(detail=message) class SalaryView(APIView): '''用户能访问''' message ='无权访问' authentication_classes = [MyAuthentication,] #验证是不是用户 permission_classes = [MyPermission,AdminPermission,] #再看用户有没有权限,如果有权限在判断有没有管理员的权限 def get(self,request): return Response('薪资列表') def permission_denied(self, request, message=None): """ If request is not permitted, determine what kind of exception to raise. """ if request.authenticators and not request.successful_authenticator: '''如果没有通过认证,并且权限中return False了,就会报下面的这个异常了''' raise exceptions.NotAuthenticated(detail='无权访问') raise exceptions.PermissionDenied(detail=message) Views
如果遇上这样的,还可以自定制,参考源码
def check_permissions(self, request): """ Check if the request should be permitted. Raises an appropriate exception if the request is not permitted. """ for permission in self.get_permissions(): #循环每一个permission对象,调用has_permission #如果False,则抛出异常 #True 说明有权访问 if not permission.has_permission(request, self): self.permission_denied( request, message=getattr(permission, 'message', None) )
def permission_denied(self, request, message=None): """ If request is not permitted, determine what kind of exception to raise. """ if request.authenticators and not request.successful_authenticator: '''如果没有通过认证,并且权限中return False了,就会报下面的这个异常了''' raise exceptions.NotAuthenticated() raise exceptions.PermissionDenied(detail=message)
那么我们可以重写permission_denied这个方法,如下:
class UsersView(APIView): '''用户能访问,request.user里面有值''' authentication_classes = [MyAuthentication,] permission_classes = [MyPermission,] def get(self,request): return Response('用户列表') def permission_denied(self, request, message=None): """ If request is not permitted, determine what kind of exception to raise. """ if request.authenticators and not request.successful_authenticator: '''如果没有通过认证,并且权限中return False了,就会报下面的这个异常了''' raise exceptions.NotAuthenticated(detail='无权访问') raise exceptions.PermissionDenied(detail=message) views.py
2. 全局使用
上述操作中均是对单独视图进行特殊配置,如果想要对全局进行配置,则需要再配置文件中写入即可。
REST_FRAMEWORK = { 'UNAUTHENTICATED_USER': None, 'UNAUTHENTICATED_TOKEN': None, #将匿名用户设置为None "DEFAULT_AUTHENTICATION_CLASSES": [ "app01.utils.MyAuthentication", ], 'DEFAULT_PERMISSION_CLASSES':[ "app03.utils.MyPermission",#设置路径, ] } settings.py
class AuthView(APIView): authentication_classes = [] #认证页面不需要认证 def get(self,request): self.dispatch return '认证列表' class HostView(APIView): '''需求: Host是匿名用户和用户都能访问 #匿名用户的request.user = none User只有注册用户能访问 ''' authentication_classes = [MyAuthentication,] permission_classes = [] #都能访问就没必要设置权限了 def get(self,request): print(request.user) print(request.auth) return Response('主机列表') class UsersView(APIView): '''用户能访问,request.user里面有值''' authentication_classes = [MyAuthentication,] permission_classes = [MyPermission,] def get(self,request): print(request.user,'111111111') return Response('用户列表') def permission_denied(self, request, message=None): """ If request is not permitted, determine what kind of exception to raise. """ if request.authenticators and not request.successful_authenticator: '''如果没有通过认证,并且权限中return False了,就会报下面的这个异常了''' raise exceptions.NotAuthenticated(detail='无权访问') raise exceptions.PermissionDenied(detail=message) class SalaryView(APIView): '''用户能访问''' message ='无权访问' authentication_classes = [MyAuthentication,] #验证是不是用户 permission_classes = [MyPermission,AdminPermission,] #再看用户有没有权限,如果有权限在判断有没有管理员的权限 def get(self,request): return Response('薪资列表') def permission_denied(self, request, message=None): """ If request is not permitted, determine what kind of exception to raise. """ if request.authenticators and not request.successful_authenticator: '''如果没有通过认证,并且权限中return False了,就会报下面的这个异常了''' raise exceptions.NotAuthenticated(detail='无权访问') raise exceptions.PermissionDenied(detail=message) Views.py
三、限流
1、为什么要限流呢?
答:
- - 第一点:爬虫,反爬
- - 第二点:控制 API 访问次数
- - 登录用户的用户名可以做标识
- 匿名用户可以参考 ip,但是 ip可以加代理。.
只要你想爬,早晚有一天可以爬。
2、限制访问频率源码分析
1 self.check_throttles(request)
def check_throttles(self, request): """ Check if request should be throttled. Raises an appropriate exception if the request is throttled. """ for throttle in self.get_throttles(): #循环每一个throttle对象,执行allow_request方法 # allow_request: #返回False,说明限制访问频率 #返回True,说明不限制,通行 if not throttle.allow_request(request, self): self.throttled(request, throttle.wait()) #throttle.wait()表示还要等多少秒就能访问了 check_throttles
1 def get_throttles(self): 2 """ 3 Instantiates and returns the list of throttles that this view uses. 4 """ 5 #返回对象 6 return [throttle() for throttle in self.throttle_classes]
1 throttle_classes = api_settings.DEFAULT_THROTTLE_CLASSES
class BaseThrottle(object): """ Rate throttling of requests. """ def allow_request(self, request, view): """ Return `True` if the request should be allowed, `False` otherwise. """ raise NotImplementedError('.allow_request() must be overridden') def get_ident(self, request): """ Identify the machine making the request by parsing HTTP_X_FORWARDED_FOR if present and number of proxies is > 0. If not use all of HTTP_X_FORWARDED_FOR if it is available, if not use REMOTE_ADDR. """ xff = request.META.get('HTTP_X_FORWARDED_FOR') remote_addr = request.META.get('REMOTE_ADDR') num_proxies = api_settings.NUM_PROXIES if num_proxies is not None: if num_proxies == 0 or xff is None: return remote_addr addrs = xff.split(',') client_addr = addrs[-min(num_proxies, len(addrs))] return client_addr.strip() return ''.join(xff.split()) if xff else remote_addr def wait(self): """ Optionally, return a recommended number of seconds to wait before the next request. """ return None BaseThrottle
1 zz
1 def throttled(self, request, wait): 2 """ 3 If request is throttled, determine what kind of exception to raise. 4 """ 5 raise exceptions.Throttled(wait)
class Throttled(APIException): status_code = status.HTTP_429_TOO_MANY_REQUESTS default_detail = _('Request was throttled.') extra_detail_singular = 'Expected available in {wait} second.' extra_detail_plural = 'Expected available in {wait} seconds.' default_code = 'throttled' def __init__(self, wait=None, detail=None, code=None): if detail is None: detail = force_text(self.default_detail) if wait is not None: wait = math.ceil(wait) detail = ' '.join(( detail, force_text(ungettext(self.extra_detail_singular.format(wait=wait), self.extra_detail_plural.format(wait=wait), wait)))) self.wait = wait super(Throttled, self).__init__(detail, code) raise exceptions.Throttled(wait)错误信息详情
下面来看看最简单的从源码中分析的示例,这只是举例说明了一下
1 from django.conf.urls import url 2 from app04 import views 3 urlpatterns = [ 4 url('limit/',views.LimitView.as_view()), 5 6 ]
from django.shortcuts import render from rest_framework.views import APIView from rest_framework.response import Response from rest_framework import exceptions # from rest_framewor import # Create your views here. class MyThrottle(object): def allow_request(self,request,view): #返回False,限制 #返回True,不限制 pass def wait(self): return 1000 class LimitView(APIView): authentication_classes = [] #不让认证用户 permission_classes = [] #不让验证权限 throttle_classes = [MyThrottle, ] def get(self,request): # self.dispatch return Response('控制访问频率示例') def throttled(self, request, wait): '''可定制方法设置中文错误''' # raise exceptions.Throttled(wait) class MyThrottle(exceptions.Throttled): default_detail = '请求被限制' extra_detail_singular = 'Expected available in {wait} second.' extra_detail_plural = 'Expected available in {wait} seconds.' default_code = '还需要再等{wait}秒' raise MyThrottle(wait) views.py
3、需求:对匿名用户进行限制,每个用户一分钟允许访问10次(只针对用户来说)
a、基于用户IP限制访问频率
流程分析:
- 先获取用户信息,如果是匿名用户,获取IP。如果不是匿名用户就可以获取用户名。
- 获取匿名用户IP,在request里面获取,比如IP= 1.1.1.1。
- 吧获取到的IP添加到到recode字典里面,需要在添加之前先限制一下。
- 如果时间间隔大于60秒,说明时间久远了,就把那个时间给剔除 了pop。在timelist列表里面现在留的是有效的访问时间段。
- 然后判断他的访问次数超过了10次没有,如果超过了时间就return False。
- 美中不足的是时间是固定的,我们改变他为动态的:列表里面最开始进来的时间和当前的时间进行比较,看需要等多久。
具体实现:
from django.shortcuts import render from rest_framework.views import APIView from rest_framework.response import Response from rest_framework import exceptions from rest_framework.throttling import BaseThrottle,SimpleRateThrottle #限制访问频率 import time # Create your views here. RECORD = {} class MyThrottle(BaseThrottle): def allow_request(self,request,view): '''对匿名用户进行限制,每个用户一分钟访问10次 ''' ctime = time.time() ip = '1.1.1.1' if ip not in RECORD: RECORD[ip] = [ctime] else: #[152042123,15204212,3152042,123152042123] time_list = RECORD[ip] #获取ip里面的值 while True: val = time_list[-1]#取出最后一个时间,也就是访问最早的时间 if (ctime-60)>val: #吧时间大于60秒的给剔除了 time_list.pop() #剔除了之后timelist里面就是有效的时间了,在进行判断他的访问次数是不是超过10次 else: break if len(time_list) >10: return False # 返回False,限制 time_list.insert(0, ctime) return True #返回True,不限制 def wait(self): ctime = time.time() first_in_time = RECORD['1.1.1.1'][-1] wt = 60-(ctime-first_in_time) return wt class LimitView(APIView): authentication_classes = [] #不让认证用户 permission_classes = [] #不让验证权限 throttle_classes = [MyThrottle, ] def get(self,request): # self.dispatch return Response('控制访问频率示例') def throttled(self, request, wait): '''可定制方法设置中文错误''' # raise exceptions.Throttled(wait) class MyThrottle(exceptions.Throttled): default_detail = '请求被限制' extra_detail_singular = 'Expected available in {wait} second.' extra_detail_plural = 'Expected available in {wait} seconds.' default_code = '还需要再等{wait}秒' raise MyThrottle(wait) views初级版本
# from django.shortcuts import render # from rest_framework.views import APIView # from rest_framework.response import Response # from rest_framework import exceptions # from rest_framework.throttling import BaseThrottle,SimpleRateThrottle #限制访问频率 # import time # # Create your views here. # RECORD = {} # class MyThrottle(BaseThrottle): # # def allow_request(self,request,view): # '''对匿名用户进行限制,每个用户一分钟访问10次 ''' # ctime = time.time() # ip = '1.1.1.1' # if ip not in RECORD: # RECORD[ip] = [ctime] # else: # #[152042123,15204212,3152042,123152042123] # time_list = RECORD[ip] #获取ip里面的值 # while True: # val = time_list[-1]#取出最后一个时间,也就是访问最早的时间 # if (ctime-60)>val: #吧时间大于60秒的给剔除了 # time_list.pop() # #剔除了之后timelist里面就是有效的时间了,在进行判断他的访问次数是不是超过10次 # else: # break # if len(time_list) >10: # return False # 返回False,限制 # time_list.insert(0, ctime) # return True #返回True,不限制 # # def wait(self): # ctime = time.time() # first_in_time = RECORD['1.1.1.1'][-1] # wt = 60-(ctime-first_in_time) # return wt # # # class LimitView(APIView): # authentication_classes = [] #不让认证用户 # permission_classes = [] #不让验证权限 # throttle_classes = [MyThrottle, ] # def get(self,request): # # self.dispatch # return Response('控制访问频率示例') # # def throttled(self, request, wait): # '''可定制方法设置中文错误''' # # raise exceptions.Throttled(wait) # class MyThrottle(exceptions.Throttled): # default_detail = '请求被限制' # extra_detail_singular = 'Expected available in {wait} second.' # extra_detail_plural = 'Expected available in {wait} seconds.' # default_code = '还需要再等{wait}秒' # raise MyThrottle(wait) from django.shortcuts import render from rest_framework.views import APIView from rest_framework.response import Response from rest_framework import exceptions from rest_framework.throttling import BaseThrottle,SimpleRateThrottle #限制访问频率 import time # Create your views here. RECORD = {} class MyThrottle(BaseThrottle): def allow_request(self,request,view): '''对匿名用户进行限制,每个用户一分钟访问10次 ''' ctime = time.time() self.ip =self.get_ident(request) if self.ip not in RECORD: RECORD[self.ip] = [ctime] else: #[152042123,15204212,3152042,123152042123] time_list = RECORD[self.ip] #获取ip里面的值 while True: val = time_list[-1]#取出最后一个时间,也就是访问最早的时间 if (ctime-60)>val: #吧时间大于60秒的给剔除了 time_list.pop() #剔除了之后timelist里面就是有效的时间了,在进行判断他的访问次数是不是超过10次 else: break if len(time_list) >10: return False # 返回False,限制 time_list.insert(0, ctime) return True #返回True,不限制 def wait(self): ctime = time.time() first_in_time = RECORD[self.ip][-1] wt = 60-(ctime-first_in_time) return wt class LimitView(APIView): authentication_classes = [] #不让认证用户 permission_classes = [] #不让验证权限 throttle_classes = [MyThrottle, ] def get(self,request): # self.dispatch return Response('控制访问频率示例') def throttled(self, request, wait): '''可定制方法设置中文错误''' # raise exceptions.Throttled(wait) class MyThrottle(exceptions.Throttled): default_detail = '请求被限制' extra_detail_singular = 'Expected available in {wait} second.' extra_detail_plural = 'Expected available in {wait} seconds.' default_code = '还需要再等{wait}秒' raise MyThrottle(wait) 稍微做了改动
b、用resetframework内部的限制访问频率(利于Django缓存)
源码分析:
from rest_framework.throttling import BaseThrottle,SimpleRateThrottle #限制访问频率
class BaseThrottle(object): """ Rate throttling of requests. """ def allow_request(self, request, view): """ Return `True` if the request should be allowed, `False` otherwise. """ raise NotImplementedError('.allow_request() must be overridden') def get_ident(self, request): #唯一标识 """ Identify the machine making the request by parsing HTTP_X_FORWARDED_FOR if present and number of proxies is > 0. If not use all of HTTP_X_FORWARDED_FOR if it is available, if not use REMOTE_ADDR. """ xff = request.META.get('HTTP_X_FORWARDED_FOR') remote_addr = request.META.get('REMOTE_ADDR') #获取IP等 num_proxies = api_settings.NUM_PROXIES if num_proxies is not None: if num_proxies == 0 or xff is None: return remote_addr addrs = xff.split(',') client_addr = addrs[-min(num_proxies, len(addrs))] return client_addr.strip() return ''.join(xff.split()) if xff else remote_addr def wait(self): """ Optionally, return a recommended number of seconds to wait before the next request. """ return None BaseThrottle相当于一个抽象类
class SimpleRateThrottle(BaseThrottle): """ 一个简单的缓存实现,只需要` get_cache_key() `。被覆盖。 速率(请求/秒)是由视图上的“速率”属性设置的。类。该属性是一个字符串的形式number_of_requests /期。 周期应该是:(的),“秒”,“M”,“min”,“h”,“小时”,“D”,“一天”。 以前用于节流的请求信息存储在高速缓存中。 A simple cache implementation, that only requires `.get_cache_key()` to be overridden. The rate (requests / seconds) is set by a `rate` attribute on the View class. The attribute is a string of the form 'number_of_requests/period'. Period should be one of: ('s', 'sec', 'm', 'min', 'h', 'hour', 'd', 'day') Previous request information used for throttling is stored in the cache. """ cache = default_cache timer = time.time cache_format = 'throttle_%(scope)s_%(ident)s' scope = None THROTTLE_RATES = api_settings.DEFAULT_THROTTLE_RATES def __init__(self): if not getattr(self, 'rate', None): self.rate = self.get_rate() self.num_requests, self.duration = self.parse_rate(self.rate) def get_cache_key(self, request, view):#这个相当于是一个半成品,我们可以来补充它 """ Should return a unique cache-key which can be used for throttling. Must be overridden. May return `None` if the request should not be throttled. """ raise NotImplementedError('.get_cache_key() must be overridden') def get_rate(self): """ Determine the string representation of the allowed request rate. """ if not getattr(self, 'scope', None): msg = ("You must set either `.scope` or `.rate` for '%s' throttle" % self.__class__.__name__) raise ImproperlyConfigured(msg) try: return self.THROTTLE_RATES[self.scope] except KeyError: msg = "No default throttle rate set for '%s' scope" % self.scope raise ImproperlyConfigured(msg) def parse_rate(self, rate): """ Given the request rate string, return a two tuple of: <allowed number of requests>, <period of time in seconds> """ if rate is None: return (None, None) num, period = rate.split('/') num_requests = int(num) duration = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}[period[0]] return (num_requests, duration) #1、一进来会先执行他, def allow_request(self, request, view): """ Implement the check to see if the request should be throttled. On success calls `throttle_success`. On failure calls `throttle_failure`. """ if self.rate is None: return True self.key = self.get_cache_key(request, view) #2、执行get_cache_key,这里的self.key就相当于我们举例ip if self.key is None: return True self.history = self.cache.get(self.key, []) #3、得到的key,默认是一个列表,赋值给了self.history, # 这时候self.history就是每一个ip对应的访问记录 self.now = self.timer() # Drop any requests from the history which have now passed the # throttle duration while self.history and self.history[-1] <= self.now - self.duration: self.history.pop() if len(self.history) >= self.num_requests: return self.throttle_failure() return self.throttle_success() def throttle_success(self): """ Inserts the current request's timestamp along with the key into the cache. """ self.history.insert(0, self.now) self.cache.set(self.key, self.history, self.duration) return True def throttle_failure(self): """ Called when a request to the API has failed due to throttling. """ return False def wait(self): """ Returns the recommended next request time in seconds. """ if self.history: remaining_duration = self.duration - (self.now - self.history[-1]) else: remaining_duration = self.duration available_requests = self.num_requests - len(self.history) + 1 if available_requests <= 0: return None return remaining_duration / float(available_requests) SimpleRateThrottle
请求一进来会先执行SimpleRateThrottle这个类的构造方法
1 def __init__(self): 2 if not getattr(self, 'rate', None): 3 self.rate = self.get_rate() #点进去看到需要些一个scope ,2/m 4 self.num_requests, self.duration = self.parse_rate(self.rate)
def get_rate(self): """ Determine the string representation of the allowed request rate. """ if not getattr(self, 'scope', None): #检测必须有scope,没有就报错了 msg = ("You must set either `.scope` or `.rate` for '%s' throttle" % self.__class__.__name__) raise ImproperlyConfigured(msg) try: return self.THROTTLE_RATES[self.scope] except KeyError: msg = "No default throttle rate set for '%s' scope" % self.scope raise ImproperlyConfigured(msg) get_rate
def parse_rate(self, rate): """ Given the request rate string, return a two tuple of: <allowed number of requests>, <period of time in seconds> """ if rate is None: return (None, None) num, period = rate.split('/') num_requests = int(num) duration = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}[period[0]] return (num_requests, duration) parse_rate
#2、接下来会先执行他, def allow_request(self, request, view): """ Implement the check to see if the request should be throttled. On success calls `throttle_success`. On failure calls `throttle_failure`. """ if self.rate is None: return True self.key = self.get_cache_key(request, view) #2、执行get_cache_key,这里的self.key就相当于我们举例ip if self.key is None: return True #不限制 # [114521212,11452121211,45212121145,21212114,521212] self.history = self.cache.get(self.key, []) #3、得到的key,默认是一个列表,赋值给了self.history, # 这时候self.history就是每一个ip对应的访问记录 self.now = self.timer() # Drop any requests from the history which have now passed the # throttle duration while self.history and self.history[-1] <= self.now - self.duration: self.history.pop() if len(self.history) >= self.num_requests: return self.throttle_failure() return self.throttle_success() allow_request
def wait(self): """ Returns the recommended next request time in seconds. """ if self.history: remaining_duration = self.duration - (self.now - self.history[-1]) else: remaining_duration = self.duration available_requests = self.num_requests - len(self.history) + 1 if available_requests <= 0: return None return remaining_duration / float(available_requests) wait
代码实现:
###########用resetframework内部的限制访问频率############## class MySimpleRateThrottle(SimpleRateThrottle): scope = 'xxx' def get_cache_key(self, request, view): return self.get_ident(request) #返回唯一标识IP class LimitView(APIView): authentication_classes = [] #不让认证用户 permission_classes = [] #不让验证权限 throttle_classes = [MySimpleRateThrottle, ] def get(self,request): # self.dispatch return Response('控制访问频率示例') def throttled(self, request, wait): '''可定制方法设置中文错误''' # raise exceptions.Throttled(wait) class MyThrottle(exceptions.Throttled): default_detail = '请求被限制' extra_detail_singular = 'Expected available in {wait} second.' extra_detail_plural = 'Expected available in {wait} seconds.' default_code = '还需要再等{wait}秒' raise MyThrottle(wait) views.py
记得在settings里面配置
REST_FRAMEWORK = { 'UNAUTHENTICATED_USER': None, 'UNAUTHENTICATED_TOKEN': None, #将匿名用户设置为None "DEFAULT_AUTHENTICATION_CLASSES": [ "app01.utils.MyAuthentication", ], 'DEFAULT_PERMISSION_CLASSES':[ # "app03.utils.MyPermission",#设置路径, ], 'DEFAULT_THROTTLE_RATES':{ 'xxx':'2/minute' #2分钟 } } #缓存:放在文件 CACHES = { 'default': { 'BACKEND': 'django.core.cache.backends.filebased.FileBasedCache', 'LOCATION': 'cache', #文件路径 } } settings.py
4、对匿名用户进行限制,每个用户1分钟允许访问5次,对于登录的普通用户1分钟访问10次,VIP用户一分钟访问20次
- 比如首页可以匿名访问
- #先认证,只有认证了才知道是不是匿名的,
- #权限登录成功之后才能访问, ,index页面就不需要权限了
- If request.user #判断登录了没有
from django.contrib import admin from django.conf.urls import url, include from app05 import views urlpatterns = [ url('index/',views.IndexView.as_view()), url('manage/',views.ManageView.as_view()), ] urls.py
from django.shortcuts import render from rest_framework.views import APIView from rest_framework.response import Response from rest_framework.authentication import BaseAuthentication #认证需要 from rest_framework.throttling import BaseThrottle,SimpleRateThrottle #限流处理 from rest_framework.permissions import BasePermission from rest_framework import exceptions from app01 import models # Create your views here. ###############3##认证##################### class MyAuthentcate(BaseAuthentication): '''检查用户是否存在,如果存在就返回user和auth,如果没有就返回''' def authenticate(self, request): token = request.query_params.get('token') obj = models.UserInfo.objects.filter(token=token).first() if obj: return (obj.username,obj.token) return None #表示我不处理 ##################权限##################### class MyPermission(BasePermission): message='无权访问' def has_permission(self, request, view): if request.user: return True #true表示有权限 return False #false表示无权限 class AdminPermission(BasePermission): message = '无权访问' def has_permission(self, request, view): if request.user=='haiyan': return True # true表示有权限 return False # false表示无权限 ############3#####限流##################3## class AnonThrottle(SimpleRateThrottle): scope = 'wdp_anon' #相当于设置了最大的访问次数和时间 def get_cache_key(self, request, view): if request.user: return None #返回None表示我不限制,登录用户我不管 #匿名用户 return self.get_ident(request) #返回一个唯一标识IP class UserThrottle(SimpleRateThrottle): scope = 'wdp_user' def get_cache_key(self, request, view): #登录用户 if request.user: return request.user return None #返回NOne表示匿名用户我不管 ##################视图##################### #首页支持匿名访问, #无需要登录就可以访问 class IndexView(APIView): authentication_classes = [MyAuthentcate,] #认证判断他是不是匿名用户 permission_classes = [] #一般主页就不需要权限验证了 throttle_classes = [AnonThrottle,UserThrottle,] #对匿名用户和普通用户的访问限制 def get(self,request): # self.dispatch return Response('访问首页') def throttled(self, request, wait): '''可定制方法设置中文错误''' # raise exceptions.Throttled(wait) class MyThrottle(exceptions.Throttled): default_detail = '请求被限制' extra_detail_singular = 'Expected available in {wait} second.' extra_detail_plural = 'Expected available in {wait} seconds.' default_code = '还需要再等{wait}秒' raise MyThrottle(wait) #需登录就可以访问 class ManageView(APIView): authentication_classes = [MyAuthentcate, ] # 认证判断他是不是匿名用户 permission_classes = [MyPermission,] # 一般主页就不需要权限验证了 throttle_classes = [AnonThrottle, UserThrottle, ] # 对匿名用户和普通用户的访问限制 def get(self, request): # self.dispatch return Response('管理人员访问页面') def throttled(self, request, wait): '''可定制方法设置中文错误''' # raise exceptions.Throttled(wait) class MyThrottle(exceptions.Throttled): default_detail = '请求被限制' extra_detail_singular = 'Expected available in {wait} second.' extra_detail_plural = 'Expected available in {wait} seconds.' default_code = '还需要再等{wait}秒' raise MyThrottle(wait) views.py
四、总结
1、认证:就是检查用户是否存在;如果存在返回(request.user,request.auth);不存在request.user/request.auth=None
2、权限:进行职责的划分
3、限制访问频率
认证 - 类:authenticate/authenticate_header ##验证不成功的时候执行的 - 返回值: - return None, - return (user,auth), - raise 异常 - 配置: - 视图: class IndexView(APIView): authentication_classes = [MyAuthentication,] - 全局: REST_FRAMEWORK = { 'UNAUTHENTICATED_USER': None, 'UNAUTHENTICATED_TOKEN': None, "DEFAULT_AUTHENTICATION_CLASSES": [ # "app02.utils.MyAuthentication", ], } 权限 - 类:has_permission/has_object_permission - 返回值: - True、#有权限 - False、#无权限 - exceptions.PermissionDenied(detail="错误信息") #异常自己随意,想抛就抛,错误信息自己指定 - 配置: - 视图: class IndexView(APIView): permission_classes = [MyPermission,] - 全局: REST_FRAMEWORK = { "DEFAULT_PERMISSION_CLASSES": [ # "app02.utils.MyAuthentication", ], } 限流 - 类:allow_request/wait PS: scope = "wdp_user" - 返回值:
return True、#不限制
return False #限制 - 配置: - 视图: class IndexView(APIView): throttle_classes=[AnonThrottle,UserThrottle,] def get(self,request,*args,**kwargs): self.dispatch return Response('访问首页') - 全局 REST_FRAMEWORK = { "DEFAULT_THROTTLE_CLASSES":[ ], 'DEFAULT_THROTTLE_RATES':{ 'wdp_anon':'5/minute', 'wdp_user':'10/minute', } }