我已经实现了我想要登录用户的自定义中间件。但我在 request.user 中得到 AnonymousUser
对于身份验证方法,我已经使用
django-rest-framework-simplejwt
库实现了 JWT 身份验证。
设置.py
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework_simplejwt.authentication.JWTAuthentication',
)
}
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'core.middleware.ReverseProxyMiddleware',
]
自定义中间件.py
class ReverseProxyMiddleware(MiddlewareMixin):
def __init__(self, get_response):
self.get_response = get_response
def process_request(self, request):
print(request.user.is_authenticated)
for each_path in settings.BY_PASS_URLS:
if each_path in request.path:
response = self.get_response(request)
return response
if self.check_permission(request):
response = self.get_response(request)
return response
else:
return HttpResponseForbidden("Permission denied")
def check_permission(self, request):
perm = APICheckPermission()
return perm.has_permission(request)
日志
2023-12-09 17:43:34 False AnonymousUser
2023-12-09 17:43:34 Forbidden: /some_url
2023-12-09 17:43:34 [09/Dec/2023 17:43:34] "GET /some_url HTTP/1.1" 403 17
回应
Permission denied
身份验证是在路由之后处理的,因此中间件已被应用。事实上,AuthenticationMiddleware
确实不
处理这个问题。它由 Django 的
authentication_classes
[drf-doc]. 处理。 控制权因此被传递给视图。然后
dispatch()
方法将 初始化请求[GitHub]:
def dispatch(self, request, *args, **kwargs):
# …
request = self.initialize_request(request, *args, **kwargs)
self.request = request
# …
运行身份验证逻辑这将
[GitHub]:
def initialize_request(self, request, *args, **kwargs):
"""
Returns the initial request object.
"""
parser_context = self.get_parser_context(request)
return Request(
request,
parsers=self.get_parsers(),
authenticators=self.get_authenticators(),
negotiator=self.get_content_negotiator(),
parser_context=parser_context
)
上设置这将运行简单 JWT 身份验证或您定义的任何其他身份验证,从而通过在.user
request
来修补请求。从某种意义上说,它重复了
AuthenticationMiddleware
的工作,但具有更可定制的后端。
但很可能您不需要需要中间件。您在这里所做的是
检查权限 [drf-doc]。这是 GenericAPIView
的下一步。
因此您可以创建自己的权限类:
from rest_framework.permissions import BasePermission
class MyPermission(BasePermission):
def has_permission(self, request, view):
# …
return True
def has_object_permission(self, request, view, obj):
# …
return True
然后将其插入您的
GenericAPIView
:
# app_name/permissions.py
from rest_framework.generics import GenericAPIView
class MyGenericAPIView(GenericAPIView):
# …
permission_classes = [MyPermission]
# …
您可以默认将权限添加到任何未定义自定义权限的GenericAPIView
:
REST_FRAMEWORK = {
'DEFAULT_PERMISSION_CLASSES': [
'app_name.permissions.MyPermission',
]
}