I have a Django application with an HTML page that shows all users of a Slack workspace via API-token access, and I wrote JavaScript so that clicking a user posts a message to that user. The problem is that I have been using the token in an insecure JavaScript function, so I cannot push the code to GitHub. Could anyone help me write the API call in a Django view so the message is posted when the HTML element is clicked? The HTML code I wrote:
<div class="container">
<h3 class=" text-center">Slack Users List</h3>
<div class="messaging">
<div class="inbox_msg">
<div class="inbox_people">
<div class="headind_srch">
<div class="recent_heading">
<h4>Recent</h4>
</div>
<div class="srch_bar">
<div class="stylish-input-group">
<h6> Please select user to send message</h6>
<span class="input-group-addon"></span> </div>
</div>
</div>
<div class="inbox_chat">
<div class="chat_list active_chat">
<div class="chat_people">
{% for i,j in liste %}
<div class="chat_ib">
<h5><a href="#" class="person_name" id="{{i}}">{{j}}<span class="chat_date"></span></a></h5>
<p>{{i}}</p>
<p></p>
<hr>
</div>
{% endfor %}
</div>
</div>
</div>
</div>
<div class="mesgs">
<a href="/modsy/logout"><button type="button" style="float: right;" class="btn2">Log Out</button></a>
<div class="msg_history mt-5">
<p id="insertName"></p>
<div class="type_msg">
<div class="input_msg_write">
<input type="text" id="write_msg" placeholder="Type a message" />
<input type="hidden" id="myVar" name="variable" value="{{ secret }}">
<button id="msg_send_btn" type="button"><i class="fa fa-paper-plane-o" aria-hidden="true"></i></button>
</div>
</div>
</div>
</div>
</div>
</div>
JavaScript code for posting a message to the selected user on click:
var form = document.getElementById('msg_send_btn');
form.onclick = function(event) {
event.preventDefault();
var id = document.getElementById("insertName").innerText;
var input = document.getElementById("write_msg").value;
// the token is rendered into the page by the template, so anyone who views the page source can read it
var a = document.getElementById("myVar").value;
var b = a.slice(2, -2);
console.log(input);
console.log(id);
console.log(b);
var mData = new FormData();
mData.append('token', "{{secret}}");
mData.append('channel', id);
mData.append('text', input);
mData.append('as_user', 'true');
var xhr = new XMLHttpRequest();
xhr.open('POST', 'https://slack.com/api/chat.postMessage', true);
// Set up a handler for when the request finishes.
xhr.onload = function () {
if (xhr.status === 200) {
console.log("posted");
} else {
alert('An error occurred!');
}
};
xhr.send(mData);
};
Django view:
import json
import requests
from django.http import Http404
from django.shortcuts import render
# SECRET is the Slack API token, defined elsewhere in the project (e.g. settings)

def chat(request):
url = 'https://slack.com/api/users.list'
headers = {'Authorization': 'Bearer {}'.format(SECRET)}
r = requests.get(url, headers=headers)
print(headers)
response = json.loads(r.text)
all_ids = [member['id'] for member in response['members'] if not member['deleted']]
all_names = [member['name'] for member in response['members'] if not member['deleted']]
print(all_ids)
print(all_names)
my_list = zip(all_ids, all_names)
print(my_list)
username = request.user.username
if username in all_names:
return render(request, 'chat.html', {'liste': my_list, 'secret': SECRET})
else:
raise Http404("User not authenticated")
Everything works fine for me here, but the token is insecure and I cannot publish the code to GitHub. Is there a way to write the API call in a Django view via Ajax, triggered by clicking the HTML element, so that I can replace the token with a Python .env file? Please help me.
You are right to want to avoid using API credentials in JS files. JS is only for the front end and for making requests to the backend; it is not recommended for API calls. As you mentioned, you just need to make an Ajax request to a function in views.py, which can then make the required API call to Slack.
An example Ajax call using JavaScript; see here for a good walkthrough:
$("#friend-form").submit(function (e) {
e.preventDefault();
var serializedData = $(this).serialize();
$.ajax({
type: 'POST',
url: "{% url 'post_friend' %}",
data: serializedData,
success: function (response) {
// on successfully creating the object
},
error: function (response) {
// alert the error if any error occurred
}
});
});
The Slack SDK for Python can be found here and comes with plenty of examples. You just need to embed the functionality you need in a function in views.py.
As for the access token, as mentioned before, just use an os.getenv() call to get the token. For example:
.env file
api-token = "abcdef_123456"
Python file
import os
# a .env file is not read automatically; load it first (e.g. with python-dotenv's load_dotenv()) or export the variable
token = os.environ.get("api-token")
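Putting the answer together, here is an added example (not code from the question or the answer above) of the backend half: the token is read from the environment on the server, the browser only sends the channel and the message text to a Django view, and that view makes the chat.postMessage call. The environment variable name SLACK_API_TOKEN, the application text limit, and the FakeSlackOpener offline transport are assumptions introduced for this example; the Django imports are guarded so the module also loads outside a Django project.

```python
import json
import os
import urllib.request

SLACK_POST_MESSAGE_URL = "https://slack.com/api/chat.postMessage"
MAX_TEXT_LENGTH = 4000  # assumed application limit, not a Slack constant

try:
    from django.contrib.auth.decorators import login_required
    from django.http import JsonResponse
    from django.views.decorators.http import require_POST
except ImportError:  # lets the module import without Django installed
    login_required = require_POST = lambda f: f
    JsonResponse = None


def get_slack_token(env=os.environ):
    """Read the token on the server; it is never passed to a template or to JavaScript."""
    token = env.get("SLACK_API_TOKEN")  # assumed variable name; set it in .env or the process environment
    if not token:
        raise RuntimeError("SLACK_API_TOKEN is not set")
    return token


def validate_message(channel, text):
    """Return an error string, or None if the user-supplied fields are acceptable."""
    if not channel or not channel.isalnum():
        return "invalid channel"  # Slack user/channel IDs are alphanumeric
    if not text or not text.strip():
        return "empty message"
    if len(text) > MAX_TEXT_LENGTH:
        return "message too long"
    return None


def build_post_message_request(token, channel, text):
    """Build the server-side chat.postMessage call; the token travels only in this header."""
    body = json.dumps({"channel": channel, "text": text}).encode("utf-8")
    return urllib.request.Request(
        SLACK_POST_MESSAGE_URL,
        data=body,
        headers={
            "Authorization": "Bearer " + token,
            "Content-Type": "application/json; charset=utf-8",
        },
        method="POST",
    )


def send_slack_message(channel, text, token, opener=urllib.request.urlopen):
    """Perform the request and return Slack's decoded JSON reply ({'ok': bool, ...})."""
    req = build_post_message_request(token, channel, text)
    with opener(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


def handle_send_message(channel, text, token, opener=urllib.request.urlopen):
    """Framework-independent core of the view: returns (http_status, json_payload)."""
    error = validate_message(channel, text)
    if error:
        return 400, {"ok": False, "error": error}
    reply = send_slack_message(channel, text, token, opener)
    if reply.get("ok"):
        return 200, {"ok": True, "ts": reply.get("ts")}
    # Slack's error string (e.g. "channel_not_found") is safe to return; the token never is
    return 502, {"ok": False, "error": reply.get("error", "slack_error")}


@require_POST
@login_required
def post_message(request):
    """Django view the page's JavaScript should POST to instead of calling slack.com directly."""
    status, payload = handle_send_message(
        request.POST.get("channel", ""),
        request.POST.get("text", ""),
        get_slack_token(),
    )
    return JsonResponse(payload, status=status)


class FakeSlackOpener:
    """Constructed offline stand-in for urlopen: records the request and replies like Slack."""

    def __init__(self, reply):
        self.reply = reply
        self.last_request = None

    def __call__(self, req):
        self.last_request = req
        return self

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self):
        return json.dumps(self.reply).encode("utf-8")


if __name__ == "__main__":
    fake = FakeSlackOpener({"ok": True, "ts": "1700000000.000100"})  # constructed reply
    print(handle_send_message("U0123456789", "hello", "xoxb-placeholder-token", fake))
    print(fake.last_request.get_header("Authorization"))
```

The browser-side code then posts only `channel` and `text` (plus Django's CSRF token) to the URL of `post_message`; the hidden `myVar` input and the `{{ secret }}` template variable disappear from the page entirely, so the token no longer appears in the HTML, the JavaScript, or the repository.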