简体繁体 English

Web服务请求身份验证django token-api

[英]web service requests authentication django token-api

原文 2014-05-05 14:37:27 2 1 python/ django/ web-services/ access-token

I want to implement a web service for an iOS application in django. 我想在django中为iOS应用程序实现Web服务。 I need some kind of authentication, and I googled and heard good things about django token-api. 我需要某种身份验证，我用谷歌搜索并听到了有关django token-api的好消息。

The only thing I don't understand, is how I make sure one authenticated user can not perform actions for another. 我唯一不了解的是，如何确保一个经过身份验证的用户无法对另一个用户执行操作。

For example, If i have a view that has the @token-required, that only promises that a valid token has been sent, however someone can just change the PK in the request itself and make changes for another user. 例如，如果我的视图具有@ token-required，则仅承诺已发送有效令牌，但是有人可以只更改请求本身中的PK并为另一个用户进行更改。

How do I make sure the user who has the token, can only perform actions for himself? 如何确保拥有令牌的用户只能自己执行操作？

1 个解决方案

On a very broad level, you need to distinguish between authentication and authorization . 从广义上讲，您需要区分身份验证和授权。 You can read this page as an example, or google it for more, but the basic distinction is that authentication determines that a user is who he says he is, while authorization determines what a certain user is able to see or do. 您可以阅读此页面作为示例，也可以在Google上搜索更多内容，但基本区别在于， 身份验证确定用户就是他所说的身份，而授权确定特定用户可以看到或执行的操作。

As you noted above, you can use the django-token-api to help with the authentication issue. 如上所述，您可以使用django-token-api帮助解决身份验证问题。 But once you've determined that, you need to move to authorization . 但是一旦确定了这一点，就需要转为授权。 This is more an issue of permissions that you can see on a per-user (or per-group) basis for individual objects, views, etc. 这更是一个问题，您可以在每个用户（或每个组）的基础上看到单个对象，视图等的权限。

As Ambroise noted in the comments, using an API framework can make this easier. 正如Ambroise在评论中指出的那样，使用API框架可以使此过程变得更加容易。 Here is the django-rest-framework documentation for setting permissions once you have authenticated the user. 这是django-rest-framework文档，用于在验证用户身份后设置权限。