Django token: download server files with token authentication

I'm looking to set up token authentication in order to download server files in a secure way, and to add an expiration time afterwards.

Requirements:

  • Django 1.11
  • Ubuntu 18.04
  • Database PostgreSQL

Process:

The user fills in a form with some information, CustomerForm(email, firstname, lastname and country), and has to choose one or several documents with checkboxes.

When the form is submitted, I create an object with the user information + the chosen document + a token generated from email + document_id + datetime in sha1 format.

The user gets an email with a download link for the previously chosen document(s) (1 email per document).

Expected:

In this part I will explain what I would like to do, but I don't know how it's possible and this part is still fuzzy in my head. It's the first time I'm trying to do that.

The user receives an email with a URL link based on the token generated previously. When he clicks the link, there is an authentication process which confirms the user and opens a window to download the document file.

But after a short time (maybe 10 minutes) the token expires and the user has to submit the form again in order to get the document file link.

As I said, it's a bit vague. I have to implement something like that, but I don't know how I could do it.

My files:

I have a class in my view which lets the user fill in the form, generates the token and sends the email.

Then I have this new class which compares the token with the database and compares expiration_time with now() too.

The issue is: if I open the link several times, now() is not refreshed, and my token is always valid and never expires.

from django.utils import timezone
from django.views.generic import TemplateView

from .models import Download  # assumed import path of the Download model

# Evaluated once, when the module is imported (reconstructed from the terminal
# output below, where the "current" time never changes between requests).
now = timezone.now()


class TokenDownloadView(TemplateView):
    template_name = 'app/token.html'

    def get_context_data(self, **kwargs):
        context = super().get_context_data(**kwargs)
        # The token comes from the named group of the URL pattern.
        context['token'] = self.kwargs['token']
        token = context['token']
        print(token)
        # .first() returns None when no row matches, so the checks below can
        # test the result (.get() would raise DoesNotExist instead).
        download = Download.objects.filter(token__iexact=token).first()

        if download and download.expiration_date > now:
            print("token valide jusqu'à : " + str(download.expiration_date))
            print("il est actuellement : " + str(now))
            print(' ==> Token existe et valide <==')

        if download and download.expiration_date < now:
            print("token valide jusqu'à : " + str(download.expiration_date))
            print("il est actuellement : " + str(now))
            print('==> Token existe mais a expiré <==')

        return context

And this is what I obtain in my terminal, which shows what I said:

d0ce9328a53032d4484cccff4c0bdd92ad701567
token valide jusqu'à : 2018-09-12 07:46:30.082915+00:00
il est actuellement : 2018-09-12 07:45:30.082915+00:00
 ==> Token existe et valide <==
[12/Sep/2018 09:45:42] "GET /crud/download/token/d0ce9328a53032d4484cccff4c0bdd92ad701567/ HTTP/1.1" 200 7447
[12/Sep/2018 09:45:42] "GET /static/css/common-8073709e.css HTTP/1.1" 404 1682
d0ce9328a53032d4484cccff4c0bdd92ad701567
token valide jusqu'à : 2018-09-12 07:46:30.082915+00:00
il est actuellement : 2018-09-12 07:45:30.082915+00:00
 ==> Token existe et valide <==
[12/Sep/2018 09:46:10] "GET /crud/download/token/d0ce9328a53032d4484cccff4c0bdd92ad701567/ HTTP/1.1" 200 7447
[12/Sep/2018 09:46:10] "GET /static/css/common-8073709e.css HTTP/1.1" 404 1682
d0ce9328a53032d4484cccff4c0bdd92ad701567
token valide jusqu'à : 2018-09-12 07:46:30.082915+00:00
il est actuellement : 2018-09-12 07:45:30.082915+00:00
 ==> Token existe et valide <==
[12/Sep/2018 09:46:30] "GET /crud/download/token/d0ce9328a53032d4484cccff4c0bdd92ad701567/ HTTP/1.1" 200 7447
[12/Sep/2018 09:46:30] "GET /static/css/common-8073709e.css HTTP/1.1" 404 1682
d0ce9328a53032d4484cccff4c0bdd92ad701567
token valide jusqu'à : 2018-09-12 07:46:30.082915+00:00
il est actuellement : 2018-09-12 07:45:30.082915+00:00
 ==> Token existe et valide <==
[12/Sep/2018 09:46:41] "GET /crud/download/token/d0ce9328a53032d4484cccff4c0bdd92ad701567/ HTTP/1.1" 200 7447
[12/Sep/2018 09:46:41] "GET /static/css/common-8073709e.css HTTP/1.1" 404 1682

Do you have any idea?

I suspect cookies, and it should be the case, but I don't know how I could remove the cookie according to the token?

If you create a url like the following, your logic in the def get(...) on AppHomeView could parse the token and check for timeout before allowing the download. Also you'll probably want to use LoginRequiredMixin on AppHomeView.

Django 2.0

path('download/<slug:token>/', views.AppHomeView.as_view(), name="download_document")

Django 1.11

# the named group must be "token" so the view can read self.kwargs['token']
url(r'^download/(?P<token>[\w-]+)/$', views.AppHomeView.as_view(), name='download_document')

If you don't want to put the def get(...) on the AppHomeView, then you could just have two separate views and, following Django standard naming, call them AppCreateView(CreateView) and AppDownloadView(View), and implement the def get(...) that parses the token on the AppDownloadView(View). The corresponding url would be:

Django 2.0

path('download/<slug:token>/', views.AppDownloadView.as_view(), name="download_document")

Django 1.11

url(r'^download/(?P<token>[\w-]+)/$', views.AppDownloadView.as_view(), name='download_document')
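Added example, not code from the question or the answer: a Django-free sketch of the token issue and check logic the question describes, and of the answer's "parse the token and check for timeout before allowing the download". It reads the clock inside the check, which is what the question's module-level now never does, and it replaces the sha1(email + document_id + datetime) recipe with a random token from secrets, since those hash inputs are guessable. The Download dataclass, the DOWNLOADS dict and TOKEN_TTL are assumed stand-ins for the Download model, the PostgreSQL table and the 10-minute lifetime.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(minutes=10)  # the lifetime the question asks for


@dataclass
class Download:
    """Stand-in for one row of the question's Download model."""
    email: str
    document_id: int
    token: str
    expiration_date: datetime


DOWNLOADS = {}  # token -> Download; stands in for the PostgreSQL table


def issue_download_token(email, document_id, now=None):
    """Store a Download row and return its token."""
    if now is None:
        now = datetime.now(timezone.utc)
    # A random 160-bit token replaces sha1(email + document_id + datetime): those
    # inputs are guessable by anyone who knows the recipient, a secrets value is not.
    token = secrets.token_hex(20)  # 40 lowercase hex chars, same shape as a sha1 digest
    DOWNLOADS[token] = Download(email, document_id, token, now + TOKEN_TTL)
    return token


def check_download_token(token, now=None):
    """Return 'valid', 'expired' or 'unknown' for the token taken from the URL."""
    # The clock is read here, on every request. A module-level `now = timezone.now()`
    # is evaluated once at import and never advances, which is the question's bug.
    if now is None:
        now = datetime.now(timezone.utc)
    download = DOWNLOADS.get(token.lower())  # case-insensitive, like token__iexact
    if download is None:
        return "unknown"
    return "expired" if now >= download.expiration_date else "valid"


def demo():
    """Replay the question's timeline with an injected clock; returns the statuses."""
    t0 = datetime(2018, 9, 12, 7, 45, 30, tzinfo=timezone.utc)
    tok = issue_download_token("user@example.com", 7, now=t0)
    return (
        check_download_token(tok, now=t0),                                 # valid
        check_download_token(tok.upper(), now=t0 + timedelta(minutes=9)),  # valid
        check_download_token(tok, now=t0 + timedelta(minutes=10)),         # expired
        check_download_token("0" * 40, now=t0),                            # unknown
    )
```

In the Django view, check_download_token would run inside def get(...) with the real clock, and the view would serve the file only on "valid".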
