Django Rest Framework avoid authentication JWT
I am using rest_framework_simplejwt to authenticate my users but, in some views, I need to ignore it, because these are public views. I want to check the token inside the view flow. The expected behaviour is:

In public view

Actually rest_framework_simplejwt checks the token and raises 401 if the token is invalid or expired...

I tried disabling authentication_classes within APIView like this:

from rest_framework.views import APIView

class SpecificProductApi(APIView):
    def get_authenticators(self):
        # Drop all authenticators for GET so public reads are not rejected.
        if self.request.method == 'GET':
            self.authentication_classes = []
        return super(SpecificProductApi, self).get_authenticators()

but if I disable it before entering the GET APIView method, I can't do if request.user.is_authenticated: because I disabled the token :(

Is there a way to enter the API HTTP method and check users manually in the view? Thanks
I got it done by adding authentication_classes = []

from rest_framework import permissions
from rest_framework.views import APIView

class SpecificProductApi(APIView):
    permission_classes = [permissions.AllowAny]
    authentication_classes = []
You could simply use authentication_classes = [] in the view, but this always bypasses the JWT authentication, even when a valid Authorization header with the token is present. You'd better extend the JWTAuthentication class as follows (similar to the comment of Jhon Edwin Sanz Gonzalez):

from rest_framework_simplejwt.authentication import JWTAuthentication
from rest_framework_simplejwt.exceptions import InvalidToken

class JWTAuthenticationSafe(JWTAuthentication):
    def authenticate(self, request):
        # Treat an invalid or expired token like a missing one instead of raising 401.
        try:
            return super().authenticate(request=request)
        except InvalidToken:
            return None

Then use authentication_classes = [JWTAuthenticationSafe] in your view.
Have a very similar problem. To create public endpoints you are forced to override the authenticators, or else you will return 401/403 on an expired/missing token.

However, a public endpoint does not mean that it should not have authentication. Rather it should have one response for no-auth / expired-auth and another for valid auth.

I don't know if this is the "correct" way, but this is what I came up with facing the same problem.

Override the authenticators as you have done, and add an additional method to validate the authenticators in your view.

For example:

from rest_framework.response import Response
from rest_framework.views import APIView

class SomeApiView(APIView):
    def get_authenticators(self):
        # Override standard view authenticators.
        # Public endpoint, no auth is enforced.
        return []

    def get_auth(self):
        # Return a generator of all authenticators.
        return (auth() for auth in self.authentication_classes)

    def get_auth_detail(self, request):
        # Evaluate each authenticator and return the first valid authentication.
        for auth in self.get_auth():
            # You probably need try / except here to catch authenticators
            # that are invalid (403/401) in the case of multiple authentication
            # classes--such as token auth, session auth, etc...
            auth_detail = auth.authenticate(request)
            if auth_detail:
                return auth_detail
        return None, None

    def post(self, request):
        # Returns a tuple of (User, JWT), can be (None, None)
        user, jwt = self.get_auth_detail(request)
        # Do your magic based on user value.
        if user:
            # User is authenticated.
            return Response({"authenticated": True})
        else:
            # User is anon / not-authenticated.
            return Response({"authenticated": False})
You just need to specify a permission class for the relevant view

from rest_framework.permissions import AllowAny
from rest_framework.views import APIView

class SpecificProductApi(APIView):
    permission_classes = (AllowAny, )

This permission allows any person to hit this specific view through a URL.
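The answers above propose three different configurations for a public endpoint: AllowAny with the default JWT authenticator, authentication_classes = [], and the JWTAuthenticationSafe wrapper. The following is an added, constructed example (not DRF, simplejwt or any answerer's code) that models DRF's authentication step with the standard library only, so the difference between the three can be seen on the same three requests: no Authorization header, a valid token, and an expired one. JWTAuthentication here mimics simplejwt's observable behaviour (None without a header, InvalidToken on a bad token), the request is modelled as a plain dict of headers, and SECRET is a placeholder signing key; all of those are assumptions of the demo.

```python
"""Constructed, stdlib-only model of the authentication step DRF runs before
an AllowAny view. Not DRF or simplejwt code: JWTAuthentication below mimics
simplejwt's behaviour (None without a header, InvalidToken on a bad one)."""
import base64
import hashlib
import hmac
import json
import time

# Placeholder key for the demo; simplejwt signs with SIMPLE_JWT["SIGNING_KEY"] / SECRET_KEY.
SECRET = b"constructed-demo-secret"

class InvalidToken(Exception):
    """Stand-in for rest_framework_simplejwt.exceptions.InvalidToken."""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(user_id: str, exp: int) -> str:
    """Mint a minimal HS256 access token carrying only user_id and exp claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"user_id": user_id, "exp": exp}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: int) -> dict:
    """Check structure, signature and expiry; raise InvalidToken on any defect."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise InvalidToken("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims.get("exp", 0) <= now:
        raise InvalidToken("token expired")
    return claims

class JWTAuthentication:
    """Model of simplejwt's authenticator: None without a header, raise on a bad token."""
    def authenticate(self, request: dict, now: int):
        auth = request.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None  # no credentials: DRF moves on to the next authenticator
        claims = verify_token(auth[len("Bearer "):], now)
        return claims["user_id"], claims  # DRF's (user, auth) tuple

class JWTAuthenticationSafe(JWTAuthentication):
    """The wrapper from the JWTAuthenticationSafe answer: a bad token becomes anonymous."""
    def authenticate(self, request: dict, now: int):
        try:
            return super().authenticate(request, now)
        except InvalidToken:
            return None

def dispatch(authentication_classes, request: dict, now: int):
    """Model of DRF's authentication step followed by an AllowAny view; returns (status, body).
    An authenticator that raises becomes a 401 even though the permission is AllowAny."""
    user = None
    try:
        for cls in authentication_classes:
            result = cls().authenticate(request, now)
            if result is not None:
                user = result[0]
                break
    except InvalidToken as exc:
        return 401, f"authentication failed: {exc}"
    body = f"public data, personalised for {user}" if user else "public data for anonymous"
    return 200, body

def compare(now: int) -> dict:
    """Send three request kinds through each approach; returns {approach: {kind: (status, body)}}."""
    requests = {
        "no_header": {},
        "valid": {"Authorization": "Bearer " + make_token("alice", now + 300)},
        "expired": {"Authorization": "Bearer " + make_token("alice", now - 1)},
    }
    approaches = {
        "allow_any_only": [JWTAuthentication],            # AllowAny, default authenticators kept
        "authentication_classes_empty": [],               # authentication_classes = []
        "jwt_authentication_safe": [JWTAuthenticationSafe],
    }
    return {
        name: {kind: dispatch(classes, req, now) for kind, req in requests.items()}
        for name, classes in approaches.items()
    }

if __name__ == "__main__":
    for name, rows in compare(int(time.time())).items():
        print(name)
        for kind, (status, body) in rows.items():
            print(f"  {kind:10} -> {status} {body}")
```

Running it shows the trade-off each answer implies: with AllowAny alone an expired token still yields 401 on a "public" view; with authentication_classes = [] a valid token is ignored and every caller is anonymous; with the safe wrapper a valid token personalises the response while an invalid or expired one silently degrades to the anonymous response. That silent degradation is the thing to watch on the defensive side: keep the wrapper on genuinely public endpoints only, and keep IsAuthenticated on views that return private data, so a stale token never produces a quieter failure than 401 where the data is sensitive.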