在 Django (DRF) 中使用外部 API 进行基于令牌的身份验证

Question

Context

My API accepts a jwt-token that I can pass to an external endpoint which will return 401 if invalid/expired or user information if still valid. Based on this I will either return 401 or filtered data belonging to the user. Also, POST request's need to involve writing who this resource belongs to for the GET to work. I tried to do this by overriding the get_queryset and perform_create methods.

My viewset looks something like this:

class ReportViewSet(AuthorizedUserBasedFilteredViewset):
    queryset = Report.objects.all()
    serializer_class = ReportSerializer

    def perform_create(self, serializer):
        try:
            username = self.get_authorized_user()['user']['username']
        except Exception as e:
            return Response({'error': 'Token does not exist'}, status=HTTP_401_UNAUTHORIZED)
        serializer.save(creatd_by=username)

    def get_queryset(self):
        try:
            username = self.get_authorized_user()['user']['username']
        except Exception as e:
            return Response({'error': 'Token does not exist'}, status=HTTP_401_UNAUTHORIZED)
        return Report.objects.filter(created_by=username)

This doesn't work because get_queryset expects a queryset as response.

Questions

1. How do I bubble up the authorize exception in get_queryset? Is there some other method I should be overriding to the authentication entirely? I still need to pass the username recieved to get_queryset for the authentication to be successful
2. Is there a better way to do this? I feel that the call to the external authentication API and setting the user to be accessible by the get_queryset and perform_create methods would ideally go somewhere else in the code. I looked at the RemoteUserAuthenticationBackend but that still involved creation of a User object but for this use case the user model is entirely external

Answer 1

Instead of

return Response({'error': 'Token does not exist'}, status=HTTP_401_UNAUTHORIZED)

use this

raise NotAuthenticated(detail='Token does not exist')

Hope above line has addressed your 1st question.

For 2nd question. You can extend TokenAuthentication and then implement def authenticate_credentials(self, key): method. It is not a good idea to call external API to fetch user each time . Rather you should get JTW token one time from external source then pass JWT token in header like Authorization : Bearer cn389ncoiwuencr for each API call. Then you should decode JWT token in current system.

from rest_framework.authentication import TokenAuthentication
from django.contrib.auth import get_user_model
class CustomTokenAuthentication(TokenAuthentication):
    keyword = 'Bearer' # token type
    def authenticate_credentials(self, key):
        #decode JWT.
        username = get_username()
        User = get_user_model()
        user = User(username=username)
        return user, key

Finally, add this class at settings.py file.

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticated',
    ],
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'path.of.CustomTokenAuthentication',
    )
}

That will apply to all of your views. or you can apply view specific auth class.

class Sample(ViewSet):
    authentication_classes = (CustomTokenAuthentication,)

From now you can access user by request.user at views or viewset. That's it.