Python之Django rest_Framework框架认证源码分析

#!/usr/bin/env python
# -*- coding:utf-8 -*-
from rest_framework.views import APIView
from rest_framework.response import Response

class TestView(APIView):

    def get(self, request, *args, **kwargs):
        # self.dispatch
        print(request.user)
        print(request.auth)
        return Response('GET请求,响应内容')

    def post(self, request, *args, **kwargs):
        return Response('POST请求,响应内容')

    def put(self, request, *args, **kwargs):
        return Response('PUT请求,响应内容')

Django rest_Framework的基本流程:请求刚进来,会执行dispatch方法,大概的流程如下:第一步封装request,第二步:版本

第三步:认证->request.user,第三步:权限->self.check_permissions(request),第四步:节流self.check_throttles(request)

以前就是Django rest_Framework的基本流程。

认证的源码如下(只有认证源码流程):

 

在上面刚开始请求进来,先不执行自己写的方法,如:(get、post、put),它会先执行dispatch方法,如果没有,就回去它的父类去找。

执行它父类的dispach

Django rest framework流程:

  原来用CBV的时候它继承from django.views import View中的views方法,在写get,post方法 如:class HostView(view)

  如果有Django rest Framework它就不用继承from django.views import View中的views方法,而是:

  先导入:from rest_framework.views import APIView它就会继承APIView,不在继承django的views如:class     AuthView(APIView):


from rest_framework.views import APIView          先导入APIView 
from django.shortcuts import render,HttpResponse
class AuthView(APIView):                          继承APIView
    authentication_classes=[]
    def get(self,request):return Response('....’)

而在class AuthView(APIView)中它继承的APIView,而APIView它有继承了view,view它在rest_framework view 中如下图:

点击view它就会到django的view中,而这个view是以前CBV 中的那个view,如下图:

 

 

继承的这个类比原来django的这个类跟多了点功能,而它的本质还是和原来的一样先执行dispatch,自己有就执行自己的,没有就执行父类的,父类如果没有它就执行原来的dispatch 。

虽然以前它的本质一样但是现在却发生变化,现在它的request是rest_framework中的request,而原来的request是django中的request,如:

class HostView(APIView):

    def get(self,request,*args,**kwargs):
        # 原来request对象,django.core.handlers.wsgi.WSGIRequest
        # 现在的request对象,rest_framework.request.Request\
        self.dispatch           请求进来先执行dispatch
        print(request.user)
        print(request.auth)
        return Response('主机列表')

1、请求进来先执行dispatch,而dispatch它在APIView中,dispatch在它里面有,先执行它自己,如果把它先删除它就会先执行默认的那个就是django提供,如下图:

 

请求进来它源码就是从现在开始如下:

源码的第一步:

 

    def dispatch(self, request, *args, **kwargs):    请求进来先执行dispatch
        """
        `.dispatch()` is pretty much the same as Django's regular dispatch,
        but with extra hooks for startup, finalize, and exception handling.
        """
        self.args = args                            dispatch先把参数获取到    
        self.kwargs = kwargs     
#1、对request进行加工
'''
源码进来的第一步 1、request对象中(它比原来的类中封装了好多):
         request,
parsers=self.get_parsers(),
authenticators=self.get_authenticators(), 这里面放的是两个列的对象
negotiator=self.get_content_negotiator(),
parser_context=parser_context
        '''
        request = self.initialize_request(request, *args, **kwargs)      在这执行了这个方法,它返回了request
        self.request = request
        self.headers = self.default_response_headers  # deprecate?

        try:
第二步:2 self.initial(request,
*args, **kwargs) # Get the appropriate handler method if request.method.lower() in self.http_method_names:
#在这执行反射 handler
= getattr(self, request.method.lower(), self.http_method_not_allowed) else:
#反射后拿到结果 handler
= self.http_method_not_allowed 第三步:3.执行get/post/delete/put等函数 response = handler(request, *args, **kwargs) 返回结果 except Exception as exc: response = self.handle_exception(exc) 第四步:4、对返回结果再次加工 self.response = self.finalize_response(request, response, *args, **kwargs) return self.response

 

在执行 request = self.initialize_request(request, *args, **kwargs)时,先去自己写的找,没有再去父类找,上面是自己没有就去父类找,如下图:

上面没有就去拿它的静态字段,如下图:

在这上面执行时request被加工,如下图:

 

源码执行的第二步:

    def initial(self, request, *args, **kwargs):
        """
        Runs anything that needs to occur prior to calling the method handler.
        """
        self.format_kwarg = self.get_format_suffix(**kwargs)

        # Perform content negotiation and store the accepted info on the request
        neg = self.perform_content_negotiation(request)
        request.accepted_renderer, request.accepted_media_type = neg

        # Determine the API version, if versioning is in use.
2.1处理版本信息 version, scheme = self.determine_version(request, *args, **kwargs) request.version, request.versioning_scheme = version, scheme # Ensure that the incoming request is permitted
2.2认证授权 self.perform_authentication(request)
2.3权限验证 self.check_permissions(request)
2.4请求用户限制访问频率 self.check_throttles(request)

执行源码第二步中的2.2认证授权:

 def initial(self, request, *args, **kwargs):
        """
        Runs anything that needs to occur prior to calling the method handler.
        """
        self.format_kwarg = self.get_format_suffix(**kwargs)

        # Perform content negotiation and store the accepted info on the request
        neg = self.perform_content_negotiation(request)
        request.accepted_renderer, request.accepted_media_type = neg

        # Determine the API version, if versioning is in use.
        version, scheme = self.determine_version(request, *args, **kwargs)
        request.version, request.versioning_scheme = version, scheme

        # Ensure that the incoming request is permitted
        self.perform_authentication(request)   执行这一步,点击就去如下图:
        self.check_permissions(request)  
        self.check_throttles(request)
还是先找自己的,没有才执行以下的:  
def perform_authentication(self, request): """ Perform authentication on the incoming request. Note that if you override this and simply 'pass', then authentication will instead be performed lazily, the first time either `request.user` or `request.auth` is accessed. """ request.user 在这里request是传过来的request,不是原来的request

尽接着下一步它就会找user,如下图:

找到user

def user(self): """ Returns the user associated with the current request, as authenticated by the authentication classes provided to the request. """ if not hasattr(self, '_user'): 如果没有user self._authenticate() 就会这行self._authenticate()这个方法,在找到这个方法
return self._user
    def _authenticate(self):
        """
        Attempt to authenticate the request using each authentication instance
        in turn.
        """
循环对象列表 for authenticator in self.authenticators: 在这里authenticators是那个对象列表,它循环这个对象列表 try:
执行每一个对象authenticate方法 user_auth_tuple
= authenticator.authenticate(self) 在这里它返回了两个值 except exceptions.APIException: 没有验证成功就会报错 self._not_authenticated() raise if user_auth_tuple is not None: self._authenticator = authenticator self.user, self.auth = user_auth_tuple 这里self.auth,self.user,就会有值,验证成功就会通过 return self._not_authenticated()

 

 

 

posted @ 2018-02-05 21:56  孟庆健  阅读(...)  评论(... 编辑 收藏