用戶登錄驗證原始碼剖析,注意:一定要跟著博主的解說再看代碼的中文注釋及其下面的一行代碼!!!
1、準備一個路由和視圖類,全域路由配置暫時忽略,當流程執行到下面的url:groupsSelectAll——> GroupsView的視圖類下的as_view()方法
from django.conf.urls import url from . import views app_name = '[words]' urlpatterns = [ url(r'groupsSelectAll/', views.GroupsView.as_view(), name="groupsSelectAll"), # 詞組資訊查詢所有 ]
class GroupsView(APIView): def get(self, request): conditions = { "id": request.query_params.get("wid"), "name": request.query_params.get("name"), "start_time": request.query_params.get("start_time"), "end_time": request.query_params.get("end_time"), } res = DataManager.select_by_conditions("words_groups", None, **conditions) return Response(data=https://www.cnblogs.com/aitiknowledge/p/{"code": 200, "result": res})
2、但是GroupsView類下沒有as_view方法,這時就要去它的父類APIView查看(點進去看as_view方法),這里博主只復制方法源代碼,大家只需要看中文注釋及其下的代碼陳述句,在這個方法中值得一提的是super關鍵字,如果請求視圖類(就是GroupsView類,如果繼承了多個父類)還有另一個父類,它先會查看這個父類是否有as_view方法,在這里它是會執行APIView的父類View中的as_view方法,然后我們再次查看父類View的as_view方法,第一個as_view方法是APIView類的,第二個as_view方法是View類的,
@classmethod def as_view(cls, **initkwargs): """ Store the original class on the view function. This allows us to discover information about the view when we do URL reverse lookups. Used for breadcrumb generation. """ if isinstance(getattr(cls, 'queryset', None), models.query.QuerySet): def force_evaluation(): raise RuntimeError( 'Do not evaluate the `.queryset` attribute directly, ' 'as the result will be cached and reused between requests. ' 'Use `.all()` or call `.get_queryset()` instead.' ) cls.queryset._fetch_all = force_evaluation # 執行父類的as_view方法 view = super(APIView, cls).as_view(**initkwargs) view.cls = cls view.initkwargs = initkwargs # Note: session based authentication is explicitly CSRF validated, # all other authentication is CSRF exempt. return csrf_exempt(view)APIView.as_view()
@classonlymethod def as_view(cls, **initkwargs): """Main entry point for a request-response process.""" for key in initkwargs: if key in cls.http_method_names: raise TypeError("You tried to pass in the %s method name as a " "keyword argument to %s(). Don't do that." % (key, cls.__name__)) if not hasattr(cls, key): raise TypeError("%s() received an invalid keyword %r. as_view " "only accepts arguments that are already " "attributes of the class." % (cls.__name__, key)) # 執行view方法 def view(request, *args, **kwargs): # 這里的cls就是我們的請求視圖類,顯而易見,這個self是請求試圖類的物件 self = cls(**initkwargs) if hasattr(self, 'get') and not hasattr(self, 'head'): self.head = self.get self.request = request self.args = args self.kwargs = kwargs # 然后這里就是執行dispatch方法 return self.dispatch(request, *args, **kwargs) view.view_class = cls view.view_initkwargs = initkwargs # take name and docstring from class update_wrapper(view, cls, updated=()) # and possible attributes set by decorators # like csrf_exempt from dispatch update_wrapper(view, cls.dispatch, assigned=()) return viewView.as_view()
3、我們在第二個as_view方法中可以知道self是我們的請求視圖類的物件,通過這個self呼叫dispatch方法,請求視圖類中沒有dispatch方法,是不是又去APIView類中執行dispatch方法,
def dispatch(self, request, *args, **kwargs): """ `.dispatch()` is pretty much the same as Django's regular dispatch, but with extra hooks for startup, finalize, and exception handling. """ self.args = args self.kwargs = kwargs # 這里是對原生的request加工處理,回傳一個新的request物件 request = self.initialize_request(request, *args, **kwargs) self.request = request self.headers = self.default_response_headers # deprecate? try: # 初始化(用戶登錄認證,權限驗證,訪問頻率限制) self.initial(request, *args, **kwargs) # Get the appropriate handler method if request.method.lower() in self.http_method_names: # 通過python的反射機制反射到請求視圖類的方法名稱 handler = getattr(self, request.method.lower(), self.http_method_not_allowed) else: handler = self.http_method_not_allowed # 最后就是執行請求視圖類的方法 response = handler(request, *args, **kwargs) except Exception as exc: response = self.handle_exception(exc) self.response = self.finalize_response(request, response, *args, **kwargs) return self.responseAPIView.dispatch()
4、在方法中先封裝了原生的request物件,我們可以點進去查看新的request在原來的request的改進之處:先是封裝了原生的request物件,然后又加了用戶登錄驗證的“類”,現在慢慢進入了主題,以下添加APIView類的部分代碼,也就是新的request物件用到的代碼,
class APIView(View): # The following policies may be set at either globally, or per-view. # 如果請求視圖類中沒有這個屬性,我們就使用默認的用戶登錄驗證類 authentication_classes = api_settings.DEFAULT_AUTHENTICATION_CLASSES def initialize_request(self, request, *args, **kwargs): """ Returns the initial request object. """ parser_context = self.get_parser_context(request) # 封裝成新的request物件 return Request( # 原生的request request, parsers=self.get_parsers(), # 點擊查看用戶認證的串列是什么 authenticators=self.get_authenticators(), negotiator=self.get_content_negotiator(), parser_context=parser_context ) def get_authenticators(self): """ Instantiates and returns the list of authenticators that this view can use. """ # 回傳的是一個用戶認證的物件,是一個串列的形式 # 而且這個self.authentication_classes的值是先從請求視圖類中尋找,再而從父類尋找 return [auth() for auth in self.authentication_classes]APIView
5、這個類中的self也是請求視圖類的物件,如果self(請求試圖類的物件)沒有authentication_classes變數就會使用全域的組態檔中尋找,就是settings.py檔案需要添加一個字典REST_FRAMEWORK={"DEFAULT_AUTHENTICATION_CLASSES":["類的全路徑"]}類似的,這里我們假設全域組態檔中已有用戶登錄驗證類或者我們自定義的用戶登錄驗證類并且添加進去了,執行完下面的代碼,我們上面的APIView.dispatch()方法中的self.request已經變成了新的request物件,我們接著往下看,
def initial(self, request, *args, **kwargs): """ Runs anything that needs to occur prior to calling the method handler. """ self.format_kwarg = self.get_format_suffix(**kwargs) # Perform content negotiation and store the accepted info on the request neg = self.perform_content_negotiation(request) request.accepted_renderer, request.accepted_media_type = neg # Determine the API version, if versioning is in use. version, scheme = self.determine_version(request, *args, **kwargs) request.version, request.versioning_scheme = version, scheme # Ensure that the incoming request is permitted # 用戶驗證的方法,這個request 是加工之后的request self.perform_authentication(request) # 用戶權限驗證 self.check_permissions(request) # 用戶訪問頻率限制 self.check_throttles(request)APIView.initial()
5、這就到了我們的用戶登錄驗證的戲碼了,我們可以查看代碼中的self.perform_authentication(request),里面就是一行代碼request.user(這里我不添加了),我們可以直接點進去這個user方法的實作,這里直接添上Request類的部分代碼,也就是user相關的代碼,這里直接點user是因為在user方法上添加了@property注解
class Request(object): @property def user(self): """ Returns the user associated with the current request, as authenticated by the authentication classes provided to the request. """ if not hasattr(self, '_user'): with wrap_attributeerrors(): # 查看用戶登錄的驗證操作 self._authenticate() return self._user def _authenticate(self): """ Attempt to authenticate the request using each authentication instance in turn. """ # 這個self.authenticators是加工后request的,值是用戶登錄驗證的物件串列 for authenticator in self.authenticators: try: # 這個authenticate方法我們就可以在自定義的類中撰寫, # 主要功能可以查看用戶是否登錄驗證(可根據資料庫中的資料) user_auth_tuple = authenticator.authenticate(self) except exceptions.APIException: # 拋出例外時執行方法 self._not_authenticated() raise if user_auth_tuple is not None: self._authenticator = authenticator self.user, self.auth = user_auth_tuple return # 全域組態檔沒有配置和請求試圖類中都沒有authentication_classes變數及值 self._not_authenticated() def _not_authenticated(self): """ Set authenticator, user & authtoken representing an unauthenticated request. Defaults are None, AnonymousUser & None. """ self._authenticator = None # 如果全域組態檔的REST_FRAMEWORK中沒有都是默認None if api_settings.UNAUTHENTICATED_USER: self.user = api_settings.UNAUTHENTICATED_USER() else: self.user = None if api_settings.UNAUTHENTICATED_TOKEN: self.auth = api_settings.UNAUTHENTICATED_TOKEN() else: self.auth = NoneRequest
6、在Request類中會執行到user_auth_tuple = authenticator.authenticate(self),這個authenticator就是我們全域配置的用戶登錄類或者是請求視圖類的authentication_classes變數串列元素的物件,執行里面的authenticate方法,我們可以直接點進去查看authenticate方法,一般我們自定義這個用戶登錄驗證類的話我們一般需要繼承BaseAuthentication類,這樣我們直接重寫authenticate方法,里面的需求就是驗證時候登錄攜帶了token資訊或者session資訊又或者前后端定義的標準資訊(只要是能識別用戶登錄了的資訊即可),像這樣我們可以自定義一個微信驗證登錄、QQ驗證登錄、支付寶驗證登錄的類(這只是我的設想)
轉載請註明出處,本文鏈接:https://www.uj5u.com/houduan/140878.html
標籤:Python