RESTful API 的令牌身份验证: 是否应该定期更改令牌?

我正在用 Django 和 Django-rest-Framework构建一个 RESTful API。

作为身份验证机制,我们选择了“令牌身份验证”,并且我已经根据 Django-REST-Framework 的文档实现了它,问题是,应用程序是否应该定期更新/更改令牌,如果是,如何更新?是手机应用程序需要更新令牌,还是网络应用程序自动更新令牌?

最佳实践是什么?

这里有谁对 Django REST 框架有经验并且可以提出一个技术解决方案?

(最后一个问题优先级较低)

66404 次浏览
小开

如果您注意到某个标记类似于会话 cookie,那么您可以在 Django: https://docs.djangoproject.com/en/1.4/ref/settings/#session-cookie-age中坚持使用会话 cookie 的默认生存期。

我不知道 Django Rest Framework 是否会自动处理这个问题,但是你可以编写一个简短的脚本,过滤掉过时的脚本,并将它们标记为过期的脚本。

小开
最佳答案

让移动客户机定期更新其身份验证令牌是一种很好的做法。这当然取决于服务器的执行。

默认的 TokenAuthentication 类不支持这一点,但是您可以扩展它来实现这一功能。

例如: 

from rest_framework.authentication import TokenAuthentication, get_authorization_header
from rest_framework.exceptions import AuthenticationFailed


class ExpiringTokenAuthentication(TokenAuthentication):
def authenticate_credentials(self, key):
try:
token = self.model.objects.get(key=key)
except self.model.DoesNotExist:
raise exceptions.AuthenticationFailed('Invalid token')


if not token.user.is_active:
raise exceptions.AuthenticationFailed('User inactive or deleted')


# This is required for the time comparison
utc_now = datetime.utcnow()
utc_now = utc_now.replace(tzinfo=pytz.utc)


if token.created < utc_now - timedelta(hours=24):
raise exceptions.AuthenticationFailed('Token has expired')


return token.user, token

还需要覆盖默认的 rest 框架登录视图,以便在完成登录时刷新令牌:

class ObtainExpiringAuthToken(ObtainAuthToken):
def post(self, request):
serializer = self.serializer_class(data=request.data)
if serializer.is_valid():
token, created =  Token.objects.get_or_create(user=serializer.validated_data['user'])


if not created:
# update the created time of the token to keep it valid
token.created = datetime.datetime.utcnow()
token.save()


return Response({'token': token.key})
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)


obtain_expiring_auth_token = ObtainExpiringAuthToken.as_view()

别忘了修改网址:

urlpatterns += patterns(
'',
url(r'^users/login/?$', '<path_to_file>.obtain_expiring_auth_token'),
)
小开

我已经试过@odedfos 但是 我犯了误导性错误。这里是相同的答案,固定和适当的导入。

views.py

from django.utils import timezone
from rest_framework import status
from rest_framework.response import Response
from rest_framework.authtoken.models import Token
from rest_framework.authtoken.views import ObtainAuthToken


class ObtainExpiringAuthToken(ObtainAuthToken):
def post(self, request):
serializer = self.serializer_class(data=request.DATA)
if serializer.is_valid():
token, created =  Token.objects.get_or_create(user=serializer.object['user'])


if not created:
# update the created time of the token to keep it valid
token.created = datetime.datetime.utcnow().replace(tzinfo=utc)
token.save()


return Response({'token': token.key})
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

authentication.py

from datetime import timedelta
from django.conf import settings
from django.utils import timezone
from rest_framework.authentication import TokenAuthentication
from rest_framework import exceptions


EXPIRE_HOURS = getattr(settings, 'REST_FRAMEWORK_TOKEN_EXPIRE_HOURS', 24)


class ExpiringTokenAuthentication(TokenAuthentication):
def authenticate_credentials(self, key):
try:
token = self.model.objects.get(key=key)
except self.model.DoesNotExist:
raise exceptions.AuthenticationFailed('Invalid token')


if not token.user.is_active:
raise exceptions.AuthenticationFailed('User inactive or deleted')


if token.created < timezone.now() - timedelta(hours=EXPIRE_HOURS):
raise exceptions.AuthenticationFailed('Token has expired')


return (token.user, token)
小开

如果有人对这个解决方案感兴趣,但是想要一个在一定时间内有效的令牌,那么得到 被一个新的令牌所取代,这里是完整的解决方案(Django 1.6) :

Yourmodule/views.py:

import datetime
from django.utils.timezone import utc
from rest_framework.authtoken.views import ObtainAuthToken
from rest_framework.authtoken.models import Token
from django.http import HttpResponse
import json


class ObtainExpiringAuthToken(ObtainAuthToken):
def post(self, request):
serializer = self.serializer_class(data=request.DATA)
if serializer.is_valid():
token, created =  Token.objects.get_or_create(user=serializer.object['user'])


utc_now = datetime.datetime.utcnow()
if not created and token.created < utc_now - datetime.timedelta(hours=24):
token.delete()
token = Token.objects.create(user=serializer.object['user'])
token.created = datetime.datetime.utcnow()
token.save()


#return Response({'token': token.key})
response_data = {'token': token.key}
return HttpResponse(json.dumps(response_data), content_type="application/json")


return HttpResponse(serializer.errors, status=status.HTTP_400_BAD_REQUEST)


obtain_expiring_auth_token = ObtainExpiringAuthToken.as_view()

Yourmodule/urls.py:

from django.conf.urls import patterns, include, url
from weights import views


urlpatterns = patterns('',
url(r'^token/', 'yourmodule.views.obtain_expiring_auth_token')
)

你的项目 urls.py (在 urlpattern 数组中) :

url(r'^', include('yourmodule.urls')),

你的模组/ authentication.py :

import datetime
from django.utils.timezone import utc
from rest_framework.authentication import TokenAuthentication
from rest_framework import exceptions


class ExpiringTokenAuthentication(TokenAuthentication):
def authenticate_credentials(self, key):


try:
token = self.model.objects.get(key=key)
except self.model.DoesNotExist:
raise exceptions.AuthenticationFailed('Invalid token')


if not token.user.is_active:
raise exceptions.AuthenticationFailed('User inactive or deleted')


utc_now = datetime.datetime.utcnow()


if token.created < utc_now - datetime.timedelta(hours=24):
raise exceptions.AuthenticationFailed('Token has expired')


return (token.user, token)

在 REST _ FRAMEWORK 设置中,添加 ExiringTokenAuthentication 作为 Authentication 类,而不是 TokenAuthentication:

REST_FRAMEWORK = {


'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.SessionAuthentication',
#'rest_framework.authentication.TokenAuthentication',
'yourmodule.authentication.ExpiringTokenAuthentication',
),
}
小开

你可以利用 http://getblimp.github.io/django-rest-framework-jwt

此库能够生成具有过期日期的标记

要理解 DRF 默认令牌和 DRF 提供的令牌之间的区别,请看以下内容:

如何使 Django REST JWT 认证规模与多个 Web 服务器?

小开

我想用 DRY 给姜戈2.0一个答案。有人已经为我们建立了这个,谷歌 Django OAuth 工具包。可与匹普,pip install django-oauth-toolkit。关于使用路由器添加标记 ViewSet 的说明: https://django-oauth-toolkit.readthedocs.io/en/latest/rest-framework/getting_started.html。它类似于官方教程。

所以基本上 OAuth1.0更像是昨天的安全机制,也就是 TokenAuthentication。为了获得花哨的到期令牌,OAuth2.0现在非常流行。您将获得一个 AccessToken、 RefreshToken 和作用域变量来微调权限。你最终会得到这样的证件:

{
"access_token": "<your_access_token>",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "<your_refresh_token>",
"scope": "read"
}
小开

我只是想加上我的,因为这对我有帮助。我通常使用 JWT 方法,但有时这种方法更好。我用适当的导入更新了 django 2.1的公认答案。.

Authentication.py

from datetime import timedelta
from django.conf import settings
from django.core.exceptions import ObjectDoesNotExist
from django.utils import timezone
from rest_framework.authentication import TokenAuthentication
from rest_framework import exceptions


EXPIRE_HOURS = getattr(settings, 'REST_FRAMEWORK_TOKEN_EXPIRE_HOURS', 24)




class ExpiringTokenAuthentication(TokenAuthentication):
def authenticate_credentials(self, key):
try:
token = self.get_model().objects.get(key=key)
except ObjectDoesNotExist:
raise exceptions.AuthenticationFailed('Invalid token')


if not token.user.is_active:
raise exceptions.AuthenticationFailed('User inactive or deleted')


if token.created < timezone.now() - timedelta(hours=EXPIRE_HOURS):
raise exceptions.AuthenticationFailed('Token has expired')


return token.user, token

视野,视野

import datetime
from pytz import utc
from rest_framework import status
from rest_framework.response import Response
from rest_framework.authtoken.models import Token
from rest_framework.authtoken.views import ObtainAuthToken
from rest_framework.authtoken.serializers import AuthTokenSerializer




class ObtainExpiringAuthToken(ObtainAuthToken):
def post(self, request, **kwargs):
serializer = AuthTokenSerializer(data=request.data)


if serializer.is_valid():
token, created = Token.objects.get_or_create(user=serializer.validated_data['user'])
if not created:
# update the created time of the token to keep it valid
token.created = datetime.datetime.utcnow().replace(tzinfo=utc)
token.save()


return Response({'token': token.key})
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
小开

作者问道

问题是,应用程序是否应该定期更新/更改令牌,如果是,如何更新?是手机应用程序需要更新令牌,还是网络应用程序自动更新令牌?

但是所有的答案都是关于如何自动更改令牌的。

我认为周期性地逐个令牌更改令牌是没有意义的。Rest 框架创建一个有40个字符的令牌,如果攻击者每秒钟测试1000个令牌,那么它需要 16**40/1000/3600/24/365=4.6*10^7年才能得到令牌。您不必担心攻击者会一个接一个地测试您的令牌。即使您更改了令牌,猜测令牌的概率也是一样的。

如果您担心攻击者可能会得到令牌,那么您可以定期更改它,而在攻击者得到令牌之后,他也可以更改您的令牌,而将真正的用户踢出去。

您真正应该做的是防止攻击者获取您的用户令牌 使用 https

顺便说一下,我只是说一个令牌一个令牌的更改是没有意义的,通过用户名和密码更改令牌有时是有意义的。可能这个令牌在某个 http 环境中使用(你应该避免这种情况)或者第三方(在这种情况下,你应该创建不同类型的令牌,使用 oauth2) ,当用户正在做一些危险的事情,比如更改绑定邮箱或删除帐户时,你应该确保不再使用原始令牌,因为它可能已经被攻击者使用嗅探器或 tcpdump 工具揭露了。

小开

只是为了继续添加@odedfos 应答,我认为对语法做了一些修改,所以 ExiringTokenAuthentication 的代码需要进行一些调整:

from rest_framework.authentication import TokenAuthentication
from datetime import timedelta
from datetime import datetime
import datetime as dtime
import pytz


class ExpiringTokenAuthentication(TokenAuthentication):


def authenticate_credentials(self, key):
model = self.get_model()
try:
token = model.objects.get(key=key)
except model.DoesNotExist:
raise exceptions.AuthenticationFailed('Invalid token')


if not token.user.is_active:
raise exceptions.AuthenticationFailed('User inactive or deleted')


# This is required for the time comparison
utc_now = datetime.now(dtime.timezone.utc)
utc_now = utc_now.replace(tzinfo=pytz.utc)


if token.created < utc_now - timedelta(hours=24):
raise exceptions.AuthenticationFailed('Token has expired')


return token.user, token

另外,不要忘记将它添加到 DEFAULT _ AUTHENTATION _ CLASSES,而不是 rest _ framework.entication.TokenAuthentication

小开

如果有人想在某段时间不活动之后让令牌过期,下面的答案会有所帮助。我正在调整这里给出的一个答案。我已经在添加的代码中添加了注释

from rest_framework.authentication import TokenAuthentication
from datetime import timedelta
from datetime import datetime
import datetime as dtime
import pytz


class ExpiringTokenAuthentication(TokenAuthentication):


def authenticate_credentials(self, key):
model = self.get_model()
try:
token = model.objects.get(key=key)
except model.DoesNotExist:
raise exceptions.AuthenticationFailed('Invalid token')


if not token.user.is_active:
raise exceptions.AuthenticationFailed('User inactive or deleted')


# This is required for the time comparison
utc_now = datetime.now(dtime.timezone.utc)
utc_now = utc_now.replace(tzinfo=pytz.utc)


if token.created < utc_now - timedelta(minutes=15):  # TOKEN WILL EXPIRE AFTER 15 MINUTES OF INACTIVITY
token.delete() # ADDED THIS LINE SO THAT EXPIRED TOKEN IS DELETED
raise exceptions.AuthenticationFailed('Token has expired')
else:
token.created = utc_now #THIS WILL SET THE token.created TO CURRENT TIME WITH EVERY REQUEST
token.save() #SAVE THE TOKEN


return token.user, token
小开

不管是为移动客户端还是 web 客户端,在应用程序上设置过期机制都是一个很好的做法。有两种常见的解决方案:

  1. 系统过期令牌(特定时间后) ,用户必须重新登录才能获得新的有效令牌。

  2. 系统自动过期旧令牌(在特定时间之后)并用新令牌(更改令牌)替换旧令牌。

这两种解决方案的共同点是:

Setings.py 中的更改

DEFAULT_AUTHENTICATION_CLASSES = [
# you replace right path of 'ExpiringTokenAuthentication' class
'accounts.token_utils.ExpiringTokenAuthentication'
]


TOKEN_EXPIRED_AFTER_MINUTES = 300

创建 token _ utils. py

from django.conf import settings
from datetime import timedelta


from django.conf import settings
from django.utils import timezone
from rest_framework.authentication import TokenAuthentication
from rest_framework.authtoken.models import Token
from rest_framework.exceptions import AuthenticationFailed




def expires_in(token: Token):
elapsed_time = timezone.now() - token.created
return timedelta(minutes=settings.TOKEN_EXPIRED_AFTER_MINUTES) - elapsed_time


def is_token_expired(token):
return expires_in(token) < timedelta(seconds=0)

改变你的观点:

@api_view(['GET'])
@authentication_classes([ExpiringTokenAuthentication])
@permission_classes([IsAuthenticated])
def test(request):
...
return Response(response, stat_code)

如果使用选项1,请将这些行添加到 token _ utils. py

def handle_token_expired(token):
Token.objects.filter(key=token).delete()




class ExpiringTokenAuthentication(TokenAuthentication):


def authenticate_credentials(self, key):
try:
token = Token.objects.get(key=key)
except Token.DoesNotExist:
raise AuthenticationFailed("Invalid Token!")


if not token.user.is_active:
raise AuthenticationFailed("User inactive or deleted")


if is_token_expired(token):
handle_token_expired(token)
msg = "The token is expired!, user have to login again."
response = {"msg": msg}
raise AuthenticationFailed(response)


return token.user, token

如果使用选项2,请将这些行添加到 token _ utils. py

def handle_token_expired(token):
is_expired = is_token_expired(token)
if is_expired:
token.delete()
token = Token.objects.create(user = token.user)
return is_expired, token




class ExpiringTokenAuthentication(TokenAuthentication):
"""
when token is expired, it will be removed
and new one will be created
"""
def authenticate_credentials(self, key):
try:
token = Token.objects.get(key = key)
except Token.DoesNotExist:
raise AuthenticationFailed("Invalid Token")
    

if not token.user.is_active:
raise AuthenticationFailed("User is not active")


is_expired, token = handle_token_expired(token)
if is_expired:
raise AuthenticationFailed("The Token is expired")
    

return (token.user, token)

提交答案