1.DRF节流组件自定义(限制访问频率)
方式一 自定义类和方法:
和上述的认证组件使用方式一样,定义一个频率组件类,推荐继承BaseThrottle类,
需定义defallow_request(self,request,view):pass方法和defwait(self):pass提示信息方法
seetings.py
INSTALLED_APPS = [ 'django.contrib.admin', 'django.contrib.auth', 'django.contrib.contenttypes', 'django.contrib.sessions', 'django.contrib.messages', 'django.contrib.staticfiles', 'app01.apps.App01Config', 'rest_framework', ] MIDDLEWARE = [ 'django.middleware.security.SecurityMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.middleware.common.CommonMiddleware', # 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware', ] REST_FRAMEWORK = { #认证配置(全局配置)----针对所有的继承APIView的类,最终都会有结果返回 'DEFAULT_AUTHENTICATION_CLASSES' : ['app01.utils.auth.MyAuth',],#可以自定义多个认证类 # 'UNAUTHENTICATED_USER':lambda :'匿名用户request.user自定义值',#request.user有默认值 # 'UNAUTHENTICATED_TOKEN':lambda :'request.auth自定义值',#request.auth有默认值 #权限配置(全局配置)----针对所有的继承APIView的类,在认证之后执行,没有权限会返回message,有权限继续执行 'DEFAULT_PERMISSION_CLASSES':['app01.utils.permission.SVIPPermission',],#可以自定义多个权限 #频率配置(全局配置)----针对所有的继承APIView的类,在认证和权限校验之后 'DEFAULT_THROTTLE_CLASSES':['app01.utils.throttle.VisitThrottle',],#可以定义多个访问频率类 }
utils--auth.py--MyAuth认证类
#认证组件 from rest_framework.authentication import BaseAuthentication,BasicAuthentication class MyAuth(BaseAuthentication):#可以直接继承BaseAuthentication类,可以省略authenticate_header方法,或者继承BasicAuthentication def authenticate(self, request): token = request._request.GET.get('token') token_obj = models.UserToken.objects.get(token=token) if not token_obj: raise exceptions.AuthenticationFailed('未认证用户!!!') return (token_obj.user', 'request.auth') # 认证函数执行结果如果通过则为元组,元组第一个元素封装在为request.user
utils--permission.py--SVIPPermission/MyPermission权限类
from rest_framework.permissions import BasePermission # 权限组件 class SVIPPermission(BasePermission):#推荐继承BasePermission类 # message = 'You do not have permission to perform this action.'#默认值 message = '无此权限!!!' def has_permission(self,request, view): if request.user.user_type == 3: return False #False为没权限 return True #True为有权限 class MyPermission(BasePermission):#推荐继承BasePermission类 def has_permission(self,request, view): if request.user.user_type != 3: return False return True
utils--throttle.py--VisitThrottle频率类
''' 访问频率一般存储在缓存或者数据库中,以往程序重启数据消失 再次示例使用字典存储,通过ip进行节流演示 ''' import time from rest_framework.throttling import BaseThrottle # 节流组件 visit_record = {} # 设置访问频率5次/60s TIME_LIMIT = 60 NUM_LIMIT = 5 # class VisitThrottle(object): class VisitThrottle(BaseThrottle): # 推荐继承BaseThrottle类 ''' 自定义频率组件类,推荐继承BaseThrottle类, 需定义 def allow_request(self, request, view):pass方法和def wait(self):pass提示信息方法 ''' def __init__(self): self.visit_history = [] def allow_request(self, request, view): # remote_addr = request.META.get('REMOTE_ADDR') # 获取客户端ip:request._request.META.get('REMOTE_ADDR')同样功能 remote_addr = self.get_ident(request) # 父类BaseThrottle中已经实现了此方法可以直接调用 visit_time = time.time() if remote_addr not in visit_record: # 当前ip访问记录为空是第一次访问 visit_record[remote_addr] = [visit_time] return True else: visit_history = visit_record.get(remote_addr) while visit_history and (visit_time - visit_history[-1]) > TIME_LIMIT: # 访问记录存在并且最早时间记录与本次间隔大于限制时间就删除 visit_history.pop() if len(visit_history) < NUM_LIMIT: # 当前访问记录次数与设定值比较,如果小于限定次数即可访问 visit_history.insert(0, visit_time) return True # 访问记录与本次访问时间封装在对象中以便wait调用 self.visit_history = visit_record.get(remote_addr) self.visit_time = visit_time return False # False表示超次数 def wait(self): ''' 超出次数提示信息 :return: 提示信息:秒数 ''' return TIME_LIMIT - (self.visit_time - self.visit_history[-1])
models.py
from django.db import models # Create your models here class UserInfo(models.Model): """ 用户表 """ user_type_choices = [ (1, '普通用户'), (2, 'VIP用户'), (3, 'SVIP用户'), ] user_type = models.IntegerField(choices=user_type_choices) username = models.CharField(max_length=10, unique=True) password = models.CharField(max_length=12, null=False) class UserToken(models.Model): """ token表 """ user = models.OneToOneField(to='UserInfo') token = models.CharField(max_length=64) create_time = models.DateTimeField(auto_now=True) class Book(models.Model): name = models.CharField(max_length=12)
urls.py
from django.conf.urls import url from django.contrib import admin from app01 import views urlpatterns = [ url(r'^admin/', admin.site.urls), url(r'^api/v1/login/$', views.AuthView.as_view()), url(r'^book/$', views.BookView.as_view(),name='book'), url(r'^order/$', views.OrderView.as_view(),name='order'), ]
views.py
from django.shortcuts import render, HttpResponse from rest_framework.views import APIView from app01 import models from django.http import JsonResponse from app01.utils.auth import MyAuth from app01.utils.permission import MyPermission,SVIPPermission from app01.utils.throttle import VisitThrottle from django.views import View # Create your views here. # 实例url:http://127.0.0.1:8000/book/?token=1 class BookView(APIView): # # (1)认证组件(局部使用) # authentication_classes = [MyAuth, ] #(2)权限组件(局部使用) permission_classes = [MyPermission,] # (3)频率组件(局部使用) # throttle_classes = [VisitThrottle, ] def get(self, request): print(request.user) # request.user在APIViewD的dispatch中进行封装的 return HttpResponse('GET') def post(self, request): return HttpResponse('POST') def put(self, request): return HttpResponse('PUT') def patch(self, request): return HttpResponse('PATCH') def delete(self, request): return HttpResponse('DELETE') class OrderView(APIView): # (1)认证组件(局部使用) # authentication_classes = [MyAuth, ] # (2)权限组件(局部使用) # permission_classes = [SVIPPermission] #(3)频率组件(局部使用) # throttle_classes = [VisitThrottle,] def get(self, request): print(request.user) # request.user在认证组件中进行封装的 return HttpResponse('GET') def post(self, request): return HttpResponse('POST') def put(self, request): return HttpResponse('PUT') def patch(self, request): return HttpResponse('PATCH') def delete(self, request): return HttpResponse('DELETE') import time import hashlib def token_md5(username): """ 自定义token :param username: :return: """ t = time.time() md5 = hashlib.md5(str(t).encode('utf-8')) md5.update(username.encode('utf-8')) return md5.hexdigest() class AuthView(View): #如果不注册自定义组件,走默认的认证,最后返回了request.user和request.auth都是匿名用户默认值,可以在settings.py中加载自定义配置 #但是在权限认证时不不好处理,所以还是直接继承View def post(self, request): """ 用户登录 :param request:进行封装之后的request对象 :return: 登录结果信息 """ ret = {'code': 0, 'msg': ''} username = request.POST.get('username', None) password = request.POST.get('password', None) # 每次登陆如果有就更新没有就创建 try: user_obj = models.UserInfo.objects.filter(username=username, password=password).first() if user_obj: token = token_md5(username) print(token) # 每次登陆如果有就更新没有就创建 models.UserToken.objects.update_or_create(user=user_obj, defaults={'token': token}) ret['msg'] = '登陆成功!' ret['token'] = token else: ret['code'] = 1 ret['msg'] = '账号或密码有误!!!' except Exception as e: ret['code'] = 2 ret['msg'] = '未知错误!!!' finally: return JsonResponse(ret)
2. DRF节流组件简单配置方式全局
继承SimpleRateThrottle类可以直接进行简单配置即可,无需自己实现节流方法
实现:scope和defget_cache_key(self,request,view):pass
示例中的utils--throttle.py--VisitThrottle频率类方式二实现方式(结合settings.py配置)
settings.py
INSTALLED_APPS = [ 'django.contrib.admin', 'django.contrib.auth', 'django.contrib.contenttypes', 'django.contrib.sessions', 'django.contrib.messages', 'django.contrib.staticfiles', 'app01.apps.App01Config', 'rest_framework', ] MIDDLEWARE = [ 'django.middleware.security.SecurityMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.middleware.common.CommonMiddleware', # 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware', ] REST_FRAMEWORK = { #认证配置(全局配置)----针对所有的继承APIView的类,最终都会有结果返回(认证列表是或条件) 'DEFAULT_AUTHENTICATION_CLASSES' : ['app01.utils.auth.MyAuth',],#可以自定义多个认证类 # 'UNAUTHENTICATED_USER':lambda :'匿名用户request.user自定义值',#request.user有默认值 # 'UNAUTHENTICATED_TOKEN':lambda :'request.auth自定义值',#request.auth有默认值 #权限配置(全局配置)----针对所有的继承APIView的类,在认证之后执行,没有权限会返回message,有权限继续执行 'DEFAULT_PERMISSION_CLASSES':['app01.utils.permission.SVIPPermission',],#可以自定义多个权限 #频率配置(全局配置)----针对所有的继承APIView的类,在认证和权限校验之后(节流校验是并列的条件) 'DEFAULT_THROTTLE_CLASSES':['app01.utils.throttle.VisitThrottle','app01.utils.throttle.UserThrottle',],#可以定义多个访问频率类 'DEFAULT_THROTTLE_RATES':{ #继承节流组件的SimpleRateThrottle类使用 'ThrottleTest':'5/m',#该key是在自定义的组件类定义的,value值形如:'5/s'或者'5/seconds'均可(只要是以s,m,h,d即可) #'LoginedUser':'10/m',#可以针对不懂得身份标识进行节流规则制定 } }
utils--auth.py--MyAuth认证类
#认证组件 from rest_framework.authentication import BaseAuthentication,BasicAuthentication class MyAuth(BaseAuthentication):#可以直接继承BaseAuthentication类,可以省略authenticate_header方法,或者继承BasicAuthentication def authenticate(self, request): token = request._request.GET.get('token') token_obj = models.UserToken.objects.get(token=token) if not token_obj: raise exceptions.AuthenticationFailed('未认证用户!!!') return (token_obj.user', 'request.auth') # 认证函数执行结果如果通过则为元组,元组第一个元素封装在为request.user
utils--permission.py--SVIPPermission/MyPermission权限类
from rest_framework.permissions import BasePermission # 权限组件 class SVIPPermission(BasePermission):#推荐继承BasePermission类 # message = 'You do not have permission to perform this action.'#默认值 message = '无此权限!!!' def has_permission(self,request, view): if request.user.user_type == 3: return False #False为没权限 return True #True为有权限 class MyPermission(BasePermission):#推荐继承BasePermission类 def has_permission(self,request, view): if request.user.user_type != 3: return False return True
utils--throttle.py--VisitThrottle频率类
''' 访问频率一般存储在缓存或者数据库中,以往程序重启数据消失 再次示例使用字典存储,通过ip进行节流演示 ''' import time from rest_framework.throttling import BaseThrottle, SimpleRateThrottle # 方式一节流组件(继承BaseThrottle类)----完全自定义写法 """ visit_record = {} # 设置访问频率5次/60s TIME_LIMIT = 60 NUM_LIMIT = 5 # class VisitThrottle(object): class VisitThrottle(BaseThrottle): # 推荐继承BaseThrottle类 ''' 自定义频率组件类,推荐继承BaseThrottle类, 需定义 def allow_request(self, request, view):pass方法和def wait(self):pass提示信息方法 ''' def __init__(self): self.visit_history = [] def allow_request(self, request, view): # remote_addr = request.META.get('REMOTE_ADDR') # 获取客户端ip:request._request.META.get('REMOTE_ADDR')同样功能 remote_addr = self.get_ident(request) # 父类BaseThrottle中已经实现了此方法可以直接调用 visit_time = time.time() if remote_addr not in visit_record: # 当前ip访问记录为空是第一次访问 visit_record[remote_addr] = [visit_time] return True else: visit_history = visit_record.get(remote_addr) while visit_history and (visit_time - visit_history[-1]) > TIME_LIMIT: # 访问记录存在并且最早时间记录与本次间隔大于限制时间就删除 visit_history.pop() if len(visit_history) < NUM_LIMIT: # 当前访问记录次数与设定值比较,如果小于限定次数即可访问 visit_history.insert(0, visit_time) return True # 访问记录与本次访问时间封装在对象中以便wait调用 self.visit_history = visit_record.get(remote_addr) self.visit_time = visit_time return False # False表示超次数 def wait(self): ''' 超出次数提示信息 :return: 提示信息:秒数 ''' return TIME_LIMIT - (self.visit_time - self.visit_history[-1]) """ # 方式二节流组件(继承SimpleRateThrottle类)----需要在全局直接配置访问频率 # 该方式直接使用rest_framework自带的缓存机制,指定配置访问频率,还需重写def get_cache_key(self, request, view):pass返回用户访问身份标识key class VisitThrottle(SimpleRateThrottle): scope = 'ThrottleTest' # 继承SimpleRateThrottle类实现节流必须指定scope的值以便在全局配置使用 def get_cache_key(self, request, view): return self.get_ident(request)#通过ip或代理进行节流 class UserThrottle(SimpleRateThrottle): ''' 本节流类以登录用户名为标识 ''' scope = 'LoginedUser' def get_cache_key(self, request, view): return request.user#也可以通过用户名进行节流
models.py
from django.db import models # Create your models here class UserInfo(models.Model): """ 用户表 """ user_type_choices = [ (1, '普通用户'), (2, 'VIP用户'), (3, 'SVIP用户'), ] user_type = models.IntegerField(choices=user_type_choices) username = models.CharField(max_length=10, unique=True) password = models.CharField(max_length=12, null=False) class UserToken(models.Model): """ token表 """ user = models.OneToOneField(to='UserInfo') token = models.CharField(max_length=64) create_time = models.DateTimeField(auto_now=True) class Book(models.Model): name = models.CharField(max_length=12)
urls.py
from django.conf.urls import url from django.contrib import admin from app01 import views urlpatterns = [ url(r'^admin/', admin.site.urls), url(r'^api/v1/login/$', views.AuthView.as_view()), url(r'^book/$', views.BookView.as_view(),name='book'), url(r'^order/$', views.OrderView.as_view(),name='order'), ]
views.py
from django.shortcuts import render, HttpResponse from rest_framework.views import APIView from app01 import models from django.http import JsonResponse from app01.utils.auth import MyAuth from app01.utils.permission import MyPermission,SVIPPermission from app01.utils.throttle import VisitThrottle from django.views import View # Create your views here. # 实例url:http://127.0.0.1:8000/book/?token=1 class BookView(APIView): # # (1)认证组件(局部使用) # authentication_classes = [MyAuth, ] #(2)权限组件(局部使用) permission_classes = [MyPermission,] # (3)频率组件(局部使用) # throttle_classes = [VisitThrottle, ] def get(self, request): print(request.user) # request.user在APIViewD的dispatch中进行封装的 return HttpResponse('GET') def post(self, request): return HttpResponse('POST') def put(self, request): return HttpResponse('PUT') def patch(self, request): return HttpResponse('PATCH') def delete(self, request): return HttpResponse('DELETE') class OrderView(APIView): # (1)认证组件(局部使用) # authentication_classes = [MyAuth, ] # (2)权限组件(局部使用) # permission_classes = [SVIPPermission] #(3)频率组件(局部使用) # throttle_classes = [VisitThrottle,] def get(self, request): print(request.user) # request.user在认证组件中进行封装的 return HttpResponse('GET') def post(self, request): return HttpResponse('POST') def put(self, request): return HttpResponse('PUT') def patch(self, request): return HttpResponse('PATCH') def delete(self, request): return HttpResponse('DELETE') import time import hashlib def token_md5(username): """ 自定义token :param username: :return: """ t = time.time() md5 = hashlib.md5(str(t).encode('utf-8')) md5.update(username.encode('utf-8')) return md5.hexdigest() class AuthView(View): #如果不注册自定义组件,走默认的认证,最后返回了request.user和request.auth都是匿名用户默认值,可以在settings.py中加载自定义配置 #但是在权限认证是不好通过,所以还是直接继承View def post(self, request): """ 用户登录 :param request:进行封装之后的request对象 :return: 登录结果信息 """ ret = {'code': 0, 'msg': ''} username = request.POST.get('username', None) password = request.POST.get('password', None) # 每次登陆如果有就更新没有就创建 try: user_obj = models.UserInfo.objects.filter(username=username, password=password).first() if user_obj: token = token_md5(username) print(token) # 每次登陆如果有就更新没有就创建 models.UserToken.objects.update_or_create(user=user_obj, defaults={'token': token}) ret['msg'] = '登陆成功!' ret['token'] = token else: ret['code'] = 1 ret['msg'] = '账号或密码有误!!!' except Exception as e: ret['code'] = 2 ret['msg'] = '未知错误!!!' finally: return JsonResponse(ret)