djangorestframework-simplejwt使用

djangorestframework-simplejwt

环境

Python (3.7, 3.8, 3.9, 3.10)
Django (2.2, 3.1, 3.2, 4.0)
Django REST Framework (3.10, 3.11, 3.12, 3.13)

安装

普通安装

pip3 install djangorestframework-jwt

加密安装

pip install djangorestframework-simplejwt[crypto]
#建议在使用 Simple JWT 的项目中使用 djangorestframework-simplejwt[crypto] 格式，以确保所有必要的依赖都被正确地安装和维护。

全局配置

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_simplejwt.authentication.JWTAuthentication',
    )
}

需要在url中配置也达到刷新token

from rest_framework_simplejwt.views import (
    TokenObtainPairView,#获取token
    TokenRefreshView,#刷新token
)
urlpatterns = [
    path('api/token/', TokenObtainPairView.as_view()),
    path('api/token/refresh/', TokenRefreshView.as_view()),
]

如果需要做国际化，可以这样配置

INSTALLED_APPS = [
    'rest_framework_simplejwt',
]

LANGUAGE_CODE = 'en-us'

TIME_ZONE = 'UTC'

USE_I18N = True

USE_L10N = True

USE_TZ = True

用法

验证jwt是否正常引入

-X POST \
  -H "Content-Type: application/json" \
  -d '{"username": "davidattenborough", "password": "boatymcboatface"}' \
  http://localhost:8000/api/token/
{ "access":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX3BrIjoxLCJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiY29sZF9zdHVmZiI6IuKYgyIsImV4cCI6MTIzNDU2LCJqdGkiOiJmZDJmOWQ1ZTFhN2M0MmU4OTQ5MzVlMzYyYmNhOGJjYSJ9.NHlztMGER7UADHZJlxNG0WSi22a2KaYSfd1S-AuT7lU",
  "refresh":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX3BrIjoxLCJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImNvbGRfc3R1ZmYiOiLimIMiLCJleHAiOjIzNDU2NywianRpIjoiZGUxMmY0ZTY3MDY4NDI3ODg5ZjE1YWMyNzcwZGEwNTEifQ.aEoAYkSJjoWH1boshQAaTkf8G3yn0kapko6HFRt7Rh4"
}

settings配置

from datetime import timedelta

SIMPLE_JWT = {
    'ACCESS_TOKEN_LIFETIME': timedelta(minutes=5),
    # 设置token过期时间，上面是5分钟
    'REFRESH_TOKEN_LIFETIME': timedelta(days=1),
    # 设置token刷新过期时间，上面是1天
    'ROTATE_REFRESH_TOKENS': False,
    #
    'BLACKLIST_AFTER_ROTATION': False,
    #黑名单应用程序【https://django-rest-framework-simplejwt.readthedocs.io/en/latest/blacklist_app.html】
    'UPDATE_LAST_LOGIN': False,
	#当设置为 时True，auth_user 表中的 last_login 字段在登录时更新 (TokenObtainPairView)。
    #会更新刷新token
    'ALGORITHM': 'HS256',
    #解码方式hs256
    'SIGNING_KEY': SECRET_KEY,
    'VERIFYING_KEY': None,
    'AUDIENCE': None,
    'ISSUER': None,
    'JWK_URL': None,
    'LEEWAY': 0,

    'AUTH_HEADER_TYPES': ('Bearer',),
    #请求头中协带Authorization: Bearer <token>
    'AUTH_HEADER_NAME': 'HTTP_AUTHORIZATION',
    'USER_ID_FIELD': 'id',
    'USER_ID_CLAIM': 'user_id',
    'USER_AUTHENTICATION_RULE': 'rest_framework_simplejwt.authentication.default_user_authentication_rule',

    'AUTH_TOKEN_CLASSES': ('rest_framework_simplejwt.tokens.AccessToken',),
    'TOKEN_TYPE_CLAIM': 'token_type',
    'TOKEN_USER_CLASS': 'rest_framework_simplejwt.models.TokenUser',

    'JTI_CLAIM': 'jti',

    'SLIDING_TOKEN_REFRESH_EXP_CLAIM': 'refresh_exp',
    'SLIDING_TOKEN_LIFETIME': timedelta(minutes=5),
    'SLIDING_TOKEN_REFRESH_LIFETIME': timedelta(days=1),
}

自定义令牌

from rest_framework_simplejwt.serializers import TokenObtainPairSerializer
from rest_framework_simplejwt.views import TokenObtainPairView

class MyTokenObtainPairSerializer(TokenObtainPairSerializer):
    @classmethod
    def get_token(cls, user):
        token = super().get_token(user)
        #get_token返回
        token['name'] = user.name
        return token
    
# Django project settings.py

SIMPLE_JWT = {
  "TOKEN_OBTAIN_SERIALIZER": "rest_framework_simplejwt.serializers.MyTokenObtainPairSerializer",
  # ...
}

手动创建令牌

from rest_framework_simplejwt.tokens import RefreshToken

def get_tokens_for_user(user):
    refresh = RefreshToken.for_user(user)

    return {
        'refresh': str(refresh),
        'access': str(refresh.access_token),
    }

token的类型

1  access #访问
2  sliding #滑动
3  refresh #刷新

sliding token(性能低)

from rest_framework_simplejwt.views import (
    TokenObtainSlidingView,
    TokenRefreshSlidingView,
)

urlpatterns = [
    path('api/token/', TokenObtainSlidingView.as_view(), name='token_obtain'),
    path('api/token/refresh/', TokenRefreshSlidingView.as_view(), name='token_refresh'),
]

Blacklist app

settings 配置

# Django project settings.py
INSTALLED_APPS = (
    'rest_framework_simplejwt.token_blacklist',
)

#创建 BlacklistMixin 子类实例并调用实例的黑名单方法将令牌列入黑名单：

from rest_framework_simplejwt.tokens import RefreshToken

token = RefreshToken(base64_encoded_token_string)
token.blacklist()

# url
from rest_framework_simplejwt.views import TokenBlacklistView

urlpatterns = [
  path('api/token/blacklist/', TokenBlacklistView.as_view(), name='token_blacklist'),
]

无状态用户身份验证

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_simplejwt.authentication.JWTStatelessUserAuthentication',
    )
}

from rest_framework_simplejwt.serializers import TokenObtainPairSerializer
from rest_framework_simplejwt.views import TokenObtainPairView

class MyTokenObtainPairSerializer(TokenObtainPairSerializer):
    @classmethod
    def get_token(cls, user):
        token = super().get_token(user)
        #get_token返回
        token['name'] = user.name
        return token
#get_token
@classmethod
def for_user(cls, user):
    token = super().for_user(user)
    jti = token[api_settings.JTI_CLAIM]
    exp = token["exp"]
    OutstandingToken.objects.create(
        user=user,
        jti=jti,
        token=str(token),
        created_at=token.current_time,
        expires_at=datetime_from_epoch(exp),
    )

    return token
#for_user
@classmethod
def for_user(cls, user):
    user_id = getattr(user, api_settings.USER_ID_FIELD)
    if not isinstance(user_id, int):
        user_id = str(user_id)
        token = cls()
        token[api_settings.USER_ID_CLAIM] = user_id
        return token
    _token_backend = None