我正在尝试创建一个中间件来使用JWT进行身份验证,但在视图中,request.user始终是AnonymUser。
当我验证中间件通过用户模型更改request.user时,它确实如此,但在到达视图时,由于某种原因,request.user始终是anonymousUser
我使用Django 1.11
# coding=utf-8
from django.utils.functional import SimpleLazyObject
from django.utils.deprecation import MiddlewareMixin
from django.contrib.auth.models import AnonymousUser, User
from django.conf import settings
from django.contrib.auth.middleware import get_user
from rest_framework_jwt.authentication import JSONWebTokenAuthentication
import jwt
import json
class JWTAuthenticationMiddleware(MiddlewareMixin):
def process_request(self, request):
request.user = SimpleLazyObject(lambda: self.__class__.get_jwt_user(request))
@staticmethod
def get_jwt_user(request):
user_jwt = get_user(request)
if user_jwt.is_authenticated():
return user_jwt
token = request.META.get('HTTP_AUTHORIZATION', None)
user_jwt = None
if token is not None:
try:
user_jwt = jwt.decode(
token,
settings.SECRET_KEY,
algorithms=['HS256']
)
user_jwt = User.objects.get(
id=user_jwt['user_id']
)
except Exception as e:
user_jwt = AnonymousUser
return user_jwt
MIDDLEWARE = [
'corsheaders.middleware.CorsMiddleware',
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'user.middlewares.JWTAuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
答案 0 :(得分:1)
我试图复制你的错误,但在我的情况下,它运作良好,我认为你的问题的根本原因是异常处理方法。 jwt.decode可以引发多种类型的异常,包括DecodeError,ExpiredSignatureError,InvalidKeyError等等,甚至从jwt.decode检索到的dict都没有'user_id'键。 / p>
这是一个完全有效的代码
# coding=utf-8
import jwt
import traceback
from django.utils.functional import SimpleLazyObject
from django.utils.deprecation import MiddlewareMixin
from django.contrib.auth.models import AnonymousUser, User
from django.conf import LazySettings
from django.contrib.auth.middleware import get_user
settings = LazySettings()
class JWTAuthenticationMiddleware(MiddlewareMixin):
def process_request(self, request):
request.user = SimpleLazyObject(lambda: self.__class__.get_jwt_user(request))
@staticmethod
def get_jwt_user(request):
user_jwt = get_user(request)
if user_jwt.is_authenticated():
return user_jwt
token = request.META.get('HTTP_AUTHORIZATION', None)
user_jwt = AnonymousUser()
if token is not None:
try:
user_jwt = jwt.decode(
token,
settings.WP_JWT_TOKEN,
)
user_jwt = User.objects.get(
id=user_jwt['data']['user']['id']
)
except Exception as e: # NoQA
traceback.print_exc()
return user_jwt
只需要考虑几个因素,使用LazySettings设置Check this thread
总是一个好习惯这也是我的中间件订单
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'corsheaders.middleware.CorsMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'applications.custom_authentication.middleware.JWTAuthenticationMiddleware', # This is my middleware
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
请记住将自定义中间件放在django.contrib.auth.middleware.AuthenticationMiddleware中间件
答案 1 :(得分:1)
尝试使用此中间件:
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'corsheaders.middleware.CorsMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'applications.custom_authentication.middleware.JWTAuthenticationMiddleware', # This is my middleware
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]