使用Flask 编写的RESTful API,都是完全开放的,任何客户端都能随意调用,如果只是纯粹编写Demo级别的API,倒无所谓,如果企业级开发,必然会涉及到API的安全调用问题, 接下来我们一起探讨这个话题。
生成Token
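from itsdangerous import TimedJSONWebSignatureSerializer as Serializer


@token.route('', methods=['POST'])
def get_token():
    """Issue a signed, time-limited API token for valid credentials.

    Reads ``account``/``password`` from the JSON body, validates them with
    ``LoginForms`` and ``User.verify_account``, and answers
    ``{"token": "<signed token>"}``.  When ``verify_account`` reports a bad
    account/password (a dict carrying ``error_code``) that dict is echoed
    back unchanged; when the form does not validate ``{"msg": <errors>}``
    is returned.  NOTE(review): both failure paths currently answer with
    HTTP 200 -- an API client would normally expect 401/400 here.
    """
    form = LoginForms(data=request.json)
    if not form.validate():
        return jsonify({'msg': form.errors})

    user_info = User.verify_account(form.account.data, form.password.data)
    # verify_account signals a wrong account or password with an 'error_code' key.
    if 'error_code' in user_info:
        return jsonify(user_info)

    expiration = current_app.config['TOKEN_EXPIRATION']
    # Pass the lifetime by keyword: the original positional call
    # create_token(uid, nickname, expiration) landed the configured value in
    # the ``scoped`` slot, so every token silently used the 60 s default.
    signed_token = create_token(user_info['uid'], user_info['nickname'],
                                expiration=expiration)
    return jsonify({'token': signed_token.decode('ascii')})


# uid, nickname: user identity embedded in the token payload
# expiration: token lifetime in seconds
# scoped: permission scope (accepted, but currently not used -- see below)
def create_token(uid, nickname, scoped=None, expiration=60):
    """Serialize ``uid``/``nickname`` into a signed token that expires.

    Args:
        uid: user id written into the token payload.
        nickname: user nickname written into the token payload.
        scoped: permission scope.  Kept for interface compatibility but NOT
            written into the token, so it has no effect on authorization.
        expiration: lifetime in seconds after which ``loads`` raises
            ``SignatureExpired`` (default 60).

    Returns:
        ``bytes`` -- the signed token; callers ``.decode('ascii')`` it.

    Security notes:
    * The payload is signed, not encrypted: anyone holding the token can read
      ``uid`` and ``nickname``.  Do not put secrets in it.
    * The signature is keyed by ``SECRET_KEY``; whoever holds that key can
      mint a token for any uid, so it must be long, random and kept out of
      source control, and tokens must only travel over HTTPS.
    * NOTE(review): ``TimedJSONWebSignatureSerializer`` was removed in
      itsdangerous 2.1; newer code should use ``URLSafeTimedSerializer`` with
      ``max_age`` on ``loads``, or a JWT library.
    """
    serializer = Serializer(current_app.config['SECRET_KEY'],
                            expires_in=expiration)
    return serializer.dumps({
        'uid': uid,
        'nickname': nickname,
    })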
解析Token
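from flask import current_app, g, jsonify
from flask_httpauth import HTTPBasicAuth
from itsdangerous import (
    TimedJSONWebSignatureSerializer as Serializer,
    BadData,
    BadSignature,
    SignatureExpired,
)

auth = HTTPBasicAuth()


# Route protection: verifies the token carried in the Basic-auth username.
@auth.verify_password
def verify_token(token, password):
    """flask_httpauth callback -- the Basic-auth *username* is the token.

    The ``password`` field is ignored.  Returns False (the request is
    rejected before the route body runs) when the token does not verify;
    otherwise stores the decoded ``{'uid', 'nickname'}`` dict on ``g.user``
    and returns True.
    """
    user_info = verify_auth_token(token)
    if not user_info:
        return False
    g.user = user_info
    return True


# Override the default error response with a JSON body.
@auth.error_handler
def error_handler():
    """Uniform JSON body for rejected requests.

    NOTE(review): flask_httpauth is expected to upgrade a 200 result from
    this callback to HTTP 401 and add the WWW-Authenticate header itself;
    confirm this for the installed version, otherwise set the status
    explicitly on the response.
    """
    return jsonify({'code': 401, 'message': 'token不合法'})


def verify_auth_token(token):
    """Verify a token minted by ``create_token`` and return its claims.

    Returns ``{'uid': ..., 'nickname': ...}`` on success, or False when the
    token is malformed, carries a bad signature, has expired, or its payload
    does not hold the expected keys.

    ``BadData`` is the itsdangerous base class for every verification
    failure, so one clause covers ``BadSignature``, ``SignatureExpired`` (a
    ``BadSignature`` subclass -- the original second ``except`` was
    unreachable) and ``BadPayload`` (garbled payload), which the original let
    through as an unhandled exception inside the auth callback.

    Only the signature and expiry are checked -- the payload is not encrypted
    and there is no revocation: a token stays valid until it expires or
    ``SECRET_KEY`` is rotated.  Any other serializer in the app that signs
    with the same key and the default salt would produce tokens this
    function accepts; use a dedicated ``salt`` if that ever applies.
    """
    serializer = Serializer(current_app.config['SECRET_KEY'])
    try:
        data = serializer.loads(token)
    except BadData:  # BadSignature, SignatureExpired, BadPayload, ...
        return False
    # A token we signed always carries both keys; reject anything else
    # instead of raising KeyError from inside the auth callback.
    if not isinstance(data, dict) or 'uid' not in data or 'nickname' not in data:
        return False
    return {
        'uid': data['uid'],
        'nickname': data['nickname'],
    }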