基于Django实现
在使用RestFramework之前我们先用Django自己实现以下API。
API完全可以有我们基于Django自己开发,原理是给出一个接口(URL),前端向URL发送请求以获取数据。这样能实现前后端分离的效果。但Django实现的API许多功能都需要我们自己写。
URL
from django.contrib import admin
from django.conf.urls import url, include
from app01 import views
from app02 import views urlpatterns = [
url('admin/', admin.site.urls),
url('app02/', include('app02.urls'))#路由分发
]
全局路由
from app02 import views
from django.conf.urls import url
urlpatterns = [
url('^users/', views.users),
url('^user/(\d+)', views.user),
#######FBV与CBV的分界线########
url('^users/', views.UsersView.as_view()),
url('^user/', views.UserView.as_view()),
]
app02/urls.py
views.py
FBV
from django.shortcuts import render,HttpResponse import json def users(request):
response = {'code':1000,'data':None} #code用来表示状态,比如1000代表成功,1001代表
response['data'] = [
{'name':'Damon','age':22},
{'name':'Stefan','age':10},
{'name':'Elena','age':11},
]
return HttpResponse(json.dumps(response)) #返回就送字符串,前端解析 def user(request,pk):
if request.method =='GET':
return HttpResponse(json.dumps({'name':'Stefan','age':11})) #返回一条数据
elif request.method =='POST':
return HttpResponse(json.dumps({'code':1111})) #返回一条数据
elif request.method =='PUT':
pass
elif request.method =='DELETE':
pass
FBV
CBV
from django.views import View
class UsersView(View):
def get(self,request):
response = {'code':1000,'data':None}
response['data'] = [
{'name': 'Damon', 'age': 22},
{'name': 'Stefan', 'age': 10},
{'name': 'Elena', 'age': 11},
]
return HttpResponse(json.dumps(response),stutas=200) class UserView(View):
def get(self,request,pk):
return HttpResponse(json.dumps({'name':'haiyan','age':11})) #返回一条数据
def post(self,request,pk):
return HttpResponse(json.dumps({'code':1111})) #返回一条数据
def put(self,request,pk):
pass
def delete(self,request,pk):
pass
CBV
注:通常我们在前后端分离进行编程时会推崇使用CBV的形式,CBV的代码可读性较高。
基于RestFramework实现
安装:
pip3 install djangorestframework -i http://pypi.douban.com/simple/ --trusted-host=pypi.douban.com
RestFramework可以直接在Django中使用,安装完RestFramework后在Django中可以当做模块一般导入即可使用。(记得在settings.py中进行注册,如app)
URL与基于Django实现相同,这里选用CBV的形式
from app02 import views
from django.conf.urls import url
urlpatterns = [
url('^users/', views.UsersView.as_view()),#CBV必须要有as_view()
url('^user/', views.UserView.as_view()),
]
views.py
CBV
#导入rest_framework,自定义视图的类需继承APIView
from rest_framework.views import APIView
from rest_framework.response import Response class TestView(APIView):
def dispatch(self, request, *args, **kwargs):
"""
请求到来之后,在url中执行as_view()就会执行dispatch方法,dispatch方法是APIView类中内置的,根据请求方式不同触发 get/post/put等方法。可自定制~ 注意:APIView中的dispatch方法有好多好多的功能
"""
return super().dispatch(request, *args, **kwargs) def get(self, request, *args, **kwargs):
return Response('GET请求,响应内容') def post(self, request, *args, **kwargs):
return Response('POST请求,响应内容') def put(self, request, *args, **kwargs):
return Response('PUT请求,响应内容')
注:重要的功都在APIView的dispatch中触发。要掌握RestFramework,必须弄懂dispatch方法做了些什么,这样我们才可以根据自己的需求进行自定制。
dispatch基本源码剖析
我们在继承了APIView之后就可以重写里面的方法进行自定制。此时我们需要先弄懂APIView里到底封装了哪些方法。在APIView中,最重要的就是dispatch方法。
请求在url中执行as_view()时就会触发dispatch,进入源码我们可以看到dispatch主要做了四件事:
#在APIView类中:
def dispatch(self, request, *args, **kwargs):
"""
`.dispatch()` is pretty much the same as Django's regular dispatch,
but with extra hooks for startup, finalize, and exception handling.
"""
self.args = args
self.kwargs = kwargs
# 1.封装Django原始的request,使得用了framework以后的request都具有更多功能
"""
增加的功能
parsers=self.get_parsers(),
authenticators=self.get_authenticators(),#获取认证相关的所有类并实例化,传入request对象
negotiator=self.get_content_negotiator(),
parser_context=parser_context
"""
request = self.initialize_request(request, *args, **kwargs)
self.request = request#将封装后的request赋值给原始request
self.headers = self.default_response_headers # deprecate? try:
"""
2.版本处理、用户认证、权限、访问频率限制
"""
self.initial(request, *args, **kwargs) # Get the appropriate handler method
if request.method.lower() in self.http_method_names:
handler = getattr(self, request.method.lower(),
self.http_method_not_allowed)
else:
handler = self.http_method_not_allowed
#3.执行函数get/post/put/delete
response = handler(request, *args, **kwargs) except Exception as exc:
response = self.handle_exception(exc)
#4.对返回结果进行再次加工
self.response = self.finalize_response(request, response, *args, **kwargs)
return self.response
接下来我们对每一步进行具体的分析
第一步:封装request
request = self.initialize_request(request, *args, **kwargs)
#查看initialize_request做了什么
def initialize_request(self, request, *args, **kwargs):
"""
Returns the initial request object.
"""
parser_context = self.get_parser_context(request) return Request(
request,
parsers=self.get_parsers(),
authenticators=self.get_authenticators(),#获取认证相关的所有类并实例化,传入request对象。优先找自己的,没有就找父类的
negotiator=self.get_content_negotiator(),
parser_context=parser_context
)
1.1、我们看到request封装了一个认证的功能——获取认证相关的所有的类并实例化,看看get_authenticators()做了什么
def get_authenticators(self):
"""
Instantiates and returns the list of authenticators that this view can use.
"""
#返回的是对象列表[SessionAuthentication,BaseAuthentication]
return [auth() for auth in self.authentication_classes] #self.authentication_classes是封装有认证功能的类的列表
authentication_classes = api_settings.DEFAULT_AUTHENTICATION_CLASSES #默认的,如果自己有会优先执行直接的
1.2、去settings.py查看默认的配置是什么
DEFAULTS = {
# Base API policies
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.SessionAuthentication', #这时候就找到了他默认认证的类了,可以导入看看
'rest_framework.authentication.BasicAuthentication'
),
1.3、导入SessionAutentication和BasicAuthentication查看这两个雷兜风装了什么功能
from rest_framework.authentication import SessionAuthentication
from rest_framework.authentication import BaseAuthentication
class BaseAuthentication(object):
"""
All authentication classes should extend BaseAuthentication.
""" def authenticate(self, request):
"""
Authenticate the request and return a two-tuple of (user, token).
"""
raise NotImplementedError(".authenticate() must be overridden.") def authenticate_header(self, request):
"""
Return a string to be used as the value of the `WWW-Authenticate`
header in a `401 Unauthenticated` response, or `None` if the
authentication scheme should return `403 Permission Denied` responses.
"""
pass
BaseAuthentication
class BasicAuthentication(BaseAuthentication):
"""
HTTP Basic authentication against username/password.
"""
www_authenticate_realm = 'api' def authenticate(self, request):
"""
Returns a `User` if a correct username and password have been supplied
using HTTP Basic authentication. Otherwise returns `None`.
"""
auth = get_authorization_header(request).split() if not auth or auth[0].lower() != b'basic':
return None #返回none不处理。让下一个处理 if len(auth) == 1:
msg = _('Invalid basic header. No credentials provided.')
raise exceptions.AuthenticationFailed(msg)
elif len(auth) > 2:
msg = _('Invalid basic header. Credentials string should not contain spaces.')
raise exceptions.AuthenticationFailed(msg) try:
auth_parts = base64.b64decode(auth[1]).decode(HTTP_HEADER_ENCODING).partition(':') #用partition切割冒号也包括
except (TypeError, UnicodeDecodeError, binascii.Error):
msg = _('Invalid basic header. Credentials not correctly base64 encoded.')
raise exceptions.AuthenticationFailed(msg) userid, password = auth_parts[0], auth_parts[2] # 返回用户和密码
return self.authenticate_credentials(userid, password, request) def authenticate_credentials(self, userid, password, request=None):
"""
Authenticate the userid and password against username and password
with optional request for context.
"""
credentials = {
get_user_model().USERNAME_FIELD: userid,
'password': password
}
user = authenticate(request=request, **credentials) if user is None:
raise exceptions.AuthenticationFailed(_('Invalid username/password.')) if not user.is_active:
raise exceptions.AuthenticationFailed(_('User inactive or deleted.')) return (user, None) def authenticate_header(self, request):
return 'Basic realm="%s"' % self.www_authenticate_realm
BasicAuthentication
1.4、简单自定制认证的类
我们可以看到源码中最重要的就是BasicAuthentication的authenticate方法,所以要自定制认证的类只需重写该方法即可
class MyAuthentication(BaseAuthentication):
def authenticate(self, request):
token = request.query_params.get('token')#登录用户有tocken字段
obj = models.UserInfo.objects.filter(token=token).first()
if obj:
return (obj.username,obj)
return None def authenticate_header(self, request):
pass
第二步、版本处理、认证、权限、访问频率限制
self.initial(request, *args, **kwargs) #查看initial方法做了什么
def initial(self, request, *args, **kwargs):
"""
Runs anything that needs to occur prior to calling the method handler.
"""
self.format_kwarg = self.get_format_suffix(**kwargs) # Perform content negotiation and store the accepted info on the request
neg = self.perform_content_negotiation(request)
request.accepted_renderer, request.accepted_media_type = neg # Determine the API version, if versioning is in use.
#2.1 处理版本信息,获取版本必须用version
version, scheme = self.determine_version(request, *args, **kwargs)
request.version, request.versioning_scheme = version, scheme # Ensure that the incoming request is permitted
#2.2认证,将user封装到request对象中
self.perform_authentication(request)
#2.3 权限
self.check_permissions(request)
#2.4 对请求用户进行访问频率的限制
self.check_throttles(request)
2.2.1、认证:查看perform_authentication方法,发现只是将user封装到了request中
def perform_authentication(self, request): request.user
2.2.2、查看request.user中都封装了什么
class Request(object):
@property
def user(self):
"""
Returns the user associated with the current request, as authenticated
by the authentication classes provided to the request.
"""
if not hasattr(self, '_user'):
self._authenticate()#执行用户认证
return self._user
2.2.3、执行self._authenticate() 开始用户认证,如果验证成功后返回元组: (用户,用户Token)
def _authenticate(self):
"""
Attempt to authenticate the request using each authentication instance
in turn.
"""
#循环对象列表
for authenticator in self.authenticators:
try:
# 执行每一个对象的authenticate 方法
user_auth_tuple = authenticator.authenticate(self)
except exceptions.APIException:
self._not_authenticated()
raise if user_auth_tuple is not None:
self._authenticator = authenticator
self.user, self.auth = user_auth_tuple#返回一个元组,赋给了self,就可以request.user,request.auth了
return self._not_authenticated()
2.2.4、在user_auth_tuple = authenticator.authenticate(self) 进行验证,如果验证成功,执行类里的authenticatie方法。如果用户没有认证成功:self._not_authenticated()
def _not_authenticated(self):
"""
Set authenticator, user & authtoken representing an unauthenticated request. Defaults are None, AnonymousUser & None.
"""
# 如果跳过了所有认证,默认用户和Token和使用配置文件进行设置
self._authenticator = None if api_settings.UNAUTHENTICATED_USER:
self.user = api_settings.UNAUTHENTICATED_USER()# 默认值为:匿名用户AnonymousUser
else:
self.user = None# None 表示跳过该认证 if api_settings.UNAUTHENTICATED_TOKEN:
self.auth = api_settings.UNAUTHENTICATED_TOKEN()# 默认值为:None
else:
self.auth = None #默认值都可以在settings.py中进行自定制配置
REST_FRAMEWORK = {
'UNAUTHENTICATED_USER': None,
'UNAUTHENTICATED_TOKEN': None, }
2.3.、权限控制
######check_permissions方法#######
def check_permissions(self, request):
"""
Check if the request should be permitted.
Raises an appropriate exception if the request is not permitted.
"""
for permission in self.get_permissions():#寻找类中的get_permissions()方法
if not permission.has_permission(request, self):#无权限则抛出异常
self.permission_denied(
request, message=getattr(permission, 'message', None)
) ######get_permissions方法#######
def get_permissions(self):
"""
Instantiates and returns the list of permissions that this view requires.
"""
return [permission() for permission in self.permission_classes]#去settings.py中查是否有权限配置
2.4、对访问频率进行限制(以下简称限流)
限流的主要目的还是为了防爬。一个网站的最终目的是为了让人去访问的,但是有时候会有一些人工智能做一些对网站有伤害的事,这时候我们就需要进行相应的限制了。权限的分配是一种对网站的保护的限制,但有些功能(比如看新闻、看动态等)是不需要任何权限只需要进入网站就可以查看的,这时我们就需要进行相应的限流操作,区分出非人类的用户访问予以限制。
def check_throttles(self, request):
"""
Check if request should be throttled.
Raises an appropriate exception if the request is throttled.
"""
"""
循环每一个throttle对象,执行allow_request方法
allow_request:
返回False,说明限制访问频率
返回True,说明不限制,通行
可自定制
"""
for throttle in self.get_throttles():
if not throttle.allow_request(request, self):
self.throttled(request, throttle.wait())#throttle.wait()表示多少秒后可再次访问
from __future__ import unicode_literals import time from django.core.cache import cache as default_cache
from django.core.exceptions import ImproperlyConfigured from rest_framework.settings import api_settings class BaseThrottle(object):
"""
Rate throttling of requests.
""" def allow_request(self, request, view):
"""
Return `True` if the request should be allowed, `False` otherwise.
"""
raise NotImplementedError('.allow_request() must be overridden') def get_ident(self, request):#唯一标识
"""
Identify the machine making the request by parsing HTTP_X_FORWARDED_FOR
if present and number of proxies is > 0. If not use all of
HTTP_X_FORWARDED_FOR if it is available, if not use REMOTE_ADDR.
"""
xff = request.META.get('HTTP_X_FORWARDED_FOR')
remote_addr = request.META.get('REMOTE_ADDR')#获取IP等
num_proxies = api_settings.NUM_PROXIES#获取代理信息 if num_proxies is not None:
if num_proxies == 0 or xff is None:
return remote_addr
addrs = xff.split(',')
client_addr = addrs[-min(num_proxies, len(addrs))]
return client_addr.strip() return ''.join(xff.split()) if xff else remote_addr def wait(self):
"""
Optionally, return a recommended number of seconds to wait before
the next request.
"""
return None#等待时长,可重写
BaseThrottle
class SimpleRateThrottle(BaseThrottle):
"""
一个简单的缓存实现,只需要` get_cache_key() `。被覆盖。
速率(请求/秒)是由视图上的“速率”属性设置的。类。该属性是一个字符串的形式number_of_requests /期。
周期应该是:(的),“秒”,“M”,“min”,“h”,“小时”,“D”,“一天”。
以前用于节流的请求信息存储在高速缓存中。
A simple cache implementation, that only requires `.get_cache_key()`
to be overridden. The rate (requests / seconds) is set by a `throttle` attribute on the View
class. The attribute is a string of the form 'number_of_requests/period'. Period should be one of: ('s', 'sec', 'm', 'min', 'h', 'hour', 'd', 'day') Previous request information used for throttling is stored in the cache.
"""
cache = default_cache
timer = time.time
cache_format = 'throttle_%(scope)s_%(ident)s'
scope = None
THROTTLE_RATES = api_settings.DEFAULT_THROTTLE_RATES def __init__(self):
if not getattr(self, 'rate', None):
self.rate = self.get_rate()#点进去看到需要些一个scope ,2/m
self.num_requests, self.duration = self.parse_rate(self.rate) def get_cache_key(self, request, view):#这个相当于是一个半成品,我们可以来补充它
"""
Should return a unique cache-key which can be used for throttling.
Must be overridden. May return `None` if the request should not be throttled.
"""
raise NotImplementedError('.get_cache_key() must be overridden') def get_rate(self):
"""
Determine the string representation of the allowed request rate.
"""
if not getattr(self, 'scope', None):#检测必须有scope,没有就报错了
msg = ("You must set either `.scope` or `.rate` for '%s' throttle" %
self.__class__.__name__)
raise ImproperlyConfigured(msg) try:
return self.THROTTLE_RATES[self.scope]
except KeyError:
msg = "No default throttle rate set for '%s' scope" % self.scope
raise ImproperlyConfigured(msg) def parse_rate(self, rate):
"""
Given the request rate string, return a two tuple of:
<allowed number of requests>, <period of time in seconds>
"""
if rate is None:
return (None, None)
num, period = rate.split('/')
num_requests = int(num)
duration = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}[period[0]]
return (num_requests, duration) # 1、一进来首先执行,
def allow_request(self, request, view):
"""
Implement the check to see if the request should be throttled. On success calls `throttle_success`.
On failure calls `throttle_failure`.
"""
if self.rate is None:
return True self.key = self.get_cache_key(request, view)#2、执行get_cache_key
if self.key is None:
return True#不限制 self.history = self.cache.get(self.key, [])#3、得到的key,默认是一个列表,赋值给了self.history,
# self.history可以理解为每一个ip对应的访问记录
self.now = self.timer() # Drop any requests from the history which have now passed the
# throttle duration
while self.history and self.history[-1] <= self.now - self.duration:
self.history.pop()
if len(self.history) >= self.num_requests:
return self.throttle_failure()
return self.throttle_success() def throttle_success(self):
"""
Inserts the current request's timestamp along with the key
into the cache.
"""
self.history.insert(0, self.now)
self.cache.set(self.key, self.history, self.duration)
return True def throttle_failure(self):
"""
Called when a request to the API has failed due to throttling.
"""
return False def wait(self):
"""
Returns the recommended next request time in seconds.
"""
if self.history:
remaining_duration = self.duration - (self.now - self.history[-1])
else:
remaining_duration = self.duration available_requests = self.num_requests - len(self.history) + 1
if available_requests <= 0:
return None return remaining_duration / float(available_requests)
SimpleRateThrottle
第三步、执行函数get/post/put/delete
if request.method.lower() in self.http_method_names:#http_method_names = ['get', 'post', 'put', 'patch', 'delete', 'head', 'options', 'trace']
handler = getattr(self, request.method.lower(),self.http_method_not_allowed)#反射
else:
handler = self.http_method_not_allowed#抛出异常
第四步、对返回结果进行再次加工