Django RESTful API的令牌身份验证：是否应定期更改令牌？

我正在用Django和构建一个RESTful API

作为身份验证机制，我们选择了“令牌身份验证”，我已经在Django REST框架的文档中实现了它，问题是，应用程序是否应该定期更新/更改令牌，如果是，如何更新/更改？是移动应用程序需要更新令牌，还是web应用程序应该自动更新令牌

最佳做法是什么

这里有谁对Django REST框架有经验并能提出一个技术解决方案吗

---

（最后一个问题的优先级较低）

如果您注意到令牌类似于会话cookie，那么您可以坚持Django中会话cookie的默认生存期：

---

我不知道Django Rest Framework是否会自动处理这些问题，但您可以编写一个简短的脚本，过滤掉过期的内容并将其标记为过期。

让移动客户端定期更新其身份验证令牌是一个很好的做法。这当然取决于服务器来实施

默认TokenAuthentication类不支持此功能，但是您可以对其进行扩展以实现此功能

例如：

别忘了修改URL：

urlpatterns += patterns(
    '',
    url(r'^users/login/?$', '<path_to_file>.obtain_expiring_auth_token'),
)

urlpatterns+=模式(
'',
url（r“^users/login/？$”，获取“正在过期的身份验证令牌”），
)

我已经尝试了@odedfos答案，但是。这里有相同的答案，固定和适当的进口

views.py

from django.utils import timezone
from rest_framework import status
from rest_framework.response import Response
from rest_framework.authtoken.models import Token
from rest_framework.authtoken.views import ObtainAuthToken

class ObtainExpiringAuthToken(ObtainAuthToken):
    def post(self, request):
        serializer = self.serializer_class(data=request.DATA)
        if serializer.is_valid():
            token, created =  Token.objects.get_or_create(user=serializer.object['user'])

            if not created:
                # update the created time of the token to keep it valid
                token.created = datetime.datetime.utcnow().replace(tzinfo=utc)
                token.save()

            return Response({'token': token.key})
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

from datetime import timedelta
from django.conf import settings
from django.utils import timezone
from rest_framework.authentication import TokenAuthentication
from rest_framework import exceptions

EXPIRE_HOURS = getattr(settings, 'REST_FRAMEWORK_TOKEN_EXPIRE_HOURS', 24)

class ExpiringTokenAuthentication(TokenAuthentication):
    def authenticate_credentials(self, key):
        try:
            token = self.model.objects.get(key=key)
        except self.model.DoesNotExist:
            raise exceptions.AuthenticationFailed('Invalid token')

        if not token.user.is_active:
            raise exceptions.AuthenticationFailed('User inactive or deleted')

        if token.created < timezone.now() - timedelta(hours=EXPIRE_HOURS):
            raise exceptions.AuthenticationFailed('Token has expired')

        return (token.user, token)

authentication.py

from django.utils import timezone
from rest_framework import status
from rest_framework.response import Response
from rest_framework.authtoken.models import Token
from rest_framework.authtoken.views import ObtainAuthToken

class ObtainExpiringAuthToken(ObtainAuthToken):
    def post(self, request):
        serializer = self.serializer_class(data=request.DATA)
        if serializer.is_valid():
            token, created =  Token.objects.get_or_create(user=serializer.object['user'])

            if not created:
                # update the created time of the token to keep it valid
                token.created = datetime.datetime.utcnow().replace(tzinfo=utc)
                token.save()

            return Response({'token': token.key})
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

from datetime import timedelta
from django.conf import settings
from django.utils import timezone
from rest_framework.authentication import TokenAuthentication
from rest_framework import exceptions

EXPIRE_HOURS = getattr(settings, 'REST_FRAMEWORK_TOKEN_EXPIRE_HOURS', 24)

class ExpiringTokenAuthentication(TokenAuthentication):
    def authenticate_credentials(self, key):
        try:
            token = self.model.objects.get(key=key)
        except self.model.DoesNotExist:
            raise exceptions.AuthenticationFailed('Invalid token')

        if not token.user.is_active:
            raise exceptions.AuthenticationFailed('User inactive or deleted')

        if token.created < timezone.now() - timedelta(hours=EXPIRE_HOURS):
            raise exceptions.AuthenticationFailed('Token has expired')

        return (token.user, token)

从日期时间导入时间增量
从django.conf导入设置
从django.utils导入时区
从rest\u framework.authentication导入令牌身份验证
从rest_框架导入异常
EXPIRE\u HOURS=getattr（设置“REST\u框架\u令牌\u EXPIRE\u HOURS”，24）
类过期TokenAuthentication（TokenAuthentication）：
def认证_凭据（自身、密钥）：
尝试：
token=self.model.objects.get（key=key）
除self.model.DoesNotExist外：
引发异常。身份验证失败（“无效令牌”）
如果token.user.u未处于活动状态：
引发异常。身份验证失败（“用户不活动或已删除”）
如果token.created

如果有人对该解决方案感兴趣，但想拥有一个在特定时间内有效的令牌，则会被一个新令牌替换，以下是完整的解决方案（Django 1.6）：

yourmodule/views.py：

import datetime
from django.utils.timezone import utc
from rest_framework.authtoken.views import ObtainAuthToken
from rest_framework.authtoken.models import Token
from django.http import HttpResponse
import json

class ObtainExpiringAuthToken(ObtainAuthToken):
    def post(self, request):
        serializer = self.serializer_class(data=request.DATA)
        if serializer.is_valid():
            token, created =  Token.objects.get_or_create(user=serializer.object['user'])

            utc_now = datetime.datetime.utcnow()    
            if not created and token.created < utc_now - datetime.timedelta(hours=24):
                token.delete()
                token = Token.objects.create(user=serializer.object['user'])
                token.created = datetime.datetime.utcnow()
                token.save()

            #return Response({'token': token.key})
            response_data = {'token': token.key}
            return HttpResponse(json.dumps(response_data), content_type="application/json")

        return HttpResponse(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

obtain_expiring_auth_token = ObtainExpiringAuthToken.as_view()

您的项目urls.py（在urlpatterns数组中）：

yourmodule/authentication.py：

import datetime
from django.utils.timezone import utc
from rest_framework.authentication import TokenAuthentication
from rest_framework import exceptions

class ExpiringTokenAuthentication(TokenAuthentication):
    def authenticate_credentials(self, key):

        try:
            token = self.model.objects.get(key=key)
        except self.model.DoesNotExist:
            raise exceptions.AuthenticationFailed('Invalid token')

        if not token.user.is_active:
            raise exceptions.AuthenticationFailed('User inactive or deleted')

        utc_now = datetime.datetime.utcnow()

        if token.created < utc_now - datetime.timedelta(hours=24):
            raise exceptions.AuthenticationFailed('Token has expired')

        return (token.user, token)

你可以利用

此库能够生成具有过期日期的令牌

要了解DRF默认令牌和DRF提供的令牌之间的区别，请查看：

---

我想我应该用DRY给出Django 2.0的答案。有人已经为我们构建了这个，google Django OAuth工具包。可与pip一起使用，

pip安装django oauth工具包

。有关使用路由器添加令牌视图集的说明：。它类似于官方教程

所以基本上OAuth1.0更像是昨天的安全性，这就是TokenAuthentication。为了获得新奇的过期代币，OAuth2.0现在非常流行。您可以获得AccessToken、RefreshToken和scope变量来微调权限。你最终会有这样的信条：

{
    "access_token": "<your_access_token>",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "<your_refresh_token>",
    "scope": "read"
}

{
“访问令牌”：“，
“令牌类型”：“承载者”，
“expires_in”：3600，
“刷新令牌”：“”，
“范围”：“已读”
}

我只是想添加我的，因为这对我很有帮助。我通常使用JWT方法，但有时类似这样的方法更好。我用正确的导入更新了django 2.1的公认答案

身份验证.py

from datetime import timedelta
from django.conf import settings
from django.core.exceptions import ObjectDoesNotExist
from django.utils import timezone
from rest_framework.authentication import TokenAuthentication
from rest_framework import exceptions

EXPIRE_HOURS = getattr(settings, 'REST_FRAMEWORK_TOKEN_EXPIRE_HOURS', 24)


class ExpiringTokenAuthentication(TokenAuthentication):
    def authenticate_credentials(self, key):
        try:
            token = self.get_model().objects.get(key=key)
        except ObjectDoesNotExist:
            raise exceptions.AuthenticationFailed('Invalid token')

        if not token.user.is_active:
            raise exceptions.AuthenticationFailed('User inactive or deleted')

        if token.created < timezone.now() - timedelta(hours=EXPIRE_HOURS):
            raise exceptions.AuthenticationFailed('Token has expired')

    return token.user, token

作者问道

问题是，应用程序是否应该定期更新/更改令牌？如果是，如何更新/更改？是移动应用程序需要更新令牌，还是web应用程序应该自动更新令牌

但所有的答案都是关于如何自动更改令牌的

我认为按令牌定期更改令牌是没有意义的。rest框架创建一个具有40个字符的令牌，如果攻击者每秒测试1000个令牌，则需要

16**40/1000/3600/24/365=4.6*10^7

年才能获得令牌。您不应该担心攻击者会逐个测试您的令牌。即使您更改了您的令牌，猜测您的令牌的概率也是相同的

如果您担心攻击者可能会获得您的令牌，那么您会定期更改它，而不是在攻击者获得令牌后，他也可以更改您的令牌，而不是将真正的用户踢出

您真正应该做的是防止攻击者获取您用户的令牌，使用https

---

顺便说一句，我只是说一个令牌一个令牌的更改是没有意义的，按用户名和密码更改令牌有时是有意义的。可能该令牌用于某个http环境（您应该始终避免这种情况）或某个第三方（在这种情况下，您应该创建不同类型的令牌，使用oauth2），并且当用户正在做一些危险的事情，例如更改绑定邮箱或删除帐户时，您应该确保不再使用原始令牌，因为它可能已被攻击者使用嗅探器或tcpdump工具泄露。

为了继续添加到@odedfos answer，我认为语法已发生一些更改，因此ExpiringTokenAuthentication的代码需要进行一些调整：

from rest_framework.authentication import TokenAuthentication
from datetime import timedelta
from datetime import datetime
import datetime as dtime
import pytz

class ExpiringTokenAuthentication(TokenAuthentication):

    def authenticate_credentials(self, key):
        model = self.get_model()
        try:
            token = model.objects.get(key=key)
        except model.DoesNotExist:
            raise exceptions.AuthenticationFailed('Invalid token')

        if not token.user.is_active:
            raise exceptions.AuthenticationFailed('User inactive or deleted')

        # This is required for the time comparison
        utc_now = datetime.now(dtime.timezone.utc)
        utc_now = utc_now.replace(tzinfo=pytz.utc)

        if token.created < utc_now - timedelta(hours=24):
            raise exceptions.AuthenticationFailed('Token has expired')

        return token.user, token

来自rest\u framework.authentication导入令牌身份验证
从日期时间导入时间增量
从日期时间导入日期时间
将日期时间导入为dtime
进口皮茨
类过期TokenAuthentication（TokenAuthentication）：
def认证_凭据（自身、密钥）：
模式
{
    "access_token": "<your_access_token>",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "<your_refresh_token>",
    "scope": "read"
}

from datetime import timedelta
from django.conf import settings
from django.core.exceptions import ObjectDoesNotExist
from django.utils import timezone
from rest_framework.authentication import TokenAuthentication
from rest_framework import exceptions

EXPIRE_HOURS = getattr(settings, 'REST_FRAMEWORK_TOKEN_EXPIRE_HOURS', 24)


class ExpiringTokenAuthentication(TokenAuthentication):
    def authenticate_credentials(self, key):
        try:
            token = self.get_model().objects.get(key=key)
        except ObjectDoesNotExist:
            raise exceptions.AuthenticationFailed('Invalid token')

        if not token.user.is_active:
            raise exceptions.AuthenticationFailed('User inactive or deleted')

        if token.created < timezone.now() - timedelta(hours=EXPIRE_HOURS):
            raise exceptions.AuthenticationFailed('Token has expired')

    return token.user, token

import datetime
from pytz import utc
from rest_framework import status
from rest_framework.response import Response
from rest_framework.authtoken.models import Token
from rest_framework.authtoken.views import ObtainAuthToken
from rest_framework.authtoken.serializers import AuthTokenSerializer


class ObtainExpiringAuthToken(ObtainAuthToken):
    def post(self, request, **kwargs):
        serializer = AuthTokenSerializer(data=request.data)

        if serializer.is_valid():
            token, created = Token.objects.get_or_create(user=serializer.validated_data['user'])
            if not created:
                # update the created time of the token to keep it valid
                token.created = datetime.datetime.utcnow().replace(tzinfo=utc)
                token.save()

            return Response({'token': token.key})
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

from rest_framework.authentication import TokenAuthentication
from datetime import timedelta
from datetime import datetime
import datetime as dtime
import pytz

class ExpiringTokenAuthentication(TokenAuthentication):

    def authenticate_credentials(self, key):
        model = self.get_model()
        try:
            token = model.objects.get(key=key)
        except model.DoesNotExist:
            raise exceptions.AuthenticationFailed('Invalid token')

        if not token.user.is_active:
            raise exceptions.AuthenticationFailed('User inactive or deleted')

        # This is required for the time comparison
        utc_now = datetime.now(dtime.timezone.utc)
        utc_now = utc_now.replace(tzinfo=pytz.utc)

        if token.created < utc_now - timedelta(hours=24):
            raise exceptions.AuthenticationFailed('Token has expired')

        return token.user, token

from rest_framework.authentication import TokenAuthentication
from datetime import timedelta
from datetime import datetime
import datetime as dtime
import pytz

class ExpiringTokenAuthentication(TokenAuthentication):

    def authenticate_credentials(self, key):
        model = self.get_model()
        try:
            token = model.objects.get(key=key)
        except model.DoesNotExist:
            raise exceptions.AuthenticationFailed('Invalid token')

        if not token.user.is_active:
            raise exceptions.AuthenticationFailed('User inactive or deleted')

        # This is required for the time comparison
        utc_now = datetime.now(dtime.timezone.utc)
        utc_now = utc_now.replace(tzinfo=pytz.utc)

        if token.created < utc_now - timedelta(minutes=15):  # TOKEN WILL EXPIRE AFTER 15 MINUTES OF INACTIVITY
            token.delete() # ADDED THIS LINE SO THAT EXPIRED TOKEN IS DELETED
            raise exceptions.AuthenticationFailed('Token has expired')
        else: 
            token.created = utc_now #THIS WILL SET THE token.created TO CURRENT TIME WITH EVERY REQUEST
            token.save() #SAVE THE TOKEN

        return token.user, token