詳解Django的CSRF認證

 

1.csrf原理

csrf要求發送post,put或delete請求的時候,是先以get方式發送請求,服務端響應時會分配一個隨機字符串給客戶端,客戶端第二次發送post,put或delete請求時攜帶上次分配的隨機字符串到服務端進行校驗

2.Django中的CSRF中間件

首先,咱們知道Django中間件做用於整個項目。javascript

在一個項目中,若是想對全局全部視圖函數或視圖類起做用時,就能夠在中間件中實現,好比想實現用戶登陸判斷,基於用戶的權限管理(RBAC)等均可以在Django中間件中來進行操做java

Django內置了不少中間件,其中之一就是CSRF中間件sql

MIDDLEWARE_CLASSES = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

上面第四個就是Django內置的CSRF中間件django

3.Django中間件的執行流程

Django中間件中最多能夠定義5個方法markdown

process_request
process_response
process_view
process_exception
process_template_response

Django中間件的執行順序cookie

1.請求進入到Django後,會按中間件的註冊順序執行每一箇中間件中的process_request方法 若是全部的中間件的process_request方法都沒有定義return語句,則進入路由映射,進行url匹配 不然直接執行return語句,返回響應給客戶端 2.依次按順序執行中間件中的process_view方法 若是某個中間件的process_view方法沒有return語句,則根據第1步中匹配到的URL執行對應的視圖函數或視圖類 若是某個中間件的process_view方法中定義了return語句,則後面的視圖函數或視圖類不會執行,程序會直接返回 3.視圖函數或視圖類執行完成以後,會按照中間件的註冊順序逆序執行中間件中的process_response方法 若是中間件中定義了return語句,程序會正常執行,把視圖函數或視圖類的執行結果返回給客戶端 不然程序會拋出異常 4.程序在視圖函數或視圖類的正常執行過程當中 若是出現異常,則會執行按順序執行中間件中的process_exception方法 不然process_exception方法不會執行 若是某個中間件的process_exception方法中定義了return語句,則後面的中間件中的process_exception方法不會繼續執行了 5.若是視圖函數或視圖類中使用render方法來向客戶端返回數據,則會觸發中間件中的process_template_response方法

4.Django CSRF中間件的源碼解析

Django CSRF中間件的源碼session

class CsrfViewMiddleware(MiddlewareMixin):

    def _accept(self, request):
        request.csrf_processing_done = True
        return None

    def _reject(self, request, reason):
        logger.warning(
            'Forbidden (%s): %s', reason, request.path,
            extra={
                'status_code': 403,
                'request': request,
            }
        )
        return _get_failure_view()(request, reason=reason)

    def _get_token(self, request):
        if settings.CSRF_USE_SESSIONS:
            try:
                return request.session.get(CSRF_SESSION_KEY)
            except AttributeError:
                raise ImproperlyConfigured(
                    'CSRF_USE_SESSIONS is enabled, but request.session is not '
                    'set. SessionMiddleware must appear before CsrfViewMiddleware '
                    'in MIDDLEWARE%s.' % ('_CLASSES' if settings.MIDDLEWARE is None else '')
                )
        else:
            try:
                cookie_token = request.COOKIES[settings.CSRF_COOKIE_NAME]
            except KeyError:
                return None

            csrf_token = _sanitize_token(cookie_token)
            if csrf_token != cookie_token:
                # Cookie token needed to be replaced;
                # the cookie needs to be reset.
                request.csrf_cookie_needs_reset = True
            return csrf_token

    def _set_token(self, request, response):
        if settings.CSRF_USE_SESSIONS:
            request.session[CSRF_SESSION_KEY] = request.META['CSRF_COOKIE']
        else:
            response.set_cookie(
                settings.CSRF_COOKIE_NAME,
                request.META['CSRF_COOKIE'],
                max_age=settings.CSRF_COOKIE_AGE,
                domain=settings.CSRF_COOKIE_DOMAIN,
                path=settings.CSRF_COOKIE_PATH,
                secure=settings.CSRF_COOKIE_SECURE,
                httponly=settings.CSRF_COOKIE_HTTPONLY,
            )
            patch_vary_headers(response, ('Cookie',))

    def process_request(self, request):
        csrf_token = self._get_token(request)
        if csrf_token is not None:
            # Use same token next time.
            request.META['CSRF_COOKIE'] = csrf_token

    def process_view(self, request, callback, callback_args, callback_kwargs):
        if getattr(request, 'csrf_processing_done', False):
            return None

        if getattr(callback, 'csrf_exempt', False):
            return None

        if request.method not in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
            if getattr(request, '_dont_enforce_csrf_checks', False):
                return self._accept(request)

            if request.is_secure():
                referer = force_text(
                    request.META.get('HTTP_REFERER'),
                    strings_only=True,
                    errors='replace'
                )
                if referer is None:
                    return self._reject(request, REASON_NO_REFERER)

                referer = urlparse(referer)

                if '' in (referer.scheme, referer.netloc):
                    return self._reject(request, REASON_MALFORMED_REFERER)

                if referer.scheme != 'https':
                    return self._reject(request, REASON_INSECURE_REFERER)

                good_referer = (
                    settings.SESSION_COOKIE_DOMAIN
                    if settings.CSRF_USE_SESSIONS
                    else settings.CSRF_COOKIE_DOMAIN
                )
                if good_referer is not None:
                    server_port = request.get_port()
                    if server_port not in ('443', '80'):
                        good_referer = '%s:%s' % (good_referer, server_port)
                else:
                    good_referer = request.get_host()

                good_hosts = list(settings.CSRF_TRUSTED_ORIGINS)
                good_hosts.append(good_referer)

                if not any(is_same_domain(referer.netloc, host) for host in good_hosts):
                    reason = REASON_BAD_REFERER % referer.geturl()
                    return self._reject(request, reason)

            csrf_token = request.META.get('CSRF_COOKIE')
            if csrf_token is None:
                return self._reject(request, REASON_NO_CSRF_COOKIE)

            request_csrf_token = ""
            if request.method == "POST":
                try:
                    request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
                except IOError:
                    pass

            if request_csrf_token == "":
                request_csrf_token = request.META.get(settings.CSRF_HEADER_NAME, '')

            request_csrf_token = _sanitize_token(request_csrf_token)
            if not _compare_salted_tokens(request_csrf_token, csrf_token):
                return self._reject(request, REASON_BAD_TOKEN)

        return self._accept(request)

    def process_response(self, request, response):
        if not getattr(request, 'csrf_cookie_needs_reset', False):
            if getattr(response, 'csrf_cookie_set', False):
                return response

        if not request.META.get("CSRF_COOKIE_USED", False):
            return response

        self._set_token(request, response)
        response.csrf_cookie_set = True
        return response

從上面的源碼中能夠看到,CsrfViewMiddleware中間件中定義了process_request,process_view和process_response三個方法app

先來看process_request方法dom

def _get_token(self, request):  
    if settings.CSRF_USE_SESSIONS:  
        try:  
            return request.session.get(CSRF_SESSION_KEY)  
        except AttributeError:  
            raise ImproperlyConfigured(  
                'CSRF_USE_SESSIONS is enabled, but request.session is not '  
 'set. SessionMiddleware must appear before CsrfViewMiddleware ' 'in MIDDLEWARE%s.' % ('_CLASSES' if settings.MIDDLEWARE is None else '')  
            )  
    else:  
        try:  
            cookie_token = request.COOKIES[settings.CSRF_COOKIE_NAME]  
        except KeyError:  
            return None  
  
  csrf_token = _sanitize_token(cookie_token)  
        if csrf_token != cookie_token:  
            # Cookie token needed to be replaced;  
 # the cookie needs to be reset.  request.csrf_cookie_needs_reset = True  
 return csrf_token

def process_request(self, request):  
        csrf_token = self._get_token(request)  
        if csrf_token is not None:  
            # Use same token next time.  
      request.META['CSRF_COOKIE'] = csrf_token

從Django項目配置文件夾中讀取CSRF_USE_SESSIONS的值,若是獲取成功,則從session中讀取CSRF_SESSION_KEY的值,默認爲'_csrftoken',若是沒有獲取到CSRF_USE_SESSIONS的值,則從發送過來的請求中獲取CSRF_COOKIE_NAME的值,若是沒有定義則返回None。函數

再來看process_view方法

在process_view方法中,先檢查視圖函數是否被csrf_exempt裝飾器裝飾,若是視圖函數沒有被csrf_exempt裝飾器裝飾,則程序繼續執行,不然返回None。接着從request請求頭中或者cookie中獲取攜帶的token並進行驗證,驗證經過纔會繼續執行與URL匹配的視圖函數,不然就返回403 Forbidden錯誤。

實際項目中,會在發送POST,PUT,DELETE,PATCH請求時,在提交的form表單中添加

{% csrf_token %}

便可,不然會出現403的錯誤

5.csrf_exempt裝飾器和csrf_protect裝飾器

5.1 基於Django FBV

在一個項目中,若是註冊起用了CsrfViewMiddleware中間件,則項目中全部的視圖函數和視圖類在執行過程當中都要進行CSRF驗證。

此時想使某個視圖函數或視圖類不進行CSRF驗證,則可使用csrf_exempt裝飾器裝飾不想進行CSRF驗證的視圖函數

from django.views.decorators.csrf import csrf_exempt

@csrf_exempt  
def index(request):  
    pass

也能夠把csrf_exempt裝飾器直接加在URL路由映射中,使某個視圖函數不通過CSRF驗證

from django.views.decorators.csrf import csrf_exempt  
  
from users import views  
 
urlpatterns = [  
    url(r'^admin/', admin.site.urls),  
    url(r'^index/',csrf_exempt(views.index)),  
]

一樣的,若是在一個Django項目中,沒有註冊起用CsrfViewMiddleware中間件,可是想讓某個視圖函數進行CSRF驗證,則可使用csrf_protect裝飾器

csrf_protect裝飾器的用法跟csrf_exempt裝飾器用法相同,均可以加上視圖函數上方裝飾視圖函數或者在URL路由映射中直接裝飾視圖函數

from django.views.decorators.csrf import csrf_exempt  

@csrf_protect  
def index(request):  
    pass

或者

from django.views.decorators.csrf import csrf_protect  
  
from users import views  
 
urlpatterns = [  
    url(r'^admin/', admin.site.urls),  
    url(r'^index/',csrf_protect(views.index)),  
]

5.1 基於Django CBV

上面的狀況是基於Django FBV的,若是是基於Django CBV,則不能夠直接加在視圖類的視圖函數中了

此時有三種方式來對Django CBV進行CSRF驗證或者不進行CSRF驗證

方法一,在視圖類中定義dispatch方法,爲dispatch方法加csrf_exempt裝飾器

from django.views.decorators.csrf import csrf_exempt
from django.utils.decorators import method_decorator

class UserAuthView(View):

    @method_decorator(csrf_exempt)
    def dispatch(self, request, *args, **kwargs):
        return super(UserAuthView,self).dispatch(request,*args,**kwargs)

    def get(self,request,*args,**kwargs):
        pass

    def post(self,request,*args,**kwargs):
        pass

    def put(self,request,*args,**kwargs):
        pass

    def delete(self,request,*args,**kwargs):
        pass
方法二:爲視圖類上方添加裝飾器
@method_decorator(csrf_exempt,name='dispatch')
class UserAuthView(View):
    def get(self,request,*args,**kwargs):
        pass

    def post(self,request,*args,**kwargs):
        pass

    def put(self,request,*args,**kwargs):
        pass

    def delete(self,request,*args,**kwargs):
        pass

方式三:在url.py中爲類添加裝飾器

from django.views.decorators.csrf import csrf_exempt

urlpatterns = [
    url(r'^admin/', admin.site.urls),
    url(r'^auth/', csrf_exempt(views.UserAuthView.as_view())),
]
相關文章
相關標籤/搜索