drf的頻率認證
頻率認證源碼分析
APIView ---》dispatch方法---》self.initial(request, *args, **kwargs)---》 self.check_throttles(request)
#從新訪問這個接口的時候,都會從新調用這個方法,每次訪問都會throtttle_durations=[]置空
def check_throttles(self, request):
"""
Check if request should be throttled.
Raises an appropriate exception if the request is throttled.
"""
#好比一分鐘只能訪問三次,第一,二,三次訪問的時候都沒有限制,第四次訪問就會制
#限次的持續時間,還有多少秒才能接着訪問這個接口
throtttle_durations=[]
# self.get_throttles()全局或局部配置的類
for throttle in self.get_throttles():
#allow_request容許請求返回True,不容許就返回False,爲false時成立,
if not throttle.allow_request(request, self):
#throttle.wait()等待的限次持續時間
self.throttled(request, throttle.wait())
# 第四次限制,有限制持續時間纔會走這部
if throttle_durations:
durations = [
duration for duration in throttle_durations
if duration is not None
]
duration = max(durations, default=None)
self.throttled(request, duration)
這說明咱們自定義類要重寫allow_request(request, self)和wait(),由於throttle調用了
點擊 self.get_throttles()查看
def get_throttles(self):
"""
Instantiates and returns the list of throttles that this view uses.
"""
return [throttle() for throttle in self.throttle_classes]
點擊 self.throttle_classes
throttle_classes = api_settings.DEFAULT_THROTTLE_CLASSES
throttle_classes跟以前同樣可局部配置throttle_classes=[] ,可全局配置settings文件中配置
到drf資源文件settings.py文件中的APISettings類中查看默認配置:ctrl+f鍵查找DEFAULT_THROTTLE_CLASSES
'DEFAULT_THROTTLE_CLASSES': [],#因此說任何接口均可以無限次訪問
回到def check_throttles(self, request):pass 中的allow_request方法進行思考,首先去獲取下多長時間可以訪問多少次,而後就是訪問一次就計數一次,超次了就不能訪問了,因此要去獲取時間,在必定的時間內不能超次,若是在必定的時間內超次了就調用wait,倒計時多久才能再次訪問,
allow_request其實就是先獲取到多長時間訪問多少次,每來一次請求把當前的時間和次數保存着,若是它兩的間隔時間足夠大,就重置次數爲0,若是間隔時間較小就次數累加
找到drf資源文件throttling.py (有如下類) AnonRateThrottle(SimpleRateThrottle) BaseThrottle(object) ScopedRateThrottle(SimpleRateThrottle) SimpleRateThrottle(BaseThrottle) UserRateThrottle(SimpleRateThrottle) 咱們自定義的類有可能繼承BaseThrottle,或SimpleRateThrottle
class BaseThrottle(object):
"""
Rate throttling of requests.
"""
#判斷是否限次:沒有限次能夠請求True,限次就不能夠請求False
def allow_request(self, request, view):
"""
Return `True` if the request should be allowed, `False` otherwise.
"""
#若是繼承 BaseThrottle,必須重寫allow_request
raise NotImplementedError('.allow_request() must be overridden')
def get_ident(self, request):
"""
Identify the machine making the request by parsing HTTP_X_FORWARDED_FOR
if present and number of proxies is > 0. If not use all of
HTTP_X_FORWARDED_FOR if it is available, if not use REMOTE_ADDR.
"""
xff = request.META.get('HTTP_X_FORWARDED_FOR')
remote_addr = request.META.get('REMOTE_ADDR')
num_proxies = api_settings.NUM_PROXIES
if num_proxies is not None:
if num_proxies == 0 or xff is None:
return remote_addr
addrs = xff.split(',')
client_addr = addrs[-min(num_proxies, len(addrs))]
return client_addr.strip()
return ''.join(xff.split()) if xff else remote_addr
#限次後調用,還需等待多長時間才能再訪問
def wait(self):
"""
Optionally, return a recommended number of seconds to wait before
the next request.
"""
return None #返回的是等待的時間秒數
返回到 def check_throttles(self, request):
throtttle_durations=[]
for throttle in self.get_throttles():
if not throttle.allow_request(request, self):
#wait()的返回值就是要等待的多少秒,把秒數添加到數組裏面
self.throttled(request, throttle.wait())
#數組就是要等待的秒時間
if throttle_durations:
#格式化,展現還須要等待多少秒
durations = [
duration for duration in throttle_durations
if duration is not None
]
duration = max(durations, default=None)
self.throttled(request, duration)
分析def get_ident(self, request):pass 查看: num_proxies = api_settings.NUM_PROXIES 到APISettings中ctrl+F查找NUM_PROXIES 'NUM_PROXIES'=None 返回到def get_ident(self, request):pass函數方法 NUM_PROXIES若是爲空走: return ''.join(xff.split()) if xff else remote_addr
查看 SimpleRateThrottle類,繼承BaseThrottle,並無寫get_ident方法
可是寫了allow_request,和wait
class SimpleRateThrottle(BaseThrottle):
"""
A simple cache implementation, that only requires `.get_cache_key()`
to be overridden.
The rate (requests / seconds) is set by a `rate` attribute on the View
class. The attribute is a string of the form 'number_of_requests/period'.
Period should be one of: ('s', 'sec', 'm', 'min', 'h', 'hour', 'd', 'day')
Previous request information used for throttling is stored in the cache.
"""
cache = default_cache
timer = time.time
cache_format = 'throttle_%(scope)s_%(ident)s'
scope = None
THROTTLE_RATES = api_settings.DEFAULT_THROTTLE_RATES
def __init__(self):
if not getattr(self, 'rate', None):
self.rate = self.get_rate()
self.num_requests, self.duration = self.parse_rate(self.rate)
def get_cache_key(self, request, view):
"""
Should return a unique cache-key which can be used for throttling.
Must be overridden.
May return `None` if the request should not be throttled.
"""
raise NotImplementedError('.get_cache_key() must be overridden')
def get_rate(self):
"""
Determine the string representation of the allowed request rate.
"""
if not getattr(self, 'scope', None):
msg = ("You must set either `.scope` or `.rate` for '%s' throttle" %
self.__class__.__name__)
raise ImproperlyConfigured(msg)
try:
return self.THROTTLE_RATES[self.scope]
except KeyError:
msg = "No default throttle rate set for '%s' scope" % self.scope
raise ImproperlyConfigured(msg)
def parse_rate(self, rate):
"""
Given the request rate string, return a two tuple of:
<allowed number of requests>, <period of time in seconds>
"""
if rate is None:
return (None, None)
num, period = rate.split('/')
num_requests = int(num)
duration = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}[period[0]]
return (num_requests, duration)
def allow_request(self, request, view):
"""
Implement the check to see if the request should be throttled.
On success calls `throttle_success`.
On failure calls `throttle_failure`.
"""
if self.rate is None:
return True
self.key = self.get_cache_key(request, view)
if self.key is None:
return True
self.history = self.cache.get(self.key, [])
self.now = self.timer()
# Drop any requests from the history which have now passed the
# throttle duration
while self.history and self.history[-1] <= self.now - self.duration:
self.history.pop()
if len(self.history) >= self.num_requests:
return self.throttle_failure()
return self.throttle_success()
def throttle_success(self):
"""
Inserts the current request's timestamp along with the key
into the cache.
"""
self.history.insert(0, self.now)
self.cache.set(self.key, self.history, self.duration)
return True
def throttle_failure(self):
"""
Called when a request to the API has failed due to throttling.
"""
return False
def wait(self):
"""
Returns the recommended next request time in seconds.
"""
if self.history:
remaining_duration = self.duration - (self.now - self.history[-1])
else:
remaining_duration = self.duration
available_requests = self.num_requests - len(self.history) + 1
if available_requests <= 0:
return None
return remaining_duration / float(available_requests)
分析SimpleRateThrottle中的__init__方法
由於返回到get_throttles(self): return[throttle() for throttle in self.throttle_classes]
throttle()對象加括號調用觸發__init__方法
#初始化沒有傳入參數,因此沒有'rate'參數
def __init__(self):
# 若是沒有rate就調用get_rate()進行賦值
if not getattr(self, 'rate', None):
self.rate = self.get_rate()
#解析rate,用兩個變量存起來
self.num_requests, self.duration = self.parse_rate(self.rate)
全部繼承SimpleRateThrottle都會走__init__
返回到
def check_throttles(self, request):
throtttle_durations=[]
#throttle初始化成功以後
for throttle in self.get_throttles():
#初始化成功以後調用allow_request方法,也就是SimpleRateThrottle中的allow_request
if not throttle.allow_request(request, self):
self.throttled(request, throttle.wait())
分析SimpleRateThrottle中的allow_request方法
def allow_request(self, request, view):
"""
Implement the check to see if the request should be throttled.
On success calls `throttle_success`.
On failure calls `throttle_failure`.
"""
#rate沒有值,就永遠也不會限制訪問
if self.rate is None:
return True
#若是有值往下走
#獲取緩存的key賦值給self.key
self.key = self.get_cache_key(request, view)
if self.key is None:
return True
self.history = self.cache.get(self.key, [])
self.now = self.timer()
# Drop any requests from the history which have now passed the
# throttle duration
while self.history and self.history[-1] <= self.now - self.duration:
self.history.pop()
if len(self.history) >= self.num_requests:
#頻率失敗
return self.throttle_failure()
#頻率成功
return self.throttle_success()
#頻率失敗,返回false,沒有請求次數
def throttle_failure(self):
"""
Called when a request to the API has failed due to throttling.
"""
return False
#頻率成功
def throttle_success(self):
"""
Inserts the current request's timestamp along with the key
into the cache.
"""
# history中加時間,再成功再加,並且是加在insert列表的第一個,history長度就會愈來愈大,因此history的長度就是訪問了幾回
self.history.insert(0, self.now)
self.cache.set(self.key, self.history, self.duration)
return True
#一直成功一直成功,而後就超次了,因此就會返回False,因此就調用wait()
返回到
def check_throttles(self, request):
throtttle_durations=[]
#throttle初始化成功以後
for throttle in self.get_throttles():
#初始化成功以後調用allow_request方法,也就是SimpleRateThrottle中的allow_request
if not throttle.allow_request(request, self):
self.throttled(request, throttle.wait())
找到drf資源文件throttling.py (有如下類) 如下是系統提供的三大頻率認證類,能夠局部或者全局配置 ScopedRateThrottle(SimpleRateThrottle) SimpleRateThrottle(BaseThrottle) UserRateThrottle(SimpleRateThrottle)
分析UserRateThrottle(SimpleRateThrottle)
class UserRateThrottle(SimpleRateThrottle):
"""
Limits the rate of API calls that may be made by a given user.
The user id will be used as a unique cache key if the user is
authenticated. For anonymous requests, the IP address of the request will
be used.
"""
scope = 'user'
#返回一個字符串
def get_cache_key(self, request, view):
#有用戶而且是認證用戶
if request.user.is_authenticated:
#獲取到用戶的id
ident = request.user.pk
else:
ident = self.get_ident(request)
#'throttle_%(user)s_%(request.user.pk)s'
return self.cache_format % {
'scope': self.scope,
'ident': ident
}
點擊self.cache_format
cache_format = 'throttle_%(scope)s_%(ident)s'
假設個人認證類採用了UserRateThrottle(SimpleRetaThrottle),
for throttle in self.get_throttles():pass 產生的throttle的就是UserRateThrottle產生的對象,而後UserRateThrottle中沒有__init__,因此走SimpleRetaThrottle的__init__方法
def __init__(self):
if not getattr(self, 'rate', None):
self.rate = self.get_rate()
self.num_requests, self.duration = self.parse_rate(self.rate)
點擊self.get_rate(),
def get_rate(self):
"""
Determine the string representation of the allowed request rate.
"""
#若是沒有scope直接拋異常,
#這裏的self就是UserRateThrottle產生的對象,返回到UserRateThrottle獲取到 scope = 'user'
if not getattr(self, 'scope', None):
msg = ("You must set either `.scope` or `.rate` for '%s' throttle" %
self.__class__.__name__)
raise ImproperlyConfigured(msg)
try:
#self.THROTTLE_RATES['user'] ,這種格式就能夠判斷THROTTLE_RATES是一個字典,點擊進入THROTTLE_RATES = api_settings.DEFAULT_THROTTLE_RATES ,,跟以前同樣資源settings.py中ctrl+F查找DEFAULT_THROTTLE_RATES,
# 'DEFAULT_THROTTLE_RATES': {
# 'user': None,
# 'anon': None,
# },
#而後在本身的settings.py中進行配置,就先走本身的配置,
#因此在這裏的返回值是None
return self.THROTTLE_RATES[self.scope]
except KeyError:
# 當key沒有對應的value的時候就會報錯,而這裏的user對應None因此是有value的
msg = "No default throttle rate set for '%s' scope" % self.scope
raise ImproperlyConfigured(msg)
返回到SimpleRetaThrottle
def __init__(self):
if not getattr(self, 'rate', None):
#self.rate=None
self.rate = self.get_rate()
self.num_requests, self.duration = self.parse_rate(self.rate)
點擊 self.parse_rate(self.rate)
def parse_rate(self, rate):
"""
Given the request rate string, return a two tuple of:
<allowed number of requests>, <period of time in seconds>
"""
#若是rate是None,返回None,None
if rate is None:
return (None, None)
#若是rate不是None,就獲得的是字符串而且包含有一個‘/’,由於拆分後獲得得是兩個結果,而後有int強轉,因此num必定是一個數字
num, period = rate.split('/')
num_requests = int(num)
#period[0]取第一位,而後做爲key到字典duration中查找,因此字母開頭必定要是s /m / h / d,發現value都是以秒來計算,因此獲得rate得格式是'3/min' 也就是'3/60'
duration = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}[period[0]]
return (num_requests, duration)
返回到SimpleRetaThrottle
def __init__(self):
if not getattr(self, 'rate', None):
#self.rate=None
self.rate = self.get_rate()
#self.num_requests, self.duration =None,None
self.num_requests, self.duration = self.parse_rate(self.rate)
爲了能rate拿到值,就能夠到本身得settings.py中配置
# drf配置
REST_FRAMEWORK = {
# 頻率限制條件配置
'DEFAULT_THROTTLE_RATES': {
'user': '3/min',
'anon': None,
},
}
返回
def get_rate(self):
if not getattr(self, 'scope', None):
msg = ("You must set either `.scope` or `.rate` for '%s' throttle" %
self.__class__.__name__)
raise ImproperlyConfigured(msg)
try:
#return '3/min'
return self.THROTTLE_RATES[self.scope]
except KeyError:
msg = "No default throttle rate set for '%s' scope" % self.scope
raise ImproperlyConfigured(msg)
返回到SimpleRetaThrottle
def __init__(self):
if not getattr(self, 'rate', None):
self.rate = self.get_rate()
#self.num_requests:3, self.duration:60
self.num_requests, self.duration = self.parse_rate(self.rate)
返回到
def check_throttles(self, request):
throtttle_durations=[]
for throttle in self.get_throttles():
# 而後調用allow_request,到UserRateThrottle找,沒有走UserRateThrottle得父類SimpleRetaThrottle
if not throttle.allow_request(request, self):
self.throttled(request, throttle.wait())
def allow_request(self, request, view):
"""
Implement the check to see if the request should be throttled.
On success calls `throttle_success`.
On failure calls `throttle_failure`.
"""
if self.rate is None:
return True
#rate有值rate = '3/60'
# self.get_cache_key父級有這個方法,是拋異常,本身去實現這個方法
#而後子級UserRateThrottle實現了這個方法
self.key = self.get_cache_key(request, view)
if self.key is None:
return True
self.history = self.cache.get(self.key, [])
self.now = self.timer()
# Drop any requests from the history which have now passed the
# throttle duration
while self.history and self.history[-1] <= self.now - self.duration:
self.history.pop()
if len(self.history) >= self.num_requests:
return self.throttle_failure()
return self.throttle_success()
UserRateThrottle中得get_cache_key方法
class UserRateThrottle(SimpleRateThrottle):
"""
Limits the rate of API calls that may be made by a given user.
The user id will be used as a unique cache key if the user is
authenticated. For anonymous requests, the IP address of the request will
be used.
"""
scope = 'user'
def get_cache_key(self, request, view):
if request.user.is_authenticated:
ident = request.user.pk
else:
ident = self.get_ident(request)
#'throttle_%(scope)s_%(ident)s' =》'throttle_user_1'
return self.cache_format % {
'scope': self.scope,
'ident': ident
}
def allow_request(self, request, view):
"""
Implement the check to see if the request should be throttled.
On success calls `throttle_success`.
On failure calls `throttle_failure`.
"""
if self.rate is None:
return True
#self.key = 'throttle_user_1'
self.key = self.get_cache_key(request, view)
if self.key is None:
return True
#django緩存
#導包cache:from django.core.cache import cache as default_cache
#緩存有過時時間,key,value,,,default是默認值
#添加緩存:cache.set(key,defalut)
#獲取緩存:cache.get(key,default) 沒有獲取到key採用默認值
#獲取緩存key:'throttle_user_1'
#初次訪問緩存爲空列表,self.history=[],
self.history = self.cache.get(self.key, [])
#獲取當前時間存入到self.now
self.now = self.timer()
while self.history and self.history[-1] <= self.now - self.duration:
self.history.pop()
#history的長度與限制次數3進行比較
if len(self.history) >= self.num_requests:
return self.throttle_failure()
#history的長度未達到限制次數3,表明能夠訪問
return self.throttle_success()
點擊self.throttle_success()
#將當前時間插入到history列表的開頭,將history列表做爲數據存到緩存中,key是'throttle_user_1' ,過時時間60s
def throttle_success(self):
"""
Inserts the current request's timestamp along with the key
into the cache.
"""
#將當前的時間插到第一位
self.history.insert(0, self.now)
#設置緩存,key:'throttle_user_1' history:[self.now, self.now...]
# duration過時時間60s:'60'
self.cache.set(self.key, self.history, self.duration)
return True
第二次訪問走到這個函數的時候
def allow_request(self, request, view):
"""
Implement the check to see if the request should be throttled.
On success calls `throttle_success`.
On failure calls `throttle_failure`.
"""
if self.rate is None:
return True
#self.key = 'throttle_user_1'
self.key = self.get_cache_key(request, view)
if self.key is None:
return True
#第二次訪問self.history已經有值,就是第一次訪問存放的時間
self.history = self.cache.get(self.key, [])
#獲取當前時間存入到self.now
self.now = self.timer()
#也就是當前的時間減去history緩存的時間(永遠都取第一次訪問的時間,因此是-1)是否大於過時時間
#self.now - self.history[-1] >= self.duration
#當超出的過時時間時,也就是第四次訪問
while self.history and self.history[-1] <= self.now - self.duration:
#pop是將最後的時間拿出來
self.history.pop()
#history的長度與限制次數3進行比較
#history長度 第一次訪問爲0, 第二次訪問爲1,第三次訪問的時間長度爲2,第四次訪問失敗
if len(self.history) >= self.num_requests:
#直接返回False,表明頻率限制了
return self.throttle_failure()
#history的長度未達到限制次數3,表明能夠訪問
return self.throttle_success()
def throttle_failure(self):
return False
返回到
def check_throttles(self, request):
throtttle_durations=[]
for throttle in self.get_throttles():
#只要頻率限制了,allow_request 返回False,纔會調用wait
if not throttle.allow_request(request, self):
self.throttled(request, throttle.wait())
調用的是SimpleRateThrottle的wait,由於UserRateThrouttle中沒有wait這個方法
def wait(self):
"""
Returns the recommended next request time in seconds.
"""
#若是緩存中還有history等30s
if self.history:
#self.duration=60, self.now當前時間-self.history[-1]第一次訪問時間
remaining_duration = self.duration - (self.now - self.history[-1])
else:
#若是緩存中沒有,直接等60s
remaining_duration = self.duration
#self.num_requests=3,len(self.history)=3 結果3-3+1=1
available_requests = self.num_requests - len(self.history) + 1
if available_requests <= 0:
return None
# 30/1=30 返回的就是30s
#若是意外第二次訪問就被限制了就是30/2=15s
return remaining_duration / float(available_requests)
自定義頻率類
# 1) 自定義一個繼承 SimpleRateThrottle 類 的頻率類
# 2) 設置一個 scope 類屬性,屬性值爲任意見名知意的字符串
# 3) 在settings配置文件中,配置drf的DEFAULT_THROTTLE_RATES,格式爲 {scope字符串: '次數/時間'}
# 4) 在自定義頻率類中重寫 get_cache_key 方法
# 限制的對象返回 與限制信息有關的字符串
# 不限制的對象返回 None (只能放回None,不能是False或是''等)
短信接口 1/min 頻率限制
頻率:api/throttles.py
from rest_framework.throttling import SimpleRateThrottle
class SMSRateThrottle(SimpleRateThrottle):
scope = 'sms'
# 只對提交手機號的get方法進行限制,由於get請求發送數據就是在params中傳送數據的,若是想要禁用post請發送過來的數據就要mobile = request.query_params.get('mobile') or request.data.get('mobile')
def get_cache_key(self, request, view):
mobile = request.query_params.get('mobile')
# 沒有手機號,就不作頻率限制
if not mobile:
return None
# 返回能夠根據手機號動態變化,且不易重複的字符串,做爲操做緩存的key
return 'throttle_%(scope)s_%(ident)s' % {'scope': self.scope, 'ident': mobile}
配置:settings.py
# drf配置
REST_FRAMEWORK = {
# 頻率限制條件配置
'DEFAULT_THROTTLE_RATES': {
'sms': '3/min' #60s內能夠訪問三次請求
},
}
視圖:views.py
from .throttles import SMSRateThrottle
class TestSMSAPIView(APIView):
# 局部配置頻率認證
throttle_classes = [SMSRateThrottle]
def get(self, request, *args, **kwargs):
return APIResponse(0, 'get 獲取驗證碼 OK')
def post(self, request, *args, **kwargs):
return APIResponse(0, 'post 獲取驗證碼 OK')
路由:api/url.py
url(r'^sms/$', views.TestSMSAPIView.as_view()),
限制的接口
# 只會對 /api/sms/?mobile=具體手機號 接口才會有頻率限制 # 1)對 /api/sms/ 或其餘接口發送無限制 # 2)對數據包提交mobile的/api/sms/接口無限制 # 3)對不是mobile(如phone)字段提交的電話接口無限制
測試
相關文章
- 1. DRF之權限認證頻率組件
- 2. DRF的版本控制,認證,權限和頻率限制
- 3. 【DRF頻率】
- 4. drf-jwt認證
- 5. DRF-jwt認證
- 6. 10.DRF-認證
- 7. DRF 權限 頻率
- 8. DRF的權限和頻率
- 9. DRF 版本 認證
- 10. DRF認證組件
- 更多相關文章...
- • MySQL默認值(DEFAULT) - MySQL教程
- • XML 驗證 - XML 教程
- • 使用Rxjava計算圓周率
- • 漫談MySQL的鎖機制
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. DRF之權限認證頻率組件
- 2. DRF的版本控制,認證,權限和頻率限制
- 3. 【DRF頻率】
- 4. drf-jwt認證
- 5. DRF-jwt認證
- 6. 10.DRF-認證
- 7. DRF 權限 頻率
- 8. DRF的權限和頻率
- 9. DRF 版本 認證
- 10. DRF認證組件