Python api認證
本節內容:html
- 基本的api
- 升級的api
- 終極版api
環境:Djanao,linux
項目名:api_auto,django
app:apiapi
角色:api端,客戶端,黑客端安全
1.基本的api
【api端】服務器
#api_auto/urls.py from django.conf.urls import url,include from django.contrib import admin from api import urls urlpatterns = [ url(r'^admin/', admin.site.urls), url(r'^api/', include('api.urls')), ]
#api/urls.py from django.conf.urls import url from . import views import include urlpatterns = [ url(r'^asset.html', views.asset), ]
#api/views.py from django.shortcuts import render,HttpResponse # Create your views here. def asset(request): print(request.POST) return HttpResponse('api訪問成功')
#輸出,這樣api端就能夠拿到客戶端的數據
<QueryDict: {'k2': ['sssss'], 'k1': ['v1sss']}
【客戶端】app
# -*- coding: UTF-8 -*- #blog:http://www.cnblogs.com/linux-chenyang/ import requests data_dict = { 'k1':'v1sss', 'k2':'sssss', } ret = requests.post( url='http://127.0.0.1:8000/api/asset.html', data=data_dict, ) print(ret.text)
#輸出,api段會返回給客戶端一個結果
api訪問成功
2.升級的api
因爲上面這種方法沒有認證,假如任何人均可以發post請求,很不安全,引出下面這種方法,讓客戶端帶個key過來,api端先檢查在不在個人列表裏,不在的話就不容許訪問。ide
【api端】post
#api/views.py def asset(request): app_key_dict = { 'de3908e1-31c3-4de8-a535-7830cca5a427':{'name':'中共中央國務院','level':10}, 'd7b64313-9e62-4441-9f10-b21288a1431a':{'name':'老男孩教育','level':1}, } agent_app_key= request.GET.get('app_key') if agent_app_key in app_key_dict: name = app_key_dict[agent_app_key]['name'] print(name) return HttpResponse('api訪問成功!') else: return HttpResponse('認證失敗,不能訪問api')
#輸出 [08/Aug/2017 15:48:27] "POST /api/asset.html?app_key=de3908e1-31c3-4de8-a535-7830cca5a427 HTTP/1.1" 200 3 中共中央國務院
【客戶端】加密
import requests app_key = 'de3908e1-31c3-4de8-a535-7830cca5a427' data_dict = { 'k1':'v1', 'k2':'v2', } ret = requests.post( url='http://127.0.0.1:8000/api/asset.html', params={'app_key':app_key}, data=data_dict, ) print(ret.text)
這種方法有個弊端,假如黑客經過抓包或者其餘方法獲取到服務器的url,那麼客戶端依然能夠訪問。
【黑客端】
import requests data_dict = { 'k1':'v1sss', 'k2':'sssss', } ret = requests.post( url='http://127.0.0.1:8000/api/asset.html?app_key=de3908e1-31c3-4de8-a535-7830cca5a427', data=data_dict, ) print(ret.text)
3.終極版api
【api端】
#api/views.py def asset2(request): ''' 用於驗證3的加密匹配 :param request: :return: ''' def create_md5(app_key,app_secret,timestamp): import hashlib m = hashlib.md5(bytes(app_secret,encoding='utf-8')) temp = "%s|%s" %(app_key,timestamp,) m.update(bytes(temp,encoding='utf-8')) return m.hexdigest() ''' api端存放的客戶段的key ''' app_key_dict = { '66244932-3a61-48c5-b847-9a750ba6567e': { 'name':'中共中央國務院', 'level': 10, 'secret': 'asd=asdfkdf', 'record': [ {'sign': '3a8530132a55512c9937c60df63ba868','timestamp': 1494042557.7139883} ] }, '49684626-71fc-450a-b2bb-dfde77d2cbd3': {'name':'老男孩教育','level': 1,'secret': 'as2dasdf=asdf','record': []}, } """ 從客戶發來的url後拿到所須要的數據,key """ agent_app_key = request.GET.get('app_key') agent_app_sign = request.GET.get('app_sign') agent_app_timestamp = float(request.GET.get('app_timestamp')) """ 驗證1.判斷祕鑰app_key正不正確 """ if agent_app_key not in app_key_dict: return HttpResponse('二貨,一壘都上不了...') """ 驗證2.客戶端過來的key和服務器端之間時間不超過5秒 """ server_timestamp = time.time() if (server_timestamp - 5) > agent_app_timestamp: return HttpResponse('滾,時間怎麼這麼長...') """ 驗證3.反解密,匹配加密的key是否正確,secret從api端拿 """ server_sign = create_md5(agent_app_key,app_key_dict[agent_app_key]['secret'],agent_app_timestamp) if agent_app_sign != server_sign: return HttpResponse('小樣,你還給我修改url,太嫩了...') """ 驗證4.有了一個訪問的客戶端,一樣的key在不能訪問 """ record_list = app_key_dict[agent_app_key]['record'] for item in record_list: if agent_app_sign == item['sign']: return HttpResponse('煞筆,來晚了...') app_key_dict[agent_app_key]['record'].append({'sign': agent_app_sign,'timestamp': agent_app_timestamp}) # 數據加密 rsa # http://www.cnblogs.com/wupeiqi/articles/6746744.html name = app_key_dict[agent_app_key]['name'] return HttpResponse(name)
import requests,time def god2(): """ app_sign:這樣就根據app_key+app_secret+timestamp生成動態的字符串 :return: """ def create_md5(app_key,app_secret,timestamp): import hashlib m = hashlib.md5(bytes(app_secret,encoding='utf-8')) temp = "%s|%s" %(app_key,timestamp,) m.update(bytes(temp,encoding='utf-8')) return m.hexdigest() app_key = '66244932-3a61-48c5-b847-9a750ba6567e' app_secret = "asd=asdfkdf" app_timestamp = time.time() app_sign = create_md5(app_key,app_secret,app_timestamp) """ api請求: 加密的app_sign和 app_key還有時間app_timestamp傳到API 可是app_secret不能傳過去 params:數據會存在url後面?app_sign=****&app_key=*** """ data_dict = { 'k1':'v1', 'v2':'v2' } ret = requests.post( url='http://127.0.0.1:8000/api/asset2.html', params={'app_sign': app_sign,"app_key": app_key, 'app_timestamp': app_timestamp}, data=data_dict ) print(ret.text) def god1(): app_key = 'de3908e1-31c3-4de8-a535-7830cca5a427' data_dict = { 'k1': 'v1', 'k2': 'v2', } ret = requests.post( url='http://127.0.0.1:8000/api/asset.html', params={'app_key': app_key}, data=data_dict, ) print(ret.text) if __name__ == '__main__': #god1() god2()
相關文章
- 1. python(Django之Logging、API認證)
- 2. python API的安全認證
- 3. API認證&SDK&RESTful
- 4. api安全認證
- 5. python api接口認證腳本
- 6. Laravel5.4 Api Token認證
- 7. API接口認證
- 8. Django REST framework 之 API認證
- 9. 身份證明名認證API接口
- 10. Python https認證
- 更多相關文章...
- • SQLite - Python - SQLite教程
- • Docker 安裝 Python - Docker教程
- • YAML 入門教程
- • ☆基於Java Instrument的Agent實現
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. 跳槽面試的幾個實用小技巧,不妨看看!
- 2. Mac實用技巧 |如何使用Mac系統中自帶的預覽工具將圖片變成黑白色?
- 3. Mac實用技巧 |如何使用Mac系統中自帶的預覽工具將圖片變成黑白色?
- 4. 如何使用Mac系統中自帶的預覽工具將圖片變成黑白色?
- 5. Mac OS非兼容Windows軟件運行解決方案——「以VMware & Microsoft Access爲例「
- 6. 封裝 pyinstaller -F -i b.ico excel.py
- 7. 數據庫作業三ER圖待完善
- 8. nvm安裝使用低版本node.js(非命令安裝)
- 9. 如何快速轉換圖片格式
- 10. 將表格內容分條轉換爲若干文檔
歡迎關注本站公眾號,獲取更多信息
相關文章