0401自學web後端之——認證

認證（Authentication）基礎概念

簡單來說，目前流行的認證方式有HTTP basic auth和OAuth，其中前者沒有後者安全性高，後者使用Token進行認證，而Token的一種流行規範是JWT（Json Web Token）
JWT格式：

最終格式形如：

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzk2Mzh9.gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI

參考：

1. 阮一峯JSON Web Token 入門教程 https://www.ruanyifeng.com/blog/2018/07/json_web_token-tutorial.html
2. OAuth、Token、JWT三者之間的關係 https://www.jianshu.com/p/9f80be6ba2e9
3. https://blog.csdn.net/gdp12315_gu/article/details/79905424
4. https://www.jianshu.com/p/537b356d34c9
5. https://segmentfault.com/a/1190000010312468
6. https://www.jianshu.com/p/50ade6f2e4fd

相關Python包

• itsdangerous，參考：https://itsdangerous.palletsprojects.com/en/1.1.x/

>>> from itsdangerous import JSONWebSignatureSerializer
>>> s = JSONWebSignatureSerializer("secret")
>>> encoded = s.dumps({'some': 'payload'})
>>> s.loads(encoded)
{'some': 'payload'}

• pyjwt，參考：https://pyjwt.readthedocs.io/en/latest/

>>> import jwt
>>> encoded = jwt.encode({'some': 'payload'}, 'secret', algorithm='HS512')
>>> encoded
>>> b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJzb21lIjoicGF5bG9hZCJ9.EgMnzcJYrElON09Bw_OwaqR_Z7Cq30n7cgTZGJqtK1YHfG1cGnGJoJGwOLj6AWg9taOyJN3Dnqd9NXeTCjTCwA'
>>> jwt.decode(encoded, 'secret', algorithms=['HS512'])
{'some': 'payload'}

• Flask-HTTPAuth，參考：https://flask-httpauth.readthedocs.io/en/latest/

封裝jwt

# jwtauth.py
import jwt
from flask import current_app
 
def generate_jwt(payload, expiry, secret=None):
    """
    生成jwt
    :param payload: dict 載荷
    :param expiry: datetime 有效期
    :param secret: 密鑰
    :return: jwt
    """
    _payload = {'exp': expiry}
    _payload.update(payload)
 
    if not secret:
        secret = current_app.config['JWT_SECRET']
 
    token = jwt.encode(_payload, secret, algorithm='HS256')
    return token.decode()
 
def verify_jwt(token, secret=None):
    """
    檢驗jwt
    :param token: jwt
    :param secret: 密鑰
    :return: dict: payload
    """
    if not secret:
        secret = current_app.config['JWT_SECRET']
 
    try:
        payload = jwt.decode(token, secret, algorithm=['HS256'])
    except jwt.PyJWTError:
        payload = None
 
    return payload

調用jwtauth.py

>>> import jwtauth
# 到期時間爲2020年4月1日17點7分0秒
>>> token = jwtauth.generate_jwt({'aaa':'111','bbb':'222'}, 1585732020, 'secret')
>>> print(token)
'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1ODU3MzIwMjAsImFhYSI6IjExMSIsImJiYiI6IjIyMiJ9.KKWEroUmY3dLbAdrnUi-kKbHd8-R916GWQhn8ozgeF8'
>>> payload = jwtauth.verify_jwt(token, 'secret')
>>> print(payload)
{'exp': 1585732020, 'aaa': '111', 'bbb': '222'}
# 時間到期
>>> payload = jwtauth.verify_jwt(token, 'secret')
>>> print(payload)
返回爲空