認證(Authentication)基礎概念
簡單來說,目前流行的認證方式有HTTP basic auth和OAuth,其中前者沒有後者安全性高,後者使用Token進行認證,而Token的一種流行規範是JWT(Json Web Token)
JWT格式:
最終格式形如:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzk2Mzh9.gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI
參考:
- 阮一峯JSON Web Token 入門教程 https://www.ruanyifeng.com/blog/2018/07/json_web_token-tutorial.html
- OAuth、Token、JWT三者之間的關係 https://www.jianshu.com/p/9f80be6ba2e9
- https://blog.csdn.net/gdp12315_gu/article/details/79905424
- https://www.jianshu.com/p/537b356d34c9
- https://segmentfault.com/a/1190000010312468
- https://www.jianshu.com/p/50ade6f2e4fd
相關Python包
- itsdangerous,參考:https://itsdangerous.palletsprojects.com/en/1.1.x/
>>> from itsdangerous import JSONWebSignatureSerializer
>>> s = JSONWebSignatureSerializer("secret")
>>> encoded = s.dumps({'some': 'payload'})
>>> s.loads(encoded)
{'some': 'payload'}
>>> import jwt
>>> encoded = jwt.encode({'some': 'payload'}, 'secret', algorithm='HS512')
>>> encoded
>>> b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJzb21lIjoicGF5bG9hZCJ9.EgMnzcJYrElON09Bw_OwaqR_Z7Cq30n7cgTZGJqtK1YHfG1cGnGJoJGwOLj6AWg9taOyJN3Dnqd9NXeTCjTCwA'
>>> jwt.decode(encoded, 'secret', algorithms=['HS512'])
{'some': 'payload'}
- Flask-HTTPAuth,參考:https://flask-httpauth.readthedocs.io/en/latest/
封裝jwt
# jwtauth.py
import jwt
from flask import current_app
def generate_jwt(payload, expiry, secret=None):
"""
生成jwt
:param payload: dict 載荷
:param expiry: datetime 有效期
:param secret: 密鑰
:return: jwt
"""
_payload = {'exp': expiry}
_payload.update(payload)
if not secret:
secret = current_app.config['JWT_SECRET']
token = jwt.encode(_payload, secret, algorithm='HS256')
return token.decode()
def verify_jwt(token, secret=None):
"""
檢驗jwt
:param token: jwt
:param secret: 密鑰
:return: dict: payload
"""
if not secret:
secret = current_app.config['JWT_SECRET']
try:
payload = jwt.decode(token, secret, algorithm=['HS256'])
except jwt.PyJWTError:
payload = None
return payload
調用jwtauth.py
>>> import jwtauth
# 到期時間爲2020年4月1日17點7分0秒
>>> token = jwtauth.generate_jwt({'aaa':'111','bbb':'222'}, 1585732020, 'secret')
>>> print(token)
'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1ODU3MzIwMjAsImFhYSI6IjExMSIsImJiYiI6IjIyMiJ9.KKWEroUmY3dLbAdrnUi-kKbHd8-R916GWQhn8ozgeF8'
>>> payload = jwtauth.verify_jwt(token, 'secret')
>>> print(payload)
{'exp': 1585732020, 'aaa': '111', 'bbb': '222'}
# 時間到期
>>> payload = jwtauth.verify_jwt(token, 'secret')
>>> print(payload)
返回爲空