tastypie - 從手機登錄到Django，我如何使用ApiKeyAuthentication設置

Question

我在Django項目中設置了Tastypie，API正確地爲資源提供服務。我現在試圖允許移動用戶（應用程序）通過所述API註冊，登錄和註銷。

class BaseResource(ModelResource): 

    class Meta: 
     allowed_methods = [ 'get' ] 
     authentication = BasicAuthentication() 

class UserResource(BaseResource): 

    class Meta: 
     queryset  = User.objects.all() 
     resource_name = 'users' 
     ... 


class ProfileResource(BaseResource): 

    class Meta: 
     queryset  = Profile.objects.all() 
     resource_name = 'profiles' 
     ... 

因此，這成爲我的第一個目的。關於登錄，我認爲BasicAuthentication不適用於移動設備的請求。從我讀過似乎有幾種方法可以做我想做的：

• How can I login to django using tastypie
• How to sign-in? Django TastyPie with ApiKeyAuthentication actual authentication Process

讓我困擾的第一個鏈接（見the answer）是移動應用程序必須發送包含原始密碼的JSON：

{ 'username' : 'me', 'password' : 'l33t' } 

是不是有可能某人/某物抓住了這個JSON，因此hav e訪問密碼？用ApiKeyAuthentication不是更好嗎？

我的理解越來越少，我讀到的東西越多。如果帳戶是從Web平臺（django-userena）創建的，那麼我不能使用ApiKeyAuthentication，因爲應該創建密鑰when a new User is saved。

我可以找到幾種方法做我想做的事，但我找不到正確的 ......我意識到這個問題已被問及許多次回答，但我正在尋找有關方向根據我的需求以最佳方式執行此操作。

Answer 1

最後我做了以下內容：

# ────────────────────────────────────────────────────────────────────────────── 
class BaseResource(ModelResource): 

    # ────────────────────────────────────── 
    def prepend_urls(self): 
     try: 
      additional_urls = self._meta.additional_urls 
     except AttributeError: 
      additional_urls = [] 
     return [url(r'^'+u[0]+'$', self.wrap_view(u[1]), name=u[2]) for u in additional_urls] 

    # ────────────────────────────────────── 
    def update_in_place(self, request, original_bundle, new_data): 
     try: 
      allowed_fields = self._meta.allowed_fields 
     except AttributeError: 
      allowed_fields = None 
     if allowed_fields and set(new_data.keys()) - set(allowed_fields): 
      raise BadRequest('Only alterable field(s): {}'.format(', '.join(allowed_fields))) 
     return super(ProfileResource, self).update_in_place(request, original_bundle, new_data) 

    # ────────────────────────────────────── 
    class Meta: 
     abstract = True 
     allowed_methods = ['get',] 
     authentication = ApiKeyAuthentication() 
     authorization = DjangoAuthorization() 
     max_limit = 1000 

# ────────────────────────────────────────────────────────────────────────────── 
class UserResource(BaseResource): 

    ... 

    # ────────────────────────────────────── 
    def signup(self, request, **kwargs): 
     ... 

    # ────────────────────────────────────── 
    def signin(self, request, **kwargs): 
     self.method_check(request, allowed=['post']) 
     data = self.deserialize(
      request, 
      request.body, 
      format=request.META.get('CONTENT_TYPE', 'application/json') 
     ) 
     username = data.get('username', '') 
     password = data.get('password', '') 
     user = authenticate(username=username, password=password) 
     if user: 
      if user.is_active: 
       # login(request, user) 
       try: 
        key = ApiKey.objects.get(user=user) 
        if not key.key: 
         key.save() 
       except ApiKey.DoesNotExist: 
        key = ApiKey.objects.create(user=user) 
       return self.create_response(request, { 
        'success': True, 
        'data': key.key, 
       }) 
      else: 
       return self.create_response(request, { 
        'success': False, 
        'message': 'User is not active', 
       }, HttpForbidden) 
     else: 
      return self.create_response(request, { 
       'success': False, 
       'message': 'Wrong password', 
       }, HttpUnauthorized) 

    # ────────────────────────────────────── 
    class Meta(BaseResource.Meta): 
     allowed_methods = ['get', 'patch',] 
     queryset  = User.objects.all() 
     resource_name = 'users' 
     excludes  = [ 'first_name', 'last_name', 'password' ] 
     filtering = { 
      ... 
     } 
     additional_urls = [ 
      ('signup/', 'signup', 'api-signup'), 
      ('signin/', 'signin', 'api-signin'), 
     ] 
     allowed_fields = ['email',]