Django oauth2 request.user返回AnonymousUser

kognpnkq  于 2023-06-25  发布在  Go
关注(0)|答案(1)|浏览(165)

bounty还有7天到期。此问题的答案有资格获得+50声望奖励。Emmanuel Murairi正在寻找一个答案从一个有信誉的来源

我是一个Django新手,正在尝试创建一个API到后端供iOS客户端使用。目前,我正在测试我的API访问与 curl 。
我已使用以下命令成功生成访问令牌:

curl -X POST -d "grant_type=password&username=example_user&password=example_password" http://clientID:clientSecret@localhost:8000/o/token/

它产生了以下响应-

{
    "access_token": "oAyNlYuGVk1Sr8oO1EsGnLwOTL7hAY", 
    "scope": "write read", 
    "expires_in": 36000, 
    "token_type": "Bearer", 
    "refresh_token": "pxd5rXzz1zZIKEtmqPgE608a4H9E5m"
}

然后,我使用访问令牌尝试访问以下类视图:

from django.http import JsonResponse
from oauth2_provider.views.generic import ProtectedResourceView
from django.views.decorators.csrf import csrf_exempt
from django.utils.decorators import method_decorator

class post_test(ProtectedResourceView):

    def get(self, request, *args, **kwargs):
        print(request.user)
        return JsonResponse({'Message': "You used a GET request"})

    def post(self, request, *args, **kwargs):
        print(request.user)
        return JsonResponse({'Message': 'You used a POST request'})

    @method_decorator(csrf_exempt)
    def dispatch(self, *args, **kwargs):
        return super(post_test, self).dispatch(*args, **kwargs)

以下是curl请求:

curl -H "Authorization: Bearer oAyNlYuGVk1Sr8oO1EsGnLwOTL7hAY" -X GET http://localhost:8000/api/post-test/

它正确地响应客户端:

{"Message": "You used a GET request"}

但是在控制台中,我期望的是request.user变量,我得到了AnonymousUser
令牌不是应该分配给example_user吗?这不应该是request.user返回的吗?

9njqaruj

9njqaruj1#

使用request.resource_owner代替request.user
Django OAuth Toolkit区分了与承载令牌相关联的用户和与可能附加到请求的任何其他Django身份验证相关联的用户。具体来说,ProtectedResourceView包括来自ProtectedResourceMixin的行为,其中包括以下分派方法:

def dispatch(self, request, *args, **kwargs):
    # let preflight OPTIONS requests pass
    if request.method.upper() == "OPTIONS":
        return super().dispatch(request, *args, **kwargs)

    # check if the request is valid and the protected resource may be accessed
    valid, r = self.verify_request(request)
    if valid:
        request.resource_owner = r.user
        return super().dispatch(request, *args, **kwargs)
    else:
        return HttpResponseForbidden()

相关问题