django rest framework - token authentication logout

感情败类 2020-12-30 20:32

I have implemented the Token Authentication according to the django rest framework Docs.

From what I read, the Token Authentication of DRF is quite simple - one to

3 answers
  • 2020-12-30 21:02

    WHOLE IDEA OF TOKEN AUTHENTICATION:

    Normally in authentication services, there is a lifetime associated with a token. After a specific time, the token will get expired. Here, we get an access token which has an expiry time sent along with it by the server. Now the client needs to send this token every time in the request header so that the server can identify who the user is. Either we can keep track of when it expires or we can just keep using it until we get an INVALID_TOKEN error. In that case we would have to again get the token from the server.

    The lifetime of the access_token is independent of the login session of a user who grants access to a client. OAuth2, let's say, has no concept of a user login or logout, or a session. The token is just used to identify the user if he is who he says he is.

    The token is unique for a user and client. You may save it to cookies to enable something like "remember me", but on the server you don't need to delete it. Whenever the token expires, the client needs to send a request to the server to obtain the token again.

    Token Expiry in DRF Token Authentication:

    Currently, DRF Token authentication does not support this functionality. You would have to implement it yourself or use a third party package which provides this functionality. It should check for token expiry and raise an exception if the token has expired.

    To implement it yourself, you can subclass from the DRF Token Authentication class and add your logic.
    You can even use a third-party package django-rest-framework-expiring-tokens.

    Some References:
    1. Token Authentication for RESTful API: should the token be periodically changed?
    2. How to Logout of an Application Where I Used OAuth2 To Login With Google?

    0 Discussion (0)
  • 2020-12-30 21:18

    It sounds like SessionAuthentication is what you are really looking for. You can start (login) a session via BasicAuthentication or TokenAuthentication. Then use sessionid as your "token" for the rest of the API calls. The "token" expires when you log out or exceed a certain time limit.

    If you run into a csrftoken issue using session authentication, this could be very helpful.

    0 Discussion (0)
  • 2020-12-30 21:20

    Here's a simple view that I'm using to log out:

    from rest_framework import status
    from rest_framework.response import Response
    from rest_framework.views import APIView
    
    class Logout(APIView):
        def get(self, request, format=None):
            # simply delete the token to force a login;
            # request.user.auth_token is the Token row created for this user
            request.user.auth_token.delete()
            return Response(status=status.HTTP_200_OK)
    

    Then add it to your urls.py:

    from django.conf.urls import url
    
    urlpatterns = [
        ...
        url(r'^logout/', Logout.as_view()),
    ]
    
    0 Discussion (0)
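The two operations the thread discusses, expiring a token after a fixed lifetime (the first answer's "subclass TokenAuthentication and add your logic") and logging out by deleting the token row (the third answer's view), are shown together below as a framework-independent model. This is an added example, not code from the thread or from DRF; `ExpiringTokenStore`, `AuthenticationFailed` and the `demo` timestamps are assumptions standing in for DRF's `TokenAuthentication.authenticate_credentials()`, `Token.created` and `request.user.auth_token.delete()`, so it runs without Django installed.

```python
# Added example, not from the original thread: a framework-independent model of
# token expiry (answer 1) and logout-by-deletion (answer 3). ExpiringTokenStore
# and AuthenticationFailed are assumed names that mirror DRF's
# TokenAuthentication.authenticate_credentials(), Token.created and
# request.user.auth_token.delete().
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed."""


@dataclass
class Token:
    key: str
    user: str
    created: datetime


class ExpiringTokenStore:
    """In-memory token table with a fixed lifetime, mirroring a
    TokenAuthentication subclass that compares Token.created to now."""

    def __init__(self, lifetime: timedelta = timedelta(hours=24)):
        self.lifetime = lifetime
        self._tokens: Dict[str, Token] = {}

    def issue(self, user: str, now: Optional[datetime] = None) -> Token:
        # DRF keys are 40 hex characters; secrets.token_hex(20) yields the same shape
        token = Token(secrets.token_hex(20), user, now or datetime.now(timezone.utc))
        self._tokens[token.key] = token
        return token

    def authenticate_credentials(self, key: str, now: Optional[datetime] = None) -> str:
        """Return the user for a valid key, or raise as DRF would."""
        now = now or datetime.now(timezone.utc)
        token = self._tokens.get(key)
        if token is None:
            raise AuthenticationFailed("Invalid token.")
        if now - token.created > self.lifetime:
            # Drop expired rows so a retry fails fast and the table stays bounded
            del self._tokens[key]
            raise AuthenticationFailed("Token has expired.")
        return token.user

    def logout(self, key: str) -> bool:
        """Equivalent of request.user.auth_token.delete(): the key stops
        working immediately; no lifetime is needed for that."""
        return self._tokens.pop(key, None) is not None


def demo() -> dict:
    """Issue -> use -> expire, then issue -> logout -> attempted reuse."""
    store = ExpiringTokenStore(lifetime=timedelta(hours=1))
    t0 = datetime(2020, 12, 30, 20, 32, tzinfo=timezone.utc)  # constructed timestamp
    result = {}

    tok = store.issue("alice", now=t0)
    result["fresh_ok"] = store.authenticate_credentials(
        tok.key, now=t0 + timedelta(minutes=30)) == "alice"
    try:
        store.authenticate_credentials(tok.key, now=t0 + timedelta(hours=2))
        result["expired_rejected"] = False
    except AuthenticationFailed:
        result["expired_rejected"] = True

    tok2 = store.issue("bob", now=t0)
    result["logout_deleted"] = store.logout(tok2.key)
    try:
        store.authenticate_credentials(tok2.key, now=t0 + timedelta(minutes=1))
        result["reuse_after_logout_rejected"] = False
    except AuthenticationFailed:
        result["reuse_after_logout_rejected"] = True
    result["second_logout"] = store.logout(tok2.key)  # row already gone
    return result


if __name__ == "__main__":
    print(demo())
```

In a real DRF subclass the same comparison goes into `authenticate_credentials`, reading `token.created` from the `Token` model, and the expired row should be deleted there too so that a stolen but stale key cannot be replayed. Logout deletion needs no expiry logic at all, which is why the two answers complement rather than contradict each other.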