Django更改中间件中的request.path（通过url中的令牌进行身份验证）

发布于 2024-12-14 02:04:45 字数 1825 浏览 8 评论 0原文

亲爱的 Stackoverflow 的全知者，

在 Django 1.3 中，我正在制作一个 process_request 中间件，它从 url 获取令牌，让用户登录（如果正确）并从 url 中删除令牌。但是：

我）Django 建议不要在中间件中访问 POST/GET 数据，我不太确定为什么会这样......这同样适用于 request.path 吗？ https://docs.djangoproject.com/en/dev/ topic/http/middleware/#process-view

II) 我想从 URL 中删除令牌，因此 /album3/pic42/~53Cr3t70K3n/like/ -> /album3/pic42/like/。但是更改 request.path 不起作用。找不到页面，而

中间件确实处理正确（通过打印验证）
直接输入 /album3/pic42/like/ 确实有效
错误（带有令牌）显示请求 URL： http://www.site.com/album3/pic42/like/

这个问题有解决办法吗，还是我完全从错误的角度来解决这个问题？

提前致谢！

我刚刚意识到要在客户端进行更改，显然我需要重定向（为什么我没有想到这一点......）。然而，能够在没有新请求的情况下仅在服务器端重写它仍然很有用，例如访问个性化图像。

Ps：如果需要更多详细信息，请随意跳过

我正在开发一个向用户发送个性化电子邮件的网站。我希望用户能够单击电子邮件中的链接并通过电子邮件链接中的令牌自动登录。这是对正常登录的补充。（我知道它不太安全，因为人们可能会转发电子邮件，但它对于我的网站来说已经足够了）。该网址看起来像这样： /album3/pic42/~53Cr3t70K3n/like/ （剥离 http://www.site.com 后，Django 会这样做那）

我正在编写一个中间件来匹配它并在适当的时候让用户登录，一个身份验证后端用于接受令牌作为有效凭证和令牌模型。

中间件process_request函数： def process_request(self, request)：

    if '/~' in request.path:
        result = re.search('(.*)/~(.+?)/(.*)', request.path)
        (uidb36, token) = result.group(2).split('-', 2)
        user = authenticate(uidb36 = uidb36, token = token)
        if user: login(request, user)
        return HttpResponseRedirect('%s/%s' % (result.group(1), result.group(3)) + ('?' + '&'.join('='.join(item) for item in request.GET.items()) if request.GET else ''))
    return None

现在它可以使用重定向，我也希望能够在内部执行此操作。

原文

Dear omnoscient beings at Stackoverflow,

In Django 1.3 I am making a process_request middleware that gets a token from an url, logs the user in (if it's correct) and removes the token from the url. However:

I) Django recommends against accessing POST/GET data in middleware, I'm not really sure why so... Does the same apply to request.path ? https://docs.djangoproject.com/en/dev/topics/http/middleware/#process-view

II) I want to remove the token from the URL, so /album3/pic42/~53Cr3t70K3n/like/ -> /album3/pic42/like/. Changing request.path however does not work. The page will not be found, while

The middleware does process correctly (verified by print)
Directly entering /album3/pic42/like/ does work
The error (with token) shows Request URL: http://www.site.com/album3/pic42/like/

Is there a fix for this, or am I approaching this from the wrong angle entirely?

Thanks in advance!

I just realized that to change it client side, obviously I need a redirect (why didn't I think of that...). However, it would still be useful to be able to rewrite it just server-side without a new request, for example for accessing a personalized image.

P.s.: more details if needed, feel free to skip

I am working on a site that (will) sends personalized emails to users. I would like users to be able to click links in the email and be logged in automatically, by means of a token in the email link. This is in addition to normal login. (I know it's a less secure because people might forward an e-mail, but it's good enough for my site). The url would look something like this:
/album3/pic42/~53Cr3t70K3n/like/ (with http://www.site.com stripped, Django does that)

I am writing a middleware to match this and log the user in when appropriate, a authentication backend for accepting a token as valid credentials and a token model.

Middleware process_request function:
def process_request(self, request):

    if '/~' in request.path:
        result = re.search('(.*)/~(.+?)/(.*)', request.path)
        (uidb36, token) = result.group(2).split('-', 2)
        user = authenticate(uidb36 = uidb36, token = token)
        if user: login(request, user)
        return HttpResponseRedirect('%s/%s' % (result.group(1), result.group(3)) + ('?' + '&'.join('='.join(item) for item in request.GET.items()) if request.GET else ''))
    return None

Right now it works with redirects, I'd like to also be able to do it internally.

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

一曲爱恨情仇 2024-12-21 02:04:46

如果您不想搞乱上传处理程序，我有一个更好的解决方案给你：

在你的 urls.py 中创建一条规则来专门捕获带有令牌的访问
将其放在 urlpatterns 的开头，以确保首先对其进行评估。像这样的事情会做：
```
(r'/~', 'my_app_name.my_redirect_view'),
```

创建一个视图：

def my_redirect_view(请求):
    #编译后的正则表达式运行速度更快
    Loved_tokens = re.compile(r'(.*)/~(.+?)/(.*)')
    结果=loved_tokens.search(request.path)
    尝试：
        (uidb36, token) = result.group(2).split('-', 2)
        路径结束 = 结果.group(3)
    # 我们使用“try”来确保没有人有过
    # 弄乱了我们心爱的代币：
    除了属性错误： 
        引发Http404
    别的：
        用户 = 验证（uidb36 = uidb36，令牌 = 令牌）
        如果用户： 
            登录（请求，用户）
            return HttpResponseRedirect('%s/%s' % (result.group(1), result.group(3)) + ('?' + '&'.join('='.join(item) for item in ) request.GET.items()) if request.GET else ''))
        别的：
            引发Http404

If you don't want to mess up with upload handlers, I have a better solution for you:

Create a rule in your urls.py to specifically catch visits with tokens
Put it at the start of the urlpatterns to make sure that it will be evaluated first. Something like this will do:
```
(r'/~', 'my_app_name.my_redirect_view'),
```

Create a view:

def my_redirect_view(request):
    #Compiled regular expressions work much faster
    beloved_tokens = re.compile(r'(.*)/~(.+?)/(.*)')
    result = beloved_tokens.search(request.path)
    try:
        (uidb36, token) = result.group(2).split('-', 2)
        path_end = result.group(3)
    # We use "try" to be sure that no one had
    # messed with our beloved tokens:
    except AttributeError: 
        raise Http404
    else:
        user = authenticate(uidb36 = uidb36, token = token)
        if user: 
            login(request, user)
            return HttpResponseRedirect('%s/%s' % (result.group(1), result.group(3)) + ('?' + '&'.join('='.join(item) for item in request.GET.items()) if request.GET else ''))
        else:
            raise Http404

回复收藏 0 原文