DRF authentication, permissions, and flow restrictions (only for views in DRF)

2022-07-07 09:11:00 FOR. GET

1. Authentication

Authentication needs to be used in combination with permissions. Reference: the official DRF Authentication documentation.

1.1 Global authentication

  • Use DEFAULT_AUTHENTICATION_CLASSES to set the global default authentication scheme
# settings.py
# All DRF configuration is written in the REST_FRAMEWORK dict
REST_FRAMEWORK = {
    # Configure the global authentication scheme
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.BasicAuthentication',  # Basic authentication
        'rest_framework.authentication.SessionAuthentication',  # Session authentication
    )
}

1.2 Local authentication

  • Set the authentication_classes attribute on an individual view; it can be written in each view class that needs authentication.
from rest_framework.authentication import SessionAuthentication, BasicAuthentication
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
from rest_framework.views import APIView

class ExampleView(APIView):
    # Set authentication
    authentication_classes = (SessionAuthentication, BasicAuthentication)
    # Set the permissions
    permission_classes = (IsAuthenticated,)

    def get(self, request, format=None):
        content = {
            'user': str(request.user),  # `django.contrib.auth.User` instance.
            'auth': str(request.auth),  # None
        }
        return Response(content)

Authentication failure returns one of two status codes: 403 Permission Denied or 401 Unauthenticated. In general, authentication can be configured globally.

2. Permissions

According to the official Permissions documentation, the permissions provided are:

  • Allow all users: AllowAny
  • Only authenticated users: IsAuthenticated
  • Only administrator users: IsAdminUser
  • Authenticated users have full access; otherwise only read (GET) access is allowed: IsAuthenticatedOrReadOnly

2.1 Global permissions

  • The default permission policy can be set globally with DEFAULT_PERMISSION_CLASSES.
REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        # Only authenticated users can access
        'rest_framework.permissions.IsAuthenticated',
    )
}
  • If not specified, this setting defaults to allowing unrestricted access:
'DEFAULT_PERMISSION_CLASSES': (
   'rest_framework.permissions.AllowAny',
)

2.2 Local permissions

from rest_framework.permissions import IsAuthenticated
from rest_framework.views import APIView

class ExampleView(APIView):
    # Set the permissions
    permission_classes = (IsAuthenticated,)

Authentication is generally configured globally; permissions are generally set locally.

3. Throttling

Throttling limits how often an interface can be accessed, to reduce pressure on the server. Reference: the official Throttling documentation.

3.1 Global throttling

Use DEFAULT_THROTTLE_CLASSES and DEFAULT_THROTTLE_RATES to set the default throttling policy globally. The rate period can be second, minute, hour or day.

REST_FRAMEWORK = {
    'DEFAULT_THROTTLE_CLASSES': (
        'rest_framework.throttling.AnonRateThrottle',
        'rest_framework.throttling.UserRateThrottle'
    ),
    'DEFAULT_THROTTLE_RATES': {
        'anon': '100/day',  # Anonymous users
        'user': '1000/day'  # Logged-in users
    }
}
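
How a rate string such as '100/day' turns into an enforced limit, as an added example (not code from the original post or from DRF itself): a simplified pure-Python model of a sliding-window throttle. The class name SlidingWindowThrottle, the client keys and the fake clock in demo() are assumptions made for illustration.

```python
# Added example: simplified model of a DRF-style rate throttle (not DRF source).
import time

PERIODS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # second, minute, hour, day


def parse_rate(rate):
    """Turn '100/day' into (100, 86400); only the period's first letter is used."""
    count, period = rate.split("/")
    return int(count), PERIODS[period[0]]


class SlidingWindowThrottle:
    """Allow at most `count` requests per client key in any `window` seconds."""

    def __init__(self, rate, clock=time.time):
        self.count, self.window = parse_rate(rate)
        self.clock = clock
        self.history = {}  # client key -> request timestamps, newest first

    def allow(self, key):
        now = self.clock()
        stamps = self.history.setdefault(key, [])
        # Forget requests that have aged out of the window.
        while stamps and stamps[-1] <= now - self.window:
            stamps.pop()
        if len(stamps) >= self.count:
            return False  # a DRF view would answer 429 Too Many Requests
        stamps.insert(0, now)
        return True

    def wait(self, key):
        """Seconds until the oldest counted request expires (0 if not limited)."""
        stamps = self.history.get(key, [])
        if len(stamps) < self.count:
            return 0
        return max(0, stamps[-1] + self.window - self.clock())


def demo():
    """Constructed scenario: 3/minute limit, fake clock, two client keys."""
    t = [1000.0]
    th = SlidingWindowThrottle("3/minute", clock=lambda: t[0])
    results = [th.allow("ip:203.0.113.5") for _ in range(4)]  # 4th is refused
    other = th.allow("user:42")  # a different key has its own budget
    retry_after = th.wait("ip:203.0.113.5")
    t[0] += 60  # the whole window passes
    return results, other, retry_after, th.allow("ip:203.0.113.5")
```

Each client key gets its own budget, which is why the anonymous and logged-in rates in the settings above are counted separately.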

3.2 Local throttling

  • For views based on the APIView class, you can set the throttling policy on a per-view or per-viewset basis
from rest_framework.response import Response
from rest_framework.throttling import UserRateThrottle
from rest_framework.views import APIView

class ExampleView(APIView):
    throttle_classes = (UserRateThrottle,)

    def get(self, request, format=None):
        content = {
            'status': 'request was permitted'
        }
        return Response(content)

Copyright notice
This article was written by [FOR. GET]. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/02/202202130628112376.html