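You can write your own authentication module. Here is an example:

    from annoying.functions import get_object_or_None  # from django-annoying
    from django.contrib.auth.models import AnonymousUser
    from django.http import HttpResponse

    # ApiKey is the model defined further down.
    class ApiKeyAuthentication(object):
        def is_authenticated(self, request):
            # The raw Authorization header value is treated as the API key.
            auth_string = request.META.get("HTTP_AUTHORIZATION")
            if not auth_string:
                return False
            key = get_object_or_None(ApiKey, key=auth_string)
            if not key:
                request.user = AnonymousUser()
                return False
            request.user = key.user
            return True

        def challenge(self):
            # Response sent back when is_authenticated() returns False.
            resp = HttpResponse("Authorization Required")
            resp['WWW-Authenticate'] = "Key Based Authentication"
            resp.status_code = 401
            return resp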
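
You need a model that stores the API keys and maps them to users:

    from django.contrib.auth.models import User
    from django.db import models

    class ApiKey(models.Model):
        user = models.ForeignKey(User, related_name='keys')
        key = models.CharField(max_length=KEY_SIZE)  # KEY_SIZE: a constant you define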
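
You need some way to generate the actual keys. Something like this would do (say, in the save method of the ApiKey model):

    # Regenerate until the key does not collide with an existing one.
    key = User.objects.make_random_password(length=KEY_SIZE)
    while ApiKey.objects.filter(key__exact=key).count():
        key = User.objects.make_random_password(length=KEY_SIZE)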

Finally, hook up the new authentication backend:

    # urls.py
    from piston import resource

    key_auth = ApiKeyAuthentication()

    def ProtectedResource(handler):
        return resource.Resource(handler=handler, authentication=key_auth)

    your_handler = ProtectedResource(YourHandler)

As for exchanging a username/password for an API key, just write a handler that uses BasicAuthentication to create and return a new ApiKey (for request.user).

What's wrong with OAuth? – klemens 2010-12-16 13:42:18
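
A hardened variant of the key scheme in the answer above, as an added example that is not part of the original answer or of django-piston: keys come from the OS CSPRNG and only their SHA-256 digest is stored, so a leaked key table does not expose usable keys. `KeyStore`, `issue`, `revoke` and `authenticate` are hypothetical names, and the in-memory dict stands in for the `ApiKey` table so the block runs without Django.

```python
import hashlib
import secrets


class KeyStore:
    """Hypothetical stand-in for the ApiKey table: maps key digest -> username."""

    def __init__(self):
        self.digests = {}

    @staticmethod
    def _digest(raw_key):
        # Keys are long random strings, so one SHA-256 pass is sufficient;
        # a slow password hash is only needed for low-entropy secrets.
        return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()

    def issue(self, username):
        """Generate a key from the OS CSPRNG and keep only its digest."""
        raw_key = secrets.token_urlsafe(32)  # 32 random bytes as URL-safe text
        self.digests[self._digest(raw_key)] = username
        return raw_key  # handed to the caller once, never stored

    def revoke(self, username):
        """Drop every key belonging to username; return how many were removed."""
        doomed = [d for d, u in self.digests.items() if u == username]
        for d in doomed:
            del self.digests[d]
        return len(doomed)

    def authenticate(self, meta):
        """Mirror is_authenticated(): read HTTP_AUTHORIZATION, return user or None."""
        auth_string = meta.get("HTTP_AUTHORIZATION")
        if not auth_string:
            return None
        # Look up by digest; the presented key itself is never compared or logged.
        return self.digests.get(self._digest(auth_string.strip()))


if __name__ == "__main__":
    store = KeyStore()
    key = store.issue("alice")  # constructed sample user
    print(store.authenticate({"HTTP_AUTHORIZATION": key}))
    print(store.authenticate({"HTTP_AUTHORIZATION": "guess"}))
    print(key in store.digests)
```

In a Django model the same idea means a unique, indexed digest column in place of the plaintext `key` field, with the raw key returned only in the response that creates it.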