perf: 优化用户 access key 的使用和创建 (#11776)

* perf: 优化用户 access key 的使用和创建 * perf: 优化 access key api --------- Co-authored-by: ibuler <ibuler@qq.com>
2025-09-03 00:15:20 +00:00 · 2023-10-10 17:52:52 +08:00
parent 30b19d31eb
commit 333746e7c4
28 changed files with 417 additions and 330 deletions
--- a/apps/authentication/backends/drf.py
+++ b/apps/authentication/backends/drf.py
@@ -1,119 +1,33 @@
 # -*- coding: utf-8 -*-
 #

-import time
-import uuid
-
 from django.contrib.auth import get_user_model
 from django.core.cache import cache
+from django.utils import timezone
 from django.utils.translation import gettext as _
-from rest_framework import HTTP_HEADER_ENCODING
 from rest_framework import authentication, exceptions
-from six import text_type

 from common.auth import signature
-from common.utils import get_object_or_none, make_signature, http_to_unixtime
-from .base import JMSBaseAuthBackend
+from common.utils import get_object_or_none
 from ..models import AccessKey, PrivateToken

-UserModel = get_user_model()
+
+def date_more_than(d, seconds):
+    return d is None or (timezone.now() - d).seconds > seconds


-def get_request_date_header(request):
-    date = request.META.get('HTTP_DATE', b'')
-    if isinstance(date, text_type):
-        # Work around django test client oddness
-        date = date.encode(HTTP_HEADER_ENCODING)
-    return date
+def after_authenticate_update_date(user, token=None):
+    if date_more_than(user.date_api_key_last_used, 60):
+        user.date_api_key_last_used = timezone.now()
+        user.save(update_fields=['date_api_key_last_used'])

-
-class AccessKeyAuthentication(authentication.BaseAuthentication):
-    """App使用Access key进行签名认证, 目前签名算法比较简单,
-    app注册或者手动建立后,会生成 access_key_id 和 access_key_secret,
-    然后使用 如下算法生成签名:
-    Signature = md5(access_key_secret + '\n' + Date)
-    example: Signature = md5('d32d2b8b-9a10-4b8d-85bb-1a66976f6fdc' + '\n' +
-                    'Thu, 12 Jan 2017 08:19:41 GMT')
-    请求时设置请求header
-    header['Authorization'] = 'Sign access_key_id:Signature' 如:
-    header['Authorization'] =
-        'Sign d32d2b8b-9a10-4b8d-85bb-1a66976f6fdc:OKOlmdxgYPZ9+SddnUUDbQ=='
-
-    验证时根据相同算法进行验证, 取到access_key_id对应的access_key_id, 从request
-    headers取到Date, 然后进行md5, 判断得到的结果是否相同, 如果是认证通过, 否则 认证
-    失败
-    """
-    keyword = 'Sign'
-
-    def authenticate(self, request):
-        auth = authentication.get_authorization_header(request).split()
-        if not auth or auth[0].lower() != self.keyword.lower().encode():
-            return None
-
-        if len(auth) == 1:
-            msg = _('Invalid signature header. No credentials provided.')
-            raise exceptions.AuthenticationFailed(msg)
-        elif len(auth) > 2:
-            msg = _('Invalid signature header. Signature '
-                    'string should not contain spaces.')
-            raise exceptions.AuthenticationFailed(msg)
-
-        try:
-            sign = auth[1].decode().split(':')
-            if len(sign) != 2:
-                msg = _('Invalid signature header. '
-                        'Format like AccessKeyId:Signature')
-                raise exceptions.AuthenticationFailed(msg)
-        except UnicodeError:
-            msg = _('Invalid signature header. '
-                    'Signature string should not contain invalid characters.')
-            raise exceptions.AuthenticationFailed(msg)
-
-        access_key_id = sign[0]
-        try:
-            uuid.UUID(access_key_id)
-        except ValueError:
-            raise exceptions.AuthenticationFailed('Access key id invalid')
-        request_signature = sign[1]
-
-        return self.authenticate_credentials(
-            request, access_key_id, request_signature
-        )
-
-    @staticmethod
-    def authenticate_credentials(request, access_key_id, request_signature):
-        access_key = get_object_or_none(AccessKey, id=access_key_id)
-        request_date = get_request_date_header(request)
-        if access_key is None or not access_key.user:
-            raise exceptions.AuthenticationFailed(_('Invalid signature.'))
-        access_key_secret = access_key.secret
-
-        try:
-            request_unix_time = http_to_unixtime(request_date)
-        except ValueError:
-            raise exceptions.AuthenticationFailed(
-                _('HTTP header: Date not provide '
-                  'or not %a, %d %b %Y %H:%M:%S GMT'))
-
-        if int(time.time()) - request_unix_time > 15 * 60:
-            raise exceptions.AuthenticationFailed(
-                _('Expired, more than 15 minutes'))
-
-        signature = make_signature(access_key_secret, request_date)
-        if not signature == request_signature:
-            raise exceptions.AuthenticationFailed(_('Invalid signature.'))
-
-        if not access_key.user.is_active:
-            raise exceptions.AuthenticationFailed(_('User disabled.'))
-        return access_key.user, None
-
-    def authenticate_header(self, request):
-        return 'Sign access_key_id:Signature'
+    if token and hasattr(token, 'date_last_used') and date_more_than(token.date_last_used, 60):
+        token.date_last_used = timezone.now()
+        token.save(update_fields=['date_last_used'])


 class AccessTokenAuthentication(authentication.BaseAuthentication):
    keyword = 'Bearer'
-    # expiration = settings.TOKEN_EXPIRATION or 3600
    model = get_user_model()

    def authenticate(self, request):
@@ -125,19 +39,20 @@ class AccessTokenAuthentication(authentication.BaseAuthentication):
            msg = _('Invalid token header. No credentials provided.')
            raise exceptions.AuthenticationFailed(msg)
        elif len(auth) > 2:
-            msg = _('Invalid token header. Sign string '
-                    'should not contain spaces.')
+            msg = _('Invalid token header. Sign string should not contain spaces.')
            raise exceptions.AuthenticationFailed(msg)

        try:
            token = auth[1].decode()
        except UnicodeError:
-            msg = _('Invalid token header. Sign string '
-                    'should not contain invalid characters.')
+            msg = _('Invalid token header. Sign string should not contain invalid characters.')
            raise exceptions.AuthenticationFailed(msg)
-        return self.authenticate_credentials(token)
+        user, header = self.authenticate_credentials(token)
+        after_authenticate_update_date(user)
+        return user, header

-    def authenticate_credentials(self, token):
+    @staticmethod
+    def authenticate_credentials(token):
        model = get_user_model()
        user_id = cache.get(token)
        user = get_object_or_none(model, id=user_id)
@@ -151,15 +66,23 @@ class AccessTokenAuthentication(authentication.BaseAuthentication):
        return self.keyword


-class PrivateTokenAuthentication(JMSBaseAuthBackend, authentication.TokenAuthentication):
+class PrivateTokenAuthentication(authentication.TokenAuthentication):
    model = PrivateToken

+    def authenticate(self, request):
+        user_token = super().authenticate(request)
+        if not user_token:
+            return
+        user, token = user_token
+        after_authenticate_update_date(user, token)
+        return user, token
+

 class SessionAuthentication(authentication.SessionAuthentication):
    def authenticate(self, request):
        """
        Returns a `User` if the request session currently has a logged in user.
-        Otherwise returns `None`.
+        Otherwise, returns `None`.
        """

        # Get the session-based user from the underlying HttpRequest object
@@ -195,6 +118,7 @@ class SignatureAuthentication(signature.SignatureAuthentication):
            if not key.is_active:
                return None, None
            user, secret = key.user, str(key.secret)
+            after_authenticate_update_date(user, key)
            return user, secret
        except (AccessKey.DoesNotExist, exceptions.ValidationError):
            return None, None