perf: 优化confirm接口 (#8451)

* perf: 优化confirm接口 * perf: 修改校验 * perf: 优化 confirm API 逻辑 * Delete django.po Co-authored-by: feng626 <1304903146@qq.com> Co-authored-by: ibuler <ibuler@qq.com> Co-authored-by: Jiangjie.Bai <bugatti_it@163.com> Co-authored-by: feng626 <57284900+feng626@users.noreply.github.com>
2025-09-03 16:35:10 +00:00 · 2022-07-04 11:29:39 +08:00
parent ca19e45905
commit a6cc8a8b05
28 changed files with 273 additions and 188 deletions
--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@@ -1,9 +1,12 @@
 # -*- coding: utf-8 -*-
 #
 import time
-from rest_framework import permissions
+
 from django.conf import settings
-from common.exceptions import MFAVerifyRequired
+from rest_framework import permissions
+
+from authentication.const import ConfirmType
+from common.exceptions import UserConfirmRequired


 class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
@@ -29,18 +32,23 @@ class WithBootstrapToken(permissions.BasePermission):
        return settings.BOOTSTRAP_TOKEN == request_bootstrap_token


-class NeedMFAVerify(permissions.BasePermission):
+class UserConfirmation(permissions.BasePermission):
+    ttl = 300
+    min_level = 1
+    confirm_type = ConfirmType.ReLogin
+
    def has_permission(self, request, view):
-        if not settings.SECURITY_VIEW_AUTH_NEED_MFA:
-            return True
+        confirm_level = request.session.get('CONFIRM_LEVEL')
+        confirm_time = request.session.get('CONFIRM_TIME')

-        mfa_verify_time = request.session.get('MFA_VERIFY_TIME', 0)
-        if time.time() - mfa_verify_time < settings.SECURITY_MFA_VERIFY_TTL:
-            return True
-        raise MFAVerifyRequired()
+        if not confirm_level or not confirm_time or \
+                confirm_level < self.min_level or \
+                confirm_time < time.time() - self.ttl:
+            raise UserConfirmRequired(code=self.confirm_type)
+        return True

-
-class IsObjectOwner(IsValidUser):
-    def has_object_permission(self, request, view, obj):
-        return (super().has_object_permission(request, view, obj) and
-                request.user == getattr(obj, 'user', None))
+    @classmethod
+    def require(cls, confirm_type=ConfirmType.ReLogin, ttl=300):
+        min_level = ConfirmType.values.index(confirm_type) + 1
+        name = 'UserConfirmationLevel{}TTL{}'.format(min_level, ttl)
+        return type(name, (cls,), {'min_level': min_level, 'ttl': ttl, 'confirm_type': confirm_type})