U api update

2020-01-10 12:32:41 +08:00 · 2020-01-10 12:32:41 +08:00 · 93b2ea011f
parent e6873c7650
commit 93b2ea011f
4 changed files with 12 additions and 4 deletions
--- a/spug_api/apps/account/models.py
+++ b/spug_api/apps/account/models.py
@ -12,6 +12,7 @@ class User(models.Model, ModelMixin):
    access_token = models.CharField(max_length=32)
    token_expired = models.IntegerField(null=True)
    last_login = models.CharField(max_length=20)
+    last_ip = models.CharField(max_length=50)
    role = models.ForeignKey('Role', on_delete=models.PROTECT, null=True)

    created_at = models.CharField(max_length=20, default=human_datetime)
--- a/spug_api/apps/account/views.py
+++ b/spug_api/apps/account/views.py
@ -90,12 +90,18 @@ def login(request):
                return json_response(error="账户已被禁用")
            if user.verify_password(form.password):
                cache.delete(form.username)
+                x_real_ip = request.headers.get('x-real-ip', '')
                token_isvalid = user.access_token and len(user.access_token) == 32 and user.token_expired >= time.time()
                user.access_token = user.access_token if token_isvalid else uuid.uuid4().hex
                user.token_expired = time.time() + 8 * 60 * 60
                user.last_login = human_datetime()
+                user.last_ip = x_real_ip
                user.save()
-                return json_response({'access_token': user.access_token, 'nickname': user.nickname})
+                return json_response({
+                    'access_token': user.access_token,
+                    'nickname': user.nickname,
+                    'has_real_ip': True if x_real_ip else False
+                })

        value = cache.get_or_set(form.username, 0, 86400)
        if value >= 3:
--- a/spug_api/libs/middleware.py
+++ b/spug_api/libs/middleware.py
@ -26,10 +26,11 @@ class AuthenticationMiddleware(MiddlewareMixin):
            return None
        if any(x.match(request.path) for x in settings.AUTHENTICATION_EXCLUDES if hasattr(x, 'match')):
            return None
-        access_token = request.META.get('HTTP_X_TOKEN') or request.GET.get('x-token')
+        access_token = request.headers.get('x-token') or request.GET.get('x-token')
        if access_token and len(access_token) == 32:
+            x_real_ip = request.headers.get('x-real-ip', '')
            user = User.objects.filter(access_token=access_token).first()
-            if user and user.token_expired >= time.time() and user.is_active:
+            if user and x_real_ip == user.last_ip and user.token_expired >= time.time() and user.is_active:
                request.user = user
                user.token_expired = time.time() + 8 * 60 * 60
                user.save()
--- a/spug_api/spug/settings.py
+++ b/spug_api/spug/settings.py
@ -25,7 +25,7 @@ SECRET_KEY = 'vk0do47)egwzz!uk49%(y3s(fpx4+ha@ugt-hcv&%&d@hwr&p7'
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True

-ALLOWED_HOSTS = []
+ALLOWED_HOSTS = ['127.0.0.1']

 # Application definition