Rest_Framework APIClient 测试 return 401 未授权使用令牌身份验证
Rest_Framework APIClient tests return 401 Unauthorized with Token Authentication
我正在为我的 rest_framework API 编写一些测试,并且我正在使用令牌身份验证来保护它。我决定使用 DRF 的 APIClient class 来模拟来自用户浏览器的调用。
我可以通过点击身份验证端点从 API 中获取令牌,但是当我尝试使用这些令牌来验证对其他端点的任何进一步请求时,我得到了一个 401 Unauthorized消息错误,"Invalid token"。
奇怪的是,我可以复制粘贴完全相同的令牌,并通过类似 HTTPIE 的方式向完全相同的端点发出成功的手动 GET 请求...
这是我的 tests.py:
import json
from rest_framework import status
from rest_framework.test import APIClient
from rest_framework.test import APITestCase
class TestUser(object):
"""
A basic user class to simplify requests to the API
Tokens can be generated by authing as a user to /v1/auth/
"""
def __init__(self, token):
self.client = APIClient()
self.token = token
self.client.credentials(HTTP_AUTHORIZATION='Token ' + token)
def get(self, url):
print("Token: {0}".format(self.token))
res = self.client.get(url)
print('GET {0}: {1}'.format(url, res.data))
return res
def post(self, url, data):
res = self.client.post(url, data, format='json')
print('POST {0}: {1}'.format(url, res.data))
return res
def patch(self, url, data):
res = self.client.patch(url, data, json=data)
print('PATCH {0}: {1}'.format(url, res.data))
return res
def delete(self, url):
res = self.client.delete(url)
print('DELETE {0}: {1}'.format(url, res.data))
return res
# Grab new tokens every time we run our tests
auth_client = APIClient()
SUPERUSER = TestUser(auth_client.post('/v1/auth/', {'username': 'TestUser',
'password': 'password'}).data['token'])
ADMIN = TestUser(auth_client.post('/v1/auth/', {'username': 'TestUser4',
'password': 'password'}).data['token'])
MANAGER = TestUser(auth_client.post('/v1/auth/', {'username': 'TestUser2',
'password': 'password'}).data['token'])
EMPLOYEE = TestUser(auth_client.post('/v1/auth/', {'username': 'TestUser3',
'password': 'password'}).data['token'])
class AdminSiteCompanies(APITestCase):
def test_list_crud_permissions(self):
# GET
url = "/v1/admin_site/companies/"
self.assertEqual(SUPERUSER.get(url).status_code, status.HTTP_200_OK)
self.assertEqual(ADMIN.get(url).status_code, status.HTTP_200_OK)
self.assertEqual(MANAGER.get(url).status_code, status.HTTP_403_FORBIDDEN)
self.assertEqual(EMPLOYEE.get(url).status_code, status.HTTP_403_FORBIDDEN)
这是上述测试的控制台输出,显示从 API 收到了一个有效令牌,就在我尝试在测试中使用它时它吐回 401 之前:
Creating test database for alias 'default'...
Token: d579dbe4980d8ac451a462fc78cf38f789decddf
GET /v1/admin_site/companies/: {'detail': 'Invalid token.'}
Destroying test database for alias 'default'...
这是我使用 HTTPIE 和上述令牌发出成功的手动 GET 请求的控制台输出:
D:\Projects\API-Server>http http://127.0.0.1:8000/v1/admin_site/companies/ "Authorization: Token d579dbe4980d8ac451a462fc78cf38f789decddf"
HTTP/1.0 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Date: Fri, 01 May 2015 05:43:59 GMT
Server: WSGIServer/0.2 CPython/3.4.3
Vary: Accept
X-Frame-Options: SAMEORIGIN
[
{
"address": "1234 Fake Street",
"id": 1,
"name": "FedEx",
"shift_type": "OE"
},
{
"address": "Bolivia",
"id": 2,
"name": "UPS",
"shift_type": "PS"
}
]
这是我 settings.py 的相关内容:
INSTALLED_APPS = (
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'rest_framework',
'rest_framework.authtoken',
'serverapp',
'rest_framework_swagger',
)
MIDDLEWARE_CLASSES = (
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django.middleware.security.SecurityMiddleware',
'serverapp.middlewares.EmployeeMiddleware',
)
ROOT_URLCONF = 'shiftserver.urls'
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.TokenAuthentication',
),
'DEFAULT_PERMISSION_CLASSES': (
'rest_framework.permissions.IsAuthenticated',
),
'DEFAULT_FILTER_BACKENDS': (
'rest_framework.filters.DjangoFilterBackend',
)
}
# Database
# https://docs.djangoproject.com/en/1.8/ref/settings/#databases
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3',
'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
}
}
这是我第一次为 Django/rest_framework 编写测试,所以我一直在努力关注 DRF's documentation on testing and authenticating。但是,无论我尝试什么,我仍然无法解决这个 "invalid token" 问题。
一个比我更精通 DRF 的朋友在我向他寻求帮助时被难住了,所以希望你们能揭示我们都缺少的东西。
我想通了!在 TestCase class 之外发布到 API 会命中实际的 API 服务器,我在 运行 进行测试时恰好拥有 运行。我重构了 AdminSiteCompanies(APITestCase) 以设置测试数据、用户,并在 class 的 setUp(self):
中对这些用户进行身份验证
class AdminSiteCompanies(APITestCase):
def setUp(self):
# Create test Objects here
...snip...
# Create test Users here
# SuperUser
create_user('TestUser', 'password', 'testuser@test.com', True, False, False, co1lo1.id)
...snip...
# Grab new tokens every time we run our tests
# APIClient allows us to emulate calls from a browser
auth_client = APIClient()
# Authenticate our users
self.SUPERUSER = TestUser(auth_client.post('/v1/auth/', {'username': 'TestUser', 'password': 'password'})
.data['token'])
...snip...
def test_list_crud_permissions(self):
# GET
url = "/v1/admin_site/companies/"
self.assertEqual(self.SUPERUSER.get(url).status_code, status.HTTP_200_OK)
# ^ Now passes test
...snip...
我正在为我的 rest_framework API 编写一些测试,并且我正在使用令牌身份验证来保护它。我决定使用 DRF 的 APIClient class 来模拟来自用户浏览器的调用。
我可以通过点击身份验证端点从 API 中获取令牌,但是当我尝试使用这些令牌来验证对其他端点的任何进一步请求时,我得到了一个 401 Unauthorized消息错误,"Invalid token"。
奇怪的是,我可以复制粘贴完全相同的令牌,并通过类似 HTTPIE 的方式向完全相同的端点发出成功的手动 GET 请求...
这是我的 tests.py:
import json
from rest_framework import status
from rest_framework.test import APIClient
from rest_framework.test import APITestCase
class TestUser(object):
"""
A basic user class to simplify requests to the API
Tokens can be generated by authing as a user to /v1/auth/
"""
def __init__(self, token):
self.client = APIClient()
self.token = token
self.client.credentials(HTTP_AUTHORIZATION='Token ' + token)
def get(self, url):
print("Token: {0}".format(self.token))
res = self.client.get(url)
print('GET {0}: {1}'.format(url, res.data))
return res
def post(self, url, data):
res = self.client.post(url, data, format='json')
print('POST {0}: {1}'.format(url, res.data))
return res
def patch(self, url, data):
res = self.client.patch(url, data, json=data)
print('PATCH {0}: {1}'.format(url, res.data))
return res
def delete(self, url):
res = self.client.delete(url)
print('DELETE {0}: {1}'.format(url, res.data))
return res
# Grab new tokens every time we run our tests
auth_client = APIClient()
SUPERUSER = TestUser(auth_client.post('/v1/auth/', {'username': 'TestUser',
'password': 'password'}).data['token'])
ADMIN = TestUser(auth_client.post('/v1/auth/', {'username': 'TestUser4',
'password': 'password'}).data['token'])
MANAGER = TestUser(auth_client.post('/v1/auth/', {'username': 'TestUser2',
'password': 'password'}).data['token'])
EMPLOYEE = TestUser(auth_client.post('/v1/auth/', {'username': 'TestUser3',
'password': 'password'}).data['token'])
class AdminSiteCompanies(APITestCase):
def test_list_crud_permissions(self):
# GET
url = "/v1/admin_site/companies/"
self.assertEqual(SUPERUSER.get(url).status_code, status.HTTP_200_OK)
self.assertEqual(ADMIN.get(url).status_code, status.HTTP_200_OK)
self.assertEqual(MANAGER.get(url).status_code, status.HTTP_403_FORBIDDEN)
self.assertEqual(EMPLOYEE.get(url).status_code, status.HTTP_403_FORBIDDEN)
这是上述测试的控制台输出,显示从 API 收到了一个有效令牌,就在我尝试在测试中使用它时它吐回 401 之前:
Creating test database for alias 'default'...
Token: d579dbe4980d8ac451a462fc78cf38f789decddf
GET /v1/admin_site/companies/: {'detail': 'Invalid token.'}
Destroying test database for alias 'default'...
这是我使用 HTTPIE 和上述令牌发出成功的手动 GET 请求的控制台输出:
D:\Projects\API-Server>http http://127.0.0.1:8000/v1/admin_site/companies/ "Authorization: Token d579dbe4980d8ac451a462fc78cf38f789decddf"
HTTP/1.0 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Date: Fri, 01 May 2015 05:43:59 GMT
Server: WSGIServer/0.2 CPython/3.4.3
Vary: Accept
X-Frame-Options: SAMEORIGIN
[
{
"address": "1234 Fake Street",
"id": 1,
"name": "FedEx",
"shift_type": "OE"
},
{
"address": "Bolivia",
"id": 2,
"name": "UPS",
"shift_type": "PS"
}
]
这是我 settings.py 的相关内容:
INSTALLED_APPS = (
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'rest_framework',
'rest_framework.authtoken',
'serverapp',
'rest_framework_swagger',
)
MIDDLEWARE_CLASSES = (
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django.middleware.security.SecurityMiddleware',
'serverapp.middlewares.EmployeeMiddleware',
)
ROOT_URLCONF = 'shiftserver.urls'
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.TokenAuthentication',
),
'DEFAULT_PERMISSION_CLASSES': (
'rest_framework.permissions.IsAuthenticated',
),
'DEFAULT_FILTER_BACKENDS': (
'rest_framework.filters.DjangoFilterBackend',
)
}
# Database
# https://docs.djangoproject.com/en/1.8/ref/settings/#databases
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3',
'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
}
}
这是我第一次为 Django/rest_framework 编写测试,所以我一直在努力关注 DRF's documentation on testing and authenticating。但是,无论我尝试什么,我仍然无法解决这个 "invalid token" 问题。
一个比我更精通 DRF 的朋友在我向他寻求帮助时被难住了,所以希望你们能揭示我们都缺少的东西。
我想通了!在 TestCase class 之外发布到 API 会命中实际的 API 服务器,我在 运行 进行测试时恰好拥有 运行。我重构了 AdminSiteCompanies(APITestCase) 以设置测试数据、用户,并在 class 的 setUp(self):
class AdminSiteCompanies(APITestCase):
def setUp(self):
# Create test Objects here
...snip...
# Create test Users here
# SuperUser
create_user('TestUser', 'password', 'testuser@test.com', True, False, False, co1lo1.id)
...snip...
# Grab new tokens every time we run our tests
# APIClient allows us to emulate calls from a browser
auth_client = APIClient()
# Authenticate our users
self.SUPERUSER = TestUser(auth_client.post('/v1/auth/', {'username': 'TestUser', 'password': 'password'})
.data['token'])
...snip...
def test_list_crud_permissions(self):
# GET
url = "/v1/admin_site/companies/"
self.assertEqual(self.SUPERUSER.get(url).status_code, status.HTTP_200_OK)
# ^ Now passes test
...snip...