Django websockets身份验证
我将tornado + sockjs用于websocket,将Django rest框架用于主要应用.我也使用rest-framework-jwt在Django应用程序上进行身份验证.现在,我必须确定龙卷风中的用户.我怎么看:
I use tornado + sockjs for websockets and Django rest framework for main app. Also I use rest-framework-jwt for auth on Django app. Now I have to determine user in tornado. How I see it:
- 当sockjs连接到龙卷风服务器时,用户在消息中发送jwt.
- 龙卷风服务器解析jwt并确定是否有效的jwt?但是对于这种解决方案,我必须阅读数据库.但是此操作是同步的,所以效果不好,因为龙卷风是异步的.
我还以为可以用芹菜.当用户连接到龙卷风时,龙卷风为芹菜创建任务,并且在此任务中将解析jwt.在这种情况下,解决方案不会阻止龙卷风.但是,然后如何通过websocket通知用户有关check jwt的信息呢?
Also I thought use Celery. When user connected to tornado, tornado creats task for celery and in this task jwt will be parsed. In that case solution is not blocking tornado. But how then to notice user via websockets about check jwt?
更新:
您无需读取数据库即可验证JWT.JWT是一个已签名的令牌,您需要的只是用于验证JWT的密钥.
You shouldn't need to read database to validate a JWT. JWT is a signed token, all you need is the secret key to validate the JWT.
旧答案:
(注意:下图对于JWT来说是多余的,因为JWT已经是一个已签名的令牌,可以进行验证而无需保存在任何地方.但是,该图适用于基于cookie的情况验证.)
(Note: The diagram below is rather redundant for JWT, as a JWT is already a signed token and can be validated without needing to be saved anywhere. This diagram, however, works for cookie based auth.)
您可以使用消息代理(例如Redis)在Django和Tornado之间共享身份验证令牌:
You can share auth tokens between Django and Tornado using a message broker (such as Redis):
Redis快速,轻巧,您可以从Tornado异步连接它.
Redis is fast and lightweight and you can connect with it asynchronously from Tornado.
这里不需要芹菜.