JWT

mac2024-06-30  60

用python语言实现JWT接口

开发api接口时,如果前后端分离,最好使用token。为什么这么说呢?因为session+cookies是基于web的,而api接口可能还要考虑移动端,app是没有cookies和session的。JWT由header + payload + sign三部分组成,中间用.连接;其中header和payload只是base64url编码,并没有加密,sign是对前两部分做的HMAC-SHA256签名。以下是根据JWT的原理,通过python语言自己实现的jwt接口。

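import base64
import copy
import hmac
import json
import time


class JWTError(RuntimeError):
    """Raised when a token fails signature verification or has expired.

    Subclasses RuntimeError so that callers which already catch
    RuntimeError around ``JWT.decode`` keep working.
    """


class JWT:
    """Minimal HS256 JSON Web Token encoder/decoder.

    A token is ``header.payload.signature``. Each part is base64url-encoded
    with the ``=`` padding stripped. The header and payload are only encoded,
    not encrypted, so anyone holding the token can read them. The signature
    is what makes the token tamper-evident.
    """

    def __init__(self):
        pass

    @staticmethod
    def b64decode(b_s):
        """Decode unpadded base64url bytes.

        The ``=`` padding removed at signing time is restored first.
        ``-len % 4`` adds nothing when the length is already a multiple of 4.
        """
        return base64.urlsafe_b64decode(b_s + b'=' * (-len(b_s) % 4))

    @staticmethod
    def b64encode(j_s):
        """Encode bytes as base64url with the ``=`` padding stripped."""
        return base64.urlsafe_b64encode(j_s).replace(b'=', b'')

    @staticmethod
    def _sign(key, signing_input):
        """Return the unpadded base64url HMAC-SHA256 of ``signing_input``."""
        mac = hmac.new(key, signing_input, digestmod='SHA256')
        return JWT.b64encode(mac.digest())

    @staticmethod
    def encode(payload, key):
        """Build a signed token.

        Args:
            payload: JSON-serialisable dict of claims. ``decode`` requires a
                numeric ``exp`` claim (seconds since the epoch).
            key: shared secret, as ``str`` or ``bytes``.

        Returns:
            The token as ``bytes``.
        """
        if isinstance(key, str):
            key = key.encode()
        header = JWT.b64encode(
            json.dumps({'alg': 'HS256', 'typ': 'JWT'},
                       separators=(',', ':')).encode())
        # Defensive copy so that serialisation can never touch the caller's dict.
        body = JWT.b64encode(
            json.dumps(copy.deepcopy(payload), separators=(',', ':')).encode())
        signing_input = header + b'.' + body
        return signing_input + b'.' + JWT._sign(key, signing_input)

    @staticmethod
    def decode(key, jwt_s):
        """Verify a token and return its payload.

        The HMAC over ``header.payload`` is recomputed with ``key`` and
        compared to the third segment before the payload is parsed. The
        algorithm is fixed to HMAC-SHA256 and the token's own header is never
        consulted, so a token cannot choose a weaker algorithm through its
        ``alg`` field. Only ``exp`` is checked. Other claims are returned
        as-is for the caller to validate.

        Args:
            key: shared secret, as ``str`` or ``bytes``.
            jwt_s: the token, as ``bytes`` or ``str``.

        Returns:
            The decoded payload dict.

        Raises:
            JWTError: the signature does not match, or ``exp`` is in the past.
            ValueError: the token does not have exactly three segments.
            KeyError: the payload carries no ``exp`` claim.
        """
        if isinstance(key, str):
            key = key.encode()
        if isinstance(jwt_s, str):
            jwt_s = jwt_s.encode()

        header_bs, payload_bs, sign_bs = jwt_s.split(b'.')

        expected = JWT._sign(key, header_bs + b'.' + payload_bs)
        # Constant-time comparison: a plain != can leak, through timing, how
        # many leading bytes of a guessed signature are correct.
        if not hmac.compare_digest(expected, sign_bs):
            raise JWTError('signature verification failed')

        # The payload is only parsed after the signature has been verified.
        payload = json.loads(JWT.b64decode(payload_bs))

        if time.time() > payload['exp']:
            raise JWTError('token has expired')
        return payload


if __name__ == '__main__':
    # Demo only: 'abc' is a placeholder key. A real HS256 key should be a
    # long random secret, because a short one can be guessed offline from a
    # single captured token.
    s = JWT.encode({'exp': time.time() + 300, 'username': 'xdj'}, 'abc')
    print(JWT.decode('abc', s))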