问题重现

当查看DRF 文档时发现DRF内置的token是存储在数据库里，这和我在网上搜索资料时认识的token-based authentication有出入。

from rest_framework.authtoken.models import Token # 有Token这个model

原因

其实网上大多数的token是json web token，是和DRF自带的token不同的。JWT只存储在客户端。具体google:double submit cookie vs synchronizer token

引用DRF文档：

参考

1. https://www.django-rest-framework.org/api-guide/authentication/#json-web-token-authentication
2. https://stackoverflow.com/questions/57442082/why-django-rest-framework-stores-token-in-database?noredirect=1#comment101361728_57442082
3. https://stackoverflow.com/questions/29440014/should-i-use-jwt-or-basic-token-authentication-in-django-rest-framework
4. https://stackoverflow.com/questions/27578726/appropriate-choice-of-authentication-class-for-python-rest-api-used-by-web-app
5. https://stackoverflow.com/questions/31600497/django-drf-token-based-authentication-vs-json-web-token
6. https://stackoverflow.com/questions/14567586/token-authentication-for-restful-api-should-the-token-be-periodically-changed
7. https://stackoverflow.com/questions/43452896/authentication-jwt-usage-vs-session