invalidate token #385
With DRF authtoken it is possible to make a 'logout' in this way:
As you see here we have a delete() method.
I can map this view and create an endpoint in order to have a logout call from the frontend client! Then, to log in again, I can create a new token for that user.
How can I do this using django-rest-framework-jwt?
On your user model add a field:
Then create a function that returns this field:
And use a string with the path to that function in the
Then in the logout view, just save a new UUID as the jwt_secret value on the user instance.
@uber1geek Conceptually what you want is a UUIDField on the user model, and then every time the user does something that should log them out of the site (clicking Logout, changing their password, etc.) you then generate a new UUID and save it to that field on the user model.
Then as part of the auth process, the jwt_secret field is added to the token, and the JWT in the token is compared with the JWT on the user model. If they aren't the same, then we know the user has done something to log them out of the site (or otherwise invalidate the token) in between when the token was issued and when it's being checked, so the token should be treated as invalid and the user needs to re-authenticate.
Checking the secret key is now part of the authentication process, so once you set the values above the only thing you need to worry about is saving a new UUID for the user when they do something that should log them out of the site. (And write tests to make sure it's working correctly.)
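A stand-alone model of the per-user secret scheme described in the two answers above, added here as an illustration and not code from the django-rest-framework-jwt project or the commenters. `USERS` is a constructed stand-in for the user model, `get_user_secret_key` plays the role of the function the settings entry points to, and HS256 signing is done with the standard library so the example runs offline; the old token stops verifying as soon as `logout()` rotates the secret.

```python
# Stand-alone model of the per-user "jwt_secret" scheme described above.
# USERS replaces the Django user model; get_user_secret_key plays the role of
# the hook function the answer refers to. HS256 is implemented with the
# standard library so this runs offline (constructed example, not DRF-JWT code).
import base64, hashlib, hmac, json, time, uuid

# Constructed stand-in for the user table: pk -> record with a jwt_secret field.
USERS = {1: {"username": "alice", "jwt_secret": str(uuid.uuid4())}}


def get_user_secret_key(user_id):
    """Return the user's current per-user signing secret."""
    return USERS[user_id]["jwt_secret"]


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input, secret):
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()


def issue_token(user_id, ttl=3600):
    """Sign an HS256 JWT with the secret stored on the user right now."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"user_id": user_id, "exp": int(time.time()) + ttl}
    payload = _b64(json.dumps(claims).encode())
    sig = _sign(f"{header}.{payload}".encode(), get_user_secret_key(user_id))
    return f"{header}.{payload}.{_b64(sig)}"


def verify_token(token):
    """Return the claims if the signature matches the user's *current* secret, else None."""
    try:
        header, payload, sig = token.split(".")
        claims = json.loads(_unb64(payload))
        secret = get_user_secret_key(claims["user_id"])  # re-read on every request
        given = _unb64(sig)
    except (ValueError, KeyError, TypeError):
        return None
    expected = _sign(f"{header}.{payload}".encode(), secret)
    if not hmac.compare_digest(expected, given):
        return None  # wrong key, or a secret rotated by logout() since issuance
    if claims.get("exp", 0) < time.time():
        return None  # expired
    return claims


def logout(user_id):
    """Rotate the secret: every token issued before this call stops verifying."""
    USERS[user_id]["jwt_secret"] = str(uuid.uuid4())
```

Because the secret is read from the user record on every verification, a password change or admin-forced logout only needs to call the same rotation; no token blacklist has to be stored or cleaned up.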