
invalidate token #385

Open
davidrdz93 opened this Issue Oct 2, 2017 · 5 comments

@davidrdz93

davidrdz93 commented Oct 2, 2017

With DRF authtoken it is possible to make a 'logout' in this way:

from django.contrib.auth.models import User
from rest_framework import status
from rest_framework.response import Response
from rest_framework.views import APIView

class Logout(APIView):
    queryset = User.objects.all()

    def get(self, request, format=None):
        # simply delete the token to force a login
        request.user.auth_token.delete()
        return Response(status=status.HTTP_200_OK)

As you see here we have a delete() method.

I can map this view and create an endpoint in order to have a logout call from the frontend client! Then, to log in again, I can recreate a new token for that user.

How can I do this using django-rest-framework-jwt?

@Alex3917


Contributor

Alex3917 commented Oct 3, 2017

On your user model add a field:

jwt_secret = models.UUIDField(default=uuid.uuid4)

Then create a function that returns this field:

def jwt_get_secret_key(user_model):
    # referenced by JWT_GET_USER_SECRET_KEY: the per-user secret signs and verifies the token
    return user_model.jwt_secret

And use a string with the path to that function in the JWT_GET_USER_SECRET_KEY variable.

Then in the logout view, just save a new UUID as the jwt_secret value on the user instance.

@uber1geek


uber1geek commented Nov 7, 2017

@Alex3917 This sounds interesting. Can you please elaborate a bit on this?

@Alex3917


Contributor

Alex3917 commented Nov 7, 2017

@uber1geek Conceptually what you want is a UUIDField on the user model, and then every time the user does something that should log them out of the site (clicking Logout, changing their password, etc.) you then generate a new UUID and save it to that field on the user model.

Then as part of the auth process, the jwt_secret field is added to the token, and the JWT in the token is compared with the JWT on the user model. If they aren't the same, then we know the user has done something to log them out of the site (or otherwise invalidate the token) in between when the token was issued and when it's being checked, so the token should be treated as invalid and the user needs to re-authenticate.

Checking the secret key is now part of the authentication process, so once you set the values above the only thing you need to worry about is saving a new UUID for the user when they do something that should log them out of the site. (And write tests to make sure it's working correctly.)

@ray525


ray525 commented Mar 26, 2018

@Alex3917
If a user logs in on two different browsers, how can we handle this situation?
If we log out on one browser, then the other browser needs to log in again, am I right?

@tjquinn1


tjquinn1 commented Jul 9, 2018

@ray525
I know this is old but no one answered your question. You are right, this method will log out all sessions.
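The per-user secret scheme Alex3917 describes, and the all-sessions consequence tjquinn1 confirms, shown end to end as an added example (not code from this thread or from django-rest-framework-jwt): a stdlib-only HS256-style token signed with a secret derived from a user's jwt_secret field, where the User class, the users lookup dict and the token contents are stand-ins constructed for the demo.

```python
import base64, hashlib, hmac, json, uuid

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class User:
    """Constructed stand-in for the Django user model with the jwt_secret field."""
    def __init__(self, username):
        self.username = username
        self.jwt_secret = uuid.uuid4()  # mirrors models.UUIDField(default=uuid.uuid4)

def jwt_get_secret_key(user):
    # Same role as the function named for JWT_GET_USER_SECRET_KEY in the thread.
    return str(user.jwt_secret)

def _sign(header, payload, user):
    signing_input = f"{header}.{payload}".encode()
    return hmac.new(jwt_get_secret_key(user).encode(), signing_input, hashlib.sha256).digest()

def issue_token(user):
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"username": user.username}).encode())
    return f"{header}.{payload}.{_b64(_sign(header, payload, user))}"

def verify_token(token, users):
    """Return the User the token belongs to, or None if it is invalid."""
    try:
        header, payload, sig = token.split(".")
        # The unverified payload is read only to select which user's secret to check;
        # nothing is trusted until the signature matches. The alg header is ignored:
        # the verifier always uses HMAC-SHA256, so no algorithm confusion is possible.
        user = users[json.loads(_unb64(payload))["username"]]
    except (ValueError, KeyError):
        return None
    # Constant-time compare; a token signed under a rotated (old) secret fails here.
    return user if hmac.compare_digest(_sign(header, payload, user), _unb64(sig)) else None

def logout(user):
    # Rotating the secret invalidates every token ever issued under the old one.
    user.jwt_secret = uuid.uuid4()

def demo():
    alice = User("alice")
    users = {alice.username: alice}
    browser_a, browser_b = issue_token(alice), issue_token(alice)
    before = (verify_token(browser_a, users) is alice, verify_token(browser_b, users) is alice)
    logout(alice)  # logout clicked in browser A only
    after = (verify_token(browser_a, users) is alice, verify_token(browser_b, users) is alice)
    return before, after
```

Because the secret is per user rather than per token, the rotation cannot distinguish browser A from browser B; per-session logout needs a per-token identifier checked against a stored list instead.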
