invalidate token #385
On your user model add a field:
Then create a function that returns this field:
And use a string with the path to that function in the Then in the logout view, just save a new UUID as the jwt_secret value on the user instance.
@Alex3917 This sounds interesting, Can you please elaborate a bit on this? |
@uber1geek Conceptually what you want is a UUIDField on the user model, and then every time the user does something that should log them out of the site (clicking Logout, changing their password, etc.) you then generate a new UUID and save it to that field on the user model. Then as part of the auth process, the jwt_secret field is added to the token, and the JWT in the token is compared with the JWT on the user model. If they aren't the same, then we know the user has done something to log them out of the site (or otherwise invalidate the token) in between when the token was issued and when it's being checked, so the token should be treated as invalid and the user needs to re-authenticate. Checking the secret key is now part of the authentication process, so once you set the values above the only thing you need to worry about is saving a new UUID for the user when they do something that should log them out of the site. (And write tests to make sure it's working correctly.)
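The rotation scheme described in the comment above, as an added, self-contained example that is not code from the thread or from django-rest-framework-jwt. It models the user with a `jwt_secret` UUID field, derives the per-user HMAC signing key from a server secret plus that UUID, issues and verifies HS256-style tokens, and shows that rotating the UUID on logout makes every earlier token fail verification. The `User` class, the `users` dictionary standing in for the ORM lookup, `SERVER_SECRET`, and all function names are constructed for this example; the library's own setting wires a user-secret function into its signing path, which is the same idea.

```python
"""Per-user secret rotation for stateless tokens (constructed demonstration)."""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed server-side secret; a real deployment reads it from settings.
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"


class InvalidToken(Exception):
    """Raised when a token fails parsing, user lookup, signature, or expiry."""


class User:
    """Stand-in for the Django user model carrying the jwt_secret field from the thread."""

    def __init__(self, user_id):
        self.id = user_id
        self.jwt_secret = uuid.uuid4()


def get_user_secret_key(user):
    """Derive the per-user signing key from SERVER_SECRET and the user's UUID.

    Binding the UUID to the server secret with HMAC means a leaked database
    column alone is not enough to forge a token for that user."""
    return hmac.new(SERVER_SECRET, str(user.jwt_secret).encode(), hashlib.sha256).digest()


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_token(user, ttl=3600, now=None):
    """Issue a header.payload.signature token signed with the user's current key."""
    issued = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"user_id": user.id, "iat": issued, "exp": issued + ttl}
    signing_input = (
        _b64(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(get_user_secret_key(user), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def decode_token(token, users, now=None):
    """Verify a token and return its payload; `users` maps user_id -> User."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        payload = json.loads(_unb64(payload_b64))
        signature = _unb64(sig_b64)
    except ValueError:  # wrong part count, bad base64, or bad JSON
        raise InvalidToken("malformed token")
    if not isinstance(payload, dict):
        raise InvalidToken("malformed payload")
    # user_id is read before the signature is checked because the key to verify
    # with depends on which user the token names. Nothing else in the payload
    # is trusted until compare_digest below succeeds.
    user = users.get(payload.get("user_id"))
    if user is None:
        raise InvalidToken("unknown user")
    expected = hmac.new(
        get_user_secret_key(user), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, signature):
        # Either the token was tampered with, or jwt_secret was rotated after issue.
        raise InvalidToken("bad signature")
    current = int(time.time() if now is None else now)
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= current:
        raise InvalidToken("expired")
    return payload


def logout(user):
    """What the logout view does: rotate the secret so prior tokens stop verifying."""
    user.jwt_secret = uuid.uuid4()


if __name__ == "__main__":
    alice = User(42)
    registry = {alice.id: alice}
    token = encode_token(alice)
    print("before logout:", decode_token(token, registry)["user_id"])
    logout(alice)
    try:
        decode_token(token, registry)
    except InvalidToken as exc:
        print("after logout:", exc)
```

The same rotation covers password changes or an administrator forcing a sign-out: any code path that saves a new `jwt_secret` invalidates every outstanding token for that user at once, at the cost of one user lookup per request. Tokens issued after the rotation verify normally because they are signed under the new key.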
@Alex3917
@ray525
Any solution for the problem invoked by @ray525?
@RahmaMzoughi @ray525 I don't have a good solution for that. You could obviously just delete the token from localstorage, although that wouldn't eliminate the ability for someone who already had the token to use it. I could see this being an issue where someone uses a public computer as their desktop computer, and then uses their phone as their private computer. But I don't run a site where this is an issue.
I am also looking for a solution. I want both provisions.
With DRF authtoken it is possible to do a 'logout' in this way:
As you see, here we have a delete() method.
I can map this view and create an endpoint in order to have a logout call from the frontend client! Then, to log in again, I can recreate a new token for that user.
How can I do this using django-rest-framework-jwt?