How to expire token in a logout endpoint ?

[Ahtii]

Hi,
I moved from Django to FastAPI because of its speed (native support for asynchronous code). I am learning it from past few weeks. I have implemented login authentication with OAuth2PasswordBearer and generating tokens with JWT so far so good.

Now I want to implement Logout endpoint I googled it didn't found anything useful so I thought of implementing it by manipulating the token by setting expire minutes to 0 but I don't really know how to do it here is my code so for:

main.py

@app.post("/api/logout")
async def logout(token: str = Depends(settings.TOKEN_MANAGER)):
    views.set_expiry(0, token)
    return {"response": "Logged out"}

settings.py

ACCESS_TOKEN_EXPIRE_MINUTES = 30
TOKEN_URL = "/api/auth/token"
TOKEN_MANAGER = OAuth2PasswordBearer(tokenUrl=TOKEN_URL)

views.py

def set_expiry(timestamp, token):
    # code to expire token

I also thought of simply assigning token to None. I just wanna know what is the best practice to do it ? I will be working in back-end only.

[includeamin]

there are many solutions for that.
for example.
1- the first, token should remove from the client-side.
2- add token to Blacklist that store in DB ( better to use Redis for better Performance ) with TTL== Expiration time of token.
so before token expiration, all requests with that token will ignored or blocked and after TTL or expiration of token. all requests with that token, of course, will be ignored because of expiration.

[ArcLightSlavik]

If your building from the ground up and require strict logout then it's better to use cookie auth instead of jwt.
If you are stuck with jwt you can create a Blacklist with TTL (redis is a very good choice) after which you make middleware which checks if the token is in the Blacklist, if it is it returns a 401.

[Ahtii]

@includeamin thanks for the response :) I would definitely use redis I am using MySQL as my database I will post the code here after I am done for your advice about any optimisation as I like to create fast and secure products :) thanks

[Ahtii]

@ArcLightSlavik Thanks for the response. But aren't cookies insecure as opposite to using jwt ? I just wanna make it a habit to stick to creating secure products that way I would learn a lot :)

[ArcLightSlavik]

@Ahtii Both cookie auth and jwt have there security issues and neither is completely safe or better than the other solution. Something like CSRF is handled in Django (not sure about fastapi). As a tldr cookie auth is safe if you use it correctly (secure and httponly and all that jazz).

[Ahtii]

@ArcLightSlavik Okay I just learned that httponly hides the cookie from the client scripts which means we get rid of XSS. Now my question is what if I use cookie auth as well as jwt ? Is it possible ? and would it increase security ?

[Ahtii]

@includeamin @ArcLightSlavik can you guys please provide me with some information of how to setup redis with fastapi for blacklisting of tokens ? I don't seem to find it.

[pythonhacked]

@router.get('/logout/')
async def logout(request: Request):
if '_messages' in request.session:
if 'username' in request.session['_messages'][0]:
request.session.clear()
return RedirectResponse('/')

{how tom expire to login token with logout API }

[simplylu]

Can you please (1) format the code and (2) elaborate on that snippet @pythonhacked ?

[shivamkr9]

I want to add a logout functionality but I am unable to do that. Can anyone explain how the logout functionality works in http://127.0.0.1:8000/docs#/.

my /login code

from fastapi import APIRouter, Depends, status, HTTPException
from sqlalchemy.orm import Session
from app.configurations.database import get_db
from app.configurations import models, utils, oauth2
from app.configurations.schemas import Token
from fastapi.security import OAuth2PasswordRequestForm

from app.configurations.oauth2 import oauth2_scheme

routes = APIRouter(
prefix="/user",
tags=["Authentication"]
)

@routes.post("/login", response_model=Token)
def userlogin(user_credentials: OAuth2PasswordRequestForm = Depends(), db: Session = Depends(get_db)):
_user = db.query(models.User).filter(
models.User.email == user_credentials.username).first()

if not _user:
    raise HTTPException(
        status_code=status.HTTP_404_NOT_FOUND, detail="Invalid credential")

if not utils.verify(user_credentials.password, _user.password):
    raise HTTPException(
        status_code=status.HTTP_404_NOT_FOUND, detail="Invalid credential")

_data = {
    "id": _user.id,
    "name": _user.name,
    "email": _user.email
}

access_token = oauth2.create_access_token(_data)
return {"access_token": access_token, "token_type": "bearer"}

If there is any possible article/ video or any thing for how logout works please explain or pin in the reply

Thank You 🙂

[caeser1996]

The logout functionality can be implemented by providing an endpoint that invalidates the current access token, effectively logging the user out.

Here's an example implementation in FastAPI:

from fastapi import APIRouter, Depends, Header
from app.configurations.oauth2 import oauth2_scheme

routes = APIRouter(prefix="/user", tags=["Authentication"])

@routes.post("/logout")
def user_logout(Authorization: str = Header(None)):
    oauth2_scheme.revoke_token(Authorization)
    return {"message": "Token revoked"}

In this example, a /user/logout endpoint is created that takes in an Authorization header, which contains the access token. The revoke_token method from your oauth2_scheme is called to invalidate the token. This function should be implemented to actually store the revoked tokens and invalidate them in future requests.

It's also important to note that logging out in an OAuth2-based system only invalidates the current access token, not the refresh token. To fully log out the user, you'll need to invalidate both tokens.