7

I am using the Django rest framework JSON Web token API that is found here on github (https://github.com/GetBlimp/django-rest-framework-jwt/tree/master/).

I can successfully create tokens and use them to call protected REST APIs. However, there are certain cases where I would like to delete a specific token before its expiry time. So I thought to do this with a view like:

from rest_framework import status
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
from rest_framework.views import APIView
from rest_framework_jwt.authentication import JSONWebTokenAuthentication


class Logout(APIView):
    permission_classes = (IsAuthenticated, )
    authentication_classes = (JSONWebTokenAuthentication, )

    def post(self, request):
        # simply delete the token to force a login
        request.auth.delete()  # This will not work: request.auth is the raw token string
        return Response(status=status.HTTP_200_OK)

The request.auth is simply a string object. So this is, of course, not going to work, but I was not sure how I can clear the underlying token.

EDIT

Reading more about this, it seems that I do not need to do anything as nothing is ever stored on the server side with JWT. So just closing the application and regenerating the token on the next login is enough. Is that correct?

Ébe Isaac
Luca

4 Answers

10

The biggest disadvantage of JWT is that, because the server does not save the session state, it is not possible to abolish a token or change the token's permissions during use. That is, once the JWT is signed, it will remain in effect until it expires, unless the server deploys additional logic. So, you cannot invalidate the token even if you create a new token or refresh it. The simple way to log out is to remove the token from the client.

Rhys Pang
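What the "additional logic" mentioned in this answer looks like in practice, as an added example that is not from the answerer and not from either JWT library discussed on the page: a minimal HS256 token minter whose tokens carry a jti claim, plus a server-side revocation list keyed on that jti and consulted on every verification. Signing with hmac and hashlib stands in for the library's signing code; the secret, lifetime and user id are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional

# Constructed signing secret for the example; a deployment loads it from configuration.
SECRET = b"example-signing-key-not-for-production"
TOKEN_LIFETIME = 300  # seconds a minted token stays valid

# Server-side revocation list: jti -> exp. This is exactly the state a plain JWT
# setup lacks; entries only need to live until the token would have expired anyway.
_revoked = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user_id: str, now: Optional[float] = None) -> str:
    """Create an HS256 JWT with a unique jti so it can be revoked individually."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "jti": uuid.uuid4().hex,
               "iat": int(now), "exp": int(now) + TOKEN_LIFETIME}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if signature, algorithm, expiry and revocation checks pass."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # tampered or foreign token
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except (ValueError, TypeError):
        return None
    if header.get("alg") != "HS256":
        return None  # only the one algorithm this server signs with is accepted
    if payload.get("exp", 0) <= now:
        return None  # expired
    if payload.get("jti") in _revoked:
        return None  # explicitly logged out before expiry
    return payload


def revoke_token(token: str, now: Optional[float] = None) -> bool:
    """Logout handler: remember the jti until the token's own exp; False if not valid."""
    payload = verify_token(token, now)
    if payload is None:
        return False
    _revoked[payload["jti"]] = payload["exp"]
    return True


def purge_expired(now: Optional[float] = None) -> int:
    """Drop revocation entries for tokens that have expired on their own; returns count."""
    now = time.time() if now is None else now
    stale = [jti for jti, exp in _revoked.items() if exp <= now]
    for jti in stale:
        del _revoked[jti]
    return len(stale)


if __name__ == "__main__":
    t = mint_token("alice")
    print("valid before logout:", verify_token(t) is not None)
    revoke_token(t)
    print("valid after logout:", verify_token(t) is not None)
```

The trade-off the answer names is visible in the code: the `_revoked` dict is server state that a stateless JWT deployment does not otherwise need, and a logout endpoint that calls `revoke_token` only works if every verifying service shares that list (a database table or cache in practice). Because entries are keyed on jti and purged at exp, the list stays bounded by the number of logouts within one token lifetime.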
7

Yes, it's correct to say that JWT tokens are not stored in the database. What you want, though, is to invalidate a token based on user activity, which doesn't seem to be possible ATM.

So, you can do what you suggested in your question, or redirect the user to some token refreshing endpoint, or even manually create a new token.

OM Bharatiya
lucasnadalutti
1

Add this in admin.py

from django.contrib import admin
from rest_framework_simplejwt import token_blacklist
import rest_framework_simplejwt.token_blacklist.admin   # make token_blacklist.admin available
import rest_framework_simplejwt.token_blacklist.models  # make token_blacklist.models available

class OutstandingTokenAdmin(token_blacklist.admin.OutstandingTokenAdmin):
    # the library's admin is read-only by default; allow deletion here
    def has_delete_permission(self, *args, **kwargs):
        return True # or whatever logic you want

admin.site.unregister(token_blacklist.models.OutstandingToken)
admin.site.register(token_blacklist.models.OutstandingToken, OutstandingTokenAdmin)
Ersain
K Kumar
    When you just copy and paste a piece of code and hope to get points. https://github.com/jazzband/djangorestframework-simplejwt/issues/266#issuecomment-820745103 – Cristianjs19 Mar 13 '23 at 21:42
  • It's not about points, it's about help: a programmer will be frustrated when code gets some error, so it's a small help I want to contribute. Please don't use this platform for criticism. Try your best – K Kumar Apr 11 '23 at 08:47
  • 1
    There are millions of answers that point to another answer on this platform, or to a tutorial or whatever. This is not a bad practice, but if one didn't come up with the answer, it's very kind to point out who did. Sorry if I was kind of rude expressing it. – Cristianjs19 Apr 19 '23 at 02:39
  • 1
    No problem bro, let's help each other – K Kumar Apr 19 '23 at 07:15
0
from django.contrib import admin
from rest_framework_simplejwt.token_blacklist.admin import (
    OutstandingTokenAdmin as BaseOutstandingTokenAdmin,  # alias avoids shadowing the subclass name
)
from rest_framework_simplejwt.token_blacklist.models import OutstandingToken

class OutstandingTokenAdmin(BaseOutstandingTokenAdmin):
    def has_delete_permission(self, *args, **kwargs):
        return True # or whatever logic you want

    def get_actions(self, request):
        # allow per-object deletion but keep the bulk "delete selected" action off the list
        actions = super().get_actions(request)
        if 'delete_selected' in actions:
            del actions['delete_selected']
        return actions

admin.site.unregister(OutstandingToken)
admin.site.register(OutstandingToken, OutstandingTokenAdmin)
bbenne10