8

I have generated Flask-JWT token for user authentication, but on logout i want to invalidate token. Now it's allowing to access route after logout.

@app.route('/logout', methods=['POST'])
@jwt_required
def logout():
    user = current_user
    user.authenticated = False
    db.session.commit()
    logout_user()
    return jsonify({'success': True})
Renjith Thankachan
  • 4,178
  • 1
  • 30
  • 47
Mayur Patil
  • 95
  • 1
  • 2
  • 9

4 Answers4

7

Check flask-jwt-extended. It has support for blacklisting tokens built in to the extension (and is still actively supported, unlike flask jwt which has been abandoned).

https://flask-jwt-extended.readthedocs.io/en/stable/blacklist_and_token_revoking/

JoshuaSmeda
  • 39
  • 7
vimalloc
  • 3,869
  • 4
  • 32
  • 45
  • i used flask_jwt_extended for my jwt validation manage and i want redirect to url login after logout. have you anyidea to do this? – Manjitha Teshara Dec 10 '19 at 10:43
  • `@app.route('/logout') def logout(): signInform = LoginForm() resp = jsonify({'logout': True}) resp = make_response(render_template('login.html', title = 'Login', form =signInform)) unset_jwt_cookies(resp) #redirect(url_for('login')) return resp, 200` – Manjitha Teshara Dec 10 '19 at 10:44
5

As it has already been answered blacklist is one of the basic ways to invalidate JWT tokens. However, it should be noted that the blacklisted tokens should be kept in DB or anywhere else until their expiry date unless you need to keep all tokens for some reason.

Also, it's important to make the time of validity of JWT token as short as possible so that in majority of the cases they will be quickly invalidated by the flask-jwt itself. For example, it might make sense to make expiry time for a token - 30 minutes like a session time-out for some web-sites (definitely not days and months etc).

Nurjan
  • 5,889
  • 5
  • 34
  • 54
4

JWT token system works in a way that you put USER identity (or related) data and token expiry param in generated token itself which is signed with a non-shared (secret) key.If you want to invalidate the token you need to blacklist the token in a table & check on views/routes or delete the token from client so that client needs to regenerate the token again.

NOTE: putting any constraints in the payloads itself is not a good idea, if you don't want the blacklisting method, use other token generating schemes like Hawk where the generated token is saved in DB/other storage solutions & on invalidate/logout it is deleted.

if you want to log out a user from all devices
1. keep a user-specific secret key in DB and use the secret key to create JWT token
2. Assign a new secret key for the user, which will in effect invalidate all JWT tokens send to user/clients.
3. This can be useful when the user changed his/her password

Renjith Thankachan
  • 4,178
  • 1
  • 30
  • 47
1

One option is to store jwt_token in User model when generating the token.

class User(db.Model):
    ...
    ...
    jwt_token = db.Column(db.String(128), nullable=True)

and while verifying the incoming request, compare incoming token with stored jwt_token. they should be same (with other verifications offcourse)

For logout, simply set jwt_token field to None. and it won't match with incoming token anymore

shivampip
  • 2,004
  • 19
  • 19
  • 4
    This might not work if a user may log in on multiple devices. Logging on a new device would update the token in db and therefore access on the first device would be revoked. – Sam Jan 16 '22 at 23:48