
I have made a token in PyJWT like this:

import jwt
import datetime

payload = {
    "id": 1,
    "exp": datetime.datetime.utcnow() + datetime.timedelta(minutes=1000),
    "iat": datetime.datetime.utcnow()
}
token = jwt.encode(payload, 'secret', algorithm='HS256')

And sent it to the front end, and I also retrieve my payload like this:

payload = jwt.decode(token, 'secret', algorithms=['HS256'])

And now I want to destroy the token on the server and log out. How do I do this?

reza_khalafi

2 Answers

0

So I found the solution. JWT tokens are not destroyable. The best way for us to do it is to make a table in our database, like a blacklist, and add dead tokens to it when the logout method is called.
And then, when trying to check a user's token validity, just check that table, and if the token exists there, you should not accept the user and should return User Not Authenticated.

Be successful

reza_khalafi
  • One of the main advantages of JWT is that you're able to authenticate a user without accessing the database. You just need to check that the signature is correct. But checking for dead tokens in the DB eliminates this feature. Because of that, the lifetime of a token should be extremely short (about a few minutes). And it should be reissued at any time using a `refresh token`. However, I understand that you have to change the whole auth architecture to add refresh tokens and that may be impossible in your case – rzlvmp Jun 12 '22 at 11:37
  • [here](https://stackoverflow.com/questions/27726066/jwt-refresh-token-flow) is a good question about JWT – rzlvmp Jun 12 '22 at 11:37
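The blacklist approach from this answer, written out as an added example that is not part of the question or the answer: each token carries a unique `jti` claim, logout records that `jti` (here in an in-memory dict standing in for the database table) until the token would have expired anyway, and every request verifies the signature and `exp` first and then consults the table. `SECRET` is the question's placeholder key; `revoked`, `issue_token`, `logout`, `prune_denylist` and `authenticate` are names chosen for this example.

```python
from __future__ import annotations

import datetime as dt
import time
import uuid

import jwt  # PyJWT, the library used in the question

SECRET = "secret"  # the question's placeholder key
ALGORITHM = "HS256"

# The "blacklist" table from the answer, as an in-memory dict: jti -> exp (Unix seconds).
revoked: dict = {}


def issue_token(user_id: int, lifetime_minutes: int = 1000) -> str:
    """Build the question's payload plus a unique 'jti' so one token can be revoked on its own."""
    now = dt.datetime.now(dt.timezone.utc)
    payload = {
        "id": user_id,
        "iat": now,
        "exp": now + dt.timedelta(minutes=lifetime_minutes),
        "jti": uuid.uuid4().hex,
    }
    return jwt.encode(payload, SECRET, algorithm=ALGORITHM)


def logout(token: str) -> None:
    """Server-side logout: remember the token's jti until the token would have expired anyway."""
    # Verify the signature but not 'exp': revoking an already-expired token is harmless.
    claims = jwt.decode(token, SECRET, algorithms=[ALGORITHM], options={"verify_exp": False})
    revoked[claims["jti"]] = claims["exp"]


def prune_denylist(now_ts: float | None = None) -> int:
    """Drop entries whose token has expired (it fails the 'exp' check by itself); return how many."""
    now_ts = time.time() if now_ts is None else now_ts
    expired = [jti for jti, exp in revoked.items() if exp <= now_ts]
    for jti in expired:
        del revoked[jti]
    return len(expired)


def authenticate(token: str) -> dict | None:
    """Return the claims of an accepted token, or None if signature/expiry fails or it was revoked."""
    try:
        claims = jwt.decode(token, SECRET, algorithms=[ALGORITHM], options={"require": ["exp", "jti"]})
    except jwt.InvalidTokenError:
        return None
    if claims["jti"] in revoked:  # the extra database lookup the comment below warns about
        return None
    return claims
```

Revoking by `jti` keeps the user's other sessions valid, which rotating the secret (the other answer) does not.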
0

Change secret key from settings.

Note that this will effectively log out ALL your users. No JWTs issued with the old key will be valid.

Andreas Lundgren