Fman72 / DnDCharacterManager

A small application for managing a DnD character in a campaign.

Make Token Expire #1

Open Fman72 opened 3 years ago

Fman72 commented 3 years ago

The out-of-the-box TokenAuthentication from Django Rest Framework (https://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication) never expires. This needs to be extended so that the token expires after a period of time.

There are examples of how to do this here: https://stackoverflow.com/questions/14567586/token-authentication-for-restful-api-should-the-token-be-periodically-changed

Moppler commented 3 years ago

Also consider adding in some form of session management. If you create a session with the token, then associate it with that token, you will have a mechanism for tracking user logins. You could also implement a mechanism for the user to invalidate a specific session on a specific device / IP.
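Added example, not part of the thread or the project's code: a standard-library sketch of the two ideas raised above, a token that expires after a fixed lifetime and one token per login session so a single device can be revoked. `SessionTokenStore`, `Session`, the 24-hour lifetime and the in-memory dict are assumptions for illustration; in the project the expiry check would sit in the extended TokenAuthentication class and the sessions in a database table.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=24)  # assumed lifetime; the issue does not name one

@dataclass
class Session:
    user: str
    device: str
    ip: str
    created: datetime
    revoked: bool = False

def _digest(token):
    # Store only a hash so a leaked table does not leak usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

class SessionTokenStore:
    """One token per login session (hypothetical stand-in for the token table)."""
    def __init__(self, ttl=TOKEN_TTL):
        self.ttl = ttl
        self._sessions = {}  # token digest -> Session

    def issue(self, user, device, ip, now=None):
        token = secrets.token_urlsafe(32)
        created = now or datetime.now(timezone.utc)
        self._sessions[_digest(token)] = Session(user, device, ip, created)
        return token

    def authenticate(self, token, now=None):
        """Return the user for a live token; None if unknown, revoked or expired."""
        now = now or datetime.now(timezone.utc)
        session = self._sessions.get(_digest(token))
        if session is None or session.revoked:
            return None
        if now - session.created >= self.ttl:
            session.revoked = True  # expired: the client must log in again
            return None
        return session.user

    def revoke(self, user, device):
        """Invalidate the user's sessions on one device; return how many."""
        hits = [s for s in self._sessions.values()
                if (s.user, s.device, s.revoked) == (user, device, False)]
        for s in hits:
            s.revoked = True
        return len(hits)
```

Because each login gets its own token, revoking one device leaves the user's other sessions valid, and the `device` and `ip` fields give the login history the second comment asks for.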