Add middleware to verify that the current token is from the newest login.
Add a signal handler for user_logged_out which sets user.last_login to current time. This will invalidate all previous tokens because none of them would match the user's last login.
The middleware will check if the value at issued_at key in JWT is the same as the user.last_login and will throw an error if both are not same. The last_login is updated at the time the JWT payload is created (during token generation). After logout, the user.last_login will be set to the time of logout which will invalidate all previous tokens.
Changes:
user_logged_outwhich setsuser.last_loginto current time. This will invalidate all previous tokens because none of them would match the user's last login.The middleware will check if the value at
issued_atkey in JWT is the same as theuser.last_loginand will throw an error if both are not same. Thelast_loginis updated at the time the JWT payload is created (during token generation). After logout, theuser.last_loginwill be set to the time of logout which will invalidate all previous tokens.