Add middleware to verify that the current token is from the newest login.
Add a signal handler for user_logged_out which sets user.last_login to the current time. This invalidates all previously issued tokens, because none of them carries a timestamp that matches the user's new last_login.
The middleware checks whether the value of the issued_at key in the JWT equals user.last_login and raises an error if the two are not the same. last_login is updated when the JWT payload is created (during token generation), so only the most recently issued token can match. After logout, user.last_login is set to the time of logout, which again invalidates all previous tokens.
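A framework-free sketch of the mechanism described above, added here as an example (not the PR's own code): the Django User model, request object and signal are stood in for by plain Python classes and functions, and the token is a minimal HS256 JWT so the whole flow runs offline. The signing key and usernames are constructed values.

```python
# Added example: "only the newest login's token is valid" check.
# Token generation stamps issued_at and records it as user.last_login;
# the logout handler moves last_login forward; the middleware check
# compares the token's issued_at with the current last_login.
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

SECRET = b"example-signing-key"  # constructed; load from config in real code


@dataclass
class User:
    username: str
    last_login: Optional[int] = None  # whole seconds, like a JWT numeric date


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user: User, now: Optional[int] = None) -> str:
    """Token generation: stamp issued_at and store it as the user's last_login."""
    issued_at = int(time.time()) if now is None else now
    user.last_login = issued_at
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user.username, "issued_at": issued_at}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def on_logged_out(user: User, now: Optional[int] = None) -> None:
    """user_logged_out handler: advance last_login so no outstanding token matches."""
    user.last_login = int(time.time()) if now is None else now


def verify_newest_login(token: str, user: User) -> bool:
    """Middleware check: signature must verify AND issued_at must equal last_login."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False  # malformed token
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return False  # tampered or foreign token
    claims = json.loads(_unb64(payload))
    return claims.get("sub") == user.username and claims.get("issued_at") == user.last_login
```

Because JWT numeric dates have one-second resolution, two logins within the same second produce the same issued_at and both tokens pass the check; store last_login with the same resolution the token uses, or add a per-login nonce, if that window matters.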