iMerica / dj-rest-auth

Authentication for Django Rest Framework
https://dj-rest-auth.readthedocs.io/en/latest/index.html
MIT License
1.66k stars 310 forks

Handle login logout when Refresh token expires #515

Open rahul37865 opened 1 year ago

rahul37865 commented 1 year ago

I am using DRF with dj-rest-auth JWT HttpOnly Cookie. I found some strange behavior. To logout we have to provide a valid access token; only then will it logout and delete the httpOnly cookie from the client. If we do not provide a valid access token, it still logs out but doesn't delete the httpOnly cookie from the client. This becomes critical when the refresh token expires: now we do not have a valid access or refresh token, so we can't logout with a valid token, hence the httpOnly cookie remains there in the client browser (can't delete it from the client because it's httpOnly). As we have an invalid token, when I make a login request again it throws a 401 unauthorized error until I manually remove all cookies from the client. It's now a loop: neither can I login nor can I logout until I remove the cookie manually from the client. The same can be tested using Postman.

settings.py

from datetime import timedelta   # needed for the SIMPLE_JWT lifetimes below

REST_AUTH = {
    'TOKEN_MODEL': None,
    'PASSWORD_RESET_USE_SITES_DOMAIN': True,
    'OLD_PASSWORD_FIELD_ENABLED': True,
    'LOGOUT_ON_PASSWORD_CHANGE': False,
    'USE_JWT': True,
    'JWT_AUTH_COOKIE': 'access',
    'JWT_AUTH_REFRESH_COOKIE': 'refresh',
    'JWT_AUTH_REFRESH_COOKIE_PATH': '/',
    'JWT_AUTH_SECURE': False,
    'JWT_AUTH_HTTPONLY': True,
    'JWT_AUTH_SAMESITE': 'Lax',
    'JWT_AUTH_RETURN_EXPIRATION': True,

    # Custom Registration to Add First and Last Name Field
    'REGISTER_SERIALIZER': 'accounts.serializers.CustomRegisterSerializer',

    # Custom Login to Remove Username
    'LOGIN_SERIALIZER': 'accounts.serializers.CustomLoginSerializer',

    # Custom User Detail to Remove Username and add is_staff
    'USER_DETAILS_SERIALIZER': 'accounts.serializers.CustomUserDetailsSerializer',
}

SIMPLE_JWT = {
    "ACCESS_TOKEN_LIFETIME": timedelta(minutes=1),
    "REFRESH_TOKEN_LIFETIME": timedelta(minutes=2),      # Short on purpose, to check what happens when the refresh token expires
    "ROTATE_REFRESH_TOKENS": False,
    "BLACKLIST_AFTER_ROTATION": False,
    "UPDATE_LAST_LOGIN": True,
}
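The loop described in this post can be reproduced without Django. The block below is an added illustration, not code from dj-rest-auth or from the reporter: it models the cookie flow with plain functions so the two server-side behaviours that cause the trap (a logout that only clears cookies when the access token still verifies, and a cookie authenticator that rejects a stale cookie on the login endpoint) can be run side by side with their defensive counterparts. The cookie names come from the settings above; the function names, the `user:expiry` token stand-in and the timings are this example's own assumptions.

```python
"""Framework-free model of the httpOnly-cookie logout trap (added example)."""
from http.cookies import SimpleCookie

ACCESS_COOKIE, REFRESH_COOKIE, COOKIE_PATH = "access", "refresh", "/"


def make_token(user, exp):
    """Stand-in for a signed JWT: just 'user:expiry' (assumption, no real signature)."""
    return f"{user}:{exp}"


def verify(token, now):
    """Return the user name if the token is present and unexpired, else None."""
    if not token or ":" not in token:
        return None
    user, exp = token.rsplit(":", 1)
    return user if int(exp) > now else None


def clear_cookie_headers():
    """Set-Cookie headers that delete both JWT cookies.

    An HttpOnly cookie is invisible to page scripts, so only the server can
    remove it: Set-Cookie with the same name and path it was set with,
    Max-Age=0 and an expiry in the past.
    """
    headers = []
    for name in (ACCESS_COOKIE, REFRESH_COOKIE):
        c = SimpleCookie()
        c[name] = ""
        c[name]["path"] = COOKIE_PATH
        c[name]["max-age"] = 0
        c[name]["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
        c[name]["httponly"] = True
        c[name]["samesite"] = "Lax"
        headers.append(c.output(header="").strip())
    return headers


def apply_set_cookie(jar, headers):
    """Minimal browser cookie jar: store the cookie, or delete it on Max-Age=0."""
    for header in headers:
        name, value = header.split(";", 1)[0].split("=", 1)
        if "Max-Age=0" in header:
            jar.pop(name, None)
        else:
            jar[name] = value.strip('"')


def logout_requiring_valid_token(jar, now):
    """Behaviour reported in the issue: cookies are cleared only while the
    access token verifies, so an expired session can never clear them."""
    if verify(jar.get(ACCESS_COOKIE), now) is None:
        return 401, []
    return 200, clear_cookie_headers()


def logout_always_clears(jar, now):
    """Defensive variant: deleting the cookies is idempotent and harmless,
    so do it whether or not the caller still holds a valid token."""
    return 200, clear_cookie_headers()


def cookie_auth_strict(jar, now):
    """Reject a request carrying an invalid cookie.  An authenticator that
    raises fails every request before the view runs, login included."""
    if ACCESS_COOKIE in jar and verify(jar[ACCESS_COOKIE], now) is None:
        raise PermissionError("invalid or expired access cookie")
    return verify(jar.get(ACCESS_COOKIE), now)


def cookie_auth_lenient(jar, now):
    """Treat an invalid cookie as 'not logged in' instead of an error."""
    return verify(jar.get(ACCESS_COOKIE), now)


def login(jar, now, auth):
    """Login endpoint: runs the authenticator first, then issues fresh
    access (60 s) and refresh (120 s) cookies, mirroring the settings above."""
    try:
        auth(jar, now)
    except PermissionError:
        return 401
    apply_set_cookie(jar, [
        f"{ACCESS_COOKIE}={make_token('alice', now + 60)}; Path=/; HttpOnly",
        f"{REFRESH_COOKIE}={make_token('alice', now + 120)}; Path=/; HttpOnly",
    ])
    return 200


def scenario(logout, auth):
    """Log in, wait until both tokens have expired, try to log out, then try
    to log in again.  Returns (logout status, cookies left, re-login status)."""
    jar, t0 = {}, 1_000_000
    login(jar, t0, auth)
    t1 = t0 + 200                      # past the 120 s refresh lifetime
    status, headers = logout(jar, t1)
    apply_set_cookie(jar, headers)
    return status, sorted(jar), login(jar, t1, auth)


if __name__ == "__main__":
    print("reported  :", scenario(logout_requiring_valid_token, cookie_auth_strict))
    print("fix logout:", scenario(logout_always_clears, cookie_auth_strict))
    print("fix auth  :", scenario(logout_requiring_valid_token, cookie_auth_lenient))
```

The first scenario returns `(401, ['access', 'refresh'], 401)`: the stale cookies survive the logout and then block the login. Either defensive change on its own breaks the loop: clearing cookies unconditionally leaves the jar empty so the next login succeeds, and a lenient authenticator lets the login through even though the stale cookies are still present (they are simply overwritten). Clearing cookies on an unauthenticated logout gives an attacker nothing, since the only effect is to remove credentials from the caller's own browser.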
residentcode commented 1 year ago

Yeah, I also wonder how I refresh the token if the refresh_token is removed from the response (http-only).