iMerica / dj-rest-auth

Authentication for Django Rest Framework
https://dj-rest-auth.readthedocs.io/en/latest/index.html
MIT License

How to set the jwt token expiration correctly? #611

Closed muonu closed 2 months ago

muonu commented 3 months ago

In the code I see that it is being set in

https://github.com/iMerica/dj-rest-auth/blob/069cd112acd2b31e5c0b37e607c1f927d2235a84/dj_rest_auth/jwt_auth.py#L15

    from rest_framework_simplejwt.settings import api_settings as jwt_settings
    access_token_expiration = (timezone.now() + jwt_settings.ACCESS_TOKEN_LIFETIME)
    cookie_secure = api_settings.JWT_AUTH_SECURE
    refresh_token_expiration = (timezone.now() + jwt_settings.REFRESH_TOKEN_LIFETIME)

and https://github.com/iMerica/dj-rest-auth/blob/069cd112acd2b31e5c0b37e607c1f927d2235a84/dj_rest_auth/views.py#L84

    access_token_expiration = (timezone.now() + jwt_settings.ACCESS_TOKEN_LIFETIME)
    refresh_token_expiration = (timezone.now() + jwt_settings.REFRESH_TOKEN_LIFETIME)

but setting (didn't find it in docs, but tried anyways)

    REST_AUTH = {
        'ACCESS_TOKEN_LIFETIME': timedelta(hours=2),
        'REFRESH_TOKEN_LIFETIME': timedelta(days=2),
    }

does NOT work, and access expiration still defaults to 5 minutes.

What worked is setting simple_jwt settings:

    SIMPLE_JWT = {
        "ACCESS_TOKEN_LIFETIME": timedelta(minutes=50),
        "REFRESH_TOKEN_LIFETIME": timedelta(days=1),
    }

I didn't find a reference, or maybe I missed it, suggesting using simplejwt settings for items not exposed in this package. Or maybe there was some reasoning.

ashwanthbalakrishnan5 commented 2 months ago

Hi @muonu, just see the two lines above that. https://github.com/iMerica/dj-rest-auth/blob/069cd112acd2b31e5c0b37e607c1f927d2235a84/dj_rest_auth/jwt_auth.py#L13-L15

muonu commented 2 months ago

Thanks! I overlooked it. So basically what worked for me is the way to do it, i.e. defining simple_jwt settings:

    SIMPLE_JWT = {
        "ACCESS_TOKEN_LIFETIME": timedelta(minutes=50),
        "REFRESH_TOKEN_LIFETIME": timedelta(days=1),
    }
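
The outcome of this thread, as an added example that is not part of the original issue or of dj-rest-auth's code: a standalone settings check that reports which token lifetimes actually apply and flags lifetime keys placed in `REST_AUTH`, where they are silently ignored. The function name `audit_jwt_lifetimes` and the sample dicts are assumptions made for illustration; the defaults are those of djangorestframework-simplejwt, and the expiry is computed as `now + lifetime`, as in the `jwt_auth.py` lines quoted above.

```python
from datetime import datetime, timedelta, timezone

# Values simplejwt falls back to when SIMPLE_JWT does not define the key.
SIMPLEJWT_DEFAULTS = {
    "ACCESS_TOKEN_LIFETIME": timedelta(minutes=5),
    "REFRESH_TOKEN_LIFETIME": timedelta(days=1),
}


def audit_jwt_lifetimes(rest_auth, simple_jwt, now=None):
    """Return (effective, warnings) for the REST_AUTH and SIMPLE_JWT dicts.

    effective maps each lifetime key to the timedelta that really applies and
    to the cookie expiry derived from it (now + lifetime).
    """
    now = now or datetime.now(timezone.utc)
    effective, warnings = {}, []
    for key, default in SIMPLEJWT_DEFAULTS.items():
        lifetime = simple_jwt.get(key, default)
        if not isinstance(lifetime, timedelta):
            raise TypeError(f"SIMPLE_JWT[{key!r}] must be a timedelta")
        effective[key] = {"lifetime": lifetime, "expires": now + lifetime}
        if key in rest_auth:
            # The lifetime is read from simplejwt's settings, so this is dead config.
            warnings.append(
                f"REST_AUTH[{key!r}]={rest_auth[key]} is ignored; "
                f"effective value is {lifetime} (set it in SIMPLE_JWT)"
            )
    return effective, warnings


if __name__ == "__main__":
    # Constructed sample: the configuration from the issue that did not work.
    rest_auth = {
        "ACCESS_TOKEN_LIFETIME": timedelta(hours=2),
        "REFRESH_TOKEN_LIFETIME": timedelta(days=2),
    }
    effective, warnings = audit_jwt_lifetimes(rest_auth, simple_jwt={})
    for key, info in effective.items():
        print(key, info["lifetime"], "->", info["expires"].isoformat())
    for message in warnings:
        print("WARNING:", message)
```
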