jpadilla / django-rest-framework-jwt

JSON Web Token Authentication support for Django REST Framework
http://jpadilla.github.io/django-rest-framework-jwt/
MIT License

invalidate token #385

Open davidrdz93 opened 6 years ago

davidrdz93 commented 6 years ago

With DRF authtoken it is possible to make a 'logout' in this way:

from django.contrib.auth.models import User
from rest_framework import status
from rest_framework.response import Response
from rest_framework.views import APIView

class Logout(APIView):
    queryset = User.objects.all()

    def get(self, request, format=None):
        # simply delete the token to force a login
        request.user.auth_token.delete()
        return Response(status=status.HTTP_200_OK)

As you see here we have a delete() method.

I can map this view and create an endpoint in order to have a logout call from the frontend client! Then, to log in again, I can create a new token for that user.

How can I do this using django-rest-framework-jwt?

Alex3917 commented 6 years ago

On your user model add a field:

jwt_secret = models.UUIDField(default=uuid.uuid4)

Then create a function that returns this field:

def jwt_get_secret_key(user_model):
    # The returned value is used as this user's token signing key, so saving
    # a new UUID here invalidates every token issued under the old one.
    return user_model.jwt_secret

And use a string with the path to that function in the JWT_GET_USER_SECRET_KEY variable.

Then in the logout view, just save a new UUID as the jwt_secret value on the user instance.

uber1geek commented 6 years ago

@Alex3917 This sounds interesting. Can you please elaborate a bit on this?

Alex3917 commented 6 years ago

@uber1geek Conceptually what you want is a UUIDField on the user model, and then every time the user does something that should log them out of the site (clicking Logout, changing their password, etc.) you then generate a new UUID and save it to that field on the user model.

Then as part of the auth process, the jwt_secret field is added to the token, and the JWT in the token is compared with the JWT on the user model. If they aren't the same, then we know the user has done something to log them out of the site (or otherwise invalidate the token) in between when the token was issued and when it's being checked, so the token should be treated as invalid and the user needs to re-authenticate.

Checking the secret key is now part of the authentication process, so once you set the values above the only thing you need to worry about is saving a new UUID for the user when they do something that should log them out of the site. (And write tests to make sure it's working correctly.)
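As an added example (not code from this issue or from django-rest-framework-jwt), the stdlib-only Python below wires the scheme described above together: a constructed in-memory User carrying the jwt_secret field, a JWT_GET_USER_SECRET_KEY-style hook, HS256 tokens keyed on that per-user secret, and a verifier that re-reads the secret the user holds now, so rotating it fails every outstanding token for that user. The User class, issue_token and verify_token are assumptions made for this demo.

```python
import base64
import hashlib
import hmac
import json
import uuid

class User:
    """Constructed stand-in for the Django user model with a jwt_secret field."""
    def __init__(self, username):
        self.username = username
        self.jwt_secret = uuid.uuid4()

    def rotate_jwt_secret(self):
        # What the logout view does: every token signed under the old UUID
        # stops verifying, which logs out all of this user's sessions at once.
        self.jwt_secret = uuid.uuid4()

def jwt_get_secret_key(user):
    # Hook in the role of JWT_GET_USER_SECRET_KEY: in this example the
    # per-user value is the HS256 signing key for that user's tokens.
    return str(user.jwt_secret)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: bytes, key: str) -> bytes:
    return hmac.new(key.encode(), signing_input, hashlib.sha256).digest()

def issue_token(user) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"username": user.username}).encode())
    sig = _sign(f"{header}.{payload}".encode(), jwt_get_secret_key(user))
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str, users: dict) -> bool:
    """Look up the user named in the payload and recompute the signature with
    the secret that user holds *now*; a rotated secret makes this fail."""
    try:
        header, payload, sig = token.split(".")
        user = users[json.loads(_unb64(payload))["username"]]
    except (ValueError, KeyError, TypeError):
        return False
    expected = _sign(f"{header}.{payload}".encode(), jwt_get_secret_key(user))
    return hmac.compare_digest(expected, _unb64(sig))
```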

ray525 commented 6 years ago

@Alex3917 If a user logs in on two different browsers, how can we handle this situation? If we log out on one browser, then the other browser needs to log in again, am I right?

tjquinn1 commented 6 years ago

@ray525 I know this is old but no one answered your question. You are right, this method will log out all sessions.

RahmaMzoughi commented 5 years ago

Any solution for the problem raised by @ray525?

Alex3917 commented 5 years ago

@RahmaMzoughi @ray525 I don't have a good solution for that. You could obviously just delete the token from localStorage, although that wouldn't stop someone who already had the token from using it.

I could see this being an issue where someone uses a public computer as their desktop computer, and then uses their phone as their private computer. But I don't run a site where this is an issue.

sant527 commented 4 years ago

> @ray525 I know this is old but no one answered your question. You are right, this method will log out all sessions.

I am also looking for a solution. I want both provisions.

1) Sometimes the user can log out from all logins (i.e. change jwt_secret per user)
2) Only log out from a particular session