sunscrapers / djoser

REST implementation of Django authentication system.
MIT License

TOKEN_MODEL not compatible with JWT #257

Open jeremyandrews opened 6 years ago

jeremyandrews commented 6 years ago

The TOKEN_MODEL variable was introduced in #189. This is used in utils.login_user and utils.logout_user.

The call to settings.TOKEN_MODEL.objects.filter(user=request.user).delete() doesn't work with JWT, as it doesn't define a model as tokens are stored client side, not in the database: https://github.com/GetBlimp/django-rest-framework-jwt/blob/master/rest_framework_jwt/models.py

(The call to settings.TOKEN_MODEL.objects.get_or_create() doesn't affect JWT, as it's never called when using JWT.)

For example, attempting to log out a user generates the following error:

  File "/path/to/djoser/djoser/utils.py", line 23, in logout_user
    settings.TOKEN_MODEL.objects.filter(user=request.user).delete()
AttributeError: type object 'Token' has no attribute 'objects'

pszpetkowski commented 6 years ago

Hi @jeremyandrews The TOKEN_MODEL setting is not really supposed to be compatible with JWT, because as you have noted JWT is a stateless authentication method. These login/logout utils and the TOKEN_MODEL setting exist to support various tokens, which use database as a storage.

I can agree that the naming of these utils is misleading and this is something that we'll improve in 2018.

jeremyandrews commented 6 years ago

JWT can support user logout (by introducing a per-user JWT secret which gets changed on logout). But even without LOGOUT_ON_PASSWORD_CHANGE enabled, you still run into this when deleting a user and as far as I can see there's no way to disable it: https://github.com/sunscrapers/djoser/blob/master/djoser/views.py#L89

jeremyandrews commented 6 years ago

For reference, here's what I was referring to regarding support for logout with JWT: https://tag1consulting.com/blog/building-api-django-20-part-i#j-w-t-logout

pszpetkowski commented 6 years ago

Hi @jeremyandrews

Sorry it took me so long to respond. You are right about the bug with LOGOUT_ON_PASSWORD_CHANGE and deleting the user, so I'll do my best to take care of that as soon as possible.

In the case of JWT logout, thank you for the URL, interesting read. For what it's worth I like the idea, but at the same time I strongly believe that it is not in djoser's scope since it implies changes to the user model. We could introduce another model, which would relate to the user model and store the JWT secret, but it's not desired in all configurations, so I guess that this is something that would need to be handled outside djoser.

jeremyandrews commented 6 years ago

Thanks for the feedback and response. It's easy enough to work around both issues when using JWT together with Djoser.

detectedstealth commented 6 years ago

Ran into the same issue when trying to delete a user. Any ETA on when this would be updated to handle JWT?

krash84 commented 6 years ago

+1

Emnalyeriar commented 5 years ago

I just experienced the same problem when trying to delete the currently logged-in user. Sending a DELETE request to /users/me/ produces this error:

  File "/usr/local/lib/python3.7/site-packages/djoser/utils.py", line 26, in logout_user
    settings.TOKEN_MODEL.objects.filter(user=request.user).delete()
AttributeError: type object 'Token' has no attribute 'objects'

I solved it by setting TOKEN_MODEL to None as described here: https://djoser.readthedocs.io/en/latest/settings.html#token-model
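
The two ideas discussed in this thread, a logout helper that tolerates TOKEN_MODEL being None (the workaround above) and JWT logout through a per-user secret that is rotated on logout (jeremyandrews' suggestion), worked through as one stand-alone example. This is added illustration code, not djoser's, django-rest-framework-jwt's or the blog post's own implementation: SERVER_KEY, the User stand-in with its jwt_secret attribute, InMemoryTokenManager/DatabaseToken (imitating the `objects` manager of a database-backed token model) and the logout_user(user, token_model) signature are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed sample server key (assumption; not a djoser or DRF setting).
SERVER_KEY = b"constructed-server-key-for-illustration"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class User:
    """Stand-in for a Django user extended with a per-user JWT secret (assumed field)."""

    def __init__(self, user_id: int, username: str):
        self.id = user_id
        self.username = username
        self.jwt_secret = secrets.token_hex(16)

    def rotate_jwt_secret(self) -> None:
        # Every token signed under the previous secret stops verifying from here on.
        self.jwt_secret = secrets.token_hex(16)


def _signing_key(user: User) -> bytes:
    # Per-user key = HMAC(server key, user secret): rotating either side revokes tokens.
    return hmac.new(SERVER_KEY, user.jwt_secret.encode(), hashlib.sha256).digest()


def issue_jwt(user: User, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT for `user` using the per-user signing key."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user.id, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(_signing_key(user), f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, users_by_id: dict, now: Optional[int] = None) -> Optional[User]:
    """Return the User a token belongs to, or None if it is malformed, tampered, revoked or expired."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict) or header.get("alg") != "HS256":
        return None  # reject "none" and any algorithm the server did not choose
    user = users_by_id.get(payload.get("sub"))
    if user is None:
        return None
    expected = hmac.new(_signing_key(user), f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # a token signed under a rotated (logged-out) secret fails here
    if payload.get("exp", 0) <= now:
        return None
    return user


class _TokenQuerySet:
    """Tiny imitation of the QuerySet returned by `Model.objects.filter()`."""

    def __init__(self, manager, rows):
        self._manager, self._rows = manager, rows

    def delete(self):
        for row in self._rows:
            self._manager.rows.remove(row)
        return len(self._rows), {"authtoken.Token": len(self._rows)}  # Django-style (count, per-model) tuple


class InMemoryTokenManager:
    """Imitates the `objects` manager of a database-backed token model (assumed stand-in)."""

    def __init__(self):
        self.rows = []

    def create(self, user: User):
        row = {"user": user, "key": secrets.token_hex(20)}
        self.rows.append(row)
        return row

    def filter(self, user: User) -> _TokenQuerySet:
        return _TokenQuerySet(self, [r for r in self.rows if r["user"] is user])


class DatabaseToken:
    objects = InMemoryTokenManager()


def logout_user(user: User, token_model) -> int:
    """Logout that handles both configurations instead of assuming `token_model.objects` exists.

    token_model is None -> stateless JWT: nothing to delete; rotate the per-user secret so
                           every outstanding token for this user stops verifying.
    otherwise           -> database token: delete the user's rows, as djoser's logout_user does.
    Returns the number of database rows deleted (0 for JWT)."""
    if token_model is None:
        user.rotate_jwt_secret()
        return 0
    deleted, _ = token_model.objects.filter(user=user).delete()
    return deleted
```

The same dispatch covers the user-deletion path from this thread: a view that calls logout_user before deleting the account no longer trips over a token class that has no `objects` manager, and for JWT the rotation step is what turns "delete the user" into an actual revocation of tokens still held by clients.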