How to logout and destroy token in PyJWT Django?
I have made a token in PyJWT like this:

import jwt
import datetime

payload = {
    "id": 1,
    "exp": datetime.datetime.utcnow() + datetime.timedelta(minutes=1000),
    "iat": datetime.datetime.utcnow()
}
token = jwt.encode(payload, 'secret', algorithm='HS256')

And sent it to the front end, and I also retrieve my payload like this:

payload = jwt.decode(token, 'secret', algorithms=['HS256'])

And now I want to destroy the token on the server and log out. How do I do this?

Tremain answered 30/5, 2022 at 12:56 Comment(0)
So I found the solution. JWT tokens are not destroyable. The best way for us to do it is to make a table in our database, like a blacklist, and add dead tokens into it when the logout method is called.
And then when you try to check the user's token validity, just check that table, and if the token exists there, you should not accept the user and should return "User Not Authenticated".

Be successful

Tremain answered 12/6, 2022 at 11:2 Comment(2)
One of the main advantages of JWT is that you're able to authenticate a user without accessing the database. You just need to check that the signature is correct. But checking for dead tokens in the DB eliminates this feature. Because of that, the lifetime of a token should be extremely short (a few minutes). And it should be reissued at any time using a refresh token. However, I understand that you would have to change the whole auth architecture to add refresh tokens, and that may be impossible in your case. – Subjectify
Here is a good question about JWT. – Subjectify
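The denylist approach from the answer above, as an added example that is not the answerer's code: tokens carry a "jti" claim, logout records that id (with the token's expiry) in a table, and every verification checks signature, expiry and the table. The HS256 encode/verify is a small stdlib-only stand-in for PyJWT so the snippet runs without dependencies, the in-memory Denylist class stands in for the database table, and all function names and the "secret" key are assumptions.

```python
import base64, hashlib, hmac, json, uuid

SECRET = b"secret"  # same placeholder key as in the question; use a real secret in production

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id: int, ttl_seconds: int, now: int) -> str:
    # "jti" gives every token a unique id, so the denylist stores ids instead of whole tokens
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"id": user_id, "iat": now, "exp": now + ttl_seconds, "jti": uuid.uuid4().hex}
    signing_input = ".".join(_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

class Denylist:
    """In-memory stand-in for the database table the answer describes (jti -> exp)."""
    def __init__(self):
        self.revoked = {}
    def revoke(self, jti: str, exp: int):
        self.revoked[jti] = exp
    def is_revoked(self, jti) -> bool:
        return jti in self.revoked
    def prune(self, now: int):
        # Rows for expired tokens can go: the exp check already rejects those tokens.
        self.revoked = {j: e for j, e in self.revoked.items() if e > now}

def verify_token(token: str, denylist: Denylist, now: int):
    """Return the payload only if signature, alg, expiry and denylist all pass, else None."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header, payload = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    except (ValueError, TypeError):
        return None
    if header.get("alg") != "HS256" or payload.get("exp", 0) <= now:
        return None
    if denylist.is_revoked(payload.get("jti")):
        return None
    return payload

def logout(token: str, denylist: Denylist, now: int) -> bool:
    """Revoke a still-valid token; returns False if it was already invalid."""
    payload = verify_token(token, denylist, now)
    if payload is None:
        return False
    denylist.revoke(payload["jti"], payload["exp"])
    return True
```

Storing the jti rather than the full token keeps the table small, and pruning rows once their exp has passed keeps it from growing forever.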
Change the secret key in settings.

Note that this will effectively log out ALL your users. No JWTs issued with the old key will be valid.

Carnatic answered 15/7, 2023 at 13:20 Comment(0)