Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to delete a django JWT token?

Tags:

python

rest

django

jwt

I am using the Django rest framework JSON Web token API that is found here on github (https://github.com/GetBlimp/django-rest-framework-jwt/tree/master/).

I can successfully create tokens and use them to call protected REST APis. However, there are certain cases where I would like to delete a specific token before its expiry time. So I thought to do this with a view like:

class Logout(APIView):
    permission_classes = (IsAuthenticated, )
    authentication_classes = (JSONWebTokenAuthentication, )

    def post(self, request):
        # simply delete the token to force a login        
        request.auth.delete()  # This will not work
        return Response(status=status.HTTP_200_OK)

The request.auth is simply a string object. So, this is of course, not going to work but I was not sure how I can clear the underlying token.

EDIT

Reading more about this, it seems that I do not need to do anything as nothing is ever stored on the server side with JWT. So just closing the application and regenerating the token on the next login is enough. Is that correct?

like image 362
Luca Avatar asked Nov 15 '16 08:11

Luca

People also ask

What happens if someone steals your JWT token?

One of the most important steps is to ask your clients to change their passwords immediately if there's an instance where the JWT token is stolen. Changing the password of an account will prevent attackers from exploiting the account and would eventually help in avoiding a data breach.

Can you modify JWT token?

No middleman can modify a JWT once it's sent. It's important to note that a JWT guarantees data ownership but not encryption. The JSON data you store into a JWT can be seen by anyone that intercepts the token because it's just serialized, not encrypted.

1 Answers

The biggest disadvantage of JWT is that because the server does not save the session state, it is not possible to abolish a token or change the token's permissions during use. That is, once the JWT is signed, it will remain in effect until it expires, unless the server deploys additional logic. So, you cannot invalidate the token even you create a new token or refresh it. Simply way to logout is remove the token from the client.

like image 103
Rhys Pang Avatar answered Oct 06 '22 18:10

Rhys Pang
Sign in to Comment

Related questions

How to get data labels on a Seaborn pointplot?
Split Pandas Series into DataFrame by delimiter
Wait for class to exist before continuing with selenium in Firefox
pyspark row number dataframe
Selecting top n elements from each group in pandas groupby
how to sort dataframe based on particular (string)columns using python pandas?
Accessing Username and Password in django request header returns None
Scrapy 1.1.0 - no active project
True + True = 2. Elegantly perform boolean arithmetic?
Python Spyder initializing Hello World Kivi app once?
What status code should a PATCH request with no changes return?
Is the continue statement necessary in a Python while loop?
Copying a list using a[:] or copy() in python is shallow? [duplicate]
Error in Spark while declaring a UDF
Plot confusion matrix sklearn with multiple labels
How to divide the sum with the size in a pandas groupby
Python- Is there a function or formula to find the complementary colour of a rgb code?
Imported Enum class is not comparing equal to itself
Can we return after raise statement
How to Transpose each element in a 3D np array

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!