On logout invalidate flask-JWT

I have generated a Flask-JWT token for user authentication, but on logout I want to invalidate the token. Right now it still allows access to the route after logout.

@app.route('/logout', methods=['POST'])
@jwt_required
def logout():
    user = current_user
    user.authenticated = False
    db.session.commit()
    logout_user()
    return jsonify({'success': True})
Mayur Patil asked Jun 08 '17 10:06



3 Answers

Check flask-jwt-extended. It has support for blacklisting tokens built into the extension (and is still actively supported, unlike Flask-JWT, which has been abandoned).

https://flask-jwt-extended.readthedocs.io/en/stable/blacklist_and_token_revoking/

vimalloc answered Oct 23 '22 15:10


As has already been answered, a blacklist is one of the basic ways to invalidate JWT tokens. However, it should be noted that the blacklisted tokens only need to be kept in the DB (or anywhere else) until their expiry date, unless you need to keep all tokens for some reason.

Also, it's important to make the validity time of the JWT token as short as possible, so that in the majority of cases they will be quickly invalidated by flask-jwt itself. For example, it might make sense to set the expiry time for a token to 30 minutes, like the session time-out on some websites (definitely not days or months, etc.).

Nurjan answered Oct 23 '22 14:10


The JWT token system works in such a way that you put user identity (or related) data and the token expiry param in the generated token itself, which is signed with a non-shared (secret) key. If you want to invalidate the token, you need to blacklist the token in a table and check it in views/routes, or delete the token from the client so that the client needs to regenerate the token again.

NOTE: putting any constraints in the payload itself is not a good idea. If you don't want the blacklisting method, use other token-generating schemes like Hawk, where the generated token is saved in a DB/other storage solution and on invalidate/logout it is deleted.

If you want to log out a user from all devices:
1. Keep a user-specific secret key in the DB and use that secret key to create the JWT token.
2. Assign a new secret key to the user, which will in effect invalidate all JWT tokens sent to the user/clients.
3. This can be useful when the user changes his/her password.

Renjith Thankachan answered Oct 23 '22 14:10
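Added example, not code from the question or from any of the answers: a standard-library HS256 issuer/verifier that implements both logout styles discussed above, the jti blacklist that is only kept until the token's own expiry (answers 2 and 3) and the per-user secret rotation from the numbered list (answer 3). The function names and the two in-memory dicts are assumptions standing in for the DB the answers mention.

```python
import base64, hashlib, hmac, json, secrets, time
user_secrets = {}   # user_id -> current per-user signing secret (server-side only; a DB in real use)
blacklist = {}      # jti -> exp of revoked tokens; an entry is needed only until exp
def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, ttl=1800, now=None):
    """Sign an HS256 JWT with the user's own secret; default TTL is the 30 min answer 2 suggests."""
    now = time.time() if now is None else now
    secret = user_secrets.setdefault(user_id, secrets.token_bytes(32))
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "exp": int(now) + ttl, "jti": secrets.token_hex(8)}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token, now=None):
    """Return the claims if signature, expiry and blacklist all pass, otherwise None."""
    now = time.time() if now is None else now
    try:
        header, payload, sig_b64 = token.split(".")
        claims = json.loads(_unb64(payload))
        sig, secret = _unb64(sig_b64), user_secrets[claims["sub"]]  # unknown user -> KeyError
    except (ValueError, KeyError, TypeError, UnicodeDecodeError):
        return None
    # The token's "alg" header is ignored on purpose: the server always recomputes HMAC-SHA256.
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    if claims.get("exp", 0) <= now or claims.get("jti") in blacklist:
        return None
    return claims

def revoke_token(token, now=None):
    """Single-device logout: blacklist this token's jti until the token would expire anyway."""
    claims = verify_token(token, now)
    if claims:
        blacklist[claims["jti"]] = claims["exp"]

def logout_everywhere(user_id):
    """Answer 3's approach: a fresh secret invalidates every token signed with the old one."""
    user_secrets[user_id] = secrets.token_bytes(32)

def purge_blacklist(now=None):
    """Answer 2's housekeeping: forget revoked tokens that have expired anyway; returns how many."""
    now = time.time() if now is None else now
    expired = [jti for jti, exp in blacklist.items() if exp <= now]
    for jti in expired:
        del blacklist[jti]
    return len(expired)
```

Because verification looks the secret up by the "sub" claim, rotating one user's secret logs out only that user; a blacklist check on every request still costs a lookup, which is why keeping the TTL short and purging expired entries matters.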