Menu
I have generated Flask-JWT token for user authentication, but on logout i want to invalidate token. Now it's allowing to access route after logout.
@app.route('/logout', methods=['POST'])
@jwt_required
def logout():
user = current_user
user.authenticated = False
db.session.commit()
logout_user()
return jsonify({'success': True})
700
Next try to fetch the list of users. To do that, change the endpoint to /user and then in the headers section, add a field as x-access-token and add the JWT token in the value and click on Send. You will get the list of users as JSON. So, this is how you can perform authentication with JWT in Flask.
Actually, JWT serves a different purpose than a session and it is not possible to forcefully delete or invalidate an existing token. Expiring a token? Yes, the tokens can be expired. No, you cannot do it on demand. When signing a user payload for a JWT you are allowed to pass an expiration time to it.
Okay, so usually, when using JWT authentication, the client side stores the token somewhere and attaches it to every request that needs authentication. So, the first thing to do when logging out is just to delete the token you stored on the client (e.i. browser local storage).
The refresh token will be stored in a database. For authenticated requests, the client can use the JWT but when the token expires (or is about to expire), let the client make a request with the refresh token in exchange for a new JWT. This way you would only have to hit the database when a user logs in or asks for a new JWT.
Check flask-jwt-extended. It has support for blacklisting tokens built in to the extension (and is still actively supported, unlike flask jwt which has been abandoned).
https://flask-jwt-extended.readthedocs.io/en/stable/blacklist_and_token_revoking/
194
As it has already been answered blacklist is one of the basic ways to invalidate JWT tokens. However, it should be noted that the blacklisted tokens should be kept in DB or anywhere else until their expiry date unless you need to keep all tokens for some reason.
Also, it's important to make the time of validity of JWT token as short as possible so that in majority of the cases they will be quickly invalidated by the flask-jwt itself. For example, it might make sense to make expiry time for a token - 30 minutes like a session time-out for some web-sites (definitely not days and months etc).
20
JWT token system works in a way that you put USER identity (or related) data and token expiry param in generated token itself which is signed with a non-shared (secret) key.If you want to invalidate the token you need to blacklist the token in a table & check on views/routes or delete the token from client so that client needs to regenerate the token again.
NOTE: putting any constraints in the payloads itself is not a good idea, if you don't want the blacklisting method, use other token generating schemes like Hawk where the generated token is saved in DB/other storage solutions & on invalidate/logout it is deleted.
if you want to log out a user from all devices
1. keep auser-specific secretkey in DB and use thesecretkey to create JWT token
2. Assigna new secret keyfor the user, which will in effect invalidate all JWT tokens send to user/clients.
3. This can be useful when the user changed his/her password
4
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
