bavaza
Reputation: 11037
Revoking tokens using Django rest-framework-jwt
I'm thinking of allowing a user to revoke previously issued tokens (yes, even though they are set to expire in 15 minutes), but did not find any way to do so using DRF-jwt.
Right now, I'm considering several options:
- Hope someone on SO will show me how to do this out-of-the-box ;-)
- Use the jti field as a counter, and, upon revocation, require jti > last jti.
- Add user-level salt to the signing procedure, and change it upon revocation
- Store live tokens in some Redis DB
Is any of the above the way to go?
Upvotes: 4
Views: 3809
Answers (1)
Raz
Reputation: 7923
We did it this way in our project:
Add jwt_issue_dt to User model.
Add original_iat to payload. So token refresh won't modify this field.
Compare original_iat from payload and user.jwt_issue_dt:
from calendar import timegm
from rest_framework_jwt.authentication import JSONWebTokenAuthentication
class CustomJSONWebTokenAuthentication(JSONWebTokenAuthentication):
def authenticate_credentials(self, payload):
user = super(CustomJSONWebTokenAuthentication, self).authenticate_credentials(payload)
iat_timestamp = timegm(user.jwt_issue_dt.utctimetuple())
if iat_timestamp != payload['iat']:
raise exceptions.AuthenticationFailed('Invalid payload')
return user
To revoke a token you just need to update the field user.jwt_issue_dt.
Upvotes: 4
Related Questions
- How to revoke refresh token on password reset?
- How to delete a django JWT token?
- Delete expired tokens from database (Django + JWT)
- Revoke refresh token
- expire JWT token if new JWT token id generated
- Django rest framework JWT , delete the jwt token
- Django Password Reset using Rest API
- Django REST JWT Refresh
- drf django rest auth how to expire or delete token?
- django-rest-auth reset password uid and token