Reputation: 61
How to expire a Django REST framework JWT token manually? Because it does not store the token in the database. Is there any correct way to expire the token?
I am thinking of continuing with middleware where the token will be stored per user. At every login request we will update the token in the DB for a user. At every request, we will fetch the token from the request and compare it with the stored token, and if it doesn't match then we'll return forbidden. I don't know if it's a correct way or not!!
Upvotes: 4
Views: 1485
Reputation: 9689
You can't expire a JWT token; the token is self-contained and can only expire after the amount of time that's stored in its payload. What you can do is use both refresh and access tokens, and set a small amount of time for the access token. With that being said, your FE should update the access token when it's expired. You should store your refresh token in the database, and when you need to delete the access token, you can stop the user from updating it using the refresh token.
EDIT: If you want to store the token in the database, you probably don't want to use JWT and stateless authorization at all. Instead, stick with session-based authorization. When you want to expire a token, you can just delete the session from the DB.
UPDATE 2: What people usually do in this situation is have a fast-access DB (like Redis) that has very few items. Instead of storing the JWT token in the database, we create a table that contains blocked tokens (I assume the amount of deleted tokens would be much less than the amount of alive ones). BUT, now you sacrifice stateless authorization in favor of checking if a token is in the database every time you authorize a user.
Upvotes: 2
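The blocklist approach from UPDATE 2, as an added example (not the answerer's code and not part of Django REST framework): a revoked token is recorded by its `jti` claim with a TTL equal to its remaining lifetime, so the blocklist stays small because entries disappear exactly when the token would have expired on its own. It assumes HS256 tokens carrying `jti` and `exp` claims, a minimal hand-rolled encoder instead of a JWT library, and a plain dict standing in for Redis.

```python
import base64, hashlib, hmac, json

# Assumptions (not from the original answer): HS256 tokens with "jti" and "exp"
# claims; a dict (jti -> expiry timestamp) stands in for a Redis blocklist with TTL.
SECRET = b"constructed-demo-secret"
blocklist = {}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode(payload: dict) -> str:
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def decode(token: str, now: float) -> dict:
    """Verify signature and expiry; raise ValueError on any failure."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        raise ValueError("expired")
    return payload

def revoke(token: str, now: float) -> None:
    """Block a still-valid token; the entry only needs to live until 'exp'."""
    payload = decode(token, now)
    blocklist[payload["jti"]] = payload["exp"]

def is_authorized(token: str, now: float) -> bool:
    # Purge entries whose token has expired on its own (Redis TTL does this for you).
    for jti, exp in list(blocklist.items()):
        if exp <= now:
            del blocklist[jti]
    try:
        payload = decode(token, now)
    except ValueError:
        return False
    # The one stateful check this design pays for: is the jti on the blocklist?
    return payload["jti"] not in blocklist
```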