Martin

Reputation: 27

In Flask JWT Extended, when revoking both access and refresh tokens, shouldn't I also revoke access of the last non-fresh token?

After reading the documentation, it was clear to me that the client should send two requests to the /logout endpoint, as it says in this example using Redis as the hosted blocklist:

from datetime import timedelta

import redis
from flask import Flask, jsonify
from flask_jwt_extended import get_jwt, jwt_required

ACCESS_EXPIRES = timedelta(hours=1)
app = Flask(__name__)
# Redis holds the revoked JTIs; entries expire together with the token itself
jwt_redis_blocklist = redis.StrictRedis(host="localhost", port=6379, db=0, decode_responses=True)

@app.route("/logout", methods=["DELETE"])
@jwt_required(verify_type=False)  # accept either an access or a refresh token
def logout():
    token = get_jwt()
    jti = token["jti"]      # unique id of the presented token
    ttype = token["type"]   # "access" or "refresh"
    # Only the token that was presented is blocklisted
    jwt_redis_blocklist.set(jti, "", ex=ACCESS_EXPIRES)

    # Returns "Access token successfully revoked" or "Refresh token successfully revoked"
    return jsonify(msg=f"{ttype.capitalize()} token successfully revoked")

But then I realized: what about the last non-fresh token? The last token created by the refresh token?

I'm aware that the validity of that token should not be long, but I assume that in a safe system it should also be blocklisted.

So, should I make a third DELETE request?

Thanks.

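The scenario in the question, as an added model that is not code from the post or from Flask-JWT-Extended: token dicts stand in for the claims get_jwt() returns, a dict stands in for the Redis blocklist, and the per-jti revocation of the /logout endpoint above is placed beside a session-scoped variant. The "sid" claim is an assumption (something an app could add through create_access_token's additional_claims) used to tie the refreshed, non-fresh access token to the login it came from.

```python
# Model of jti-based revocation versus session-scoped revocation.
# Assumption: every token minted for one login carries the same "sid" claim.
import uuid

BLOCKLIST: dict[str, str] = {}  # stands in for jwt_redis_blocklist.set(key, "")


def _token(ttype: str, sub: str, sid: str, fresh: bool) -> dict:
    # jti/type/sub are claims Flask-JWT-Extended puts in every token; sid is assumed
    return {"jti": str(uuid.uuid4()), "type": ttype, "sub": sub, "sid": sid, "fresh": fresh}


def login(user: str) -> tuple[dict, dict]:
    """Fresh access token plus refresh token, sharing one session id."""
    sid = str(uuid.uuid4())
    return _token("access", user, sid, True), _token("refresh", user, sid, False)


def refresh(refresh_token: dict) -> dict:
    """The /refresh endpoint: a new, non-fresh access token in the same session."""
    assert refresh_token["type"] == "refresh"
    return _token("access", refresh_token["sub"], refresh_token["sid"], False)


def logout_by_jti(token: dict) -> None:
    """What the question's /logout does: blocklist only the token presented."""
    BLOCKLIST[token["jti"]] = ""


def logout_session(token: dict) -> None:
    """Variant: blocklist the session id, covering every token minted for it."""
    BLOCKLIST["sid:" + token["sid"]] = ""


def is_revoked(token: dict) -> bool:
    """The check a token_in_blocklist_loader callback would perform."""
    return token["jti"] in BLOCKLIST or "sid:" + token["sid"] in BLOCKLIST


def refreshed_token_survives_two_deletes() -> bool:
    """True if the last non-fresh token still passes after both DELETE requests."""
    BLOCKLIST.clear()
    access, refresh_tok = login("martin")
    refreshed = refresh(refresh_tok)  # the "last non-fresh token" from the question
    logout_by_jti(access)
    logout_by_jti(refresh_tok)
    return not is_revoked(refreshed)


def session_logout_covers_all() -> bool:
    """True if one session-scoped revocation invalidates all three tokens."""
    BLOCKLIST.clear()
    access, refresh_tok = login("martin")
    refreshed = refresh(refresh_tok)
    logout_session(access)
    return all(is_revoked(t) for t in (access, refresh_tok, refreshed))
```

With per-jti revocation the refreshed token is still accepted until it expires, which is exactly the gap the question points at; revoking by session id closes it in a single request.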

Answers (0)
