Invalidate Flask-JWT token on logout

I created a Flask-JWT token to authenticate a user, but I want to invalidate the token on logout. It currently still allows access to the route after logging out.

from flask import jsonify
from flask_jwt import jwt_required                  # Flask-JWT route protection
from flask_login import current_user, logout_user   # assumed: these names come from Flask-Login

# app and db are the Flask application and SQLAlchemy instance defined elsewhere.
@app.route('/logout', methods=['POST'])
@jwt_required()   # Flask-JWT's jwt_required is a decorator factory, so it needs ()
def logout():
    user = current_user
    user.authenticated = False   # only flips a DB flag; the signed JWT itself stays valid
    db.session.commit()
    logout_user()                # clears the Flask-Login session, not the bearer token
    return jsonify({'success': True})


3 answers


As stated, blacklisting is one of the main ways to revoke JWT tokens. However, it should be noted that blacklisted tokens must be stored in the DB or elsewhere until they expire, unless you need all tokens for whatever reason.



In addition, it is important to keep the validity time of the JWT token as short as possible, so that in most cases they would quickly invalidate themselves. For example, it makes sense to make the token expiration time 30 minutes, like the session timeout for some websites (definitely not days and months, etc.).



The JWT token system works in such a way that you put the user id (or related data) and token data in the generated token itself, which is signed with a non-public (secret) key. If you want to invalidate the token, you need to blacklist the token in a table and check it on views/routes, or remove the token from the client so that the client regenerates the token.



NOTE: Putting any restrictions in the payload is not a good idea. If you don't want to use the blacklisting method, use other token generation schemes like Hawk, where the generated token is stored in the DB or other storage and is removed on invalidation/logout.

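The blacklist approach from the two answers above (store the revoked token's id only until its own expiry, and check the blacklist on every protected route), as an added, dependency-free example that is not code from any of the answers or from Flask-JWT. It mints a minimal HS256 JWT with its own helpers instead of a JWT library, and `SECRET`, the claim names and the `now` parameter are assumptions chosen for the demo.

```python
import base64, hashlib, hmac, json, time, uuid

SECRET = b"constructed-demo-secret"  # constructed sample key (assumption), not a real secret
def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _sign(header: str, payload: str) -> bytes:
    return hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()

def issue_token(user_id, ttl_seconds=1800, now=None):
    """Mint an HS256 JWT with a unique jti and a short expiry (30 minutes by default)."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "jti": uuid.uuid4().hex, "iat": now, "exp": now + ttl_seconds}
    payload = _b64(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64(_sign(header, payload))}"

class RevocationList:
    """Blacklist of revoked jti values; an entry is needed only until its token expires."""
    def __init__(self):
        self._revoked = {}  # jti -> exp
    def revoke(self, claims):
        self._revoked[claims["jti"]] = claims["exp"]
    def is_revoked(self, jti):
        return jti in self._revoked
    def prune(self, now):  # expired tokens are rejected anyway, so forget their jti
        before = len(self._revoked)
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        return before - len(self._revoked)

def verify_token(token, revoked, now=None):
    """Return the claims if signature, expiry and blacklist checks all pass, else None."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        if not hmac.compare_digest(_sign(header, payload), _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= now or revoked.is_revoked(claims.get("jti")):
        return None
    return claims

def logout(token, revoked, now=None):  # what a /logout route should do
    claims = verify_token(token, revoked, now)
    if claims is not None:
        revoked.revoke(claims)  # blacklist this token's jti until it expires
    return claims is not None
```

In a real deployment the RevocationList would live in the database or a shared cache so every app instance sees the same blacklist, and prune would run periodically.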


Check out flask-jwt-extended. It supports token blacklisting built into the extension (and is still actively maintained, unlike Flask-JWT, which was abandoned).

http://flask-jwt-extended.readthedocs.io/en/latest/blacklist_and_token_revoking.html
