I am using rest_framework_simplejwt for authentication in my Django app. For logout, I want to expire the refresh token.
from datetime import timedelta

from rest_framework import status
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
from rest_framework.views import APIView
from rest_framework_simplejwt.tokens import RefreshToken


class LogoutView(APIView):
    permission_classes = (IsAuthenticated,)

    def post(self, request, *args, **kwargs):
        try:
            refresh_token = request.data.get('refresh', None)
            token = RefreshToken(refresh_token)
            # Set the exp claim on the decoded token object to "now"
            token.set_exp(lifetime=timedelta(seconds=0))
            return Response(status=status.HTTP_205_RESET_CONTENT)
        except Exception as e:
            print(e)
            return Response(status=status.HTTP_400_BAD_REQUEST)
This works as expected. When I do token.check_exp(), it says ‘Expired’. However, I can still use it to generate new tokens here:
from django.urls import path
from rest_framework_simplejwt.views import TokenObtainPairView, TokenRefreshView

urlpatterns = [
    path('token/refresh/', TokenRefreshView.as_view(), name='token_refresh'),
]
Why is that?
However, this all works as expected if I blacklist the token instead of expiring it.
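The following is an added example, not part of the question above and not simplejwt's own code. It models the two logout strategies with a hand-rolled HS256 JWT built from the standard library, so it runs without Django; the names issue_refresh, logout_by_set_exp, logout_by_blacklist, refresh and BLACKLIST are assumptions for illustration, and BLACKLIST is an in-memory set standing in for simplejwt's BlacklistedToken table. The point it demonstrates: a JWT is stateless, so RefreshToken(refresh_token).set_exp(...) only rewrites the exp claim in the payload dict the server just decoded. The signed string the client holds is untouched, and TokenRefreshView re-verifies that string from scratch, seeing the original exp. Blacklisting, by contrast, records the token's jti server-side, and that record is consulted on every later verification, which is why only the blacklist variant actually revokes the token.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed demo secret; a real deployment reads SIGNING_KEY from settings.
SECRET = b"constructed-demo-secret"

# Stands in for simplejwt's BlacklistedToken table (hypothetical name).
BLACKLIST = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode(payload: dict, key: bytes = SECRET) -> str:
    """Serialise and HS256-sign a payload into a compact JWT string."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode(token: str, now: float, key: bytes = SECRET) -> dict:
    """Verify signature and exp of the string the client actually sent."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body))
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return payload


def issue_refresh(user_id: int, now: float, lifetime: int = 86400) -> str:
    return encode({"token_type": "refresh", "user_id": user_id,
                   "jti": uuid.uuid4().hex, "iat": now, "exp": now + lifetime})


def logout_by_set_exp(token: str, now: float) -> dict:
    """Mirrors the question's view: mutate exp on the decoded copy only.

    Nothing is written back to the client or to any store, so the string
    the client keeps is unchanged and still verifies.
    """
    payload = decode(token, now)
    payload["exp"] = now  # local mutation, equivalent to set_exp(lifetime=0)
    return payload


def logout_by_blacklist(token: str, now: float) -> None:
    """Persist the token's jti so later verifications can reject it."""
    payload = decode(token, now)
    BLACKLIST.add(payload["jti"])


def refresh(token: str, now: float) -> str:
    """What TokenRefreshView does: re-verify the submitted string, then
    consult the blacklist, then mint a new access token."""
    payload = decode(token, now)
    if payload["jti"] in BLACKLIST:
        raise ValueError("token is blacklisted")
    return encode({"token_type": "access", "user_id": payload["user_id"], "exp": now + 300})


def demo():
    now = 1_700_000_000
    tok = issue_refresh(42, now)

    local = logout_by_set_exp(tok, now)
    local_copy_expired = local["exp"] <= now            # True: the copy says expired
    client_string_still_refreshes = refresh(tok, now + 1) is not None  # True: server never saw the change

    logout_by_blacklist(tok, now + 1)
    try:
        refresh(tok, now + 2)
        blacklist_blocks_refresh = False
    except ValueError:
        blacklist_blocks_refresh = True                 # True: jti lookup rejects it
    return local_copy_expired, client_string_still_refreshes, blacklist_blocks_refresh


if __name__ == "__main__":
    print(demo())
```

In simplejwt terms, check_exp() on the object you mutated reports "Expired" because it reads the same payload dict set_exp just changed, while the view that refreshes tokens constructs a fresh RefreshToken from the client's string and never sees that dict. The token_blacklist app works because RefreshToken.verify() calls check_blacklist(), which looks up the jti in the database.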