How do I delete a django JWT token?

2022-01-10 00:00:00 python django rest jwt

Problem description

I am using the Django rest framework JSON Web token API that is found here on github (https://github.com/GetBlimp/django-rest-framework-jwt/tree/master/).

I can successfully create tokens and use them to call protected REST APIs. However, there are certain cases where I would like to delete a specific token before its expiry time. So I thought to do this with a view like:

from rest_framework import status
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
from rest_framework.views import APIView
from rest_framework_jwt.authentication import JSONWebTokenAuthentication


class Logout(APIView):
    permission_classes = (IsAuthenticated, )
    authentication_classes = (JSONWebTokenAuthentication, )

    def post(self, request):
        # simply delete the token to force a login
        request.auth.delete()  # This will not work: request.auth is the raw token string
        return Response(status=status.HTTP_200_OK)

The request.auth is simply a string object. So this is, of course, not going to work, but I was not sure how I can clear the underlying token.

Edit

Reading more about this, it seems that I do not need to do anything as nothing is ever stored on the server side with JWT. So just closing the application and regenerating the token on the next login is enough. Is that correct?


Solution

Yes, it's correct to say that JWT tokens are not stored in the database. What you want, though, is to invalidate a token based on user activity, which doesn't seem to be possible ATM.

So, you can do what you suggested in your question, or redirect the user to some token refreshing endpoint, or even manually create a new token.
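Whatever the library offers, the general way to invalidate a single JWT before its exp is the one the question is reaching for: issue every token with a unique jti claim, and on logout record that jti server-side in a denylist that the authentication path consults on every request. Closing the client does not revoke anything; a copied token stays valid until exp unless the server keeps such a list. The following is an added example, not code from the question, the answer, or django-rest-framework-jwt. It uses only the standard library so it runs stand-alone; the names issue_token, verify_token, TokenDenylist, authenticate and logout, the key SECRET_KEY, and the assumption that the issuer adds a jti claim are all mine. In a DRF project the verify-plus-denylist check would live in a custom authentication class and the revoke call in the Logout view shown in the question.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Hypothetical signing key for this example; in a Django project this would be
# settings.SECRET_KEY (or whatever key the JWT settings point at).
SECRET_KEY = b"example-secret-not-for-production"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, ttl_seconds=3600, now=None):
    """Mint an HS256 JWT that carries a unique jti claim. Without jti there is
    nothing stable to revoke by, so this is the one change the issuer needs."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"user_id": user_id, "jti": uuid.uuid4().hex,
               "iat": now, "exp": now + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, now=None):
    """Check structure, alg, HMAC and exp. Returns the payload or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return payload


class TokenDenylist:
    """jti -> exp map of revoked tokens. In-memory here; in production a DB table
    or Redis keyed by jti with a TTL equal to the token's remaining lifetime."""

    def __init__(self):
        self._revoked = {}

    def revoke(self, payload):
        self._revoked[payload["jti"]] = payload["exp"]

    def is_revoked(self, jti, now=None):
        now = time.time() if now is None else now
        # Drop entries whose token has expired anyway: it can never verify again,
        # so the list stays bounded by the number of logouts per token lifetime.
        for revoked_jti, exp in list(self._revoked.items()):
            if exp <= now:
                del self._revoked[revoked_jti]
        return jti in self._revoked


def authenticate(token, denylist, now=None):
    """What a custom authentication class would do per request: verify, then
    refuse any token whose jti has been revoked."""
    payload = verify_token(token, now)
    if denylist.is_revoked(payload["jti"], now):
        raise ValueError("revoked")
    return payload


def logout(token, denylist, now=None):
    """What the Logout view in the question is after: revoke this one token."""
    denylist.revoke(verify_token(token, now))


if __name__ == "__main__":
    denylist = TokenDenylist()
    token = issue_token(user_id=42)
    print("before logout:", authenticate(token, denylist)["user_id"])
    logout(token, denylist)
    try:
        authenticate(token, denylist)
    except ValueError as err:
        print("after logout:", err)
```

The denylist costs one lookup per request, which is the price of revocation with stateless tokens; it is still far smaller than a session table because entries expire with the token. Without it, the only lever is the one the answer points to: keep exp short and rely on refresh, accepting that a stolen token lives until then.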
