how to implement logout and refresh token #7119
-
I am new to backend development. I searched a lot for how to implement logout but didn't find the way.
Replies: 5 comments
-
When you use JWT, logout has to be implemented in the front end, and FastAPI has nothing to do with it.
-
So is it okay if, after you have logged out, you can still use your token?
-
Yeah, with the suggested way from @Yeganloo the token would still be valid. If you want to make a real logout, you have to create a token blacklist and check in your auth dependency whether the token has been revoked.
-
Thanks for the help @Yeganloo and @SebastianLuebke ! 🍰

Another option is, if you want to allow users to log out of every session, part of your user data could include some "seed" (some random data) that is used to hash and verify the token. You would have to get the data for the user from the unverified token, then verify it with the user seed, and then continue if verification passes.

Then to log out of every session you could change that user's seed data, which would make any previously emitted token invalid.
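The two server-side options from the replies above (a revocation list checked on every request, and a per-user seed mixed into the signing key), as an added example that is not code from the thread or from FastAPI. It uses only the Python standard library to build HS256-style tokens; `SERVER_SECRET`, `USER_SEEDS`, `REVOKED_JTI` and all function names are assumptions, with in-memory structures standing in for a database and a shared store.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_SECRET = secrets.token_bytes(32)   # assumption: one app-wide secret
USER_SEEDS = {}                           # assumption: stand-in for a per-user DB column
REVOKED_JTI = set()                       # assumption: stand-in for a shared revocation list

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _key(user: str) -> bytes:
    # The signing key depends on the user's seed, so rotating the seed kills old tokens.
    return hmac.new(SERVER_SECRET, USER_SEEDS[user], hashlib.sha256).digest()

def _sign(user: str, signing_input: str) -> str:
    return _b64(hmac.new(_key(user), signing_input.encode(), hashlib.sha256).digest())

def issue_token(user: str, ttl: int = 900) -> str:
    USER_SEEDS.setdefault(user, secrets.token_bytes(16))
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "jti": secrets.token_hex(8), "exp": int(time.time()) + ttl}
    body = header + "." + _b64(json.dumps(claims).encode())
    return body + "." + _sign(user, body)

def verify_token(token: str):
    """Return the claims if the token is valid, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        claims = json.loads(_unb64(payload))   # unverified: read only to find the user's seed
        expected = _sign(claims["sub"], header + "." + payload)
    except (ValueError, KeyError, TypeError):
        return None                            # malformed token or unknown user
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None                            # forged, tampered, or signed with an old seed
    if claims["exp"] < time.time() or claims["jti"] in REVOKED_JTI:
        return None                            # expired, or this session was logged out
    return claims

def logout(token: str) -> None:
    claims = verify_token(token)
    if claims:
        REVOKED_JTI.add(claims["jti"])         # revoke this one session only

def logout_everywhere(user: str) -> None:
    USER_SEEDS[user] = secrets.token_bytes(16) # every previously issued token now fails
```

In a FastAPI application, `verify_token` would be called from the auth dependency so that every protected route rejects revoked tokens.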
-
Assuming the original need was handled, this will be automatically closed now. But feel free to add more comments or create new issues or PRs.