This is the classic issue of the browser cache and the back-navigation button.
What actions are necessary on the backend so that the client can successfully log out? I have implemented simplejwt tokens stored in HTTP-only cookies, and I blacklist the refresh token on logout.
Is there something else I must add on the backend side, or is it a matter for the frontend (React) from here?
api_views.py
:
from django.shortcuts import render
from rest_framework import status
from rest_framework import status, viewsets, permissions
from rest_framework.generics import RetrieveUpdateAPIView, CreateAPIView
from rest_framework.permissions import IsAuthenticated
from rest_framework.permissions import IsAuthenticated, AllowAny, BasePermission, IsAdminUser
from rest_framework.request import Request
from rest_framework.response import Response
from rest_framework.views import APIView
from rest_framework_simplejwt.exceptions import InvalidToken, TokenError
from rest_framework_simplejwt.tokens import RefreshToken
from rest_framework_simplejwt.views import TokenRefreshView

from .models import Aihealue, Ketju, Vastaus, Notes
from .permissions import IsAdminOrSuperuser  # imported from the separate permissions module
from .serializers import AihealueSerializer, KetjuSerializer, VastausSerializer, NotesSerializer, CustomUserSerializer, RegisterUserSerializer, LoginUserSerializer
# API Controllerit
class UserInfoView(RetrieveUpdateAPIView):
    """Read or update the profile of the currently authenticated user.

    Only authenticated requests are accepted (``IsAuthenticated``); the
    object operated on is always the requesting user, so no lookup
    parameter is taken from the URL or body. Serialization is delegated
    to ``CustomUserSerializer`` (project code, not shown here).
    """

    permission_classes = (IsAuthenticated,)
    serializer_class = CustomUserSerializer

    def get_object(self):
        """Return the user attached to the incoming request."""
        current_user = self.request.user
        return current_user
class UserRegistrationView(CreateAPIView):
    """Create a new user account from a POST body.

    Validation and user creation live in ``RegisterUserSerializer``
    (project code, not shown here). No ``permission_classes`` are set on
    this view, so it falls back to the project-wide DRF defaults --
    confirm those allow anonymous access if self-registration is intended.
    """

    serializer_class = RegisterUserSerializer
class LoginView(APIView):
    """Authenticate a user and hand out the JWT pair as HttpOnly cookies.

    The POST body is validated by ``LoginUserSerializer``; on success its
    ``validated_data`` is used as the user object (the serializer is
    project code, not shown here). Neither token is returned in the JSON
    body: both go into cookies that script cannot read (``httponly``) and
    that are sent only over HTTPS (``secure``). ``samesite="None"`` makes
    the browser attach them to cross-site requests too, which a separately
    hosted frontend needs -- it also means state-changing endpoints must
    rely on CSRF protection that is not visible in this view.

    Returns:
        200 with ``{"user": ...}`` plus two ``Set-Cookie`` headers, or
        400 with the serializer's errors.
    """

    def post(self, request):
        """Validate credentials and respond with user data plus auth cookies."""
        login_serializer = LoginUserSerializer(data=request.data)
        if not login_serializer.is_valid():
            return Response(login_serializer.errors, status=status.HTTP_400_BAD_REQUEST)

        user = login_serializer.validated_data
        refresh = RefreshToken.for_user(user)
        payload = {"user": CustomUserSerializer(user).data}
        response = Response(payload, status=status.HTTP_200_OK)

        # Same attributes for both cookies; no max_age/expires is given, so
        # from the browser's point of view these are session cookies.
        cookie_flags = {"httponly": True, "secure": True, "samesite": "None"}
        response.set_cookie(key="access_token", value=str(refresh.access_token), **cookie_flags)
        response.set_cookie(key="refresh_token", value=str(refresh), **cookie_flags)
        return response
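class LogoutView(APIView):
    """Blacklist the refresh token from the cookie and clear both auth cookies.

    What this does and does not achieve on the backend:

    * Blacklisting stops the refresh token from minting new access tokens.
      It requires ``rest_framework_simplejwt.token_blacklist`` in
      ``INSTALLED_APPS``; without it ``RefreshToken`` has no ``blacklist``.
    * The access token already issued is a self-contained JWT and stays
      valid until its own ``ACCESS_TOKEN_LIFETIME`` expires; the backend
      cannot revoke it without per-request state. Keeping that lifetime
      short is the usual mitigation.
    * The "back button shows the old page" symptom is a caching matter,
      not a token matter: sending ``Cache-Control: no-store`` on
      authenticated API responses and clearing frontend state on logout
      is what addresses it.

    Returns:
        200 with a success message and deletion ``Set-Cookie`` headers, or
        400 when the presented refresh token cannot be blacklisted
        (malformed, expired, already blacklisted).
    """

    def post(self, request):
        """Invalidate the refresh cookie (if any) and expire both cookies."""
        refresh_token = request.COOKIES.get("refresh_token")
        if refresh_token:
            try:
                # RefreshToken() verifies signature/expiry/blacklist state and
                # raises TokenError on failure; blacklist() records the token.
                RefreshToken(refresh_token).blacklist()
            except TokenError as e:
                return Response({"error": "Error invalidating token:" + str(e)}, status=status.HTTP_400_BAD_REQUEST)

        response = Response({"message": "Successfully logged out!"}, status=status.HTTP_200_OK)
        # The deletion cookie must carry the same SameSite attribute as the
        # cookie set at login: a Set-Cookie without SameSite=None may be
        # ignored by browsers in a cross-site response, leaving the old
        # cookies in place. Django (>= 3.1) marks the deletion cookie Secure
        # automatically when samesite="None".
        response.delete_cookie("access_token", samesite="None")
        response.delete_cookie("refresh_token", samesite="None")
        return response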
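class CookieTokenRefreshView(TokenRefreshView):
    """Issue a new access token from the refresh token stored in the cookie.

    The refresh token is read from the ``refresh_token`` cookie rather
    than the request body, and the new access token is written back as an
    HttpOnly cookie instead of being returned in JSON.

    NOTE(review): this override replaces ``TokenRefreshView.post`` entirely
    and never runs the parent's serializer, so the ``ROTATE_REFRESH_TOKENS``
    / ``BLACKLIST_AFTER_ROTATION`` settings have no effect here -- confirm
    that is intended.

    Returns:
        200 with a message and a new ``access_token`` cookie;
        401 when the cookie is missing or the token is invalid/expired.
    """

    def post(self, request, *args, **kwargs):
        """Validate the refresh cookie and set a fresh access-token cookie."""
        refresh_token = request.COOKIES.get("refresh_token")
        if not refresh_token:
            return Response({"error": "Refresh token not provided"}, status=status.HTTP_401_UNAUTHORIZED)

        try:
            # RefreshToken() raises TokenError (not InvalidToken) for a
            # malformed, expired or blacklisted token; catching only
            # InvalidToken let those surface as 500s instead of 401s.
            refresh = RefreshToken(refresh_token)
        except (TokenError, InvalidToken):
            return Response({"error": "Invalid token"}, status=status.HTTP_401_UNAUTHORIZED)

        access_token = str(refresh.access_token)
        response = Response({"message": "Access token token refreshed successfully"}, status=status.HTTP_200_OK)
        # Same attributes as at login so the new cookie overwrites the old one.
        response.set_cookie(key="access_token",
                            value=access_token,
                            httponly=True,
                            secure=True,
                            samesite="None")
        return response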
settings.py
:
REST_FRAMEWORK = {
    # Authentication classes are tried in this order: header-based JWT first,
    # then the project's cookie-based variant. CookieJWTAuthentication is
    # project code outside this listing; whether it enforces CSRF for the
    # cookie path is not visible here -- worth confirming, since the auth
    # cookies are sent cross-site (SameSite=None).
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_simplejwt.authentication.JWTAuthentication', # if a CSRF token is not needed
        'codesitemainapp.authentication.CookieJWTAuthentication'
    )
}
SIMPLE_JWT = {
    # An already-issued access token stays valid for this long even after
    # logout blacklists the refresh token (JWTs are stateless), so keep it short.
    # `timedelta` must be imported earlier in settings.py (not shown in this excerpt).
    "ACCESS_TOKEN_LIFETIME": timedelta(minutes=15),
    "REFRESH_TOKEN_LIFETIME": timedelta(days=1),
    # Rotation is off: the same refresh token is reused until it expires or
    # is blacklisted, so a leaked refresh cookie stays usable for up to a day.
    "ROTATE_REFRESH_TOKENS": False,
    "BLACKLIST_AFTER_ROTATION": False,
}
# NOTE(review): allowing all origins together with credentials means
# django-cors-headers reflects the request's Origin in
# Access-Control-Allow-Origin, so any website can make credentialed
# requests that carry the HttpOnly auth cookies (they are SameSite=None)
# and read the responses. Prefer an explicit CORS_ALLOWED_ORIGINS list of
# the frontend origin(s) -- verify against the deployed frontend URL.
CORS_ALLOW_ALL_ORIGINS = True
CORS_ALLOW_CREDENTIALS = True