dj-rest-auth
Refresh token was not included in request data.
By default, if you're using JWT and Token Blacklist, the Logout view tries to find the Refresh token in the request body. However, if I am using an HttpOnly cookie, my Refresh token wouldn't be in the request body.
It can be fixed by changing:
    if 'rest_framework_simplejwt.token_blacklist' in settings.INSTALLED_APPS:
        # add refresh token to blacklist
        try:
            token = RefreshToken(request.get['refresh'])
to
    if 'rest_framework_simplejwt.token_blacklist' in settings.INSTALLED_APPS:
        # add refresh token to blacklist
        try:
            token = RefreshToken(request.COOKIES['refresh_token'])
But it is quite cumbersome to define my own view for one line of change. Please consider making this change to the codebase.
Slightly related: #191. You can find some middleware via the code mentioned there that will do that. I agree that it should be added, though.
You should further be using the JWT_AUTH_REFRESH_COOKIE setting to decide which cookie to grab:
    if 'rest_framework_simplejwt.token_blacklist' in settings.INSTALLED_APPS:
        # add refresh token to blacklist
        try:
            refresh_cookie = getattr(settings, 'JWT_AUTH_REFRESH_COOKIE', 'refresh_token')
            token = RefreshToken(request.COOKIES[refresh_cookie])
Could you please write where I should put this code? Please =)
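A framework-free sketch of the lookup order discussed in this thread, added here as an example and not dj-rest-auth's own code: read the refresh token from the cookie named by JWT_AUTH_REFRESH_COOKIE, fall back to the request body, blacklist it, and always expire the cookie. The names `find_refresh_token`, `logout`, `fake_request`, the in-memory `BLACKLIST`, the status codes and the stand-in `settings` object are assumptions made for illustration.

```python
from types import SimpleNamespace

# Constructed stand-ins (assumptions): `settings` mimics django.conf.settings
# and BLACKLIST mimics a token blacklist table.
settings = SimpleNamespace(JWT_AUTH_REFRESH_COOKIE="refresh_token")
BLACKLIST = set()
MISSING = "Refresh token was not included in request data."


def refresh_cookie_name():
    # Same lookup as the thread's snippet, with its 'refresh_token' default.
    return getattr(settings, "JWT_AUTH_REFRESH_COOKIE", "refresh_token")


def find_refresh_token(request):
    """Prefer the HttpOnly cookie, fall back to the request body."""
    token = request.COOKIES.get(refresh_cookie_name())
    if token:
        return token
    return request.data.get("refresh")


def logout(request):
    """Return (status, detail, cookies_to_expire) for a logout request."""
    # JavaScript cannot remove an HttpOnly cookie, so the server always
    # expires it, even when blacklisting fails.
    expire = [refresh_cookie_name()]
    token = find_refresh_token(request)
    if not token:
        return 401, MISSING, expire
    if token in BLACKLIST:
        return 401, "Token is blacklisted.", expire
    BLACKLIST.add(token)
    return 200, "Successfully logged out.", expire


def fake_request(cookies=None, data=None):
    # Constructed request object exposing the two attributes used above.
    return SimpleNamespace(COOKIES=cookies or {}, data=data or {})
```
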