flask-jwt-extended
Implicit Refreshing With Cookies example has a bug
There is a possible conflict between logout and token prolongation. In the actual example, a new access cookie could be set after the logout request.
That's interesting. Thanks for catching that. It should be really easy to add an extra guard for that, I'll take a look at updating some stuff in the example to prevent that when I have some time. Two options to fix this off the top of my head:
- We should be able to look at the cookies being set on the response, and not refresh the jwt if there is already an `unset` cookie present.
- We can look at the request and not do implicit refreshing if it's the logout endpoint that is being hit.