ContextQMD
Back to Djangorestframework Simplejwt

Blacklist app

docs/blacklist_app.rst

5.5.12.6 KB
Original Source

.. _blacklist_app:

Blacklist app

Simple JWT includes an app that provides token blacklist functionality. To use this app, include it in your list of installed apps in settings.py:

.. code-block:: python

Django project settings.py

...

INSTALLED_APPS = ( ... 'rest_framework_simplejwt.token_blacklist', ... )

Also, make sure to run python manage.py migrate to run the app's migrations.

If the blacklist app is detected in INSTALLED_APPS, Simple JWT will add any generated refresh or sliding tokens to a list of outstanding tokens. It will also check that any refresh or sliding token does not appear in a blacklist of tokens before it considers it as valid.

The Simple JWT blacklist app implements its outstanding and blacklisted token lists using two models: OutstandingToken and BlacklistedToken. Model admins are defined for both of these models. To add a token to the blacklist, find its corresponding OutstandingToken record in the admin and use the admin again to create a BlacklistedToken record that points to the OutstandingToken record.

Alternatively, you can blacklist a token by creating a BlacklistMixin subclass instance and calling the instance's blacklist method:

.. code-block:: python

from rest_framework_simplejwt.tokens import RefreshToken

token = RefreshToken(base64_encoded_token_string) token.blacklist()

This will create unique outstanding token and blacklist records for the token's "jti" claim or whichever claim is specified by the JTI_CLAIM setting.

In a urls.py file, you can also include a route for TokenBlacklistView:

.. code-block:: python

from rest_framework_simplejwt.views import TokenBlacklistView

urlpatterns = [ ... path('api/token/blacklist/', TokenBlacklistView.as_view(), name='token_blacklist'), ... ]

It allows API users to blacklist tokens sending them to /api/token/blacklist/, for example using curl:

.. code-block:: bash

curl
-X POST
-H "Content-Type: application/json"
-d '{"refresh":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImV4cCI6MTY1MDI5NTEwOCwiaWF0IjoxNjUwMjA4NzA4LCJqdGkiOiJhYTY3ZDUxNzkwMGY0MTEyYTY5NTE0MTNmNWQ4NDk4NCIsInVzZXJfaWQiOjF9.tcj1_OcO1BRDfFyw4miHD7mqFdWKxmP7BJDRmxwCzrg"}'
http://localhost:8000/api/token/blacklist/

The blacklist app also provides a management command, flushexpiredtokens, which will delete any tokens from the outstanding list and blacklist that have expired. You should set up a cron job on your server or hosting platform which runs this command daily.