Djangorestframework-simplejwt: Refresh token rotation not storing the valid one on Outstanding token table

Created on 8 Jun 2018  路  7Comments  路  Source: jazzband/djangorestframework-simplejwt

Hi!

When _'ROTATE_REFRESH_TOKENS': True_, and _'BLACKLIST_AFTER_ROTATION': True_, the old refresh token is stored on the _Blacklist_ table, but the new one delivered is not stored on the _outstanding_ token table.

Is that the desired behaviour? Because by that way the new delivered refreshtoken cannot be manually blacklisted since we don't have it anywhere

Thank you for the lib!!

Most helpful comment

Hi @Andrew-Chen-Wang - when refresh.blacklist() is called it creates new outstanding token if it doesn't exist yet, and blacklists it immediately. While that is correct, the outstanding token gets created only at the moment it gets blacklisted as well.

Ideally a newly issued refresh token (if rotation is enabled) should be placed in the list of outstanding tokens immediately.

All 7 comments

Also noticed this. It should not be like this.

Any updates here?
bug or feature?

I fixed it by myself. I am not sure that it will be fixed soon... As the PR is a half of the year old

I fixed it by myself. I am not sure that it will be fixed soon... As the PR is a half of the year old

Could you provide a patch? I suppose it will speed up issue resolving

Hi,

i've also came across this issue and before I try to make pull request can active devs please check if this is the right way to address this issue.

class TokenRefreshPatchedSerializer(serializers.Serializer):
    # Patched TokenRefresh serializer so it
    # stores the new refresh token to the list of Outstanding tokens
    refresh = serializers.CharField()

    def validate(self, attrs):
        refresh = RefreshToken(attrs['refresh'])

        data = {'access': str(refresh.access_token)}

        if api_settings.ROTATE_REFRESH_TOKENS:
            blacklisted_token = None
            if api_settings.BLACKLIST_AFTER_ROTATION:
                try:
                    # Attempt to blacklist the given refresh token
                    blacklisted_token = refresh.blacklist()
                except AttributeError:
                    # If blacklist app not installed, `blacklist` method will
                    # not be present
                    pass

            refresh.set_jti()
            refresh.set_exp()

            # PATCHED - Create Outstanding Token in the db
            if blacklisted_token:
                OutstandingToken.objects.create(
                    user=blacklisted_token.user,
                    jti=refresh.payload['jti'],
                    token=str(refresh),
                    created_at=refresh.current_time,
                    expires_at=datetime_from_epoch(refresh['exp']),
                )

            data['refresh'] = str(refresh)

        return data

So basically in the RefreshSerializer add the needed condition checking and store the new refresh token in the database.

I'm not aware of a PR for this. Additionally, refresh.blacklist() seems to already do this???

@boris-savic Can you put that patch inside the try/except? In that case, you wouldn't need the if blacklisted_token if you just put it underneath the setting of that name. But really... it seems like it's already done.

I've lost a bit of time to properly debug this issue since aps are coming around, so do you mind putting a couple of print statements here: https://github.com/SimpleJWT/django-rest-framework-simplejwt/blob/80c6e7e2f4a40c9bfb8e9b5bc2c6ce895575f157/rest_framework_simplejwt/tokens.py#L194

Just test out if the method is even invoked. I'd advise putting an assertion to make sure the token is found after the OutstandingToken.object.get_or_create.

Hi @Andrew-Chen-Wang - when refresh.blacklist() is called it creates new outstanding token if it doesn't exist yet, and blacklists it immediately. While that is correct, the outstanding token gets created only at the moment it gets blacklisted as well.

Ideally a newly issued refresh token (if rotation is enabled) should be placed in the list of outstanding tokens immediately.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

ajaiau0 picture ajaiau0  路  8Comments

mbl-sme picture mbl-sme  路  3Comments

parmeshbhande picture parmeshbhande  路  6Comments

robd003 picture robd003  路  6Comments

mosi-kha picture mosi-kha  路  6Comments