Is your feature request related to a problem? Please describe.
Mentorship system uses JWT tokens for authentication. Tokens have an expiry period of 1 week, after which a new token is needed. This is done either by login or refresh. However, I found out that the backend has no /logout endpoint. When a user logs out in the front end, the app just lets go of the token and user data. One can generate any number of tokens because tokens don't expire except from timeout. It's possible for someone to harvest an existing token and misuse it. I think this would've been a more serious issue had we made a web front end, but this should be investigated.

Describe the solution you'd like
Create a /logout endpoint which is triggered when the user logs out in the mobile app.
Describe alternatives you've considered
Use a managed auth service like firebase. But that would be like re-inventing the wheel at this stage.
Additional context
Reference
https://stackoverflow.com/questions/36294359/is-logout-useless-on-a-rest-api
https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen
No idea of how this can be done, but if anyone wants to try 🤷🏾♀️ you go ahead!
Hello @isabelcosta! I want to give this issue a try because nobody seems interested. There are so many things I don't know yet, so I don't know if I can solve this problem. But if I want to give up, I'll tell you right away!
Oh, and I'm trying to add a logout endpoint in the backend system instead of the mobile app. Is this the right direction for this issue?
Hey @hongsungin92, there is no problem if you don't know exactly how to solve this issue; research is part of your work. I don't know either how to do this :P
One of the things that comes to my mind is invalidating the user access token, so if you log out from the mobile app, the app exits, but if you were to use the token that was being used... on the backend, it would still be valid to return user data. So we want an endpoint that will make sure that, once called in the frontend (mobile app), no one can use the access token that the user was using (this token that was still valid from the expiry date perspective, but should be invalidated).
I will assign this issue to you, feel free to share your thoughts/research/progress here or on our Zulip so that others can also help you ;)
Okay, thank you @isabelcosta! I will research and share the progress.
First of all, I've made a logout endpoint!
Referring to https://flask-jwt-extended.readthedocs.io/en/stable/blacklist_and_token_revoking/
If the logout endpoint is used, all of the user's access tokens and refresh tokens will be invalidated (revoked) on the backend, so no one can use the access tokens and the refresh tokens if the user logs out (on the backend).
But I haven't solved that "once called in the frontend (mobile app), no one can use the access token that the user was using" yet.
(I don't know much about mobile apps (frontend), so I don't know the meaning of "called in the frontend".)
Is it the right direction for me to work on? Shall I send a PR? @isabelcosta
Have a nice weekend!
@epicadk can you please check this issue. It is somewhat related to JWT and you know better about the topic :smile:
It wouldn't make sense to store the access tokens, because then the API wouldn't remain stateless. We can store the refresh tokens in the database; however, that would require additional storage compared to the alternative, which is using the user's hashed password to sign the tokens and, if a refresh token is compromised, having the user change their password.
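To make the two options discussed in this thread concrete (the revocation list behind the flask-jwt-extended blocklist pattern from the earlier comment, and signing tokens with a key derived from the user's password hash from the comment above), here is an added, self-contained example that is not part of the mentorship backend; it uses only the standard library, and the function names, the constructed server secret and the sample password hashes are hypothetical:

```python
# Added example, not the project's code: a minimal HS256-style token with the
# two invalidation strategies from this thread. All names are hypothetical.
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Strategy B: derive the per-user signing key from the stored password hash,
# so changing the password changes the key and every old token stops verifying.
def signing_key(server_secret: bytes, password_hash: str) -> bytes:
    return hmac.new(server_secret, password_hash.encode(), hashlib.sha256).digest()

def issue_token(key: bytes, sub: str, ttl_s: int = 7 * 24 * 3600) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "jti": secrets.token_hex(8), "exp": int(time.time()) + ttl_s}
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

# Strategy A (blocklist pattern): /logout records the token's jti; this is the
# server-side state the comment above points out a stateless API would avoid.
revoked_jtis: set = set()

def logout(token: str) -> None:
    _, body, _ = token.split(".")
    revoked_jtis.add(json.loads(_unb64(body))["jti"])

def verify(key: bytes, token: str, now: Optional[int] = None) -> Optional[dict]:
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None  # tampered, or key changed because the password changed (B)
    claims = json.loads(_unb64(body))
    if claims["exp"] <= (now if now is not None else int(time.time())):
        return None  # past the 1-week expiry the issue describes
    if claims["jti"] in revoked_jtis:
        return None  # revoked by /logout (A)
    return claims
```

Note that strategy B invalidates every token of that user at once, while strategy A can revoke a single token but needs the revocation set to be shared by all backend instances.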
I also agree with the points mentioned above.
@isabelcosta consider reopening if needed.