Is it possible to revoke user token?

[fiskoner]

Hi! I have read all previous threads about this problem, but solutions there didn't help me.
My problem is: i try to delete user token or blacklist it, but user still can use his token to access my endpoints. All i need is an endpoint where i can provide user_id and my api will revoke all tokens for this user, so he won't be able to access any endpoint with old token, like logging user out

[Andrew-Chen-Wang]

Are you trying to use an API? SimpleJWT IIRC doesn't have an API, but several models that can assist you, which isn't blocked by any kind of assertions or rules in the package's code. Lots of threads are more or less worried about the UI part of it, but it seems like you want to do this programmatically.

If you're trying to block certain users, such as if the is_active flag is already set to False in your user object, that's already taken care of (and in the next release, if my classes give me any time to actually work, then you can customize these authentication rules #279). If you're looking to simply blacklist tokens, then you should use the blacklist app. This way, further usage of a certain token can be flagged.

Blacklisting a token doesn't actually do much in this app, but is something I'll be looking into, so your best bet might just be #279 for now and make a custom Django ORM query to the blacklist app.

---

In case you're confused of this token concept:

The point of stateless token authentication is that we're not saving the client's token in the server. There isn't a "revoke" token method since the token is always valid within its given, cryptographically signed time period. When decrypting the token, we just make sure it's valid and within the time frame allowed for authorization into server endpoints.

Quick question: are you using React or something? If you are, you can check out SimpleJWT's template repo for React. If you're programming on mobile, I'm planning on re-publicizing my mobile app template repository for token authentication again. This might help you understand why "revoking" a token is not necessarily what is allowed.

Sorry if this was confusing; terrible comm skills; lemme know about anything that I can clear up.

[Andrew-Chen-Wang]

Closing as there's a lack of response.