Logout Refresh/Access Token #152

kunkoala asked this question in Q&A on Jan 13, 2025 (2 comments). Answered by igorbenav.

kunkoala
Jan 13, 2025

Hi all,

first of all massive credit and big thanks to author @igorbenav for creating this fastAPI-boilerplate, as I could learn so much from your code!

If you don't mind I have a small question regarding the logout feature with the blacklisting of refresh tokens.

In the log-out function, it accepts the access_token as input from the oauth2_scheme, which they grab from the authorization header if I'm not wrong. So here, this line of code blacklisted the access token instead of the refresh token. Is it supposed to be like that so that the logout will only apply for that one device? Why decide on blacklisting the access token instead of the refresh token?

```python
from fastapi import Depends, Response
from jose import JWTError

# blacklist_token, oauth2_scheme, async_get_db, router and UnauthorizedException
# are the boilerplate's own helpers; their imports were omitted from the posted snippet.


@router.post("/logout")
async def logout(
    response: Response,
    access_token: str = Depends(oauth2_scheme),  # bearer token taken from the Authorization header
    db: AsyncSession = Depends(async_get_db),
) -> dict[str, str]:
    try:
        # This is the line in question: it blacklists the access token, not the refresh token.
        await blacklist_token(token=access_token, db=db)
        # Only instructs the browser to drop the cookie; the refresh token itself stays valid server-side.
        response.delete_cookie(key="refresh_token")

        return {"message": "Logged out successfully"}

    except JWTError:
        raise UnauthorizedException("Invalid token.")
```

Thank you beforehand! Answers will be really appreciated for my learning and understanding :)


igorbenav
Jan 13, 2025
Maintainer

Hey, @kunkoala, hope you're well!

You're correct, this is a bug. This actually happened because I started the template with just an access token (it was a bit longer lived than it currently is), so to logout I just needed to blacklist it. Once I changed to using an access and refresh, I forgot to change this part. Would you like to fix it?

Great catch btw!


kunkoala
Jan 13, 2025
Author

Thanks for the explanation! @igorbenav

I thought it was somehow intended, so that access tokens would be blacklisted only for that specific device. I'm still learning a lot about how JWT tokens work in general, thanks for clearing my doubts :)

Sure! I will open a pull request in the future.

Category: Q&A. Labels: bug. 2 participants.