from datetime import datetime from datetime import timedelta from datetime import timezone from flask import Flask from flask import jsonify from flask_sqlalchemy import SQLAlchemy from flask_jwt_extended import create_access_token from flask_jwt_extended import get_jwt from flask_jwt_extended import jwt_required from flask_jwt_extended import JWTManager app = Flask(__name__) ACCESS_EXPIRES = timedelta(hours=1) app.config["JWT_SECRET_KEY"] = "super-secret" # Change this! app.config["JWT_ACCESS_TOKEN_EXPIRES"] = ACCESS_EXPIRES jwt = JWTManager(app) # We are using an in memory database here as an example. Make sure to use a # database with persistent storage in production! app.config["SQLALCHEMY_DATABASE_URI"] = "sqlite://" app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = False db = SQLAlchemy(app) # This could be expanded to fit the needs of your application. For example, # it could track who revoked a JWT, when a token expires, notes for why a # JWT was revoked, an endpoint to un-revoked a JWT, etc. # Making jti an index can significantly speed up the search when there are # tens of thousands of records. Remember this query will happen for every # (protected) request, # If your database supports a UUID type, this can be used for the jti column # as well class TokenBlocklist(db.Model): id = db.Column(db.Integer, primary_key=True) jti = db.Column(db.String(36), nullable=False, index=True) created_at = db.Column(db.DateTime, nullable=False) # Callback function to check if a JWT exists in the database blocklist @jwt.token_in_blocklist_loader def check_if_token_revoked(jwt_header, jwt_payload: dict) -> bool: jti = jwt_payload["jti"] token = db.session.query(TokenBlocklist.id).filter_by(jti=jti).scalar() return token is not None @app.route("/login", methods=["POST"]) def login(): access_token = create_access_token(identity="example_user") return jsonify(access_token=access_token) # Endpoint for revoking the current users access token. Saved the unique # identifier (jti) for the JWT into our database. @app.route("/logout", methods=["DELETE"]) @jwt_required() def modify_token(): jti = get_jwt()["jti"] now = datetime.now(timezone.utc) db.session.add(TokenBlocklist(jti=jti, created_at=now)) db.session.commit() return jsonify(msg="JWT revoked") # A blocklisted access token will not be able to access this any more @app.route("/protected", methods=["GET"]) @jwt_required() def protected(): return jsonify(hello="world") if __name__ == "__main__": db.create_all() app.run()