Permanent token authentication for django-rest-framework-jwt

This project has been archived.

The maintainers of this project have marked this project as archived. No new releases are expected.

Project description

:warning: This fork is not currently maintained and will be archived then removed in the future.

drf-jwt-devices

Permanent token feature for Django Rest Framework JWT

By default, JWT tokens have a short lifetime for security reasons, but sometimes you may want to keep a user logged in without having to refresh the auth token every few minutes. For this case, you should consider using permanent token authentication.

Installation

To use, add jwt_devices to your INSTALLED_APPS, and then migrate the project.

Configuration

To enable permanent token authentication, update Django REST framework's default authentication classes list:

REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": [
        "jwt_devices.authentication.PermanentTokenAuthentication"
    ]
}

Next, add a few URLs to your URL patterns, and register the DeviceViewSet:

from django.conf.urls import url
from jwt_devices import views
from rest_framework.routers import DefaultRouter

router = DefaultRouter()
router.register(r'devices', views.DeviceViewSet)

urlpatterns = [
    # ...
    url(r'^device-refresh-token/$', views.device_refresh_token),
    url(r'^device-logout/$', views.device_logout),
] + router.urls

Using the API views

Login & logout view

When using the regular JWT login or the device logout view, use the X-Device-Model header to pass the device model (otherwise, the user agent will be used as the name). After a successful login, the permanent token and the ID of the created device will be returned, for example:

{
  "token": "ads344fdgfd5454yJ0eAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VynRlYW1AYXJhYmVsLmxh",
  "permanent_token": "gfd5454yJ0eAiOiJKV1QiLCJhbGciOiJ",
  "device_id": 1
}

The device_id is used to log out the device, so it should be saved on the front-end side (e.g., in local storage).

To log out a device, make a DELETE request to rest_framework_jwt.views.device_logout, passing the device's ID in the Device-Id header to identify the device.

Refresh JWT token using permanent token

To refresh the JWT token, pass the Permanent-Token header along with the request to identify the device. On success, the response will return a new JWT token (the same as it does after login).

If the permanent token has expired, the device will be logged out, and you will need to log in again to obtain a new permanent token. To customize the expiration time and expiration accuracy, use the settings listed in the Settings section below in your REST_FRAMEWORK configuration in settings.py.

PermittedHeadersMiddleware

Because the content of a permanent token is very sensitive, it should only be sent when necessary. To avoid accidentally sending the permanent token with every request, the jwt_devices.middleware.PermittedHeadersMiddleware can be used. This middleware checks for the Permanent-Token header and ensures it is only sent to the jwt_devices.views.DeviceRefreshJSONWebToken view. Otherwise, it returns a 400 Bad Request.

To use jwt_devices.middleware.PermittedHeadersMiddleware in your application, add jwt_devices.middleware.PermittedHeadersMiddleware to your MIDDLEWARE (or MIDDLEWARE_CLASSES if you're on Django < 1.10) in the Django settings.
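The check this middleware performs, sketched as a standard-library WSGI wrapper; this is an added example, not the project's Django middleware. It assumes the refresh view is mounted at /device-refresh-token/ as in the URL patterns above and matches on the request path rather than the resolved view; PermanentTokenGuard, demo_app and status_for are hypothetical names.

```python
REFRESH_PATH = "/device-refresh-token/"   # route from the URL patterns on this page
HEADER_KEY = "HTTP_PERMANENT_TOKEN"       # WSGI environ name of the Permanent-Token header


class PermanentTokenGuard:
    """WSGI wrapper: reject Permanent-Token on any path except the refresh route."""

    def __init__(self, app, allowed_paths=(REFRESH_PATH,)):
        self.app = app
        self.allowed_paths = frozenset(allowed_paths)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if HEADER_KEY in environ and path not in self.allowed_paths:
            body = b'{"detail": "Permanent-Token header is not permitted here."}'
            start_response("400 Bad Request", [
                ("Content-Type", "application/json"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        # Header absent, or sent to the refresh route: pass the request through.
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed downstream app standing in for the Django project."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def status_for(path, headers=None):
    """Drive the guard with a constructed request and return the status line."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": path}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    seen = []
    PermanentTokenGuard(demo_app)(environ, lambda status, hdrs: seen.append(status))
    return seen[0]


if __name__ == "__main__":
    sample = {"Permanent-Token": "constructed-sample-value"}
    print(status_for(REFRESH_PATH, sample))   # refresh route: allowed
    print(status_for("/devices/", sample))    # any other route: rejected
```

The rejection happens after the header has already been transmitted, so the check surfaces client mistakes rather than preventing the exposure.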

Settings

  • JWT_PERMANENT_TOKEN_AUTH – enable/disable permanent token authentication (default: True)
  • JWT_PERMANENT_TOKEN_EXPIRATION_DELTA – how long the permanent token remains valid (default: datetime.timedelta(days=7))
  • JWT_PERMANENT_TOKEN_EXPIRATION_ACCURACY – the accuracy of updating the permanent token’s last request time to reduce database queries (default: datetime.timedelta(minutes=30))
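How the two expiration settings interact, as an added model that is not taken from the project's source. It assumes validity is measured from the stored last request time and that this time is rewritten at most once per accuracy window; DeviceRecord, use_permanent_token and simulate are hypothetical names.

```python
from datetime import datetime, timedelta

EXPIRATION_DELTA = timedelta(days=7)          # default JWT_PERMANENT_TOKEN_EXPIRATION_DELTA
EXPIRATION_ACCURACY = timedelta(minutes=30)   # default JWT_PERMANENT_TOKEN_EXPIRATION_ACCURACY


class DeviceRecord:
    """Stand-in for a stored device row (hypothetical, not the project's model)."""

    def __init__(self, created):
        self.last_request = created
        self.writes = 0          # simulated database updates
        self.logged_out = False


def use_permanent_token(device, now):
    """Return True if the token is accepted at `now` (assumed semantics)."""
    if device.logged_out:
        return False
    idle = now - device.last_request
    if idle > EXPIRATION_DELTA:
        device.logged_out = True     # expired: the device is logged out
        return False
    if idle >= EXPIRATION_ACCURACY:
        device.last_request = now    # coarse update: one write per window
        device.writes += 1
    return True


def simulate(offsets_minutes, start=datetime(2024, 1, 1)):
    """Replay constructed request times (minutes after start) against one device."""
    device = DeviceRecord(start)
    results = []
    for minutes in offsets_minutes:
        results.append(use_permanent_token(device, start + timedelta(minutes=minutes)))
    return results, device


if __name__ == "__main__":
    # 25 requests over two hours cause only 4 writes.
    print(simulate(range(0, 121, 5))[1].writes)
    # A use at minute 29 is not recorded, so the token expires 7 days after
    # minute 0, even though it was last used 19 minutes more recently.
    print(simulate([0, 29, 7 * 24 * 60 + 10])[0])
```

Under these assumptions, a larger accuracy value saves writes but lets a token expire up to that much earlier than its true last use would imply.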

Support

  • Django 1.8 - 1.11
  • Django Rest Framework 3.1 - 3.8
  • Python 3.4 - 3.6

Download files

Source Distribution

drf_jwt_devices-1.2.3.tar.gz (12.3 kB), source

Built Distribution

drf_jwt_devices-1.2.3-py2.py3-none-any.whl (12.7 kB), Python 2 and Python 3
