用户更改密码后如何在 Django 中重置 JWT 令牌？

Question

My problem is that I want to refresh or expire the JWT token when someone resets his or her password. My project is in Django rest framework so all I need is an example on how that will happen. I need to be able to make all other tokens invalid

warmest regards.

Answer 1

By default, if you don't update session auth then the user is logged out. If you want to update the session auth here is code

from django.contrib.auth import update_session_auth_hash

#after you change password for User- user
update_session_auth_hash(request, user)

Answer 2

You need to override default token generation procedure.

def jwt_create_payload(user):
    """
    Create JWT claims token.

    To be more standards-compliant please refer to the official JWT standards
    specification: https://tools.ietf.org/html/rfc7519#section-4.1
    """

    issued_at_time = datetime.utcnow()
    expiration_time = issued_at_time + api_settings.JWT_EXPIRATION_DELTA

    payload = {
        'user_id': user.pk,
        'username': '%s-%s' % (user.username + user.password),
        'iat': unix_epoch(issued_at_time),
        'exp': expiration_time
    }

    # It's common practice to have user object attached to profile objects.
    # If you have some other implementation feel free to create your own
    # `jwt_create_payload` method with custom payload.
    if hasattr(user, 'profile'):
        payload['user_profile_id'] = user.profile.pk if user.profile else None,

    # Include original issued at time for a brand new token
    # to allow token refresh
    if api_settings.JWT_ALLOW_REFRESH:
        payload['orig_iat'] = unix_epoch(issued_at_time)

    if api_settings.JWT_AUDIENCE is not None:
        payload['aud'] = api_settings.JWT_AUDIENCE

    if api_settings.JWT_ISSUER is not None:
        payload['iss'] = api_settings.JWT_ISSUER

    return payload

Update JWT_PAYLOAD_HANDLER params in your settings according to new jwt_create_payload function. When you will change your password, your token will become invalid.