cardosofelipe/eventspace
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add token revocation mechanism and support for logout APIs

Browse Source 
This commit introduces a system to revoke tokens by storing their `jti` in a new `RevokedToken` model. It includes APIs for logging out (revoking a current token) and logging out from all devices (revoking all tokens). Additionally, token validation now checks revocation status during the decode process.
This commit is contained in:
Felipe Cardoso
2025-02-28 17:45:33 +01:00
parent aa77752981
commit 8814dc931f
8 changed files with 270 additions and 208 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
backend/app/models/__init__.py
View File

@@ -29,7 +29,7 @@ from .gift import (
from .email_template import EmailTemplate, TemplateType
from .notification_log import NotificationLog, NotificationType, NotificationStatus
from .activity_log import ActivityLog, ActivityType
from .token import RevokedToken
# Make sure all models are imported above this line
__all__ = [
'Base', 'TimestampMixin', 'UUIDMixin',
@@ -40,4 +40,5 @@ __all__ = [
'EmailTemplate', 'TemplateType',
'NotificationLog', 'NotificationType', 'NotificationStatus',
'ActivityLog', 'ActivityType',
'RevokedToken',
]

15
backend/app/models/token.py
View File

@@ -0,0 +1,15 @@
from sqlalchemy import Column, String, ForeignKey
from sqlalchemy.dialects.postgresql import UUID
from sqlalchemy.orm import relationship
from app.models.base import Base, TimestampMixin, UUIDMixin
class RevokedToken(UUIDMixin, TimestampMixin, Base):
"""Model to store revoked JWT tokens via their jti (JWT ID)."""
__tablename__ = "revoked_tokens"
jti = Column(String(length=50), nullable=False, unique=True, index=True)
token_type = Column(String(length=20), nullable=False)
user_id = Column(UUID(as_uuid=True), ForeignKey("users.id", ondelete="CASCADE"))
user = relationship("User", back_populates="revoked_tokens")

1
backend/app/models/user.py
View File

@@ -25,6 +25,7 @@ class User(Base, UUIDMixin, TimestampMixin):
foreign_keys="EventManager.user_id"
)
guest_profiles = relationship("Guest", back_populates="user", foreign_keys="Guest.user_id")
revoked_tokens = relationship("RevokedToken", back_populates="user", cascade="all, delete")
def __repr__(self):
return f"<User {self.email}>"