How to log out using Flask (Python)?
I took over an existing Flask (Python) API project, a framework I had never worked with before, and I have to hand it in very soon.
While reading the code I ran into one problem: logging out. I have no idea how to log out once a user has logged in. The only solution I could think of was to delete the JWT that is issued at login, but I had no idea how to do that.
Any idea how to solve this? New approaches are more than welcome.
app = Flask(__name__)
# Enables CORS for every origin. The commented-out line below shows how to
# restrict it to one origin; browser clients that send credentials should get
# an explicit origin list rather than '*'.
CORS(app)
# cors = CORS(app, resource={r'*': {'origins': 'http://localhost:4200'}})
bcrypt = Bcrypt(app)
# SECURITY: a hard-coded, published signing key lets anyone who reads the
# source forge access tokens for any identity/role. Load it from the
# environment or a secrets store before deploying. Rotating the key
# invalidates every outstanding token.
app.config["JWT_SECRET_KEY"] = "super-secret" # Change this!
jwt = JWTManager(app)
Base.metadata.create_all(engine)
# One module-level session shared by every view below; the views call
# session.close() when they are done and then reuse it on the next request.
# NOTE(review): this is one Session object shared across threads/requests,
# not a per-request scoped session — confirm the deployment is single-threaded
# or switch to a scoped/request-local session.
session = Session()
@app.route('/')
def get_status():
    """Liveness probe: answer with a fixed plain-text message."""
    message = 'API is working!'
    return message
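@app.route('/login', methods=['POST'])
def post_login():
    """Issue a JWT access token for valid form credentials.

    Reads ``email`` and ``password`` from the POST form. On success returns
    ``{"access_token": ...}`` whose identity is the user dumped with
    ``UserSchema(only=('email', 'role'))``; otherwise a plain-text ``401``.

    The same 401 body is used for a missing field, an unknown email and a
    wrong password so the response does not reveal which part failed.
    """
    email = request.form.get('email')
    password = request.form.get('password')
    # Missing fields can never authenticate; bail out before touching the DB
    # or bcrypt (handing None to check_password_hash would likely raise and
    # turn a bad request into a 500).
    if not email or not password:
        return 'Invalid email or password', 401
    try:
        user_object = session.query(User).filter(User.email == email).first()
        if user_object is None or not bcrypt.check_password_hash(
            user_object.password, password
        ):
            return 'Invalid email or password', 401
        # transforming into JSON-serializable objects
        schema = UserSchema(many=False, only=('email', 'role'))
        user = schema.dump(user_object)
    finally:
        # The original closed only on the success path; close on every path so
        # the shared module-level session never keeps a dangling transaction.
        session.close()
    # NOTE(review): the identity is a dict, so ``role`` travels inside the token
    # and get_all_users trusts it — a role change in the DB does not affect
    # already-issued tokens. Newer PyJWT releases also require the ``sub``
    # claim to be a string; confirm the pinned version accepts a dict identity.
    access_token = create_access_token(identity=user)
    return jsonify(access_token=access_token)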
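# Revoked token ids (``jti`` claims). This set is process-local: entries vanish
# on restart and are not shared between workers, so a deployment with more
# than one process should keep them in the database or a shared cache,
# dropping each entry once its token would have expired anyway.
_revoked_jtis: set[str] = set()


@jwt.token_in_blocklist_loader
def _is_token_revoked(jwt_header, jwt_payload):
    """Tell Flask-JWT-Extended whether a presented token has been revoked.

    Invoked by the extension on every ``@jwt_required()`` view; returning
    True makes it reject the request with 401.
    """
    return jwt_payload["jti"] in _revoked_jtis


@app.route("/logout", methods=["DELETE"])
@jwt_required()
def logout():
    """Revoke the caller's current access token.

    JWTs are stateless, so "logging out" means remembering this token's
    ``jti`` on the server; ``_is_token_revoked`` then rejects it on later
    requests. The client should discard its own copy of the token as well.
    """
    # Local import: the file's import block is outside this view, and
    # flask_jwt_extended is already a dependency of this module.
    from flask_jwt_extended import get_jwt

    _revoked_jtis.add(get_jwt()["jti"])
    return jsonify(msg="Access token revoked")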
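@app.route('/register', methods=['POST'])
@jwt_required()
def register_user():
    """Create a user from the POST form (``email``, ``password``, ``role``).

    Returns 201 on success and 400 when a field is missing or the email is
    already taken. Requires a valid access token; the caller's role is not
    checked.
    """
    email = request.form.get('email')
    password = request.form.get('password')
    role = request.form.get('role')
    # bcrypt cannot hash None and an empty email/role would create an
    # unusable row; reject early with a 400 instead of failing with a 500.
    if not email or not password or not role:
        return 'Missing email, password or role', 400
    # SECURITY(review): ``role`` is caller-supplied and never validated, so any
    # authenticated user can create an 'admin' account (get_all_users trusts
    # that value). Restrict this endpoint to admins and/or allow-list roles.
    # NOTE(review): uuid1() embeds the host's MAC address and a timestamp in
    # the id; uuid4() would avoid leaking those if ids are ever exposed.
    user_uuid = uuid_library.uuid1()
    password_hash = bcrypt.generate_password_hash(password).decode('utf-8')
    try:
        # Check for an existing email before building the new row.
        user_object = session.query(User).filter(User.email == email).first()
        if user_object is not None:
            return 'User with this email already exists', 400
        user = User(user_uuid, email, password_hash, role, "HTTP post request")
        # persist the new user
        session.add(user)
        session.commit()
    finally:
        # Close on every path, including an exception raised by commit(), so
        # the shared module-level session does not keep a dangling transaction.
        session.close()
    return jsonify('User has been registered'), 201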
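@app.route('/user/<email>', methods=['DELETE'])
@jwt_required()
def delete_user(email):
    """Delete the user whose email is given in the path.

    Returns 200 after deleting and 400 when no such user exists. Any holder
    of a valid access token may call this.
    """
    # SECURITY(review): there is no role or ownership check, so any
    # authenticated user can delete any account (admins included); gate this
    # on the caller's role the way get_all_users does.
    try:
        user_object = session.query(User).filter(User.email == email).first()
        if user_object is None:
            # Message kept verbatim (typo included) for client compatibility.
            return 'User does not exists', 400
        session.delete(user_object)
        session.commit()
    finally:
        # Close on every path; the original skipped close() if commit() raised.
        session.close()
    return jsonify('User has been deleted'), 200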
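@app.route('/users', methods=['GET'])
@jwt_required()
def get_all_users():
    """List every user; only tokens whose identity carries role 'admin' may.

    Returns a JSON array of dumped users, or plain-text 401 otherwise (kept
    from the original; 403 would describe "authenticated but not allowed"
    more precisely).
    """
    current_user = get_jwt_identity()
    # The identity is whatever post_login put in the token. A token whose
    # identity is not a dict, or lacks 'role', used to raise (TypeError /
    # KeyError → 500); treat it as not authorized instead.
    role = current_user.get('role') if isinstance(current_user, dict) else None
    if role != 'admin':
        return 'Not authorized', 401
    try:
        user_objects = session.query(User).all()
        # NOTE(review): no ``only=`` here, unlike post_login — if UserSchema
        # exposes the password column, the hashes are returned; confirm.
        schema = UserSchema(many=True)
        users = schema.dump(user_objects)
    finally:
        session.close()
    return jsonify(users)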
if __name__ == '__main__':
    # Development server only. debug=True turns on the interactive Werkzeug
    # debugger and auto-reload; do not run it this way where the port is
    # reachable by anyone but the developer.
    app.run(debug=True)
Solution 1:[1]
You have to blacklist the token. To do that, create a table in your database, store the blacklisted tokens there, and check against it in your views. The token itself can be kept on the client side.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | murari_sabavath |
