django rest framework - token authentication logout

Question

I have implemented the Token Authentication according to the django rest framework Docs.

Form what I read, the Token Authentication of DRF is quite simple - one token per user, the token doesn't expire and is valid for use always (am I right?).

I understand that there are better practices out there, but for now the DRF token authentication is fine for me.

my question is- what is the best practice for logout with the normal DRF token authentication?

I mean, when the user logs out, should I delete the token from the client side? and then on login get the token again? should I delete the token and generate a new one?

Anyone with experience with this?

Answer 1

WHOLE IDEA OF TOKEN AUTHENTICATION:

Normally in authentication services, there is a lifetime associated with a token. After a specific time, the token will get expired. Here, we get an access token which has an expiry time sent along with it by the server. Now the client needs to send this token everytime in the request header so that the server can identify who the user is. Either we can keep track of when it expires or we can just keep using it until we get an INVALID_TOKEN error. In that case we would have to again get the token from the server.

The lifetime of the access_token is independent of the login session of a user who grants access to a client. OAuth2,lets say, has no concept of a user login or logout, or a session. The token is just used to identify the user if he is who he says he is.

The token is unique for a user and client. You may save it to cookies to enable something like remember me but on the server you don't need to delete it. Whenever the token expires, the client need to send a request to the server to obtain the token again.

Token Expiry in DRF Token Authetication:

Currently, DRF Token authentication does not support this functionality. You would have to implement it yourself or use a third party package which provides this functionality. It should check for token expiry and raise an exception if the token has expired.

To implement it yourself, you can subclass from the DRF Token Authentication class and add your logic.
You can even use a third-party package django-rest-framework-expiring-tokens.

Some References:
1. Token Authentication for RESTful API: should the token be periodically changed?
2. How to Logout of an Application Where I Used OAuth2 To Login With Google?

Answer 2

It sounds like SessionAuthentication is what you are really looking. You can start(login) a session via BasicAuthentication or TokenAuthentication. Then use sessionid as your "token" for the rest of api calls. The "token" expires when you logout or exceed certain timing.

If you run into csrftoken issue using session authentication, this could be a very helpful.

Answer 3

Here's a simple view that I'm using to log out:

from rest_framework import status
from rest_framework.response import Response
from rest_framework.views import APIView

class Logout(APIView):
    def get(self, request, format=None):
        # simply delete the token to force a login
        request.user.auth_token.delete()
        return Response(status=status.HTTP_200_OK)

Then add it to your urls.py:

urlpatterns = [
    ...
    url(r'^logout/', Logout.as_view()),
]