I am making an app in flask.
from flask import Flask, request
from flask_login import current_user, login_required, logout_user
from flask_security import auth_required

app = Flask(__name__)
# Security/user datastore setup is not shown in the question.

@app.route("/home")
@login_required
@auth_required("token")
def home():
    # Return a single string; a tuple would be read by Flask as (body, status).
    return f"You are logged in as {current_user.email}"

# Both branches below are reachable only if POST is allowed on the route.
@app.route("/manual_logout", methods=["GET", "POST"])
@login_required
@auth_required("token")
def manual_logout():
    if request.method == "GET":
        logout_user()
        return "method GET logged you out"
    if request.method == "POST":
        logout_user()
        return "method POST logged you out"
I am logging in using Flask's /login endpoint. It returns an authentication token. After logging in I call the home API; it successfully shows "You are logged in" and the current user's email.
When I log out, either using /manual_logout or /logout, the authentication token is still valid and I can still see the current user's email.
I don't know what I am doing wrong.
For the record - Flask doesn't have a /login - I assume you are using Flask-Login and Flask-Security (always good to put in which versions as well).
However - you are correct - auth_tokens aren't revoked on logout - logout_user really just handles invalidating the session cookie. Use of auth_token for authorization is meant more for scripting etc - you really shouldn't use that for a browser-based application.
In Flask-Security-Too - you can set the TTL of an auth token, and by default, if you change your password, existing sessions and auth_tokens will be revoked.
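The behaviour in the answer follows from how auth tokens work: a token is a signed, self-contained credential, and logout_user only tears down session state, so the token keeps verifying until it either expires (the TTL, SECURITY_TOKEN_MAX_AGE in Flask-Security-Too) or the per-user value it was minted against changes (what a password change does via the user's fs_uniquifier). The following is an added, dependency-free illustration of that mechanism, not Flask-Security-Too's own code: the HMAC token format, the user store, SECRET_KEY and the names issue_token, verify_token, logout_session and revoke_tokens are all constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side secret; a real deployment loads it from config.
SECRET_KEY = b"constructed-secret-key-for-demo-only"

# Constructed user store. "uniquifier" plays the role Flask-Security-Too's
# fs_uniquifier plays: a per-user random value embedded in every token.
USERS = {
    1: {"email": "alice@example.com", "uniquifier": secrets.token_hex(16)},
}

# Server-side session table, standing in for the session cookie store.
SESSIONS = {}


def _sign(payload):
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_token(user_id, now=None):
    """Mint a stateless token: urlsafe_b64(payload) + "." + urlsafe_b64(hmac)."""
    user = USERS[user_id]
    claims = {"uid": user_id, "u": user["uniquifier"], "iat": now or time.time()}
    body = json.dumps(claims).encode()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(_sign(body)).decode())


def verify_token(token, max_age=None, now=None):
    """Return the user dict if the token is valid, else None.

    Checks, in order: signature, that the embedded uniquifier still matches
    the stored one (rotation revokes every token minted before it), and,
    when max_age is given, token age (the TTL the answer refers to).
    """
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        claims = json.loads(body)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    if not isinstance(claims, dict):
        return None
    user = USERS.get(claims.get("uid"))
    embedded = claims.get("u")
    if user is None or not isinstance(embedded, str):
        return None
    if not hmac.compare_digest(user["uniquifier"].encode(), embedded.encode()):
        return None
    if max_age is not None:
        issued_at = claims.get("iat", 0)
        if not isinstance(issued_at, (int, float)) or (now or time.time()) - issued_at > max_age:
            return None
    return user


def login_session(user_id):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user_id
    return sid


def logout_session(sid):
    # The analogue of logout_user: only the session is invalidated.
    SESSIONS.pop(sid, None)


def revoke_tokens(user_id):
    # The analogue of rotating fs_uniquifier (e.g. on password change):
    # every token carrying the old value now fails verification.
    USERS[user_id]["uniquifier"] = secrets.token_hex(16)


def demo():
    """Walk through the scenario from the question and return what each step yields."""
    sid = login_session(1)
    token = issue_token(1, now=1000.0)
    results = {"token_before_logout": verify_token(token) is not None}
    logout_session(sid)
    results["session_after_logout"] = sid in SESSIONS          # False
    results["token_after_logout"] = verify_token(token) is not None  # still True
    results["token_expired"] = verify_token(token, max_age=3600, now=1000.0 + 7200) is not None
    revoke_tokens(1)
    results["token_after_revoke"] = verify_token(token) is not None  # False
    return results


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the sequence the question describes: the session is gone after logout but the token still verifies, and only a TTL or rotating the per-user value makes it fail. Treating the token as session-equivalent in a browser app therefore gives a credential that outlives logout, which is why the answer steers browser clients to the session cookie.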