-
Hi all, first of all massive credit and big thanks to author @igorbenav for creating this fastAPI-boilerplate, as I could learn so much from your code! If you don't mind, I have a small question regarding the logout feature with the blacklisting of refresh tokens. In the log-out function, it accepts the access_token as input from the oauth2_scheme, which it grabs from the Authorization header if I'm not wrong. So here, this line of code blacklists the access token instead of the refresh token. Is it supposed to be like that so that the logout will only apply for that one device? Why decide on blacklisting the access token instead of the refresh token?

```python
@router.post("/logout")
async def logout(
    response: Response, access_token: str = Depends(oauth2_scheme), db: AsyncSession = Depends(async_get_db)
) -> dict[str, str]:
    try:
        # blacklists the bearer access token; the refresh_token cookie is only deleted, not blacklisted
        await blacklist_token(token=access_token, db=db)
        response.delete_cookie(key="refresh_token")
        return {"message": "Logged out successfully"}
    except JWTError:
        raise UnauthorizedException("Invalid token.")
```

Thank you beforehand! Answers will be really appreciated for my learning and understanding :)
Replies: 2 comments
-
Hey, @kunkoala, hope you're well! You're correct, this is a bug. This actually happened because I started the template with just an access token (it was a bit longer lived than it currently is), so to logout I just needed to blacklist it. Once I changed to using an access and refresh, I forgot to change this part. Would you like to fix it? Great catch btw!
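Why the bug matters, as an added example that is not the project's code: a stand-alone model of the access/refresh flow with stdlib-only HS256 tokens and an in-memory blacklist (both constructed here, with hypothetical names such as create_token, refresh_access, logout_buggy and logout_fixed standing in for the template's helpers and database). It shows that blacklisting only the bearer access token leaves the refresh cookie able to mint a new access token, while revoking the refresh token as well actually ends the session.

```python
import base64, hashlib, hmac, json, secrets, time
SECRET = b"demo-secret-not-for-production"  # constructed for this example only
def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def create_token(sub: str, token_type: str, ttl: int) -> str:
    """Mint a minimal HS256 JWT (hypothetical stand-in for the template's token helpers)."""
    claims = {"sub": sub, "token_type": token_type, "exp": int(time.time()) + ttl, "jti": secrets.token_hex(8)}
    header, payload = _b64(b'{"alg":"HS256","typ":"JWT"}'), _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str, blacklist: set[str]) -> dict:
    """Check signature, expiry and the blacklist; raise ValueError on any failure."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] < time.time() or token in blacklist:
        raise ValueError("expired or revoked")
    return claims

def refresh_access(refresh_token: str, blacklist: set[str]) -> str:
    # What a /refresh endpoint does: accept a live refresh token and mint a new access token.
    claims = verify_token(refresh_token, blacklist)
    if claims["token_type"] != "refresh":
        raise ValueError("not a refresh token")
    return create_token(claims["sub"], "access", ttl=60)

def logout_buggy(access_token: str, refresh_token: str, blacklist: set[str]) -> None:
    """Mirrors the snippet in the question: only the bearer access token is blacklisted."""
    blacklist.add(access_token)

def logout_fixed(access_token: str, refresh_token: str, blacklist: set[str]) -> None:
    """Revoke the refresh token from the cookie as well as the access token from the header."""
    blacklist.update({access_token, refresh_token})

def session_survives_logout(logout) -> bool:
    """True if, after logout, the refresh token can still mint a working access token."""
    blacklist: set[str] = set()
    access = create_token("alice", "access", ttl=60)
    refresh = create_token("alice", "refresh", ttl=3600)
    logout(access, refresh, blacklist)
    try:
        verify_token(refresh_access(refresh, blacklist), blacklist)
        return True
    except ValueError:
        return False
```

With logout_buggy the refresh token still produces valid access tokens after logout; with logout_fixed the refresh call is rejected and both tokens fail verification.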
-
Thanks for the explanation! @igorbenav I thought it was somehow intended so that access tokens are blacklisted only for that specific device. I'm still learning a lot about how JWT tokens work in general, thanks for clearing my doubts :) Sure! I will do a pull request in the future.