Link

What is Blacklist?

Blacklist is used to revoke a specific token so that it can be no longer access your endpoints.

Blacklisting works by providing blacklist. This blacklist’s method to check revoked called when token tries to access endpoint. If the blacklist’s method says that the token is revoked, we will reject request.

basically we provides InMemoryBlacklist and RedisBlacklist. or you can create your own blacklist by inherit BlacklistABC

Blacklist and Token Revoking

Table of contents

  1. What is Blacklist?
  2. Configuration
  3. Protect Views
  4. Revoke Tokens
  5. Built-In Blacklist Class
    1. InMemoryBlacklist
    2. RedisBlacklist
  6. Creating Your Own Blacklist Class
  7. Full Example Code

Configuration

First, you should enable use_blacklist option

with JWT.initialize(app) as manager:
    manager.config.use_blacklist = True

Then, provide instanciable blacklist class (not instance). if not provided, extension will use InMemoryBlacklist by default

with JWT.initialize(app) as manager:
    manager.config.blacklist_class = RedisBlacklist

Find more about configuration

Protect Views

There is nothing to configure to check revoked tokens. decorator automatically rejects revoked token if use_blacklist is True

Revoke Tokens

If you want to revoke specific token, just use revoke method of passedd token object.

@app.route("/protected", methods=["GET"])
@jwt_optional
async def protected(request, token):
    await token.revoke()

Built-In Blacklist Class

InMemoryBlacklist

Do not use in production environment!

This blacklist uses python list as a token storage. revoked token’s jti will be contained.

RedisBlacklist

This blacklist uses redis as a token storage. When token revoked, this blacklist stores token’s jti with expiration.

To use RedisBlacklist, you shoudl connection info to JWT.config.blacklist_init_kwargs

with JWT.initialize(app) as manager:
    manager.config.blacklist_init_kwargs = {
        "connection_info": {
            "address": "redis://:@{my_redis_host}:{my_redis_port}",
            "minsize": 5,
            "maxsize": 10,
        }
    }

Creating Your Own Blacklist Class

DON’T PANIC!

Creating your own blacklist is very easy. Just inherit BlacklistABC and implements register and is_blacklisted

class FooBarBlacklist(BlacklistABC):
    def __init__(self):
        pass

    async def register(self, token: Token):
        pass

    async def is_blacklisted(self, token: Token):
        pass

Full Example Code

import uuid

from sanic import Sanic
from sanic.response import json
from sanic.request import Request

from sanic_jwt_extended import JWT, jwt_required
from sanic_jwt_extended.tokens import Token

app = Sanic(__name__)


with JWT.initialize(app) as manager:
    manager.config.secret_key = "secret"
    manager.config.use_blacklist = True


@app.route("/login", methods=["POST"])
async def login(request: Request):
    username = request.json.get("username", "user")

    access_token = JWT.create_access_token(identity=username)

    return json(
        dict(access_token=access_token), status=200
    )


@app.route("/logout", methods=["POST"])
@refresh_jwt_required
async def logout(request: Request, token: Token):

    JWT.revoke(token)

    return json(
        dict(msg="Goodbye"), status=200
    )


@app.route("/protected", methods=["GET"])
@jwt_required
async def protected(request: Request, token: Token):
    return json(dict(identity=token.identity, type=token.type, raw_data=token.raw_data, exp=str(token.exp)))


if __name__ == "__main__":
    app.run()