Refresh JWT tokens and logout with blacklist

Author: Matheus Galvao

app/middleware/auth_middleware.py

@@ -2,6 +2,7 @@
 from flask import request, jsonify, session, Blueprint
 import jwt
 from config.auth_config import AuthMethod, AuthConfig
+from services.auth_service import blacklisted_tokens
 
 class AuthMiddleware:
     def __init__(self, auth_config: AuthConfig):
@@ -43,6 +44,9 @@ def _handle_jwt(self):
             return jsonify({"error": "JWT token is required"}), 401
 
         token = auth_header.split(' ')[1]
+        if token in blacklisted_tokens:
+            return jsonify({"error": "You have been logged out. Please log in again."}), 401
+        
         try:
             jwt.decode(
                 token, 

app/routes/auth.py

@@ -2,7 +2,7 @@
 import jwt
 import datetime
 from config.auth_config import AuthMethod, AuthConfig
-from services.auth_service import generate_jwt_token, is_username_taken, add_user, signup_user, login_user, logout_user
+from services.auth_service import generate_jwt_token, is_username_taken, add_user, signup_user, login_user, logout_user, blacklist_token, validate_refresh_token, refresh_tokens
 
 auth_bp = Blueprint("auth", __name__)
 auth_config = None
@@ -11,17 +11,6 @@ def init_auth_routes(config: AuthConfig):
     global auth_config
     auth_config = config
 
-def generate_jwt_token(username):
-    return jwt.encode(
-        {
-            "sub": username,
-            "iat": datetime.datetime.utcnow(),
-            "exp": datetime.datetime.utcnow() + datetime.timedelta(days=1)
-        },
-        auth_config.jwt_secret,
-        algorithm="HS256"
-    )
-
 @auth_bp.route("/signup", methods=["POST"])
 def signup():
     if auth_config.auth_method == AuthMethod.API_KEY:
@@ -38,14 +27,42 @@ def login():
     data = request.get_json()
     return login_user(data)
 
+@auth_bp.route("/refresh", methods=["POST"])
+def refresh_token():
+    data = request.get_json()
+    refresh_token = data.get("refresh_token")
+    username = validate_refresh_token(refresh_token)
+    if not username:
+        return jsonify({"error": "Invalid refresh token"}), 401
+    
+    access_token, new_refresh_token = generate_jwt_token(username)
+    
+    # Remove old refresh token and store new one
+    if refresh_token in refresh_tokens:
+        del refresh_tokens[refresh_token]
+    
+    return jsonify({
+        "access_token": access_token,
+        "refresh_token": new_refresh_token
+    }), 200
+
 @auth_bp.route("/logout", methods=["POST"])
 def logout():
     if auth_config.auth_method == AuthMethod.API_KEY:
         return jsonify({"error": "Logout not available with API key authentication"}), 400
 
     elif auth_config.auth_method == AuthMethod.JWT:
-        # JWT is stateless, so we can't really "logout"
-        # In a real application, you might want to blacklist the token
+        auth_header = request.headers.get('Authorization')
+        if auth_header and auth_header.startswith('Bearer '):
+            token = auth_header.split(' ')[1]
+            blacklist_token(token)
+        
+        # Invalidate refresh token
+        data = request.get_json()
+        refresh_token = data.get("refresh_token")
+        if refresh_token in refresh_tokens:
+            del refresh_tokens[refresh_token]
+        
         return jsonify({"message": "Logout successful"})
 
     elif auth_config.auth_method == AuthMethod.SESSION:

app/services/auth_service.py

@@ -1,5 +1,6 @@
 import jwt
 import datetime
+import secrets
 from config.auth_config import AuthConfig, AuthMethod
 from models.user import User
 from flask import session, jsonify
@@ -10,20 +11,37 @@
 # List to store User objects
 users = []
 
+# In-memory store for refresh tokens and blacklisted tokens
+refresh_tokens = {}
+blacklisted_tokens = set()
+
 def init_auth_service(config: AuthConfig):
     global auth_config
     auth_config = config
 
+def generate_refresh_token(username):
+    refresh_token = secrets.token_hex(32)
+    refresh_tokens[refresh_token] = username
+    return refresh_token
+
+def validate_refresh_token(refresh_token):
+    return refresh_tokens.get(refresh_token)
+
+def blacklist_token(token):
+    blacklisted_tokens.add(token)
+
 def generate_jwt_token(username):
-    return jwt.encode(
+    access_token = jwt.encode(
         {
             "sub": username,
             "iat": datetime.datetime.utcnow(),
-            "exp": datetime.datetime.utcnow() + datetime.timedelta(days=1)
+            "exp": datetime.datetime.utcnow() + datetime.timedelta(minutes=15)  # Shorter expiry for access token
         },
         auth_config.jwt_secret,
         algorithm="HS256"
     )
+    refresh_token = generate_refresh_token(username)
+    return access_token, refresh_token
 
 # Function to check if a username already exists
 def is_username_taken(username):
@@ -53,10 +71,11 @@ def login_user(data):
         return jsonify({"error": "Username and password are required"}), 400
 
     if auth_config.auth_method == AuthMethod.JWT:
-        token = generate_jwt_token(data["username"])
+        access_token, refresh_token = generate_jwt_token(data["username"])
         return jsonify({
             "message": "Login successful",
-            "token": token if isinstance(token, str) else token.decode('utf-8')
+            "access_token": access_token,
+            "refresh_token": refresh_token
         })
 
     elif auth_config.auth_method == AuthMethod.SESSION:

test/auth_api_collection.json

@@ -277,17 +277,25 @@
 							"script": {
 								"exec": [
 									"var jsonData = pm.response.json();",
-									"if (jsonData.token) {",
-									"    pm.environment.set('jwt_token', jsonData.token);",
+									"if (jsonData.access_token) {",
+									"    pm.environment.set('jwt_token', jsonData.access_token);",
 									"    console.log('JWT token saved to environment');",
 									"}",
+									"if (jsonData.refresh_token) {",
+									"    pm.environment.set('refresh_token', jsonData.refresh_token);",
+									"    console.log('Refresh token saved to environment');",
+									"}",
 									"",
 									"pm.test('Status code is 200', function() {",
 									"    pm.response.to.have.status(200);",
 									"});",
 									"",
-									"pm.test('Response has token', function() {",
-									"    pm.expect(jsonData.token).to.exist;",
+									"pm.test('Response has access token', function() {",
+									"    pm.expect(jsonData.access_token).to.exist;",
+									"});",
+									"",
+									"pm.test('Response has refresh token', function() {",
+									"    pm.expect(jsonData.refresh_token).to.exist;",
 									"});"
 								],
 								"type": "text/javascript"
@@ -317,7 +325,51 @@
 					}
 				},
 				{
-					"name": "5. Get Todos with JWT",
+					"name": "5. Refresh Token While Logged In",
+					"event": [
+						{
+							"listen": "test",
+							"script": {
+								"exec": [
+									"var jsonData = pm.response.json();",
+									"pm.test('Status code is 200', function() {",
+									"    pm.response.to.have.status(200);",
+									"});",
+									"",
+									"pm.test('Response has new access token', function() {",
+									"    pm.expect(jsonData.access_token).to.exist;",
+									"    pm.environment.set('jwt_token', jsonData.access_token);",
+									"    console.log('New access token saved to environment');",
+									"});"
+								],
+								"type": "text/javascript"
+							}
+						}
+					],
+					"request": {
+						"method": "POST",
+						"header": [
+							{
+								"key": "Content-Type",
+								"value": "application/json",
+								"type": "text"
+							}
+						],
+						"body": {
+							"mode": "raw",
+							"raw": "{\n    \"refresh_token\": \"{{refresh_token}}\"\n}"
+						},
+						"url": {
+							"raw": "http://localhost:8000/auth/refresh",
+							"protocol": "http",
+							"host": ["localhost"],
+							"port": "8000",
+							"path": ["auth", "refresh"]
+						}
+					}
+				},
+				{
+					"name": "6. Get Todos with JWT",
 					"event": [
 						{
 							"listen": "test",
@@ -350,14 +402,22 @@
 					}
 				},
 				{
-					"name": "6. Logout with JWT",
+					"name": "7. Logout with JWT",
 					"event": [
 						{
 							"listen": "test",
 							"script": {
 								"exec": [
+									"// Save the current token as blacklisted_token for later tests",
+									"pm.environment.set('blacklisted_token', pm.environment.get('jwt_token'));",
+									"",
 									"pm.test('Status code is 200', function() {",
 									"    pm.response.to.have.status(200);",
+									"});",
+									"",
+									"pm.test('Logout successful message', function() {",
+									"    var jsonData = pm.response.json();",
+									"    pm.expect(jsonData.message).to.equal('Logout successful');",
 									"});"
 								],
 								"type": "text/javascript"
@@ -366,6 +426,22 @@
 					],
 					"request": {
 						"method": "POST",
+						"header": [
+							{
+								"key": "Content-Type",
+								"value": "application/json",
+								"type": "text"
+							},
+							{
+								"key": "Authorization",
+								"value": "Bearer {{jwt_token}}",
+								"type": "text"
+							}
+						],
+						"body": {
+							"mode": "raw",
+							"raw": "{\n    \"refresh_token\": \"{{refresh_token}}\"\n}"
+						},
 						"url": {
 							"raw": "http://localhost:8000/auth/logout",
 							"protocol": "http",
@@ -376,7 +452,7 @@
 					}
 				},
 				{
-					"name": "7. Try to Get Todos with Invalid JWT (Should Fail)",
+					"name": "8. Try to Get Todos with Invalid JWT (Should Fail)",
 					"event": [
 						{
 							"listen": "test",
@@ -388,7 +464,7 @@
 									"",
 									"pm.test('Error message is correct', function() {",
 									"    var jsonData = pm.response.json();",
-									"    pm.expect(jsonData.error).to.contain('Invalid JWT token');",
+									"    pm.expect(jsonData.error).to.include('Invalid JWT token');",
 									"});"
 								],
 								"type": "text/javascript"
@@ -414,7 +490,87 @@
 					}
 				},
 				{
-					"name": "8. Get API Documentation with JWT",
+					"name": "9. Try to Refresh with Invalidated Token (Should Fail)",
+					"event": [
+						{
+							"listen": "test",
+							"script": {
+								"exec": [
+									"pm.test('Status code is 401', function() {",
+									"    pm.response.to.have.status(401);",
+									"});",
+									"",
+									"pm.test('Error message is correct', function() {",
+									"    var jsonData = pm.response.json();",
+									"    pm.expect(jsonData.error).to.equal('Invalid refresh token');",
+									"});"
+								],
+								"type": "text/javascript"
+							}
+						}
+					],
+					"request": {
+						"method": "POST",
+						"header": [
+							{
+								"key": "Content-Type",
+								"value": "application/json",
+								"type": "text"
+							}
+						],
+						"body": {
+							"mode": "raw",
+							"raw": "{\n    \"refresh_token\": \"{{refresh_token}}\"\n}"
+						},
+						"url": {
+							"raw": "http://localhost:8000/auth/refresh",
+							"protocol": "http",
+							"host": ["localhost"],
+							"port": "8000",
+							"path": ["auth", "refresh"]
+						}
+					}
+				},
+				{
+					"name": "10. Try to Use Blacklisted Token (Should Fail)",
+					"event": [
+						{
+							"listen": "test",
+							"script": {
+								"exec": [
+									"pm.test('Status code is 401', function() {",
+									"    pm.response.to.have.status(401);",
+									"});",
+									"",
+									"pm.test('Error message is correct', function() {",
+									"    var jsonData = pm.response.json();",
+									"    pm.expect(jsonData.error).to.equal('You have been logged out. Please log in again.');",
+									"});"
+								],
+								"type": "text/javascript"
+							}
+						}
+					],
+					"request": {
+						"method": "GET",
+						"header": [
+							{
+								"key": "Authorization",
+								"value": "Bearer {{blacklisted_token}}",
+								"type": "text"
+							}
+						],
+						"url": {
+							"raw": "http://localhost:8000/todos",
+							"protocol": "http",
+							"host": ["localhost"],
+							"port": "8000",
+							"path": ["todos"]
+						}
+					}
+				},
+				{
+					"name": "11. Get API Documentation with JWT",
 					"event": [
 						{
 							"listen": "test",