fix(backend): implemented jwt token invalidation so users cannot use it after expiry

2026-03-22 15:12:08 +01:00 · 2025-10-23 19:04:48 +02:00
parent 4f6d46ba7e
commit 584c090b80
7 changed files with 271 additions and 1 deletions
--- a/7project/backend/app/api/auth.py
+++ b/7project/backend/app/api/auth.py
@@ -24,6 +24,23 @@ async def delete_me(
    await user_manager.delete(user)

 # Keep existing paths as-is under /auth/* and /users/*
+from fastapi import Request, Response
+from app.core.security import revoke_token, extract_bearer_token
+
+
+@router.post(
+    "/auth/jwt/logout",
+    status_code=status.HTTP_204_NO_CONTENT,
+    tags=["auth"],
+    summary="Log out and revoke current token",
+)
+async def custom_logout(request: Request) -> Response:
+    """Revoke the current bearer token so it cannot be used anymore."""
+    token = extract_bearer_token(request)
+    if token:
+        revoke_token(token)
+    return Response(status_code=status.HTTP_204_NO_CONTENT)
+
 router.include_router(
    fastapi_users.get_auth_router(auth_backend), prefix="/auth/jwt", tags=["auth"]
 )