Register, Login and Logout in Django Rest Framework using JWT
In this tutorial we will learn how to use JWT (JSON Web Tokens) to create register, login and logout views in Django Rest framework (DRF).
We will use two tokens in this tutorial Refresh Token and Access Token. The client side server will store both the tokens and use them to send a request to an API endpoint which requires authentication of the user. When the user sends the login request with his credentials they get in return the two above mentioned two tokens which they need to store in their session. Now to access any end point which requires user authentication they need to send their access token in the request header, but then whats the use of Refresh token?
As the name suggests Refresh Token is like a refresh button which is used to refresh the Access Token, we will discuss it in detail when we will create User Logout view but for the time being just know that Access Token is very short lived and gets expired after certain time and to get the new token user needs to request it using refresh token.
Let’s first install the required packages —
pip install djangorestframework
pip install djangorestframework-simplejwtNow let’s set up the settings.py file now and make the following changes in it
Now let’s start by first extending the User model to create tokens.
In this user model we created a function tokens to assign the user with Refresh and Access Tokens.
Now let’s create the serializers for Register, Login and Logout.
Let’s try to understand these serializers in detail starting from RegisterSerializer.
In RegisterSerializer we set the password field to write only so that the user can’t see that in the request sent, then we accept fields - email, username and password to register the user. We then create a validate method to validate the username and then the final create method to create the user with the provided details.
In LoginSerializer we again set the password field to write only so that the user cant see that in the request sent. Then we need a method get_tokens which in returns call the method tokens from User model to get the tokens for the user that’s trying to send the login request to our API. After that we create a method to check whether the user provided correct username and password and if yes then return him the details with the Access and Refresh Tokens.
After the user gets tokens he can send request to any API endpoint that requires user authentication by adding access token in headers and in case the token expires we request a new token by using refresh token which we will see when we will create urls file.
Coming to the logout view which is a bit tricky we need to understand that we need to keep the JWT stateless, in simple words the authentication details are stored on client side and not on server side so we need to somehow blacklist those details/tokens so that the user can’t use them again after logging out.
To do that we use a Simple JWT blacklist option that blacklists the refresh token so that it can not be used again. Now you may be wondering that why only refresh tokens when the actual token we use for authentication is access token? The answer to that is as I already said the beginning that access token is very short lived in fact every time you need to send request to an endpoint you will need to get the new access token. So whats the better way to blacklist the refresh token itself so that the user cant request for new access token in other words user successfully logged out booyaaahhh!!!!.
Now all the heavy work is almost done we just need to create the views and urls and we are done. So let’s create views first —
Just link the serializers to the respective views, call the methods and we are done with views as all the heavy lifting was already done in serializers file.
Now lets assign these views to the urls.
We link the views to their respective urls but notice the token_refresh url, as I mentioned earlier about the refresh token, Simple JWT provide a predefined TokenRefreshView which we can directly use and all the heavy lifting is already done for us!! isn’t DRF just simply awesome 😜.
Now its time to finally test our API so just run our own home sweet home localserver 127.0.0.1, oh wait there’s command for that too in django 😜 just run
python manage.py runserverOpen your postman and lets check our endpoints.
So our task is complete here, you can now import this app in any of your projects which requires Login, Logout and Registration of the user.
