With USE_JWT and blacklist app, logout fail with JWT_HTTP_ONLY

[mbegoc]

On line https://github.com/iMerica/dj-rest-auth/blob/master/dj_rest_auth/views.py#L181 the code look for the refresh token into the data, but with HTTP_ONLY, the token can be found only in cookies.

Is it by design (no need to blacklist the refresh cookie in this case) or should the code look into both data and cookies?

[Routhinator]

EDIT - Realized when I looked at this I missed that this was this library's source 🤦

That's the idea behind HttpOnly cookies, the app doesn't handle them, the server and the browser do - and they are sent on each request to the server automatically.

In the Django request object, there is a COOKIES property - the code needs to look there if JWT_HTTP_ONLY is on:

request.COOKIES['token']

A simple edit to the APIView to have an if condition there should do the trick, I'll test that.

[Routhinator]

I've opened a PR to address this one @iMerica

[Routhinator]

Fix has merged to master, pending release.

[Aniket-Singla]

Can this be closed? I see its released.