Remove token last used field in the token store

This would be a nice feature to have, but it can lead lead to (very
rare) race conditions. simplekv has no way to support atomic retreive
and replace. We could revoke a key after grabbing the key to update,
then overwrite the revoke status. This also makes storing an effecient
mapping of jtis that exist to an identity hard.

Currently, I'm thinking if a user wants this, they should add it as part
of their application logic, something like

@app.route('foobar')
@jwt_refresh_token_required
def refresh:
    udate_token_last_used(jti)  # Need a way for users to get the jti
    access_token = create_access_token()
    return ...

Author: vimalloc

flask_jwt_extended/blacklist.py

@@ -34,10 +34,6 @@ def wrapper(*args, **kwargs):
     return wrapper
 
 
-def _utc_datetime_to_ts(dt):
-    return calendar.timegm(dt.utctimetuple())
-
-
 def _ts_to_utc_datetime(ts):
     return datetime.datetime.utcfromtimestamp(ts)
 
@@ -159,7 +155,6 @@ def store_token(token, revoked):
     """
     data_to_store = json.dumps({
         'token': token,
-        'last_used': _utc_datetime_to_ts(datetime.datetime.utcnow()),
         'revoked': revoked
     }).encode('utf-8')
 

tests/test_blacklist.py

@@ -378,7 +378,7 @@ def test_get_stored_token(self):
         self.assertEqual(status_code, 200)
         self.assertIn('token', data)
         self.assertIn('revoked', data)
-        self.assertIn('last_used', data)
+        self.assertEqual(len(data), 2)
 
         response = self.client.get('/auth/token/404notokenfound')
         status_code = response.status_code