Helper function to logout when using cookies to store jwt

Author: vimalloc

flask_jwt_extended/utils.py

@@ -378,3 +378,24 @@ def set_refresh_cookies(response, encoded_refresh_token):
                             secure=get_cookie_secure(),
                             httponly=False,
                             path='/')
+
+
+def unset_jwt_cookies(response):
+    """
+    Takes a flask response object, and configures it to unset (delete) the JWT
+    cookies. Basically, this is a logout helper method if using cookies to store
+    the JWT
+    """
+    response.set_cookie(get_refresh_cookie_name(),
+                        value='',
+                        expires=0,
+                        secure=get_cookie_secure(),
+                        httponly=True,
+                        path=get_refresh_cookie_path())
+    response.set_cookie(get_access_cookie_name(),
+                        value='',
+                        expires=0,
+                        secure=get_cookie_secure(),
+                        httponly=True,
+                        path=get_access_cookie_path())
+    return response

tests/test_protected_endpoints.py

@@ -7,7 +7,7 @@
 import jwt
 
 from flask_jwt_extended.utils import _encode_access_token, get_jwt_claims, \
-    get_jwt_identity, set_refresh_cookies, set_access_cookies
+    get_jwt_identity, set_refresh_cookies, set_access_cookies, unset_jwt_cookies
 from flask_jwt_extended import JWTManager, create_refresh_token, \
     jwt_refresh_token_required, create_access_token, fresh_jwt_required, \
     jwt_required
@@ -344,6 +344,12 @@ def login():
             set_refresh_cookies(resp, refresh_token)
             return resp, 200
 
+        @self.app.route('/auth/logout', methods=['POST'])
+        def logout():
+            resp = jsonify({'logout': True})
+            unset_jwt_cookies(resp)
+            return resp, 200
+
         @self.app.route('/auth/refresh', methods=['POST'])
         @jwt_refresh_token_required
         def refresh():
@@ -443,6 +449,13 @@ def test_headers(self):
         self.assertIn('x_csrf_refresh_token', refresh_csrf)
         self.assertIn('Path=/', refresh_csrf)
 
+        # Try logout headers
+        resp = self.client.post('/auth/logout')
+        refresh_cookie = resp.headers[1][1]
+        access_cookie = resp.headers[2][1]
+        self.assertIn('Expires=Thu, 01-Jan-1970', refresh_cookie)
+        self.assertIn('Expires=Thu, 01-Jan-1970', access_cookie)
+
     def test_endpoints_with_cookies(self):
         self.app.config['JWT_COOKIE_CSRF_PROTECT'] = False