django rest framework - token authentication logout

Ofek Agmon picture Ofek Agmon · Jun 9, 2015 · Viewed 26.6k times · Source

I have implemented the Token Authentication according to the django rest framework Docs.

Form what I read, the Token Authentication of DRF is quite simple - one token per user, the token doesn't expire and is valid for use always (am I right?).

I understand that there are better practices out there, but for now the DRF token authentication is fine for me.

my question is- what is the best practice for logout with the normal DRF token authentication?

I mean, when the user logs out, should I delete the token from the client side? and then on login get the token again? should I delete the token and generate a new one?

Anyone with experience with this?

Answer

Cloud Artisans picture Cloud Artisans · Mar 6, 2016

Here's a simple view that I'm using to log out:

from rest_framework import status
from rest_framework.response import Response
from rest_framework.views import APIView

class Logout(APIView):
    def get(self, request, format=None):
        # simply delete the token to force a login
        request.user.auth_token.delete()
        return Response(status=status.HTTP_200_OK)

Then add it to your urls.py:

urlpatterns = [
    ...
    url(r'^logout/', Logout.as_view()),
]