#541 Check for refresh cookie when JWT_AUTH_HTTPONLY is True (#572)

* #541 Check for refresh cookie when JWT_AUTH_HTTPONLY is True * #541 Address test failures.
iMerica · Nov 26, 2023 · ae093a4 · ae093a4
1 parent c6b6530
commit ae093a4
Showing 1 changed file with 14 additions and 4 deletions.
diff --git a/dj_rest_auth/views.py b/dj_rest_auth/views.py
@@ -178,11 +178,21 @@ def logout(self, request):
             if 'rest_framework_simplejwt.token_blacklist' in settings.INSTALLED_APPS:
                 # add refresh token to blacklist
                 try:
-                    token = RefreshToken(request.data['refresh'])
+                    token: RefreshToken = RefreshToken(None)
+                    if api_settings.JWT_AUTH_HTTPONLY:
+                        try:
+                            token = RefreshToken(request.COOKIES[api_settings.JWT_AUTH_REFRESH_COOKIE])
+                        except KeyError:
+                            response.data = {'detail': _('Refresh token was not included in cookie data.')}
+                            response.status_code =status.HTTP_401_UNAUTHORIZED
+                    else:
+                        try:
+                            token = RefreshToken(request.data['refresh'])
+                        except KeyError:
+                            response.data = {'detail': _('Refresh token was not included in request data.')}
+                            response.status_code =status.HTTP_401_UNAUTHORIZED
+
                     token.blacklist()
-                except KeyError:
-                    response.data = {'detail': _('Refresh token was not included in request data.')}
-                    response.status_code =status.HTTP_401_UNAUTHORIZED
                 except (TokenError, AttributeError, TypeError) as error:
                     if hasattr(error, 'args'):
                         if 'Token is blacklisted' in error.args or 'Token is invalid or expired' in error.args: