Refresh Token never expires

[HenrikZabel]

settings.py

...
NINJA_JWT = {
    "ACCESS_TOKEN_LIFETIME": timedelta(seconds=30),
    "REFRESH_TOKEN_LIFETIME": timedelta(minutes=1),
}
...

I set the lifetime really low to test if the token expires. The access token is not usable after 30 seconds but the refresh token is usable as long as I want it to. Why is that?

When I request my api like that

curl \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"refresh":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX3BrIjoxLCJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImNvbGRfc3R1ZmYiOiLimIMiLCJleHAiOjIzNDU2NywianRpIjoiZGUxMmY0ZTY3MDY4NDI3ODg5ZjE1YWMyNzcwZGEwNTEifQ.aEoAYkSJjoWH1boshQAaTkf8G3yn0kapko6HFRt7Rh4"}' \
  http://localhost:8000/api/token/refresh/

And following is the response:

{
  "refresh": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX3BrIjoxLCJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImNvbGRfc3R1ZmYiOiLimIMiLCJleHAiOjIzNDU2NywianRpIjoiZGUxMmY0ZTY3MDY4NDI3ODg5ZjE1YWMyNzcwZGEwNTEifQ.aEoAYkSJjoWH1boshQAaTkf8G3yn0kapko6HFRt7Rh4",
  "access": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNzExNDg5MjE0LCJpYXQiOjE3MTE0ODU4NTQsImp0aSI6IjIyNzEwYTI1YzBiNTRiNTJhNzI0NWM5M2ZjNjFjMDMzIiwidXNlcl9pZCI6ImMzODM1OWE5LTIyOTgtNDY5NC04MzVjLTJmZWIzOGRjNjQ4MCJ9.MDTzwh3LRTpKzueqJDbwEh82uDtuJ1MqUD6KJpJ47-c"
}

The response differs from what I can read here, which says the response looks like that:

{"access":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX3BrIjoxLCJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiY29sZF9zdHVmZiI6IuKYgyIsImV4cCI6MTIzNTY3LCJqdGkiOiJjNzE4ZTVkNjgzZWQ0NTQyYTU0NWJkM2VmMGI0ZGQ0ZSJ9.ekxRxgb9OKmHkfy-zs1Ro_xs1eMLXiR17dIDBVxeT-w"}

Am I doing something wrong or is this unintentional?

[eadwinCode]

@HenrikZabel Sorry for my late response... I am looking into this right away

[eadwinCode]

@HenrikZabel I tried with your config and everything works fine. refresh token expires after 1 minute. About the response, you got the correct response. I will update the docs too to reflect the right response

[HenrikZabel]

@eadwinCode That's strange. I still have the same problem. How did you test this? I just called the refresh api point, but it always worked (no matter if the refresh token expired or not)

[eadwinCode]

I copied your settings to a test project and it works. Can I see your ninja jwt setup?

[HenrikZabel]

Sure:

NINJA_JWT = {
    "ACCESS_TOKEN_LIFETIME": timedelta(seconds=30),
    "REFRESH_TOKEN_LIFETIME": timedelta(minutes=1),
}

[eadwinCode]

I mean Controller registration and all. You have share the NinjaJWT before

[HenrikZabel]

# api.py
from ninja_extra import NinjaExtraAPI
from ninja_jwt.controller import NinjaJWTDefaultController

from calendar_.api import router as week_router
from user.api import router as user_router

api = NinjaExtraAPI()
api.register_controllers(NinjaJWTDefaultController)


api.add_router("/calendar/", week_router)
api.add_router("/user/", user_router)

# other api.py
…
@router.post("/task", response={200: Response, 403: Response}, auth=JWTAuth())
…

[eadwinCode]

Your routers, are they from ninja.router package or ninja_extra.router package

[HenrikZabel]

from ninja import Router

The weird thing is - the package is working in general. I can create and get the tokens. But I cannot change the lifetime of them. Do you think this could be related to this?

[eadwinCode]

Anyways I have tried with router from both ninja and ninja_extra. And refresh token still gets expired

[HenrikZabel]

Does it maybe clash with other installed libraries? But this should not be the case, right?

[eadwinCode]

from ninja import Router

The weird thing is - the package is working in general. I can create and get the tokens. But I cannot change the lifetime of them. Do you think this could be related to this?

I would suggest you try this https://github.com/jazzband/djangorestframework-simplejwt in your project to see if you have the same issue. This is not a permanent solution but we both need to understand where the problem is coming from. Whether is from your computer time or something. I need something to be able to debug and solve this issue for you.

[thomascenni]

Hello,
I have exactly the same problem, the refresh token never expires.
I have in my settings.py:

# Django Ninja JWT settings
SIMPLE_JWT = {
    "ACCESS_TOKEN_LIFETIME": timedelta(seconds=5),
    "REFRESH_TOKEN_LIFETIME": timedelta(seconds=10),
}

and I can verify that the settings are taken into consideration because if I:

from ninja_jwt.settings import api_settings
print("ACCESS_TOKEN_LIFETIME", api_settings.ACCESS_TOKEN_LIFETIME)
print("REFRESH_TOKEN_LIFETIME", api_settings.REFRESH_TOKEN_LIFETIME)

I obtain:

ACCESS_TOKEN_LIFETIME 0:00:05
REFRESH_TOKEN_LIFETIME 0:00:10

The access token expires correctly in 5 seconds, the refresh token doesn't expire.
@eadwinCode can you try to debug what happens ?
Thanks a lot!

[eadwinCode]

Alright I will look into this again

[eadwinCode]

@thomascenni I have tried it several times and can not reproduce it. What operating system are you using?

[thomascenni]

I am on MacOS/Python 3.13; did you try with "REFRESH_TOKEN_LIFETIME": timedelta(seconds=10) and it expires ?

[eadwinCode]

[eadwinCode]

I think this library has not been tested for python3.13
@HenrikZabel Are you also on python3.13?

[thomascenni]

I think this library has not been tested for python3.13 @HenrikZabel Are you also on python3.13?

Sorry I made a mistake, I am on

Python 3.12.6 (main, Sep 6 2024, 19:03:47) [Clang 15.0.0 (clang-1500.3.9.4)] on darwin
on my local machine, and

python:3.12.4-slim-bullseye
in the Docker image of my app.
The requirements are Python >= 3.6.

[HenrikZabel]

I think this library has not been tested for python3.13 @HenrikZabel Are you also on python3.13?

I am on version 3.12.2.