Token verification is passing after token rotation

[regzon]

After token refreshing (with refresh token rotation enabled) old refresh token is still passing validation.

Blacklist app is in INSTALLED APPS

Settings:
SIMPLE_JWT = { 'ROTATE_REFRESH_TOKENS': True, 'BLACKLIST_AFTER_ROTATION': True, }

[sshishov]

Please retest this issue as for me it is not passed.
Rotation only happens when you call refresh API with provided refresh token.
I noticed that old RefreshToken is not blacklisted if new pair is generated using ordinary login what is also the omission in my understanding

[adriangzz]

I'm facing the same issue. When I use the verify API provided I still get a 200 OK status with the previous, now blacklisted refresh token.

[saadmk11]

You need to add 'rest_framework_simplejwt.token_blacklist', app in the INSTALLED_APPS in the django settings file to use this feature.

https://django-rest-framework-simplejwt.readthedocs.io/en/latest/blacklist_app.html?highlight=blacklist#blacklist-app

[Andrew-Chen-Wang]

I believe this issue is not simply just the token blacklist app itself, but also the fact that the functionality is not actually implemented. I've seen a lot of issues lately regarding the blacklist app, and it seems like the functionality may just be broken.

Once my midterms are over, I'll take a look at this again.