jazzband · jdg-journeyfront · Jan 8, 2025 · Jan 8, 2025 · vgrozdanic · Jan 11, 2025
diff --git a/rest_framework_simplejwt/tokens.py b/rest_framework_simplejwt/tokens.py
@@ -3,6 +3,7 @@
 from uuid import uuid4
 
 from django.conf import settings
+from django.contrib.auth import get_user_model
 from django.contrib.auth.models import AbstractBaseUser
 from django.utils.module_loading import import_string
 from django.utils.translation import gettext_lazy as _
@@ -266,12 +267,17 @@ def blacklist(self) -> BlacklistedToken:
             jti = self.payload[api_settings.JTI_CLAIM]
             exp = self.payload["exp"]
             user_id = self.payload.get(api_settings.USER_ID_CLAIM)
+            User = get_user_model()
+            try:
+                user = User.objects.get(**{api_settings.USER_ID_FIELD: user_id})
+            except User.DoesNotExist:
+                user = None
 
             # Ensure outstanding token exists with given jti
             token, _ = OutstandingToken.objects.get_or_create(
                 jti=jti,
                 defaults={
-                    "user_id": user_id,
+                    "user": user,
                     "created_at": self.current_time,
                     "token": str(self),
                     "expires_at": datetime_from_epoch(exp),

diff --git a/tests/test_token_blacklist.py b/tests/test_token_blacklist.py
@@ -160,6 +160,26 @@ def test_outstanding_token_and_blacklisted_token_user(self):
         outstanding_token = OutstandingToken.objects.get(token=token)
         self.assertEqual(outstanding_token.user, self.user)
 
+    @override_api_settings(USER_ID_FIELD="email", USER_ID_CLAIM="email")
+    def test_outstanding_token_and_blacklisted_token_created_at_with_modified_user_id_field(
+        self,
+    ):
+        token = RefreshToken.for_user(self.user)
+
+        token.blacklist()
+        outstanding_token = OutstandingToken.objects.get(token=token)
+        self.assertEqual(outstanding_token.created_at, token.current_time)
+
+    @override_api_settings(USER_ID_FIELD="email", USER_ID_CLAIM="email")
+    def test_outstanding_token_and_blacklisted_token_user_with_modifed_user_id_field(
+        self,
+    ):
+        token = RefreshToken.for_user(self.user)
+
+        token.blacklist()
+        outstanding_token = OutstandingToken.objects.get(token=token)
+        self.assertEqual(outstanding_token.user, self.user)
+
 
 class TestTokenBlacklistFlushExpiredTokens(TestCase):
     def setUp(self):