token_auth set session cookie ? about django-graphql-jwt HOT 6 CLOSED

In my opinion, ObtainJSONWebToken is a login process, the user sends his credentials and authenticates.

Perhaps it would be advisable to update it using the "Customizing" option and that each developer decides.

from django-graphql-jwt.

Thanks @tguillemot, that's a good question.

The reason to include the login is to send the user_logged_in signal and update the last_login user field.

I totally agree with you, ObtainJSONWebToken should not save the user session, login() must disappear and may be replaced by the signal.

from django.contrib.auth.signals import user_logged_in

user_logged_in.send(sender=user.__class__, request=info.context, user=user)

What do you think about sending this signal?

from django-graphql-jwt.

I had a look on how Django Rest Framework JWT solves that.
It seems that they prefer not updating last_login as explained on that issue.
As they said, by generating a JWT you fetch the user but do not update it.
I agree with that.

Do you have a case where last_login is useful for JWT ?

from django-graphql-jwt.

In my opinion, ObtainJSONWebToken is a login process, the user sends his credentials and authenticates.

We can see things like that indeed.

Perhaps it would be advisable to update it using the "Customizing" option and that each developer decides.

I do not have a strong feeling on that.
For me, it is not big deal if last_login is updated or not.
So, you can update last_login by default (or not) and if someone has a big problem with that one day he will open an issue anyway 😄.

Thanks for your answers and discussions !!!

from django-graphql-jwt.

Thanks, it was a pleasure talking to you :)

from django-graphql-jwt.

@mongkok last_login field is used as salt for generation tokens for links when email changes and password resets

from django-graphql-jwt.