Django Rest Framework jwt allows obtaining new token from notionally invalidated token
An issue was discovered in drf-jwt It allows attackers with access to a notionally invalidated token to obtain a new, working token via the refresh endpoint, because the block list protection mechanism is incompatible with the token-refresh feature. NOTE: drf-jwt is a fork of jpadilla/django-rest-framework-jwt, which is unmaintained.