refactor(serializers): Correct validation order in TokenRefreshSerializer

mahdirahimi1999 · mahdirahimi1999 · commit d1412c481bc8 · 2025-08-14T16:00:53.000+03:30
diff --git a/rest_framework_simplejwt/serializers.py b/rest_framework_simplejwt/serializers.py
@@ -114,23 +114,6 @@ def validate(self, attrs: dict[str, Any]) -> dict[str, str]:
 
         data = {"access": str(refresh.access_token)}
 
-        if api_settings.ROTATE_REFRESH_TOKENS:
-            if api_settings.BLACKLIST_AFTER_ROTATION:
-                try:
-                    # Attempt to blacklist the given refresh token
-                    refresh.blacklist()
-                except AttributeError:
-                    # If blacklist app not installed, `blacklist` method will
-                    # not be present
-                    pass
-
-            refresh.set_jti()
-            refresh.set_exp()
-            refresh.set_iat()
-            refresh.outstand()
-
-            data["refresh"] = str(refresh)
-
         # We handle user-related validation in a single, efficient block.
         user_id = refresh.payload.get(api_settings.USER_ID_CLAIM, None)
         if user_id:
@@ -170,6 +153,23 @@ def validate(self, attrs: dict[str, Any]) -> dict[str, str]:
                         code="password_changed",
                     )
 
+        if api_settings.ROTATE_REFRESH_TOKENS:
+            if api_settings.BLACKLIST_AFTER_ROTATION:
+                try:
+                    # Attempt to blacklist the given refresh token
+                    refresh.blacklist()
+                except AttributeError:
+                    # If blacklist app not installed, `blacklist` method will
+                    # not be present
+                    pass
+
+            refresh.set_jti()
+            refresh.set_exp()
+            refresh.set_iat()
+            refresh.outstand()
+
+            data["refresh"] = str(refresh)
+
         return data
 
 
