Search code examples
laravellaravel-passport

Why Auth::check() returns true after logout ? Passport

So I made Authentication using passport, everything worked fine until I logged user out. My paths are protected via auth:api guard so after logging out I can't access any functions, however my frontend is rendered via react based on Auth:check() value and it stays true after logging out. Therefore I am able to get into admin dashboard without any permissions, which is a bug and I can't find a solution to fix it.

This is my log out function:

public function logout()
{
    if (Auth::check()) {
        DB::table('oauth_access_tokens')
            ->where('user_id', Auth::user()->id)
            ->update([
                'revoked' => true
            ]);

        return response(['check' => Auth::check()]); // I get true after logging out
    }

    return response(['check' => Auth::check()]);
}

This is my login and register functions:

public function register(Request $request){
    $validatedData = $request->validate([
        'name' => 'required|max:55|unique:users',
        'password' => 'required'
    ]);
    $validatedData['password'] = bcrypt($request->password);
    $user = User::create($validatedData);
    $accessToken = $user->createToken('authToken')->accessToken;

    return response()

    }

public function login(Request $request)
{
    $loginData = $request->validate([
        'name' => 'required',
        'password' => 'required'
    ]);

    $a = auth()->attempt($loginData, true);
    if(!$a) {
        return response(['message'=>'Invalid credentials');
    }
    $accessToken = auth()->user()->createToken('authToken')->accessToken;
    return response()->json($accessToken);
}

What have I missed?

Solution

  • The reason that Auth::check() returns true is the user is set on the auth service. You are only revoking the access token, meaning that the user will be logged out from the next request.

    You can solve this one of two ways

    1) Assume that the any call to the logout route will result in the user being logged out, irrespective of the logic performed. For example, you could make the call and then clear the access token in your frontend (or perform whatever other logout logic).

    2) You can call Auth::logout() in your code, which will set the current user on the authentication service to null resulting in Auth::check() returning false.