6

I am using Laravel Sanctum SPA authentication in my Vue project. Everything is working well, but even after logout

Auth::logout()

I am still able to get data from the API route inside the middleware

Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});

I should not be able to get data after logout. It should show 401 Unauthenticated, but that's not the case. How do I solve this problem? I have been stuck here for 3 days. I followed the Laravel documentation and other tutorials as well, but everyone logged out the same way I did.

Pemba Tamang
  • is `sanctum` the default guard? – lagbox Aug 05 '20 at 16:49
  • The above route is written in api.php, so the default guard is api @lagbox – Pemba Tamang Aug 05 '20 at 17:17
  • 1
    the default guard is set in the configuration `auth.php` ... when using the auth functions if you don't pass a guard in it will use the default ... if the default isn't `sanctum` then you are **potentially** calling `logout` on a different guard – lagbox Aug 05 '20 at 18:17
  • OK, then you mean I should pass the sanctum guard in logout? – Pemba Tamang Aug 06 '20 at 01:56
  • Did you solve your problem? I have the same issue: everything works well with Postman, but Vue keeps me logged in even if I revoke the token through Postman – Solidus Mar 07 '21 at 23:16

4 Answers

12

Kindly use `Auth::guard('web')->logout();` instead of `Auth::logout()`. Look into SPA Log out issue.

ashish.negi
0

To log out a user, simply do this in your logout function to delete all of the user's tokens:

public function logout(Request $request) {
    // Revoke every token issued to the authenticated user
    auth()->user()->tokens()->delete();
}

Or use this to remove only the active token:

$request->user()->currentAccessToken()->delete();
0

What worked for me now is: `auth('sanctum')->user()->tokens()->delete();`

Rose Riyadh
-1

In order to log out the specific user, you need to specify the user.

// Revoke a specific user token
Auth::user()->tokens()->where('id', $id)->delete();

// Get user who requested the logout
$user = request()->user(); //or Auth::user()
// Revoke current user token
$user->tokens()->where('id', $user->currentAccessToken()->id)->delete();
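
The guard fix and the token-revocation fixes from the answers above, combined into one logout endpoint. This is an added example, not code from any of the posters. It assumes Sanctum's default configuration, in which `auth:sanctum` checks the `web` session guard before looking for a bearer token; `LogoutController` and the `/logout` route are hypothetical names.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Laravel\Sanctum\PersonalAccessToken;

// Hypothetical controller, registered in routes/api.php as:
//   Route::middleware('auth:sanctum')->post('/logout', LogoutController::class);
class LogoutController extends Controller
{
    public function __invoke(Request $request): JsonResponse
    {
        $token = $request->user()?->currentAccessToken();

        // Bearer-token clients: revoke only the token used for this request.
        // Cookie-authenticated SPA requests carry a TransientToken instead,
        // which has no delete() method, so it is skipped here.
        if ($token instanceof PersonalAccessToken) {
            $token->delete();
        }

        // Cookie-authenticated SPA: the login state lives in the "web"
        // session guard. Auth::logout() acts on the default guard, which
        // may be a different one, leaving the session authenticated.
        if ($request->hasSession()) {
            Auth::guard('web')->logout();

            // Discard the old session ID and CSRF token so neither
            // can be replayed after logout.
            $request->session()->invalidate();
            $request->session()->regenerateToken();
        }

        return response()->json(['message' => 'Logged out']);
    }
}
```

After this endpoint returns, a repeat of the `/user` request with the old session cookie or the revoked token should receive 401 Unauthenticated, which is a quick check that logout actually took effect.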