Discussion on: PKCE authenticaton for Nuxt SPA with Laravel as backend

StefanT123 Author

How do you revoke the token?

franfoukal

Yes, not only using

    Auth::user()->token()->revoke();

but also as the docs indicate:
Laravel - revoking tokens

This is not working for me because it uses the laravel_session cookie data to persist the login and returns a new access_token without asking for credentials again, redirecting to the callback page directly.
Laravel destroys the session after a while or when the browser is closed, but it's a problem when I want to change the user to log in, because I have to wait or close everything.

Maybe the problem is the session-based login, but there is not much info about it.

I would like to know if it has happened to you and if anyone could solve it.
Sorry about my English, it is not my mother tongue. And thanks again!

StefanT123 Author

Maybe you should try to revoke the token and clear the user's session; maybe that will do it. But I don't know if this is the right way to log out a user...

franfoukal

After several trials, I came up with a solution (not an elegant one, I guess) that works.
It's a mix of logging out from the API guard (api.php routes with the auth:api middleware), revoking the token:

    use Illuminate\Support\Facades\Auth;
    use Laravel\Passport\RefreshTokenRepository;
    use Laravel\Passport\TokenRepository;

    public function logoutAPI()
    {
        // Read the id of the bearer token used for this request before revoking it
        $tokenId = Auth::user()->token()->id;

        // Revoke the access token and every refresh token issued with it,
        // so the client cannot silently obtain a new access token
        $tokenRepository = app(TokenRepository::class);
        $refreshTokenRepository = app(RefreshTokenRepository::class);
        $tokenRepository->revokeAccessToken($tokenId);
        $refreshTokenRepository->revokeRefreshTokensByAccessTokenId($tokenId);

        return response()->json([
            'msg' => 'You have been successfully logged out'
        ], 200);
    }

And in the web guard (web.php routes), kill the session:

    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Auth;
    use Illuminate\Support\Facades\Session;

    public function logoutSession(Request $request)
    {
        // Log out of the web guard and drop the laravel_session data,
        // so the next authorize request has to ask for credentials again
        Auth::guard('web')->logout();
        Session::flush();
        // the frontend sends a logout_uri query string to redirect to
        return response()->redirectTo($request->query('logout_uri'));
    }

In the frontend I send an axios post request to the logoutAPI route and then call the logoutSession route. Here is the code using the @nuxtjs/auth-next module.

        logout() {
            this.$axios.get('/api/logout')
                .then(response => {
                    this.$axios.setHeader('Authorization', null); // stop sending the revoked token
                    this.$auth.reset();  // deletes tokens stored in the nuxt app
                    this.$auth.logout(); // redirects to the logoutSession route
                })
                .catch(error => console.log(error.response));
        }

This way, every time I log out from the app and log in again, the credentials are required and don't persist.

Thanks for your replies, I hope this helps someone!
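The two-step logout above, rewritten as one controller (added example, not the poster's code): it revokes the access token and its refresh tokens, invalidates the web session, and checks the `logout_uri` host against an allowlist so the endpoint cannot be used as an open redirector. The config key `auth.logout_redirect_hosts` and the route names are assumptions.

```php
<?php
// Added example; not code from the original post. Assumes logoutApi sits behind
// the auth:api (Passport) guard and logoutSession behind the web guard. The
// config key `auth.logout_redirect_hosts` is a hypothetical allowlist you add.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Laravel\Passport\RefreshTokenRepository;
use Laravel\Passport\TokenRepository;

class LogoutController extends Controller
{
    // Revoke the bearer token used for this request plus every refresh token
    // issued with it, so the SPA cannot renew it after logout.
    public function logoutApi(Request $request, TokenRepository $tokens,
                              RefreshTokenRepository $refreshTokens)
    {
        $tokenId = $request->user()->token()->id;
        $tokens->revokeAccessToken($tokenId);
        $refreshTokens->revokeRefreshTokensByAccessTokenId($tokenId);

        return response()->json(['msg' => 'logged out']);
    }

    // End the laravel_session so the next /oauth/authorize call asks for
    // credentials again, then redirect only to an allowlisted host.
    public function logoutSession(Request $request)
    {
        Auth::guard('web')->logout();
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        $target = (string) $request->query('logout_uri', '');
        $host = parse_url($target, PHP_URL_HOST);          // null for relative/opaque URIs
        $allowed = config('auth.logout_redirect_hosts', []); // hypothetical config key
        if ($host === null || !in_array($host, $allowed, true)) {
            $target = '/'; // refuse redirects to hosts not on the allowlist
        }

        return redirect()->to($target);
    }
}
```

Because `parse_url` returns no host for `javascript:` or path-only values, those fall back to `/` as well; the SPA then only needs to send its own origin as `logout_uri`.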