julianov

JWT logout method in Laravel

Is it advisable to create a logout method in the backend when using JWT with Eloquent? I say this because what I have been implementing is removing the token on the frontend to log out, but we do not consume anything in Laravel to log out.

Should we implement something like this?

public function logout()
{
    // Passport: mark the access token used for this request as revoked in the
    // oauth_access_tokens table, so the guard rejects it on later requests.
    Auth::user()->token()->revoke();

    return response()->json(['status' => true, 'message' => 'Logged out']);
}

This is the login controller:

public function login(LoginRequest $request): JsonResponse
{
    try {
        $validated = $request->validated();
        $captcha = $this->userService->ReCaptcha($validated['captcha']);

        if ($captcha) {
            unset($validated['captcha']);

            if (Auth::attempt($validated)) {
                $user = Auth::user();

                if ($user->email_verified_at == null) {
                    return response()->json([
                        'status' => false,
                        'message' => 'email validation still pending'
                    ], 400);
                } else {
                    $column_name = "USER_ID";
                    $column_value = $user->id;
                    $table = "USER_AUTHENTICATION";
                    $user_auth = $this->genericRepository->getRow($table, $column_name, $column_value);

                    if (!empty($user_auth)) {
                        // Passport personal access token scoped to the user's auth level.
                        $token = $user->createToken('user_token', [$user_auth->AUTH_LEVEL])->accessToken;

                        // Informational only: the token's real lifetime is whatever Passport
                        // is configured with (Passport::tokensExpireIn()), not this value.
                        $timestamp = now()->addDays(1);
                        $expires_at = date('M d, Y H:i A', strtotime($timestamp));

                        return response()->json([
                            'status' => true,
                            'message' => 'Login successful',
                            'access_token' => $token,
                            'token_type' => 'bearer',
                            'expires_at' => $expires_at,
                        ]);
                    } else {
                        return $this->errorService->databaseReadError();
                    }
                }
            } else {
                return $this->errorService->invalidCredentials();
            }
        } else {
            return $this->errorService->badCaptcha();
        }
    } catch (\Exception $e) {
        // Note: echoing the raw exception message to the client exposes internals;
        // logging it server-side and returning a generic message is the safer pattern.
        return response()->json([
            'status' => false,
            'message' => $e->getMessage()
        ], 500);
    }
}
martinbean

@julianov You don’t “log out” with token-based authentication. And I wouldn’t pick JWTs for authenticating users.

The claims (payload) of a JWT are plaintext, so you shouldn’t be storing sensitive information in them; and you cannot revoke them once issued because the only thing that makes a JWT “valid” is its signature. JWTs are only good for authorising individual requests, and should have as short a lifetime as possible.

Laravel already has two solid token-based authentication solutions in Passport (OAuth) and Sanctum. You should use those instead of re-inventing the wheel and trying to roll your own authentication.
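The point made above (a JWT is "valid" purely because its signature checks out, so deleting it on the client changes nothing on the server) and the original question (whether a backend logout method is needed) can both be seen in a few dozen lines of plain PHP. The following is an added example, not code from the thread or from Laravel/Passport; it uses only PHP's standard hash_hmac/hash_equals functions, and the secret, user id, clock values and function names are constructed for illustration. It mints a short-lived HS256 token with a unique jti claim, shows that stateless verification still accepts it after a client-side "logout", and then shows the minimal server-side state (a denylist of jti values kept until exp) that makes logout actually take effect.

```php
<?php
// Added example (not from the thread): minimal HS256 JWT issue/verify in plain PHP,
// plus a jti denylist that gives a stateless token a real server-side logout.
// Secret, clock, claims and function names below are constructed for illustration.

function b64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64urlDecode(string $data): string {
    $pad = str_repeat('=', (4 - strlen($data) % 4) % 4);
    return base64_decode(strtr($data, '-_', '+/') . $pad);
}

// Mint a token with a short lifetime and a unique id (jti) so it can be referenced later.
function issueJwt(array $claims, string $secret, int $now, int $ttlSeconds): string {
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode($claims + [
        'iat' => $now,
        'exp' => $now + $ttlSeconds,
        'jti' => bin2hex(random_bytes(16)),
    ]));
    $sig = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Stateless verification: the only checks are the signature and the exp claim.
// Returns the claims on success, null on failure. Nothing here knows about "logout".
function verifyJwt(string $jwt, string $secret, int $now): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    if (!hash_equals($expected, $sig)) {          // constant-time comparison
        return null;
    }
    $claims = json_decode(b64urlDecode($payload), true);
    if (!is_array($claims) || !isset($claims['exp']) || $claims['exp'] <= $now) {
        return null;
    }
    return $claims;
}

// Server-side logout: remember the jti until the token would have expired anyway.
// In a Laravel app this map would live in the cache (e.g. Redis) with TTL = exp - now.
function logoutJwt(string $jwt, string $secret, int $now, array &$denylist): bool {
    $claims = verifyJwt($jwt, $secret, $now);
    if ($claims === null) {
        return false;
    }
    $denylist[$claims['jti']] = $claims['exp'];
    return true;
}

// Verification that also consults the denylist (stateful, but only for logged-out tokens).
function verifyWithDenylist(string $jwt, string $secret, int $now, array $denylist): ?array {
    $claims = verifyJwt($jwt, $secret, $now);
    if ($claims === null || isset($denylist[$claims['jti']])) {
        return null;
    }
    return $claims;
}

// Walk-through with a constructed secret and a fixed clock.
$secret = 'constructed-demo-secret-do-not-reuse';
$now    = 1700000000;
$jwt    = issueJwt(['sub' => 42], $secret, $now, 900);   // 15-minute lifetime

// 1. The client deletes the token ("logs out"); the server still accepts a copy of it.
echo "stateless check after client-side logout: ",
     verifyJwt($jwt, $secret, $now + 60) ? "still accepted\n" : "rejected\n";

// 2. With a jti denylist, logout takes effect for the rest of the token's life.
$denylist = [];
logoutJwt($jwt, $secret, $now + 60, $denylist);
echo "denylist check after server-side logout: ",
     verifyWithDenylist($jwt, $secret, $now + 120, $denylist) ? "still accepted\n" : "rejected\n";

// 3. Changing the payload breaks the signature, and exp ends the token regardless of state.
[$h, $p, $s] = explode('.', $jwt);
$tampered = $h . '.' . b64url(json_encode(['sub' => 1, 'exp' => $now + 86400])) . '.' . $s;
echo "tampered payload: ", verifyJwt($tampered, $secret, $now + 60) ? "accepted\n" : "rejected\n";
echo "after exp: ",        verifyJwt($jwt, $secret, $now + 901) ? "accepted\n" : "rejected\n";
```

Running it prints "still accepted", "rejected", "rejected", "rejected" in that order. The denylist is the trade-off behind the advice above: the moment a token must be revocable before exp, the server has to keep state about it, which is exactly what Passport does by storing every issued token in oauth_access_tokens and flagging it with a revoked column when revoke() is called. Keeping lifetimes short (minutes, not a day) bounds how long a stolen token stays usable whether or not that state exists.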

jlrdw

@julianov, read this paragraph in the docs:

Laravel Passport provides a full OAuth2 server implementation for your Laravel application in a matter of minutes. Passport is built on top of the League OAuth2 server that is maintained by Andy Millington and Simon Hamp.

And go to the link given.

Sorry, this:

This documentation assumes you are already familiar with OAuth2. If you do not know anything about OAuth2, consider familiarizing yourself with the general terminology and features of OAuth2 before continuing.

Edit:

Too much detail for a discussion here. Basically you can have a token, but that token has to be verified also. Kind of like key and secret on some APIs.

Whereas some APIs just use the key (not as secure).

But look over the Sanctum chapter as well. I like the key | secret myself. But it's not as good for real heavy traffic without load balancing.

martinbean

@julianov Well if you’re using Passport then you definitely don’t need a login route, given that you should be obtaining OAuth tokens using the /oauth/token endpoints provided by Passport.
