
Laracast13

auth with jetstream

Hello. Using Laravel Breeze, role check middleware:


php artisan make:middleware CheckRole

app/Http/Kernel.php, in the $routeMiddleware array:

'roles' => 'App\Http\Middleware\CheckRole',

middleware (app/Http/Middleware/CheckRole.php)

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class CheckRole
{
    public function handle(Request $request, Closure $next, ...$roles)
    {
        $allowAccess = false;
        if (auth()->check()) {
            // Allow if the authenticated user's role matches any role given on the route
            foreach ($roles as $role) {
                if ($request->user()->user_role === $role) {
                    $allowAccess = true;
                }
            }
        }
        if (!$allowAccess) {
            auth()->logout();
            return redirect()->route('home');
        }
        return $next($request);
    }
}

In the route, using the middleware for the role check:

Route::middleware(['auth', 'roles:Admin'])->group(function () {
    // admin-only routes go here
});

This works, but I'm getting a problem when using Jetstream. It looks like auth()->check(), $request->user() and auth()->logout() are not working when using Jetstream.

Route:

Route::middleware(['auth:sanctum', 'verified', 'roles:Admin'])->group(function () {
    // admin-only routes go here
});

I'm getting the error: Method Illuminate\Auth\RequestGuard::logout does not exist. P.S. I'm accessing as Admin, but it cannot check with auth()->check() / $request->user(), which is the first condition.

bobbybouwmann

The logout method is not available on stateless authentication methods. For example, an API is using a token for authentication. You can't log out there, because the token determines if you're authorized or not.

With Sanctum, it's the same thing. It's token-based, so you can't log out the user. Instead, you can decide to remove the tokens of a user. But that only works if you actually have a user. So that would look like this:

// Check roles above here

if (!$allowAccess) {
    if (auth()->check()) {
        // Revoke all tokens...
        auth()->user()->tokens()->delete();

        // OR
        // Revoke the token that was used to authenticate the current request...
        $request->user()->currentAccessToken()->delete();
    }

    return redirect()->route('home');
}

return $next($request);

Note that this is Sanctum-specific!

Documentation: https://laravel.com/docs/9.x/sanctum#revoking-tokens

Laracast13

@bobbybouwmann Hello

What if I use it like this? It looks like it works for me:

if (!$allowAccess) {
    auth('web')->logout();
    abort(403, 'Unauthorized action');
}
return $next($request);

bobbybouwmann

@www888 Yeah, that works. But you're using sanctum, right? Or are you using web authentication?

It doesn't make sense if you use an API route with sanctum to log out the user with the web driver.

bobbybouwmann

@www888 You can't logout from sanctum. You need to delete the tokens instead, like I showed in my first reply.

Laracast13

@bobbybouwmann

When using auth('web')->logout(); it works,

but when using $request->user()->currentAccessToken()->delete(); I get the error: Call to a member function currentAccessToken() on null.
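The thread ends on the two failure modes above: the Sanctum RequestGuard has no logout(), and currentAccessToken() is null (or a transient placeholder) when the request was authenticated by session rather than by a personal access token. The middleware below is an added example, not code from any participant; it assumes the `user_role` column used in the thread, the `Laravel\Sanctum\HasApiTokens` trait on the User model, and Jetstream's default `web` guard, and it revokes only the credential that actually authenticated the denied request.

```php
<?php
// Added example (not from the thread): a CheckRole middleware that denies
// access without calling logout() on the Sanctum guard. Assumes a `user_role`
// column on users and the HasApiTokens trait on the User model.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Laravel\Sanctum\TransientToken;

class CheckRole
{
    public function handle(Request $request, Closure $next, string ...$roles)
    {
        $user = $request->user();

        // No authenticated user at all: fail closed. On a route protected by
        // auth / auth:sanctum this branch is normally never reached.
        if ($user === null) {
            abort(401, 'Unauthenticated');
        }

        if (in_array($user->user_role, $roles, true)) {
            return $next($request);
        }

        // Access denied: revoke whatever credential authenticated this request.
        $token = $user->currentAccessToken();
        if ($token !== null && !($token instanceof TransientToken)) {
            // Request carried a personal access token: delete only that token,
            // leaving the user's other devices/tokens untouched.
            $token->delete();
        } else {
            // Session-authenticated request (web guard, or auth:sanctum falling
            // back to the session): currentAccessToken() is null or transient,
            // so end the web session instead of calling logout() on the guard.
            auth('web')->logout();
            if ($request->hasSession()) {
                $request->session()->invalidate();
                $request->session()->regenerateToken();
            }
        }

        abort(403, 'Unauthorized action');
    }
}
```

Register it under the same `'roles'` key as in the thread; the route groups above then work unchanged with either `auth` or `auth:sanctum` in front of it.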
