Laravel 11 - Sanctum SPA session logout all devices is not working

We're trying to implement Sanctum SPA authentication (session based, not api tokens), when a user changes their password, we can't seem to log them out of other devices using Auth::logoutOtherDevices($password); and we get:

error: Method Illuminate\Auth\RequestGuard::logoutOtherDevices does not exist. in /fooapp/vendor/laravel/framework/src/Illuminate/Macroable/Traits/Macroable.php line 115

The current setup is as follows:

1. web.php

Route::middleware(['auth:sanctum'])->group(function () {
    Route::put('auth/passwordUpdate', [AuthController::class, 'passwordUpdate']);
});

2. AuthController.php

<?php

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Auth;

class AuthController extends BaseController {
    public function passwordUpdate(Request $request) {
        $user = User::where('username', $this->user()->username)->first();

        if (! Hash::check($request->get('password'), $user->password)) {
            return response()->error('Incorrect password provided.');
        }

        try {
            $user->password = Hash::make($request->get('passwordNew'));
            $user->save();

            // Logout user from other devices if they have any active sessions there
            // *** Not working with sanctum at the moment and errors out as seen above
            Auth::logoutOtherDevices($request->get('passwordNew'));
        } catch (\Exception $e) {
            return $this->dbRollbackLogAndReturnError($e, $customErrorMessage);
        }

        return response()->success('You have updated your password successfully.');
    }
}

3. sanctum.php

<?php

use Laravel\Sanctum\Sanctum;

return [
    ...
    guard' => ['web'],
    ...
    'middleware' => [
        'authenticate_session' => Laravel\Sanctum\Http\Middleware\AuthenticateSession::class,
        'encrypt_cookies' => Illuminate\Cookie\Middleware\EncryptCookies::class,
        'validate_csrf_token' => Illuminate\Foundation\Http\Middleware\ValidateCsrfToken::class,
    ],
];

4. app.php

<?php

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Middleware;
use Illuminate\Foundation\Configuration\Exceptions;

return Application::configure(basePath: dirname(__DIR__))
    ->withProviders([
        ...
    ])
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        api: __DIR__.'/../routes/api.php',
        commands: __DIR__.'/../routes/console.php',
        channels: __DIR__.'/../routes/channels.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
      $middleware->statefulApi(); // sanctum
    })
    ->withExceptions(function (Exceptions $exceptions) {
        ...
    })->create();

Note: We're aware of this youtube video https://www.youtube.com/watch?v=iwq5YrNND0k from over 5 years ago, but we're looking for the correct Laravel 11 way to solve the issue without copying the core files and overriding them, since they can get out of sync with newer laravel versions.

Any idea how to get Auth::logoutOtherDevices($password); to work as intended without throwing an error when using Sanctum SPA session based authentication in Laravel 11?

LaryAI

1 year ago

Best Answer

Level 58

The issue you're encountering is due to the fact that Auth::logoutOtherDevices($password) is not available when using Sanctum's session-based authentication. This method is part of the Illuminate\Auth\SessionGuard, which is used by the default web guard, but not by Sanctum's RequestGuard.

To achieve the desired functionality of logging out from other devices when a password is changed, you can manually handle this by invalidating all other sessions for the user. Here's a step-by-step solution:

Use the Session facade to manage sessions:

You can manually delete all sessions for the user except the current one. This requires storing session IDs in the database and associating them with users.
Create a migration for sessions table:

If you haven't already, ensure you have a sessions table. You can create it using the following command:
```
php artisan session:table
php artisan migrate
```

Update the passwordUpdate method in AuthController:

Modify the method to manually delete other sessions for the user:

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Session;

public function passwordUpdate(Request $request) {
    $user = Auth::user();

    if (! Hash::check($request->get('password'), $user->password)) {
        return response()->json(['error' => 'Incorrect password provided.'], 400);
    }

    try {
        $user->password = Hash::make($request->get('passwordNew'));
        $user->save();

        // Get the current session ID
        $currentSessionId = Session::getId();

        // Delete all other sessions for the user
        DB::table('sessions')
            ->where('user_id', $user->id)
            ->where('id', '!=', $currentSessionId)
            ->delete();

    } catch (\Exception $e) {
        return response()->json(['error' => 'An error occurred while updating the password.'], 500);
    }

    return response()->json(['success' => 'You have updated your password successfully.']);
}

Ensure session driver is set to database:

Make sure your SESSION_DRIVER in .env is set to database:
```
SESSION_DRIVER=database
```
Update the Session model if necessary:

If you have a custom Session model, ensure it has a user_id column and is properly associated with the User model.

By following these steps, you should be able to log out users from other devices when they change their password, even when using Sanctum's session-based authentication.

1 like

Please or to participate in this conversation.