anonymox

laravel passport revoke and prune event listener is not doing anything

I've added these two event listeners to my EventServiceProvider:

    /**
     * The event listener mappings for the application.
     *
     * @var array
     */
    protected $listen = [
        'Laravel\Passport\Events\AccessTokenCreated' => [
            'App\Listeners\RevokeOldTokens',
        ],
    
        'Laravel\Passport\Events\RefreshTokenCreated' => [
            'App\Listeners\PruneOldTokens',
        ],
    ];

And in my AuthServiceProvider I have:

     public function boot()
        {
            $this->registerPolicies();
    
            Passport::routes();
            passport::$revokeOtherTokens;
            passport::$pruneRevokedTokens;
            Passport::tokensExpireIn(Carbon::now()->addDays(1));
            Passport::refreshTokensExpireIn(Carbon::now()->addDays(2));
    
        }

I want Passport to revoke all other user access tokens and then prune them if they are revoked. But nothing is happening, and every time I request an access token from Postman I get a new access token while there are several access tokens in the database.

0 likes
4 replies
anonymox
OP
Best Answer
Level 1

I've solved my problem this way:

Step 1 - In EventServiceProvider you should change the path to the access token created and also the refresh token created events:

    protected $listen = [
        'Laravel\Passport\Events\AccessTokenCreated' => [
            'App\Listeners\RevokeOldTokens',
        ],

        'Laravel\Passport\Events\RefreshTokenCreated' => [
            'App\Listeners\PruneOldTokens',
        ],
    ];

Step 2 - Generate these two event listeners:

    php artisan event:generate

Step 3 - Modify the AccessTokenCreated & RefreshTokenCreated event handle methods:

    <?php

    namespace App\Listeners;

    use Laravel\Passport\Events\AccessTokenCreated;
    use Illuminate\Queue\InteractsWithQueue;
    use Illuminate\Contracts\Queue\ShouldQueue;
    use DB;

    class RevokeOldTokens
    {
        /**
         * Create the event listener.
         *
         * @return void
         */
        public function __construct()
        {
            //
        }

        /**
         * Handle the event.
         *
         * @param  AccessTokenCreated  $event
         * @return void
         */
        public function handle(AccessTokenCreated $event)
        {
            DB::table('oauth_access_tokens')
                ->where('id', '<>', $event->tokenId)
                ->where('user_id', $event->userId)
                ->where('client_id', $event->clientId)
                ->update(['revoked' => true]);
        }
    }

    <?php

    namespace App\Listeners;

    use Laravel\Passport\Events\RefreshTokenCreated;
    use Illuminate\Queue\InteractsWithQueue;
    use Illuminate\Contracts\Queue\ShouldQueue;
    use DB;

    class PruneOldTokens
    {
        /**
         * Create the event listener.
         *
         * @return void
         */
        public function __construct()
        {
            //
        }

        /**
         * Handle the event.
         *
         * @param  RefreshTokenCreated  $event
         * @return void
         */
        public function handle(RefreshTokenCreated $event)
        {
            DB::table('oauth_refresh_tokens')
                ->where('id', '<>', $event->refreshTokenId)
                ->where('access_token_id', '<>', $event->accessTokenId)
                ->update(['revoked' => true]);
        }
    }

After these steps, if I send any request to my project it will check for tokens, and if there is another token it will revoke it and make it unauthorized.

3 likes
besrabasant

This works... But when refreshing an access token using the refresh token, a new access token is created and also a new refresh token is created. Eventually, while revoking the old access token, the old, not expired, refresh token also gets revoked.

But the refresh token must be revoked only when the refresh token has expired.

1 like
pierrocknroll

@anonymox Your PruneOldTokens code can't work... Your application has multiple users and with your example, all the refresh tokens of all the users will be revoked when one refresh token is created...

1 like
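
A refresh-token listener scoped to a single user and client, which is the gap pointed out in the last reply. This is an added example, not code from the thread or from Passport itself: the class name `RevokeOldRefreshTokens` is hypothetical, and it assumes Passport's default table names and that the access-token row has already been written when `RefreshTokenCreated` fires.

```php
<?php

namespace App\Listeners;

use Illuminate\Support\Facades\DB;
use Laravel\Passport\Events\RefreshTokenCreated;

// Hypothetical listener name; register it for RefreshTokenCreated.
class RevokeOldRefreshTokens
{
    /**
     * Revoke the other refresh tokens of the same user and client only.
     *
     * @param  RefreshTokenCreated  $event
     * @return void
     */
    public function handle(RefreshTokenCreated $event)
    {
        // Find who owns the access token the new refresh token belongs to.
        $current = DB::table('oauth_access_tokens')
            ->where('id', $event->accessTokenId)
            ->first(['user_id', 'client_id']);

        // No row or no user: there is nothing safe to scope the update to.
        if ($current === null || $current->user_id === null) {
            return;
        }

        DB::table('oauth_refresh_tokens')
            ->where('id', '<>', $event->refreshTokenId)
            ->where('revoked', false)
            // Limit the update to refresh tokens whose access token has
            // the same user_id and client_id as the one just issued.
            ->whereIn('access_token_id', function ($query) use ($current, $event) {
                $query->select('id')
                    ->from('oauth_access_tokens')
                    ->where('user_id', $current->user_id)
                    ->where('client_id', $current->client_id)
                    ->where('id', '<>', $event->accessTokenId);
            })
            ->update(['revoked' => true]);
    }
}
```

Without the `whereIn` subquery the update matches every row in `oauth_refresh_tokens` except the newest one, regardless of which user owns it.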