Passport token is still valid after revocation (even deletion)?

Posted 2 months ago by sustained

I have a test that:

  • creates a user
  • hits the login endpoint to get a token
  • hits the logout endpoint to revoke a token (tried deleting too)
  • hits the user endpoint to make sure the token was revoked (this part fails)

I don't understand what the problem is. I'm getting a 200 and the user data is being returned even after revoking (and/or deleting) the token.

This is the relevant part of the AuthController:

    public function logout(Request $request)
    {
        try {
            // Revoke the access token that authenticated this request, then delete its row.
            $request->user()->token()->revoke();
            $request->user()->token()->delete();

            return response()->json([
                'type' => 'logout_success',
                'message' => 'User logged out.'
            ]);
        } catch (\Exception $e) {
            // Fully qualified so the catch matches inside the controller namespace
            // even without a `use Exception;` import.
            return $this->respondWithGenericError($e);
        }
    }

And the relevant part of the test:

    <?php

    use Illuminate\Foundation\Testing\RefreshDatabase; // trait used below
    use Tests\TestCase;                                 // application test base class

    class AuthTest extends TestCase
    {
        use RefreshDatabase;

        protected function setUp() : void
        {
            parent::setUp();

            \Artisan::call('migrate');
            \Artisan::call('passport:install');
        }

        public function test_that_tokens_are_revoked_upon_logout()
        {
            $user = factory(\App\User::class)->create();

            $response = $this
                ->postJson('/api/auth/login', [
                    'email' => $user->email,
                    'password' => 'password' // NOTE: default password set by the User factory.
                ])
                ->assertJsonStructure([
                    'access_token',
                    'expires_at',
                    'token_type'
                ]);

            $this
                ->actingAs($user)
                ->getJson('/api/auth/logout', [
                    'Authorization' => 'Bearer ' . $response->json()['access_token']
                ])
                ->assertJsonFragment(['type' => 'logout_success']);

            // FIXME: Why do we get a 200?
            $this
                ->actingAs($user)
                ->getJson('/api/auth/user', [
                    'Authorization' => 'Bearer ' . $response->json()['access_token']
                ])
                ->assertStatus(401);

            // $this
            //     ->assertDatabaseHas('oauth_access_tokens', [
            //         'user_id' => $user->id,
            //         'revoked' => true
            //     ]);
        }
    }
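The following is an added example, not the poster's code and not Laravel's or Passport's own. It shows a logout that revokes the access token together with any refresh tokens issued with it (revoking only the access token leaves a refresh token able to mint a new one), and a test that authenticates every request with the bearer token alone instead of `actingAs()`, checks the persisted `revoked` flag, and clears the api guard's cached user before the final request. It assumes the routes from the post sit behind the `auth:api` middleware, Laravel's default `User` factory, and a Laravel version whose guards expose `forgetUser()`; `TokenRevocationTest` and the repository-based `logout()` are illustrative names.

```php
<?php
// --- app/Http/Controllers/AuthController.php (added example) ---
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Laravel\Passport\RefreshTokenRepository;
use Laravel\Passport\TokenRepository;

class AuthController extends Controller
{
    public function logout(Request $request, TokenRepository $tokens, RefreshTokenRepository $refreshTokens)
    {
        // The token that authenticated this request, attached by Passport's TokenGuard.
        $tokenId = $request->user()->token()->id;

        // Revoke the access token AND every refresh token issued with it;
        // otherwise a stolen refresh token still yields a fresh access token.
        $tokens->revokeAccessToken($tokenId);
        $refreshTokens->revokeRefreshTokensByAccessTokenId($tokenId);

        return response()->json([
            'type' => 'logout_success',
            'message' => 'User logged out.',
        ]);
    }
}

// --- tests/Feature/TokenRevocationTest.php (added example) ---
namespace Tests\Feature;

use App\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class TokenRevocationTest extends TestCase
{
    use RefreshDatabase;

    protected function setUp(): void
    {
        parent::setUp();
        \Artisan::call('passport:install'); // creates the personal access client used below
    }

    public function test_revoked_token_is_rejected_on_the_next_request()
    {
        $user = factory(User::class)->create();

        // Issue a token directly and send only the bearer header: no actingAs(),
        // so nothing but the token can authenticate these requests.
        $headers = ['Authorization' => 'Bearer ' . $user->createToken('test')->accessToken];

        // Establish that the token works before revoking it, so the 401 below is meaningful.
        $this->getJson('/api/auth/user', $headers)->assertOk();

        $this->getJson('/api/auth/logout', $headers)
            ->assertJsonFragment(['type' => 'logout_success']);

        // Check the persisted state, not just the HTTP response.
        $this->assertDatabaseHas('oauth_access_tokens', ['user_id' => $user->id, 'revoked' => true]);
        $this->assertDatabaseMissing('oauth_access_tokens', ['user_id' => $user->id, 'revoked' => false]);

        // Assumption: every request in one test shares one application instance, and the
        // api guard keeps the user it already resolved, so clear it to make the next
        // request re-validate the token as a fresh HTTP request would.
        $this->app['auth']->guard('api')->forgetUser();

        $this->getJson('/api/auth/user', $headers)->assertStatus(401);
    }
}
```

The two database assertions are the part worth keeping even if the HTTP assertion is still being debugged: they separate "the row was never revoked" (a controller problem) from "the row is revoked but the request is still accepted" (a guard or test-harness problem).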
