
rdesilve

Keep getting a 401 unauthorized error upon /logout

I don't want to use Blade and use ReactJS instead, and using Axios I'm sending a POST request to /logout, but I keep getting a 401 unauthorized error.

This is what I use when I send the request via Axios:

axios({
  method: "POST",
  url: "/logout",
  data: {
    _token: "Ot9jWW7YgpTI9ppm3axLkMTxKW9huRzJw8f0nTUF"
  },
  headers: {
    Accept: "application/json",
    "Content-Type": "application/json",
    "X-CSRF-TOKEN": "Ot9jWW7YgpTI9ppm3axLkMTxKW9huRzJw8f0nTUF"
  }
});

I added X-CSRF-TOKEN in the headers and _token as data just to be sure it would work. But I still get GET http://localhost/App/ 401 (Unauthorized). I am copying what is going on when a post is made in the original Blade template when you 'logout'.

Although it does log out the user, it just throws this error in the console: Uncaught (in promise) Error: Request failed with status code 401. Why is this happening?

Edit: This is on Laravel 5.5

0 likes
22 replies
Cronix

method:"POST"

Logout route is a get request.

rdesilve

@Cronix That's strange; when I looked at the Auth routes I see this: $this->post('logout', 'Auth\LoginController@logout')->name('logout');

Edit: Yeah, I just tested this; it's a 401, not a 405 (method not allowed).

tykus

Logout route is a get request.

You sure about that, @Cronix?

The 401 suggests that the request was not authenticated. How are you typically authenticating; token or cookies?

Or, are you using an authorization middleware in the route/controller?

Cronix

Strange. It is a post request. I was looking at an older version of Laravel and just did an artisan route:list where only Auth::routes() was defined. Edit: never mind, this was a Laravel Spark project, which alters things a bit.

1 like
tykus

token and cookies

Really? In that case, how are you passing the token? I don't see it in the headers or on the URI.

rdesilve

@tykus

headers: {
  Accept: "application/json",
  "Content-Type": "application/json",
  "X-CSRF-TOKEN": "Ot9jWW7YgpTI9ppm3axLkMTxKW9huRzJw8f0nTUF"
}

This works for all other requests when a user is authenticated; it even works for logging in and registering. Just not logout.

Which is also why I added this:

data: {
  _token: "Ot9jWW7YgpTI9ppm3axLkMTxKW9huRzJw8f0nTUF"
}

Just to be sure, since this is in the default 'out of the box' Blade template for {{ csrf_field() }}.

tykus

A CSRF token !== authentication token.

Can you show route and controller?

rdesilve

@tykus The routes are from Auth::routes(); and the controller:

<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;

class LoginController extends Controller
{
    /*
    |--------------------------------------------------------------------------
    | Login Controller
    |--------------------------------------------------------------------------
    |
    | This controller handles authenticating users for the application and
    | redirecting them to your home screen. The controller uses a trait
    | to conveniently provide its functionality to your applications.
    |
    */

    use AuthenticatesUsers;

    /**
     * Where to redirect users after login.
     *
     * @var string
     */
    protected $redirectTo = '/';

    /**
     * Create a new controller instance.
     *
     * @return void
     */
    public function __construct()
    {
        // Every action except logout is restricted to guests.
        $this->middleware('guest')->except('logout');
    }
}

rdesilve

@tykus

A CSRF token !== authentication token.

What do you mean? Why then is the csrf_token being included in the form in the original Blade? It's just a POST with that token in it.

tykus

The logout route requires an authenticated user, so this middleware should work... but perhaps it is not?

$this->middleware('guest')->except('logout');

Can you remove this controller middleware, and create a logout route with auth middleware before Auth::routes() in your routes file?

rdesilve

@tykus What really is strange is that the user IS logged out after I refresh the page. But of course I get this 401 before I refresh. So it's working, but at the same time I'm getting this 401.

rdesilve

CSRF is not for authentication; it is to mitigate the threat of cross-site request forgery.

I know. I'm just duplicating the form in the Blade template. I'm going to try one more thing. You mentioned that you don't see _token in the URI. I'll try that first and see what happens.

I think Axios takes data and parses that to JSON, and that is part of the body of the request and not the URI.

tykus

The token I mentioned earlier would be a JWT or similar, nothing to do with CSRF; you seem to be confusing the two different types of token from my responses.

rdesilve

I mean I could probably just hack this and force a refresh on the browser after the request is sent. Like I mentioned, it logs the user out; I just get a 401 error:

GET http://localhost/App/ 401 (Unauthorized)

Which I think makes sense; this route is for authenticated users only. What is still strange is that I don't just get kicked to the login page.

tykus

So the logout action is actually working? I didn't understand that from earlier! What is the response of the action: the typical redirect to /? Check your browser's devtools.

Also, is GET http://localhost/App/ auth-protected?

You will need to handle the redirection differently (or not at all) depending on your app's needs, because the 3xx response code will not be understood by your JavaScript. If you need to, you can redirect in JavaScript using:

window.location = '/'

But why not simply use the standard request/response cycle in that case?

rdesilve

So the logout action is actually working? I didn't understand that from earlier! What is the response of the action: the typical redirect to /? Check your browser's devtools.

Yeah... that was in my original post. It's working, but instead of just a nice redirect I get that 401. And yes, the root / is auth protected. Normally Laravel will boot you to /login if you try to access this, which it does. But after logging out it just sends a 401 from a GET. So there is no response except {message:"Unauthenticated."}

tykus (Best Answer)

In 5.5, you can override the logout method in the LoginController to set a different redirection after successfully logging out.

// Requires `use Illuminate\Http\Request;` at the top of LoginController.

/**
 * Log the user out of the application.
 *
 * @param  \Illuminate\Http\Request  $request
 * @return \Illuminate\Http\Response
 */
public function logout(Request $request)
{
    $this->guard()->logout();
    $request->session()->invalidate();
    return redirect('/'); // redirect somewhere else that a guest can visit
}
1 like
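The accepted answer still returns a 302 to an XHR client, so the browser follows it and any auth-protected destination comes back as 401 with Accept: application/json. The following is an added example, not code from the thread or from Laravel itself, that extends the override in two ways: it answers Axios with JSON (no redirect for the browser to follow), and it regenerates the CSRF token after invalidating the session and hands the new token back, so the SPA can keep posting (for example to /login) without a full page reload. The `redirect` value and the `/login` target are assumptions; any route a guest may visit works. `expectsJson()`, `invalidate()`, `regenerateToken()` and `token()` are standard Laravel 5.5 methods.

```php
<?php
// app/Http/Controllers/Auth/LoginController.php (added example, not the thread's code)

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    /** Where to redirect users after login. */
    protected $redirectTo = '/';

    public function __construct()
    {
        // Login is for guests only; logout is the one action an authenticated user calls.
        $this->middleware('guest')->except('logout');
    }

    /**
     * Overrides AuthenticatesUsers::logout().
     *
     * For an XHR client (Axios sends Accept: application/json) we return JSON
     * instead of a 302, so the browser never follows a redirect into an
     * auth-protected page and the client never sees a spurious 401.
     */
    public function logout(Request $request)
    {
        $this->guard()->logout();

        // Drop the old session: new session id, all session data flushed.
        $request->session()->invalidate();

        // Mint a fresh CSRF token for the now-guest session. After invalidate()
        // the old X-CSRF-TOKEN the SPA still holds would fail with 419 on the
        // next POST, so hand the new one back to the client.
        $request->session()->regenerateToken();

        if ($request->expectsJson()) {
            return response()->json([
                'message'    => 'Logged out.',
                'csrf_token' => $request->session()->token(),
                'redirect'   => '/login', // assumed guest-visitable page
            ]);
        }

        // Classic form POST from a Blade template: redirect to a page a guest may visit.
        return redirect('/login');
    }
}
```

On the client, the Axios `.then()` handler updates `axios.defaults.headers.common['X-CSRF-TOKEN']` from `res.data.csrf_token` and then sets `window.location = res.data.redirect`, which is the JavaScript-side redirect tykus describes above. Because the response is a 200 with a JSON body, the promise resolves instead of rejecting, and the 401 from the follow-up GET to / never happens.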
rdesilve

In 5.5, you can override the logout method in the LoginController to set a different redirection after successfully logging out.

Perfect! That worked. I get a response with the redirect URL; the response status is OK.
