filamentphp / filament

A collection of beautiful full-stack components for Laravel. The perfect starting point for your next app. Using Livewire, Alpine.js and Tailwind CSS.
https://filamentphp.com
MIT License

Logout button logs out from all panels, not just the current (authguard) one #9459

Closed bernhardh closed 11 months ago

bernhardh commented 11 months ago

Package

filament/filament

Package Version

v3.0.89

Laravel Version

v10.30.1

Livewire Version

v3.1.0

PHP Version

8.1.25

Problem description

When creating 2 panels, which both have their own auth guard, you can separately log in to them (which is expected), but a click on logout in one panel results in a logout in all panels.

Expected behavior

After login in panel1, I want to stay logged in in panel2

Steps to reproduce

TLDR:

Use my demo repo's branch "issue/multi-logout".

  1. Login to admin panel under http://127.0.0.1:8000/admin/login
  2. Login to partner panel under http://127.0.0.1:8000/partner/login
  3. Now you are logged in in both = OK
  4. Logout in admin panel
  5. Now you are logged out from both = BAD

Sidenotes

This issue only occurs when having the panels on the same domain/host. When using subdomains, logging out separately works.

Long story

You can find everything in the dead simple repository. To sum up:

I created a fresh new project and added two panels: admin and partners with make-command. I added a new auth guard partner:

    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],
        'partner' => [
            'driver' => 'session',
            'provider' => 'users',
        ],
    ],

and set it as authGuard to the partner panel:

    return $panel
        ->id('partner')
        ->brandName("Partner")
        ->path('partner')
        ->authGuard("partner")
        ->login()

Reproduction repository

https://github.com/bernhardh/test-filament-multi/tree/issue/multi-logout

Relevant log output

There is no log output.

bernhardh commented 11 months ago

See the Discord discussion as a ref: https://discord.com/channels/883083792112300104/1154454720354713630

github-actions[bot] commented 11 months ago

Hey @bernhardh! We're sorry to hear that you've hit this issue. 💛

However, it doesn't look like you've provided much information on how to replicate the issue. Please edit your original post with clear steps we need to take.

danharrin commented 11 months ago

It is because the session is invalidated and the token is regenerated. This invalidates all other auth state. I don't think there is anything we can do to avoid this.

zepfietje commented 11 months ago

There is actually a way around this (which I've implemented in one of my own non-Filament projects). After the session has been regenerated, we could dispatch an event to the front end which sets the new CSRF token.
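
The mechanism danharrin describes, and the stale-token problem zepfietje's suggestion targets, as a plain-PHP model added here (not part of the thread, and not Laravel or Filament code). `ModelSession`, the `login_<guard>` key name and `logoutGuardOnly` are constructed for illustration; the model assumes both panels share one host and therefore one session.

```php
<?php
// Simplified model, not Laravel or Filament source. Assumption: both panels share
// one host, so one session cookie and one session store serve every guard.
final class ModelSession
{
    public array $data = [];

    public function __construct() { $this->regenerateToken(); }

    // New CSRF token; pages rendered earlier still hold the old one.
    public function regenerateToken(): void { $this->data['_token'] = bin2hex(random_bytes(20)); }

    // Models invalidation: every key goes, including other guards' logins.
    public function invalidate(): void { $this->data = []; }
}

// Each session guard stores its login under its own key (key name is constructed).
function login(ModelSession $s, string $guard, int $userId): void { $s->data["login_{$guard}"] = $userId; }
function check(ModelSession $s, string $guard): bool { return isset($s->data["login_{$guard}"]); }

// Logout as described in the thread: guard logout, invalidate, regenerate token.
function logoutAndInvalidate(ModelSession $s, string $guard): void
{
    unset($s->data["login_{$guard}"]);
    $s->invalidate();
    $s->regenerateToken();
}

// Hypothetical per-guard variant: remove only this guard's key, still rotate the token.
function logoutGuardOnly(ModelSession $s, string $guard): void
{
    unset($s->data["login_{$guard}"]);
    $s->regenerateToken();
}

foreach (['logoutAndInvalidate', 'logoutGuardOnly'] as $logout) {
    $session = new ModelSession();
    login($session, 'web', 1);      // admin panel
    login($session, 'partner', 1);  // partner panel
    $partnerPageToken = $session->data['_token']; // token embedded in an open partner page

    $logout($session, 'web');

    printf(
        "%-20s partner logged in: %-5s  open partner page token valid: %s\n",
        $logout,
        var_export(check($session, 'partner'), true),
        var_export(hash_equals($session->data['_token'], $partnerPageToken), true)
    );
}
```

In the per-guard variant the partner login survives, but the open partner page still carries the old token, which is the gap a front-end token update would close. That variant also leaves the session ID and any other session data in place, so it trades a full reset for isolation between guards.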