Open khooz opened 4 years ago
JWTAuth::invalidate();
"A token is required". I am working with Lumen 7.x.
Sorry my bad, I forgot to send token
Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Yeah, I also encountered this issue. Here is the temporary solution for that: use the composer stage: dev-develop

Just use:

For login:
    JWTAuth::attempt($credentials)
For logout:
    JWTAuth::invalidate();
For refresh token:
    $token = JWTAuth::refresh();
This issue is still relevant, even on dev-develop. Any ideas for a solution?
I found something related to this with this function:
    # tymon/jwt-auth/src/Blacklist.php
    # ...
    /**
     * Get the number of minutes until the token expiry.
     *
     * @param \Tymon\JWTAuth\Payload $payload
     * @return int
     */
    protected function getMinutesUntilExpired(Payload $payload)
    {
        $exp = Utils::timestamp($payload['exp']);
        $iat = Utils::timestamp($payload['iat']);
        // get the latter of the two expiration dates and find
        // the number of minutes until the expiration date,
        // plus 1 minute to avoid overlap
        return $exp->max($iat->addMinutes($this->refreshTTL))->addMinute()->diffInRealMinutes();
    }
    # ...
The base implementation is using the Illuminate/Cache/Repository.html#method_put method for storing the blacklisted token in the cache table, using the database driver, of course. Now, the problem is that the:

    return $exp->max($iat->addMinutes($this->refreshTTL))->addMinute()->diffInRealMinutes();
    # >>> -20152.975287983

is returning a negative value. This is expected, as per the Carbon documentation. And looking at the Illuminate\Cache\Repository::put() method body, when the value is negative, it actually forgets the item.

Is this expected?
[Edit]
If I get the absolute value of the returned diffInRealMinutes, it seems to work. The token is correctly added to the cache and the logout works as expected.
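
The failure mode described in the comment above, reproduced as an added example that is not part of the original thread and is not tymon/jwt-auth or Laravel code. `DemoCache`, `blacklistUntil` and `blacklist` are hypothetical names, the claims are constructed sample values, and the stand-in cache models only the "non-positive TTL forgets the item" behaviour the comment reports.

```php
<?php
// Constructed stand-in for a cache repository. It models only the behaviour
// described in the comment above: a TTL of zero or less forgets the key.
final class DemoCache
{
    private array $items = [];   // key => expiry timestamp

    public function put(string $key, int $ttlSeconds, int $now): bool
    {
        if ($ttlSeconds <= 0) {
            unset($this->items[$key]);   // dropped, not stored
            return false;
        }
        $this->items[$key] = $now + $ttlSeconds;
        return true;
    }

    public function has(string $key, int $now): bool
    {
        return isset($this->items[$key]) && $this->items[$key] > $now;
    }
}

// Latest moment the token could still be used or refreshed, plus one minute,
// mirroring the max(exp, iat + refresh TTL) logic quoted above.
function blacklistUntil(int $exp, int $iat, int $refreshTtlMinutes): int
{
    return max($exp, $iat + $refreshTtlMinutes * 60) + 60;
}

// Returns true only if the token is already past $until or the entry can be
// read back, so a logout built on it fails closed.
function blacklist(DemoCache $cache, string $jti, int $until, int $now): bool
{
    $ttl = $until - $now;            // explicit "expiry minus now"
    if ($ttl <= 0) {
        return true;                 // nothing left to revoke
    }
    $cache->put($jti, $ttl, $now);
    return $cache->has($jti, $now);
}

// Constructed claims: issued 8 minutes ago, 60 minute lifetime, 20160 minute refresh window.
$now = 1700000000; $iat = $now - 480; $exp = $iat + 3600;
$until = blacklistUntil($exp, $iat, 20160);
$cache = new DemoCache();
$cache->put('jti-demo', $now - $until, $now);   // signed "now minus expiry" is negative
var_dump($cache->has('jti-demo', $now));        // check whether the entry landed
var_dump(blacklist($cache, 'jti-demo', $until, $now));
```

Unlike taking the absolute value, computing "expiry minus now" directly keeps the sign meaningful: a token that is already past its refresh window is skipped rather than cached for a positive TTL.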
Subject of the issue
Hi,
As the title said, logout and invalidate does not work. The blacklisting is on but JWT does not record any token as blacklisted at all.
Your environment
Steps to reproduce
1. attempt to generate a token.
2. auth()->logout() or auth->logout(true) to invalidate a token.
3. auth()->check() on invalidated token and it returns true
Expected behaviour
An invalidated token should not be valid.
Actual behaviour
The invalidated token is valid. Also noting that my cache is Redis, and it stores sessions and queue jobs etc. ... but there are no JWT sets. Also no blacklist in any files governed by other storage drivers.