tymondesigns / jwt-auth

🔐 JSON Web Token Authentication for Laravel & Lumen
https://jwt-auth.com
MIT License
11.27k stars, 1.55k forks

`logout` and `invalidate` simply won't work #1972

Open khooz opened 4 years ago

khooz commented 4 years ago

Subject of the issue

Hi,

As the title says, logout and invalidate do not work. Blacklisting is on, but JWT does not record any token as blacklisted at all.

Your environment

| Q | A |
| --- | --- |
| Bug? | maybe |
| New Feature? | no |
| Framework | Laravel |
| Framework version | 6.x |
| Package version | 1.0.0 |
| PHP version | 7.4.0 |

Steps to reproduce

  1. Use `attempt` to generate a token.
  2. Use `auth()->logout()` or `auth()->logout(true)` to invalidate the token.
  3. Try `auth()->check()` on the invalidated token; it returns true.

Expected behaviour

An invalidated token should not be valid.

Actual behaviour

The invalidated token is valid. Also note that my cache is Redis, and it stores sessions, queue jobs etc. ... but there are no JWT sets. There is also no blacklist in any files governed by other storage drivers.
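A regression test for the three reproduction steps above, added here as an example; it is not code from the issue or from the jwt-auth project. It assumes a Laravel 6 app with the `api` guard set to the `jwt` driver, an `App\User` Eloquent model backed by a `users` table with `name`/`email`/`password` columns, and the package's default config with the blacklist enabled. The test class name and the credentials are constructed for the example.

```php
<?php
// Added regression test for the reproduction steps in the issue; not from the
// issue or the jwt-auth project. Assumes a Laravel 6 app with the 'api' guard
// using the 'jwt' driver, an App\User model backed by a users table with
// name/email/password columns, and the package's default config (blacklist
// enabled). The class name and the credentials are constructed for the example.

namespace Tests\Feature;

use App\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Hash;
use Tests\TestCase;
use Tymon\JWTAuth\Facades\JWTAuth;

class JwtLogoutInvalidatesTokenTest extends TestCase
{
    use RefreshDatabase;

    public function testLoggedOutTokenIsRejected(): void
    {
        // forceCreate() bypasses $fillable, so the test does not depend on the
        // model's mass-assignment settings.
        User::forceCreate([
            'name' => 'jwt-test',
            'email' => 'jwt-test@example.com',
            'password' => Hash::make('correct-horse'),
        ]);

        // Step 1: attempt() returns the signed token string on success (false otherwise).
        $token = auth('api')->attempt([
            'email' => 'jwt-test@example.com',
            'password' => 'correct-horse',
        ]);
        $this->assertIsString($token);

        // Sanity check: the token verifies before logout.
        $this->assertTrue(JWTAuth::setToken($token)->check());

        // Step 2: logout() invalidates the guard's current token by adding its
        // jti to the blacklist.
        auth('api')->logout();

        // Step 3: the same token must now be refused. check() catches the
        // package's JWTException subclasses (including the blacklisted-token
        // exception) and returns false. If the blacklist entry is never
        // stored, this is the assertion that fails.
        $this->assertFalse(JWTAuth::setToken($token)->check());
    }
}
```

Run it with `vendor/bin/phpunit --filter JwtLogoutInvalidatesTokenTest`. Keeping this test in the suite turns the silent failure reported here (a logged-out token that still authenticates until its `exp`) into a red build rather than something discovered by inspecting Redis.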

MarJose123 commented 4 years ago

Yeah, I also encountered this issue. Here is a temporary solution for that: use the composer stage `dev-develop` and just use:

for login

JWTAuth::attempt($credentials)

for logout

JWTAuth::invalidate();

for refresh token

$token = JWTAuth::refresh();

alfaben12 commented 4 years ago

JWTAuth::invalidate();

"A token is required". I am working with Lumen 7.x.

alfaben12 commented 4 years ago

Sorry, my bad, I forgot to send the token.

stale[bot] commented 3 years ago

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

mvalitov commented 3 years ago

> Yeah, I also encountered this issue. Here is a temporary solution for that: use the composer stage `dev-develop` and just use:
>
> for login
>
> JWTAuth::attempt($credentials)
>
> for logout
>
> JWTAuth::invalidate();
>
> for refresh token
>
> $token = JWTAuth::refresh();

This issue is still relevant, even on dev-develop. Any ideas for a solution?

GoldenCodeRam commented 5 months ago

I found something related to this with this function:

```php
# tymon/jwt-auth/src/Blacklist.php

# ...

/**
 * Get the number of minutes until the token expiry.
 *
 * @param  \Tymon\JWTAuth\Payload  $payload
 * @return int
 */
protected function getMinutesUntilExpired(Payload $payload)
{
    $exp = Utils::timestamp($payload['exp']);
    $iat = Utils::timestamp($payload['iat']);

    // get the latter of the two expiration dates and find
    // the number of minutes until the expiration date,
    // plus 1 minute to avoid overlap
    return $exp->max($iat->addMinutes($this->refreshTTL))->addMinute()->diffInRealMinutes();
}
```

# ...

The base implementation uses the `Illuminate\Cache\Repository::put()` method for storing the blacklisted token in the cache table (using the database driver, of course). Now, the problem is that:

```php
return $exp->max($iat->addMinutes($this->refreshTTL))->addMinute()->diffInRealMinutes();
# >>> -20152.975287983
```

is returning a negative value. This is expected, as per the Carbon documentation. And looking at the `Illuminate\Cache\Repository::put()` method body, when the value is negative, it actually forgets the item.

Is this expected?

[Edit]

If I get the absolute value of the returned diffInRealMinutes, it seems to work. The token is correctly added to the cache and the logout works as expected.
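The failure chain described in the comment above, reproduced as an added example; this is not code from the jwt-auth project or from the commenter. It re-implements the TTL arithmetic of the quoted `getMinutesUntilExpired()` on plain Unix timestamps (no Carbon dependency), shows that a signed "from the expiry instant to now" diff is negative for every token that is still valid, and mirrors the `Cache::put()` rule that a TTL of zero or less forgets the key instead of storing it. It also shows a corrected TTL that counts minutes from now until the expiry instant and clamps at zero, which avoids the mirror problem of `abs()`: an already-expired token would otherwise get a positive TTL and be stored needlessly. The function and class names, the `jwt.blacklist.` key prefix and the sample payload are all hypothetical.

```php
<?php
// Added example, not code from the jwt-auth project or from the comment above.
// It re-implements the TTL arithmetic of the quoted getMinutesUntilExpired()
// with plain Unix timestamps (no Carbon dependency), reproduces the negative
// "minutes until expiry" that a signed diff yields for a still-valid token,
// and mirrors the Cache::put() rule that a TTL <= 0 forgets the key.
// The function and class names, the 'jwt.blacklist.' key prefix and the sample
// payload are all hypothetical.
declare(strict_types=1);

// Instant after which the blacklist entry may expire: the later of exp and
// iat + refresh TTL, plus one minute of slack, as in the library code.
function blacklistUntil(array $payload, int $refreshTtlMinutes): int
{
    return max($payload['exp'], $payload['iat'] + $refreshTtlMinutes * 60) + 60;
}

// Signed diff in the direction the comment observed: "from $instant to now".
// For an instant in the future this is negative.
function signedMinutesFromNow(int $instant, int $now): int
{
    return intdiv($now - $instant, 60);
}

// TTL as posted: a signed diff, so a live token produces a negative TTL.
function blacklistTtlAsPosted(array $payload, int $refreshTtlMinutes, int $now): int
{
    return signedMinutesFromNow(blacklistUntil($payload, $refreshTtlMinutes), $now);
}

// Corrected TTL: minutes from now until the instant, rounded up so the entry
// outlives the token, and clamped at zero for tokens that already expired
// (abs() would instead store those with a bogus positive TTL).
function blacklistTtlFixed(array $payload, int $refreshTtlMinutes, int $now): int
{
    $seconds = blacklistUntil($payload, $refreshTtlMinutes) - $now;
    return max(0, (int) ceil($seconds / 60));
}

// Minimal stand-in for Illuminate\Cache\Repository: put() with a TTL of zero
// or less removes the key instead of storing it, which is why the blacklist
// entry silently never appears in Redis or the cache table.
final class TtlCache
{
    /** @var array<string, array{value: mixed, expires: int}> */
    private $items = [];
    /** @var int */
    private $now;

    public function __construct(int $now)
    {
        $this->now = $now;
    }

    public function put(string $key, $value, int $ttlMinutes): bool
    {
        if ($ttlMinutes <= 0) {
            unset($this->items[$key]);
            return false;
        }
        $this->items[$key] = ['value' => $value, 'expires' => $this->now + $ttlMinutes * 60];
        return true;
    }

    public function has(string $key): bool
    {
        return isset($this->items[$key]) && $this->items[$key]['expires'] > $this->now;
    }
}

// Run the logout path with a given TTL function and report whether a later
// blacklist lookup for the same jti would find the entry.
function isBlacklistedAfterLogout(callable $ttl, array $payload, int $refreshTtlMinutes, int $now): bool
{
    $cache = new TtlCache($now);
    $key = 'jwt.blacklist.' . $payload['jti'];
    $cache->put($key, ['valid_until' => $now], $ttl($payload, $refreshTtlMinutes, $now));
    return $cache->has($key);
}

// Constructed sample: a token issued now with a 60-minute TTL and the package's
// default two-week refresh window (20160 minutes).
$now = time();
$payload = ['jti' => 'sample-jti', 'iat' => $now, 'exp' => $now + 3600];

foreach (['blacklistTtlAsPosted', 'blacklistTtlFixed'] as $fn) {
    printf(
        "%-20s ttl=%6d  blacklisted after logout: %s\n",
        $fn,
        $fn($payload, 20160, $now),
        isBlacklistedAfterLogout($fn, $payload, 20160, $now) ? 'yes' : 'NO'
    );
}
```

Run with `php example.php`. The first line shows the as-posted TTL going negative and the toy cache dropping the key, which is the "no JWT sets in Redis" symptom from the original report; the second shows the clamped TTL keeping the entry. Note the fix is deliberately `max(0, ...)` rather than `abs()`: the sign only tells you which way the diff was computed, and flipping it for expired tokens would write entries that nothing ever reads.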