Open mohph197 opened 6 months ago
It also breaks the logout functionality
..... the "diffInRealMinutes" Carbon method is used, I didn't find it anywhere in Carbon's actual Doc https://github.com/briannesbitt/Carbon/blob/34ccf6f6b49c915421c7886c88c0cb77f3ebbfd2/src/Carbon/Traits/Date.php#L2595
the "diffInRealMinutes" is the same as "diffInMinutes"
please how does the token invalidate works , do we store them in a table of balcklists or what?
This is my solution and it's work.
(-) 'storage' => Tymon\JWTAuth\Providers\Storage\Illuminate::class,
(+) 'storage' => App\Storage\JWTStorage::class,
App\Storage\JWTStorage.php script:
namespace App\Storage;
use Tymon\JWTAuth\Providers\Storage\Illuminate;
class JWTStorage extends Illuminate { public function add($key, $value, $minutes) { parent::add($key, $value, abs($minutes)); } }
Since blacklisting/invalidating using cache mechanism, then artisan cache:clear will erase all blacklist entries. To avoid it, we can tweak above script to targeting into another store (example 'redis_blacklist'):
use Illuminate\Contracts\Cache\Repository as CacheContract; use Tymon\JWTAuth\Providers\Storage\Illuminate;
class JWTStorageProvider extends Illuminate { protected $cache;
public function __construct(CacheContract $cache) {
$this->cache = cache()->store('redis_blacklist');
}
public function add($key, $value, $minutes) {
parent::add($key, $value, abs($minutes));
}
}
of course the solution above is better solved by jwt-auth, including changing the use of blacklist storage with config/jwt.php.
_Just simply do the best, hoping for the best and let God take the rest._
Subject of the issue
When invalidating a token, an amount of minutes is calculated to specify how much the token should stay in the Blacklist The problem is in the way it's calculated seems wrong, at least in my case it was wrong it just needs to be turned to positive before returning, and also for some reason the "diffInRealMinutes" Carbon method is used, I didn't find it anywhere in Carbon's actual Doc
Your environment
Steps to reproduce
Try logging in with the
login
, and then using therefresh
routeExpected behavior
Here the token from
login
should be invalidated by default So you should expect a new entry in thecache
table in the database (if all the configurations are exactly as the defaults of Laravel 11.x)Actual behavior
No entry is introduced, and the token is still valid (you can actually perform many consecutive calls to
refresh
with the same token)