
`logout` and `invalidate` simply won't work

Open khooz opened this issue 5 years ago • 6 comments

Subject of the issue

Hi,

As the title said, logout and invalidate does not work. The blacklisting is on but JWT does not record any token as blacklisted at all.

Your environment

Q                  A
Bug?               maybe
New Feature?       no
Framework          Laravel
Framework version  6.x
Package version    1.0.0
PHP version        7.4.0

Steps to reproduce

  1. Use attempt to generate a token.
  2. Use auth()->logout() or auth()->logout(true) to invalidate a token.
  3. Try auth()->check() on the invalidated token and it returns true.

Expected behaviour

An invalidated token should not be valid.

Actual behaviour

The invalidated token is valid. Also noting that my cache is Redis, and it stores sessions and queue jobs etc. ... but there are no JWT sets. Also no blacklist in any files governed by other storage drivers.

khooz avatar Apr 08 '20 03:04 khooz

Yeah, I also encountered this issue. Here is the temporary solution for that: use the composer stage dev-develop, then just use:

for login

JWTAuth::attempt($credentials)

for logout

JWTAuth::invalidate();

for refresh token

$token = JWTAuth::refresh();

MarJose123 avatar Apr 13 '20 02:04 MarJose123

JWTAuth::invalidate();

"A token is required" — I am working with Lumen 7.x.

alfaben12 avatar Jul 14 '20 09:07 alfaben12

JWTAuth::invalidate();

"A token is required" — I am working with Lumen 7.x.

Sorry my bad, I forgot to send token

alfaben12 avatar Jul 17 '20 01:07 alfaben12

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

stale[bot] avatar Dec 25 '20 16:12 stale[bot]

Yeah, I also encountered this issue. Here is the temporary solution for that: use the composer stage dev-develop, then just use:

for login

JWTAuth::attempt($credentials)

for logout

JWTAuth::invalidate();

for refresh token

$token = JWTAuth::refresh();

this issue is still relevant, even on dev-develop. Any ideas for a solution?

mvalitov avatar May 05 '21 22:05 mvalitov

I found something related to this with this function:

# tymon/jwt-auth/src/Blacklist.php

# ...

/**
 * Get the number of minutes until the token expiry.
 *
 * @param  \Tymon\JWTAuth\Payload  $payload
 * @return int
 */
protected function getMinutesUntilExpired(Payload $payload)
{
    $exp = Utils::timestamp($payload['exp']);
    $iat = Utils::timestamp($payload['iat']);

    // get the latter of the two expiration dates and find
    // the number of minutes until the expiration date,
    // plus 1 minute to avoid overlap
    return $exp->max($iat->addMinutes($this->refreshTTL))->addMinute()->diffInRealMinutes();
}

# ...

The base implementation is using the Illuminate\Cache\Repository::put() method for storing the blacklisted token in the cache table, using the database driver, of course. Now, the problem is that the:

return $exp->max($iat->addMinutes($this->refreshTTL))->addMinute()->diffInRealMinutes();
# >>> -20152.975287983

is returning a negative value. This is expected, as per the Carbon documentation. And looking at the Illuminate\Cache\Repository::put() method body, when the value is negative, it actually forgets the item.

Is this expected?

[Edit]

If I get the absolute value of the returned diffInRealMinutes, it seems to work. The token is correctly added to the cache and the logout works as expected.

keymatch-clovis avatar Mar 15 '24 21:03 keymatch-clovis
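The security-relevant consequence of the finding above is that the failure is silent and fail-open: when the computed TTL is negative, put() forgets the key instead of storing it, the blacklist stays empty, and a "logged out" token keeps passing auth()->check() until its own exp. The script below is an added example, not code from tymon/jwt-auth or Laravel. It reproduces that failure mode with plain DateTimeImmutable arithmetic (no Carbon) and a hypothetical in-memory ForgettingCache whose put() forgets on a non-positive TTL, as the comment describes for Repository::put(). DemoBlacklist, its method names, the sample payload and the jti value are all constructed for the example; 20160 is jwt-auth's default refresh_ttl in minutes. It runs the same payload through the unguarded calculation (signed "now minus expiry" diff, which is negative for any token that still has time left) and through a guarded version that applies abs() as the comment suggests and clamps to at least one minute.

```php
<?php
// Added example (not code from tymon/jwt-auth or Laravel). It reproduces the
// failure mode described in the comment above with plain DateTimeImmutable
// arithmetic and a tiny in-memory cache that mimics the one piece of
// Illuminate\Cache\Repository::put() behaviour that matters here: a TTL of
// zero or less forgets the key instead of storing it.
declare(strict_types=1);

final class ForgettingCache
{
    /** @var array<string, array{value: string, expires: int}> */
    private array $items = [];

    // A non-positive TTL means "forget", not "store" (assumed to mirror
    // Repository::put(), as the comment above describes).
    public function put(string $key, string $value, int $ttlSeconds): bool
    {
        if ($ttlSeconds <= 0) {
            unset($this->items[$key]);
            return false;
        }
        $this->items[$key] = ['value' => $value, 'expires' => time() + $ttlSeconds];
        return true;
    }

    public function has(string $key): bool
    {
        if (!isset($this->items[$key]) || $this->items[$key]['expires'] <= time()) {
            unset($this->items[$key]);
            return false;
        }
        return true;
    }
}

final class DemoBlacklist
{
    private ForgettingCache $cache;
    private int $refreshTtlMinutes;
    private DateTimeImmutable $now;

    public function __construct(ForgettingCache $cache, int $refreshTtlMinutes, DateTimeImmutable $now)
    {
        $this->cache = $cache;
        $this->refreshTtlMinutes = $refreshTtlMinutes;
        $this->now = $now;
    }

    // The calculation quoted from Blacklist.php, written with a *signed* diff
    // ("now minus expiry"): it comes out negative whenever the expiry still
    // lies in the future, i.e. for every token that is worth blacklisting.
    public function minutesUntilExpiredSigned(array $payload): float
    {
        $exp = new DateTimeImmutable('@' . $payload['exp']);
        $iat = new DateTimeImmutable('@' . $payload['iat']);
        $refreshEnd = $iat->modify('+' . $this->refreshTtlMinutes . ' minutes');
        $latest = ($exp > $refreshEnd ? $exp : $refreshEnd)->modify('+1 minute');
        return ($this->now->getTimestamp() - $latest->getTimestamp()) / 60;
    }

    // Guarded version: abs() is what the comment above tried; max(1, ...) also
    // guarantees a non-zero entry for a token whose expiry is right now.
    public function minutesUntilExpired(array $payload): int
    {
        return max(1, (int) ceil(abs($this->minutesUntilExpiredSigned($payload))));
    }

    public function add(array $payload, bool $guarded): bool
    {
        $minutes = $guarded
            ? $this->minutesUntilExpired($payload)
            : (int) $this->minutesUntilExpiredSigned($payload);
        return $this->cache->put('jwt.blacklist:' . $payload['jti'], 'blacklisted', $minutes * 60);
    }

    public function has(array $payload): bool
    {
        return $this->cache->has('jwt.blacklist:' . $payload['jti']);
    }
}

// Constructed sample payload: issued 10 minutes ago, expires in 50 minutes.
$now = new DateTimeImmutable('@' . time());
$payload = [
    'jti' => 'constructed-token-id',
    'iat' => $now->getTimestamp() - 600,
    'exp' => $now->getTimestamp() + 3000,
];
$refreshTtl = 20160; // jwt-auth's default refresh_ttl (two weeks, in minutes)

$unguarded = new DemoBlacklist(new ForgettingCache(), $refreshTtl, $now);
$unguarded->add($payload, false);
printf("unguarded: ttl %.2f min, token blacklisted: %s\n",
    $unguarded->minutesUntilExpiredSigned($payload),
    var_export($unguarded->has($payload), true));

$guarded = new DemoBlacklist(new ForgettingCache(), $refreshTtl, $now);
$guarded->add($payload, true);
printf("guarded:   ttl %d min, token blacklisted: %s\n",
    $guarded->minutesUntilExpired($payload),
    var_export($guarded->has($payload), true));
```

Run it with php on any 7.4+ interpreter. The unguarded path stores nothing because the negative minute count becomes a negative TTL, so has() stays false; the guarded path stores the entry for the full refresh window. The cheap regression check for this class of bug is a test that logs a token out and then asserts the blacklist has() it, rather than only asserting that logout() returned without error.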