From 9680bb880f876d168e413caa00654ee817f1a0d9 Mon Sep 17 00:00:00 2001
From: Max Snow
Date: Tue, 16 Jul 2024 12:23:39 +1000
Subject: [PATCH 1/4] Fixes #258 whereby logout fails if the JWT already being used has expired
---
 src/JWTGuard.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/JWTGuard.php b/src/JWTGuard.php
index 534bcb7e..21f5531a 100644
--- a/src/JWTGuard.php
+++ b/src/JWTGuard.php
@@ -200,7 +200,11 @@ public function login(JWTSubject $user)
 */
 public function logout($forceForever = false)
 {
- $this->requireToken()->invalidate($forceForever);
+ try {
+ $this->requireToken()->invalidate($forceForever);
+ } catch (JWTException $e) {
+ // Proceed with the logout as normal if we can't invalidate the token
+ }
 $this->fireLogoutEvent($this->user);
From 5e2c13d8a388a063742a48932748b5e4d914819c Mon Sep 17 00:00:00 2001
From: Max Snow
Date: Tue, 16 Jul 2024 14:08:16 +1000
Subject: [PATCH 2/4] Adds test case
---
 tests/JWTGuardTest.php | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/tests/JWTGuardTest.php b/tests/JWTGuardTest.php
index cd7c99ec..825f71bb 100644
--- a/tests/JWTGuardTest.php
+++ b/tests/JWTGuardTest.php
@@ -22,6 +22,7 @@
 use Illuminate\Http\Request;
 use Mockery\LegacyMockInterface;
 use PHPOpenSourceSaver\JWTAuth\Exceptions\JWTException;
+use PHPOpenSourceSaver\JWTAuth\Exceptions\TokenExpiredException;
 use PHPOpenSourceSaver\JWTAuth\Exceptions\UserNotDefinedException;
 use PHPOpenSourceSaver\JWTAuth\Factory;
 use PHPOpenSourceSaver\JWTAuth\JWT;
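Review bot: The `} catch (JWTException $e) {` added in logout() is wider than the defect it fixes: every JWTException raised by invalidate() is now discarded without a trace, the Logout event still fires and the caller sees a successful logout, so if a blacklist failure surfaces as a JWTException a still-valid token would stay usable until it expires with nothing recorded. Narrow the catch to the case the accompanying test exercises, `} catch (TokenExpiredException $e) {` (with the matching `use` import in JWTGuard.php), and since `$e` is never used it can be dropped as `} catch (TokenExpiredException) {` if the project's minimum PHP is 8.0 or later. If other invalidation failures must also be tolerated on logout, report them through a logger or a dedicated event instead of the bare comment, so an outage of the blacklist backend remains observable. logout()'s body continues past the end of the hunk.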
@@ -353,6 +354,25 @@ public function testItShouldLogoutTheUserByInvalidatingTheToken()
 $this->assertNull($this->guard->getUser());
 }
+ public function testItShouldLogoutTheUserEvenWithExpiredToken()
+ {
+ $this->jwt->shouldReceive('setRequest')->andReturn($this->jwt);
+ $this->jwt->shouldReceive('getToken')->once()->andReturn(true);
+ $this->jwt->shouldReceive('invalidate')->andThrow(TokenExpiredException::class);
+ $this->jwt->shouldReceive('unsetToken')->once();
+ $this->eventDispatcher->shouldReceive('dispatch')
+ ->never()
+ ->with(\Mockery::type(Authenticated::class));
+ $this->eventDispatcher->shouldReceive('dispatch')
+ ->once()
+ ->with(\Mockery::type(Logout::class));
+ $this->guard->logout();
+ $this->assertNull($this->guard->getUser());
+ }
+
 public function testItShouldRefreshTheToken()
 {
 $this->jwt->shouldReceive('setRequest')->andReturn($this->jwt);
From 264f036a8c4e47bad7153e2c6ff7dbe70fa6d84b Mon Sep 17 00:00:00 2001
From: Max Snow
Date: Tue, 16 Jul 2024 14:13:51 +1000
Subject: [PATCH 3/4] Update the changelog
---
 CHANGELOG.md | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0dc47702..48befd75 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,12 +7,26 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 You can find and compare releases at the GitHub release page.
 ## [Unreleased]
-- SetSecret regenerates config with new secret in the Lcobucci provider
+
+### Added
+
+### Removed
+
+## [2.6.0] 2024-07-11
+
+### Added
+- New `getUserId` method
+
+## [2.5.0] 2024-07-03
+
+### Added
 - Refresh iat claim when refreshing a token
+## [2.4.0] 2024-05-27
+
 ### Added
 - Support for lcobucci/jwt^5.0 (and dropped support for ^4.0)
-- New `getUserId` method
+- SetSecret regenerates config with new secret in the Lcobucci provider
 ## [2.3.0] 2024-05-09
From f8c36bf1532b92e0942210bbc5f7ae9a6fa11ded Mon Sep 17 00:00:00 2001
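Review bot: The `invalidate` expectation in testItShouldLogoutTheUserEvenWithExpiredToken carries no call count, so the test also passes if logout() never attempts to invalidate the token at all; the behaviour under test is that invalidation is attempted and its failure tolerated, so pin the attempt with `$this->jwt->shouldReceive('invalidate')->once()->andThrow(TokenExpiredException::class);`. The case only throws TokenExpiredException while the catch added in patch 1 is the broader JWTException, so nothing in the suite pins what logout() does for other invalidation failures; either a second case or a narrower catch would close that gap. The neighbouring tests testItShouldLogoutTheUserByInvalidatingTheToken and testItShouldRefreshTheToken start and end outside the hunk.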
From: Max Snow
Date: Tue, 16 Jul 2024 14:15:35 +1000
Subject: [PATCH 4/4] Added fix to changelog
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 48befd75..8276a763 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ You can find and compare releases at the GitHub release page.
 ## [Unreleased]
 ### Added
+- Fixes #259 - Can't logout with an expired token
 ### Removed