Laravel Passport and logout - how to cleanly and really logout?

[cariboufute]

Hi everyone,

I am implementing Laravel Passport in a new Single Sign-On app using the authorization code grant process. Everything went smoothly until I implemented the logout process.

I started by revoking the tokens and logging out with the web guard, as written in the docs. However, accessing the Passport guarded routes was still possible with the revoked access token. Revoking all user related tokens and regenerating request session wasn't enough either.

The only way to really logout and make the protected routes unaccessible again was to delete all session related to user_id in the database!

Here is the code.

// LoginSessionController.php

public function destroy(Request $request): void
{
      $userId = $request->user()?->id;

      Passport::authCode()
          ->where('user_id', $request->user()->id)
          ->update(['revoked' => true]);

      $tokenQuery = $request->user()->tokens()->where('revoked', false);

      Passport::refreshToken()
          ->whereIn('id', $tokenQuery->pluck('id'))
          ->update(['revoked' => true]);

      $tokenQuery->update(['revoked' => true]);

      Auth::guard('web')->logout();

      $request->session()->invalidate();
      $request->session()->regenerateToken();

      DB::table('sessions')->where('user_id', $userId)->delete();
}

Is there a less crude way to effectively logout of Passport?

Thanks!