John Davidson

php - Laravel sanctum token still working after removing it in some routes in live server?

0 comments
Message:


I'm using laravel sanctum to create API, it works fine in localhost but in live server there is an issue:



  • when access route under middleware like this:


      Route::group(['middleware'=>'auth:sanctum'], function(){

    Route::get('/test-middleware',function(){
    return "test- middleware";
    });

    });



it return json "Unauthenticated", I generate an access token successfully and pass it in postman bearer token, it allow to visit this route successfully and return:


test- middleware

the issue is:


when I remove the access token of this user from database directly or from logout function like:


auth()->user()->tokens()->delete();

it supposed return "Unauthenticated", cuz there is no token for this user, but when access this route again with the removed token, it still allow user to access:


test- middleware

although I removed this user's token from database, I checked the endpoint in different api tester and show the same output?!.


Users model:


    class User extends Authenticatable
{
use HasApiTokens, HasFactory, Notifiable;

Kernel: Http/Kernel


    protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
// \Illuminate\Session\Middleware\AuthenticateSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],

'api' => [
\Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
'throttle:api',
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
];

public/.haccess:


<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews -Indexes
</IfModule>

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.+)$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

# Handle Authorization Header


# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]

# Send Requests To Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>

sanctum: Config/sanctum:


    <?php

return [

/*
|--------------------------------------------------------------------------
| Stateful Domains
|--------------------------------------------------------------------------
|
| Requests from the following domains / hosts will receive stateful API
| authentication cookies. Typically, these should include your local
| and production domains which access your API via a frontend SPA.
|
*/

'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
'%s%s',
'localhost,localhost:3000,127.0.0.1,127.0.0.1:8000,::1',
env('APP_URL') ? ','.parse_url(env('APP_URL'), PHP_URL_HOST) : ''
))),

/*
|--------------------------------------------------------------------------
| Sanctum Guards
|--------------------------------------------------------------------------
|
| This array contains the authentication guards that will be checked when
| Sanctum is trying to authenticate a request. If none of these guards
| are able to authenticate the request, Sanctum will use the bearer
| token that's present on an incoming request for authentication.
|
*/

'guard' => ['web'],

/*
|--------------------------------------------------------------------------
| Expiration Minutes
|--------------------------------------------------------------------------
|
| This value controls the number of minutes until an issued token will be
| considered expired. If this value is null, personal access tokens do
| not expire. This won't tweak the lifetime of first-party sessions.
|
*/

'expiration' => null,

/*
|--------------------------------------------------------------------------
| Sanctum Middleware
|--------------------------------------------------------------------------
|
| When authenticating your first-party SPA with Sanctum you may need to
| customize some of the middleware Sanctum uses while processing the
| request. You may change the middleware listed below as required.
|
*/

'middleware' => [
'verify_csrf_token' => App\Http\Middleware\VerifyCsrfToken::class,
'encrypt_cookies' => App\Http\Middleware\EncryptCookies::class,
],

];

please any help
is there any issues in laravel sanctum in live server?!



My Answer:
It seems like there might be a caching issue or some other kind of issue causing the token to still be valid even after it has been removed from the database. Here are a few things you can try to troubleshoot and fix the issue:

1. Clear the cache: Try clearing the cache on your live server to see if that resolves the issue. You can do this by running `php artisan cache:clear` in your terminal.

2. Check session configuration: Make sure that your session configuration is set up correctly in your `config/session.php` file. Check the `driver` and `lifetime` settings to ensure they are configured properly.

3. Check token expiration: Make sure that the token expiration setting in your Sanctum configuration is set correctly. If the expiration is set to null, tokens will not expire. You can set a specific expiration time in minutes to ensure that tokens are invalidated after a certain period.

4. Check for any custom logic: Make sure that there is no custom logic in your application that is overriding the default behavior of Sanctum. Check your middleware, controllers, and any other relevant code to see if there is anything that could be causing the issue.

5. Test in a different environment: Try testing the behavior in a different environment to see if the issue persists. This can help determine if the issue is specific to your live server setup.

If none of these steps resolve the issue, you may need to further investigate and debug the problem to identify the root cause. You can also consider reaching out to the Laravel Sanctum community or support for additional assistance.

Rate this post

3 of 5 based on 4504 votes

Comments




© 2024 Hayatsk.info - Personal Blogs Platform. All Rights Reserved.
Create blog  |  Privacy Policy  |  Terms & Conditions  |  Contact Us