2

I'm trying to invalidate (or remove) a token from JWT but I can't achieve that. First I did something like this answer says ("Logout issue with Laravel JWT-auth authentication"):

JWTAuth::invalidate(JWTAuth::getToken());

But I get this error:

Non-static method Tymon\JWTAuth\JWT::invalidate() should not be called statically, assuming $this from incompatible context

Then I did something like this:

use Illuminate\Http\Request;
use Tymon\JWTAuth\JWTAuth;

class AuthController extends Controller
{
    protected $jwt;

    public function __construct(JWTAuth $jwt)
    {
        $this->jwt = $jwt;
    }

    public function invalidateToken(Request $request)
    {
        $this->jwt->parseToken()->invalidate();

        return response()->json(array('message' => 'log out'));
    }

    ...
}

But I can still use the token for another request and I can't remove or invalidate it.

What am I doing wrong to invalidate the token?

Edit:

I read other questions here and issue posts from the JWT repo on GitHub (this is the library I'm using), and I followed all the examples to invalidate or remove the token, but I still can't remove or invalidate it.

Robert
pableiros
  • By its nature you cannot invalidate a token. Here are your options: http://stackoverflow.com/questions/21978658/invalidating-json-web-tokens – E_p Jul 28 '16 at 16:11
  • @E_p I'm using this library: https://github.com/tymondesigns/jwt-auth, I'm not using the library for `nodejs` – pableiros Jul 28 '16 at 17:00
  • Makes no difference; JWT works the same for any server-side language. There is no mechanism to expire a token. An accepted answer in the link I provided tells you how to deal with it. – E_p Jul 28 '16 at 18:00
  • @E_p you are right, thank you !! – pableiros Jul 28 '16 at 18:00
  • There is an interesting POV about JWT revocation: https://www.dinochiesa.net/?p=1388 – Spomky-Labs Jul 30 '16 at 07:17
  • Sorry for opening this 10 months since last activity, but I have also run into the same problem as author. By invalidate, I understand that the author of the library stores the token in some kind of blacklist table and checks the table on every access. However, I am unable to get the invalidate method to work for this library. @pableiros did you find a solution to this? – NiCk.JaY Jun 27 '18 at 13:29
  • @NiCk.JaY I never found a solution. I was wasting a lot of time looking for a solution but I ended up removing the token stored on the client when the user logs out – pableiros Jun 27 '18 at 16:05
  • @pableiros Thanks. After a lot of searching, I found out it was a cache_driver issue. I've posted an answer here explaining it. – NiCk.JaY Jun 28 '18 at 09:22

3 Answers

1

The blacklist feature works if cache_driver in your .env file is set to something other than array.

Changing it to file worked for me. However, in my particular case, I was using Entrust too, which causes issues when cache_driver is set to file or database. So, had to drop the blacklist/invalidate functionality.

Hope this helps someone.

NiCk.JaY
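The comments and the answer above describe invalidation as a blacklist that is checked on every request, which only has an effect when the store behind it survives from one request to the next. The following is an added example in plain PHP (not jwt-auth's code and not from the original posts) that models this; the secret, the function names and the JSON file store are assumptions made for illustration:

```php
<?php
// Simplified model of a jti blacklist; not jwt-auth's own implementation.
const SECRET = 'constructed-demo-secret'; // constructed sample key

function b64url(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function issueToken(string $sub, int $ttl): string {
    $head = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $body = b64url(json_encode(
        ['sub' => $sub, 'jti' => bin2hex(random_bytes(8)), 'exp' => time() + $ttl]));
    return "$head.$body." . b64url(hash_hmac('sha256', "$head.$body", SECRET, true));
}

// Returns the claims when signature and expiry check out, otherwise null.
function verify(string $jwt): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$head, $body, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', "$head.$body", SECRET, true));
    if (!hash_equals($expected, $sig)) return null;
    $claims = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    return (is_array($claims) && ($claims['exp'] ?? 0) > time()) ? $claims : null;
}

// One HTTP request. $storeFile === null models a store that starts empty on
// every request; a path models a store that persists between requests.
function request(string $jwt, ?string $storeFile, bool $logout): bool {
    $blacklist = $storeFile
        ? (json_decode(file_get_contents($storeFile), true) ?: []) : [];
    $claims = verify($jwt);
    if ($claims === null || isset($blacklist[$claims['jti']])) return false;
    if ($logout) {
        $blacklist[$claims['jti']] = $claims['exp']; // entry is only needed until exp
        if ($storeFile) file_put_contents($storeFile, json_encode($blacklist), LOCK_EX);
    }
    return true;
}

$jwt  = issueToken('user-1', 3600);
$file = tempnam(sys_get_temp_dir(), 'jwtbl'); // creates an empty temp file
request($jwt, null, true);                    // logout, per-request store
echo 'after logout, per-request store: ',
    request($jwt, null, false) ? "accepted\n" : "rejected\n";
request($jwt, $file, true);                   // logout, persistent store
echo 'after logout, persistent store:  ',
    request($jwt, $file, false) ? "accepted\n" : "rejected\n";
unlink($file);
```

The per-request case corresponds to Laravel's array cache driver, which keeps its entries only in the memory of the current request.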
0

This is how I think it should look: $this->jwt->setToken($old_token)->invalidate(true);

-3
JWTAuth::invalidate(old token);
Baum mit Augen
Kmaj