setToken (and possibly setRequest) return the previously logged in user
JwtGuard::setToken and JwtGuard::setRequest, if used in a long-running environment (à la Octane etc., or a websockets server in my case), will not reset the user, but simply overwrite the token.
This leads to a behaviour where, if there exists a cached user and you reset the token and call

```php
$user = auth()->setToken('eyJhb...')->user();
# taken from official docs https://laravel-jwt-auth.readthedocs.io/en/latest/auth-guard/#set-the-token-explicitly
```

you will get the cached user, instead of the user represented by the new token.
Your environment:

| Q | A |
| --- | --- |
| Bug? | yes |
| New Feature? | no |
| Framework | Laravel |
| Framework version | 10.x |
| Package version | 2.7.§ |
| PHP version | 8.2 |
Steps to reproduce
In a loop, log in a user via setting the token, and then do it again with a new token, the user() method will return the original user.
Expected behaviour
setting a token should invalidate the user cache
Actual behaviour
setting a token returns the "previous" / "cached" user
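To make the failure mode concrete, here is an added illustration (not the package's JwtGuard, and not code from the issue) using a deliberately simplified, hypothetical guard: the first class keeps a cached `$user` across `setToken()` calls, as the report describes, and the second nulls the cache whenever the token changes. The token-to-user table is constructed inline in place of real JWT parsing and a user provider.

```php
<?php
// Hypothetical stand-in for a token guard, not the package's JwtGuard, showing
// why a cached $user survives a token swap inside a long-lived worker process.

final class Subject
{
    public function __construct(public int $id, public string $name) {}
}

class CachingGuard
{
    protected ?Subject $user = null;
    protected ?string $token = null;

    // Constructed lookup table standing in for token parsing plus user lookup.
    public function __construct(protected array $tokenToUser) {}

    public function setToken(string $token): static
    {
        $this->token = $token; // token replaced, $this->user left untouched
        return $this;
    }

    public function user(): ?Subject
    {
        if ($this->user !== null) {
            return $this->user; // stale cache wins once the process stays alive
        }
        return $this->user = $this->tokenToUser[$this->token] ?? null;
    }
}

class ResettingGuard extends CachingGuard
{
    public function setToken(string $token): static
    {
        $this->user = null; // invalidate the cached user whenever the token changes
        return parent::setToken($token);
    }
}

$tokens = [
    'token-alice' => new Subject(1, 'alice'),
    'token-bob'   => new Subject(2, 'bob'),
];

// Same guard instance reused for two different tokens, as a worker loop would.
foreach ([new CachingGuard($tokens), new ResettingGuard($tokens)] as $guard) {
    $first  = $guard->setToken('token-alice')->user();
    $second = $guard->setToken('token-bob')->user();
    printf("%s: first=%s second=%s\n", $guard::class, $first->name, $second->name);
}
```

With CachingGuard the second call still returns alice even though the token now belongs to bob; ResettingGuard returns bob, which is the behaviour the report expects.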
Yes, I tested it and it's a serious problem. Here's a test that demonstrates the problem:

```php
test('user token returns correct user profile', function () {
    // Create and authenticate the first user
    $userOne = User::factory()->create()->refresh();
    $tokenOne = auth('User')->tokenById($userOne->id);
    $responseOne = $this->getJson(route('users.profile'), [
        'Authorization' => "Bearer {$tokenOne}",
    ]);

    // Create and authenticate the second user
    $userTwo = User::factory()->create()->refresh();
    $tokenTwo = auth('User')->tokenById($userTwo->id);
    $responseTwo = $this->getJson(route('users.profile'), [
        'Authorization' => "Bearer {$tokenTwo}",
    ]);

    // Extract user details from the responses
    $userOneDetails = [
        'name' => $userOne->name,
        'token' => $tokenOne,
        'profile' => $responseOne->json(),
    ];
    $userTwoDetails = [
        'name' => $userTwo->name,
        'token' => $tokenTwo,
        'profile' => $responseTwo->json(),
    ];

    // Assert that profiles of different users are not equal
    $this->assertNotEquals(
        $userOneDetails['profile'],
        $userTwoDetails['profile'],
        'The profiles for different users should not be equal.'
    );
});
```
I think there is some misunderstanding here: if you want to log in as a user, you need to do Auth::login($user);
We have some Octane functionality in LaravelServiceProvider; I think maybe it would be wise to add logging out to that? I haven't dived deep enough into Octane to understand what it clears itself (for example, the application) versus what the package maintainer should clear.