Hi guys,
It is the first time that I use JWT. It is very interesting, but I have a question:
Because the other alternative I thought of is to create a field on the user table that saves "last_logout" and compare the dates (between last_logout and now).
Any help is welcome!
Thanks!
You can set the token validity/expiry time span in the config/jwt.php file at line 36 (most probably):
'ttl' => 60
The default there is 60 minutes, but you can extend it instead of comparing dates manually.
Also, in my opinion, yes, you can do invalidate(). This will put that token (not the user) on the blacklist, which means that token can not be used anymore. You get a different token on every authentication.
@JamshadAhmad Thanks!
I set my 'ttl' => 60 but I need to ensure that when the user clicks on logout, the token will be disabled.
To manage the blacklist, this API uses the Laravel cache, right?
No, tokens are not stored in the Laravel cache; clearing Laravel's cache does not affect tokens and sessions. My personal guess is that they are not stored in any file; they are in memory like a session, or maybe they are stored in the session object.
@JamshadAhmad Thanks for your help!
@mabilbao
@JamshadAhmad is incorrect. When a token is blacklisted, it is stored (by default) using Laravel's cache system.
They are NEVER stored in any kind of session, since JWTs are stateless.
You are correct in that, blacklisting a token is a good way to mitigate the token being used after the fact.
Thanks @tymondesigns.
I read the API logic yesterday and I am using the Laravel cache for the blacklist at this moment.
Hello, how can I log the user out?
@jonecir It has been discussed above in words: you can invalidate a token.
```php
// Blacklists the token carried by the current request
JWTAuth::invalidate(JWTAuth::getToken());
```
Hi @JamshadAhmad, thanks for your prompt response. I have a Vue component (Navbar) with two links (Login and Logout). When I click the Login link, a form is shown, and when I hit the "Sign In" button I call a method and then inside it I make a call to Laravel this way:
axios.post('login', this.loginData)...
Now, I'm wondering how I can handle the Logout link. Can you give me an idea on how to accomplish that? Should I also make a call to Laravel using axios and then call
JWTAuth::invalidate(JWTAuth::getToken()); ???
Thanks a lot.
Hi, sorry, I'm not familiar with Vue or axios. Maybe somebody else can guide you better in this case.
But the idea is that:
1) (Just like login) You should have a route/controller action in Laravel to handle logout.
In that controller action you'll put
JWTAuth::invalidate(JWTAuth::getToken());
or
JWTAuth::invalidate($token);
2) Hit that route from the front-end on logout and pass the logged-in user's token.
Probably something like
axios.post('logout', user.token)...
After that, destroy the token on the front-end completely and then show him that he is logged off from the front-end as well: whatever you have to do, whether you need to destroy data or redirect somewhere.
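A logout action that follows the two steps above, as an added example (not code from this thread or from tymon/jwt-auth). It assumes the 0.5.x-style facade API used in the thread (`JWTAuth::getToken()`, `JWTAuth::invalidate()`), an `AuthController` and a `POST logout` route that are hypothetical names, and that `blacklist_enabled` is left on in config/jwt.php so the invalidated token is recorded in the Laravel cache until its own `exp` passes.

```php
<?php
// app/Http/Controllers/AuthController.php (assumed path/name)
// Route it with: Route::post('logout', 'AuthController@logout');

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Tymon\JWTAuth\Facades\JWTAuth;
use Tymon\JWTAuth\Exceptions\JWTException;
use Tymon\JWTAuth\Exceptions\TokenExpiredException;

class AuthController extends Controller
{
    /**
     * Step 1: server-side logout.
     * getToken() reads the JWT from the "Authorization: Bearer <jwt>" header
     * (or the ?token= query parameter) of this request and returns false if
     * none is present. invalidate() decodes it and adds its jti to the
     * blacklist, which the package keeps in the Laravel cache store.
     */
    public function logout(Request $request)
    {
        $token = JWTAuth::getToken();
        if (!$token) {
            return response()->json(['error' => 'Token not provided'], 400);
        }

        try {
            JWTAuth::invalidate($token);
        } catch (TokenExpiredException $e) {
            // Decoding an expired token throws before it is blacklisted;
            // it can no longer authenticate anyway, so treat it as logged out.
            return response()->json(['message' => 'Token already expired'], 200);
        } catch (JWTException $e) {
            // Malformed token, bad signature, or cache failure while blacklisting.
            return response()->json(['error' => 'Could not invalidate token'], 500);
        }

        // Step 2 happens on the client: drop the stored token and redirect.
        return response()->json(['message' => 'Logged out'], 200);
    }
}
```

Note that `getToken()` looks for the token in the Authorization header or `token` query parameter, not in the POST body, so the client should send it as `Authorization: Bearer <jwt>` rather than as the request payload shown in the axios call above.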
Hi @JamshadAhmad, my login function is like this:
```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Tymon\JWTAuth\Facades\JWTAuth;
use Tymon\JWTAuth\Exceptions\JWTException;

class AuthController extends Controller
{
    public function login(Request $request)
    {
        $this->validate($request, [
            'email' => 'required|email|max:255',
            'password' => 'required|min:6',
        ]);

        // grab credentials from the request
        $loginData = $request->only('email', 'password');

        try {
            // attempt() verifies the credentials and returns a token, or false
            if (!$token = JWTAuth::attempt($loginData)) {
                return ['error' => 'Login failed.'];
            }
        } catch (JWTException $e) {
            // thrown when the token could not be created
            return ['error' => 'Login fatal error'];
        }

        // all good so set and return the token
        if (JWTAuth::setToken($token)) {
            return [
                'token' => $token,
                'message' => 'Token created!'
            ];
        } else {
            return ['error' => 'Token could not be set!'];
        }
    }
}
```
However, the "JWTAuth::setToken($token)" is not setting the Token. Any ideas?