Invalidates token when user changes their password

api/app/Http/Controllers/UserController.php

@@ -177,6 +177,12 @@ public function patchOne(Request $request, $id)
         // Extract the credentials and update if necessary
         $credentialUpdateDetails = $request->get('_user_credential', []);
         if (!empty($credentialUpdateDetails)) {
+            // Invalidate token for the user when user changes their password
+            if ($this->jwtAuth->user()->user_id == $model->user_id) {
+                $token = $this->jwtAuth->getTokenFromRequest();
+                $this->jwtAuth->invalidate($token);
+            }
+
             $credentials = UserCredential::findOrNew($id);
             /** @var UserCredential $credentials */
             $credentials->fill($credentialUpdateDetails);

api/tests/integration/UserTest.php

@@ -304,6 +304,13 @@ public function testPatchOneBySelfUserPassword()
         $this->assertResponseStatus(204);
         $this->assertResponseHasNoContent();
         $this->assertTrue(Hash::check('foobarfoobar', $updatedCredentials->password));
+
+        // Assert token is invalid
+        $jwtAuth = App::make('Tymon\JWTAuth\JWTAuth');
+        $blacklist = $jwtAuth->getBlacklist();
+        $payload = $jwtAuth->getJWTProvider()->decode($token);
+        $payload = $jwtAuth->getPayloadFactory()->setRefreshFlow(false)->make($payload);
+        $this->assertTrue($blacklist->has($payload));
     }
 
     public function testPatchOneByGuestUser()