logout and invalidate simply won't work #1972

Open
khooz opened this issue Apr 8, 2020 · 6 comments

Comments

@khooz

khooz commented Apr 8, 2020

Subject of the issue

Hi,

As the title says, logout and invalidate do not work. Blacklisting is enabled, but JWT does not record any token as blacklisted at all.

Your environment

| Q | A |
|---|---|
| Bug? | maybe |
| New Feature? | no |
| Framework | Laravel |
| Framework version | 6.x |
| Package version | 1.0.0 |
| PHP version | 7.4.0 |

Steps to reproduce

  1. Use `attempt` to generate a token.
  2. Use `auth()->logout()` or `auth()->logout(true)` to invalidate the token.
  3. Try `auth()->check()` with the invalidated token; it returns `true`.

Expected behaviour

An invalidated token should not be valid.

Actual behaviour

The invalidated token is still valid. Also note that my cache is Redis, and it stores sessions, queue jobs, etc., but there are no JWT sets in it. There is also no blacklist in any of the files managed by the other storage drivers.

@MarJose123

MarJose123 commented Apr 13, 2020

Yeah, I also encountered this issue.
Here is a temporary solution for it:
use the composer stage `dev-develop` and just use:

for login

JWTAuth::attempt($credentials)

for logout

JWTAuth::invalidate();

for refresh token

$token = JWTAuth::refresh();

@alfaben12

`JWTAuth::invalidate();`

"A token is required". I am working with Lumen 7.x.

@alfaben12

> `JWTAuth::invalidate();`
>
> "A token is required". I am working with Lumen 7.x.

Sorry, my bad, I forgot to send the token.

@stale

stale bot commented Dec 25, 2020

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the stale label Dec 25, 2020
@mvalitov

mvalitov commented May 5, 2021

> Yeah, I also encountered this issue.
> Here is a temporary solution for it:
> use the composer stage `dev-develop` and just use:
>
> for login
>
> `JWTAuth::attempt($credentials)`
>
> for logout
>
> `JWTAuth::invalidate();`
>
> for refresh token
>
> `$token = JWTAuth::refresh();`

This issue is still relevant, even on `dev-develop`. Any ideas for a solution?

@stale stale bot removed the stale label May 5, 2021
@GoldenCodeRam

GoldenCodeRam commented Mar 15, 2024

I found something related to this with this function:

```php
# tymon/jwt-auth/src/Blacklist.php

# ...

/**
 * Get the number of minutes until the token expiry.
 *
 * @param  \Tymon\JWTAuth\Payload  $payload
 * @return int
 */
protected function getMinutesUntilExpired(Payload $payload)
{
    $exp = Utils::timestamp($payload['exp']);
    $iat = Utils::timestamp($payload['iat']);

    // get the latter of the two expiration dates and find
    // the number of minutes until the expiration date,
    // plus 1 minute to avoid overlap
    return $exp->max($iat->addMinutes($this->refreshTTL))->addMinute()->diffInRealMinutes();
}

# ...
```

The base implementation uses the `Illuminate\Cache\Repository::put()` method to store the blacklisted token in the cache table (using the database driver, of course). Now, the problem is that this expression:

```php
return $exp->max($iat->addMinutes($this->refreshTTL))->addMinute()->diffInRealMinutes();
# >>> -20152.975287983
```

is returning a negative value. This is expected, as per the Carbon documentation. And looking at the body of the `Illuminate\Cache\Repository::put()` method, when the TTL value is negative, it actually forgets the item.

Is this expected?

[Edit]

If I take the absolute value of the returned `diffInRealMinutes`, it seems to work. The token is correctly added to the cache and the logout works as expected.
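The mechanism described in the comment above, as an added example that is not code from tymon/jwt-auth or Laravel: a reduced, dependency-free model of `getMinutesUntilExpired()` feeding a `put()` that, like `Illuminate\Cache\Repository::put()`, forgets the key when the TTL is zero or negative. Plain `DateTimeImmutable`-style timestamps stand in for Carbon, the cache class and key prefix are hypothetical, and all claim values are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the cache store. Mirrors the behaviour the comment
// above describes: Repository::put() forgets the key when the TTL is <= 0.
final class FakeCache
{
    public array $items = [];

    public function put(string $key, $value, float $minutes): bool
    {
        if ($minutes <= 0) {
            unset($this->items[$key]);   // negative TTL: entry is dropped, not stored
            return false;
        }
        $this->items[$key] = $value;
        return true;
    }
}

// Model of Blacklist::getMinutesUntilExpired(): later of exp and iat+refreshTTL,
// plus one minute. The signed difference is "now minus deadline", which is
// negative for a deadline in the future (the -20152.97 seen above).
function minutesUntilExpired(int $exp, int $iat, int $refreshTtlMinutes, int $now, bool $absolute): float
{
    $deadline = max($exp, $iat + $refreshTtlMinutes * 60) + 60;
    $signed   = ($now - $deadline) / 60;
    return $absolute ? abs($signed) : $signed;   // abs() is the workaround from the comment
}

// Model of Blacklist::add(): store a marker under the token's jti with that TTL.
function blacklist(FakeCache $cache, string $jti, int $exp, int $iat, int $refreshTtl, int $now, bool $absolute): bool
{
    return $cache->put('example-blacklist:' . $jti, ['valid_until' => $now],
        minutesUntilExpired($exp, $iat, $refreshTtl, $now, $absolute));
}

// Constructed claims: issued 10 minutes ago, 60-minute ttl, 14-day refresh_ttl.
$now        = 1700000000;
$iat        = $now - 600;
$exp        = $iat + 3600;
$refreshTtl = 20160;
$cache      = new FakeCache();

var_dump(minutesUntilExpired($exp, $iat, $refreshTtl, $now, false));   // signed, as the library computes it
var_dump(blacklist($cache, 'constructed-jti', $exp, $iat, $refreshTtl, $now, false));
var_dump(isset($cache->items['example-blacklist:constructed-jti']));   // did logout actually land in the cache?
var_dump(blacklist($cache, 'constructed-jti', $exp, $iat, $refreshTtl, $now, true));
var_dump(isset($cache->items['example-blacklist:constructed-jti']));
```

The same `isset`-style check against the real cache store after `auth()->logout()` is the quickest way to tell whether the blacklist entry was written or silently forgotten.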
