Logout seems to do nothing!
ramtinq opened this issue
ramtinq commented
The `Auth::guard()->logout()` seems to do nothing! It doesn't invalidate the token; the token can still be used in further requests. Passing `true` to it doesn't make a difference. How does the blacklist work? I couldn't find any documentation about it.
Can you please help me with how the user can actually be logged out while he still has the token? Doesn't it require a database table or session storage to create a blacklist of tokens? Where do we define it?
ramtinq commented
I had to set `JWT_SHOW_BLACKLIST_EXCEPTION=true` in my `.env` file to prevent old tokens from being accepted after logging out.
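The behaviour the thread describes is inherent to stateless JWTs, not specific to one package: a signature check alone accepts a token until its `exp`, so "logout" can only take effect if the server records the revoked token's id (`jti`) in some store (a cache or database table in a real deployment) and every authenticated request consults that store. The following is an added, self-contained example, not code from the issue or from the library under discussion. `TokenService`, `Blacklist`, the demo secret and the fixed clock values are all hypothetical and constructed for illustration; `blacklist_enabled=False` reproduces the symptom reported above, `True` shows the revocation path.

```python
import base64
import hashlib
import hmac
import json
import uuid

# Constructed demo secret for this example only; a real service reads it from configuration.
SECRET = b"example-only-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> str:
    # The server always signs/verifies with HS256; the token's own "alg" header is ignored.
    return _b64url(hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest())


class Blacklist:
    """Stand-in for the server-side store (cache, Redis, DB table) that a denylist needs.

    Keyed on jti; an entry only has to live until the token's exp, because after
    that the expiry check rejects the token anyway."""

    def __init__(self) -> None:
        self._revoked: dict[str, int] = {}  # jti -> exp

    def add(self, payload: dict) -> None:
        self._revoked[payload["jti"]] = payload["exp"]

    def purge(self, now: int) -> None:
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}

    def contains(self, jti: str, now: int) -> bool:
        self.purge(now)
        return jti in self._revoked

    def __len__(self) -> int:
        return len(self._revoked)


class TokenService:
    def __init__(self, blacklist_enabled: bool, ttl: int = 3600) -> None:
        self.blacklist_enabled = blacklist_enabled
        self.ttl = ttl
        self.blacklist = Blacklist()

    def issue(self, sub: str, now: int) -> str:
        """Mint an HS256 JWT with a unique jti so it can be revoked individually."""
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"sub": sub, "iat": now, "exp": now + self.ttl, "jti": uuid.uuid4().hex}
        signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
        return signing_input + "." + _sign(signing_input)

    def _decode(self, token: str):
        """Return (payload, reason); payload is None if the signature does not verify."""
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
        except ValueError:
            return None, "malformed"
        expected = _sign(header_b64 + "." + payload_b64)
        if not hmac.compare_digest(expected.encode("ascii"), sig_b64.encode("utf-8")):
            return None, "bad signature"
        return json.loads(_b64url_decode(payload_b64)), "ok"

    def authenticate(self, token: str, now: int):
        payload, reason = self._decode(token)
        if payload is None:
            return False, reason
        if payload["exp"] <= now:
            return False, "expired"
        # Without this lookup a valid signature is all that is checked, and logout is a no-op.
        if self.blacklist_enabled and self.blacklist.contains(payload["jti"], now):
            return False, "blacklisted"
        return True, "ok"

    def logout(self, token: str, now: int) -> bool:
        payload, _ = self._decode(token)
        if payload is None or not self.blacklist_enabled:
            return False  # nothing is recorded: the token stays usable until exp
        self.blacklist.add(payload)
        return True


def demo() -> dict:
    """Side by side: logout with the blacklist disabled (the reported symptom) and enabled."""
    now = 1_700_000_000
    results = {}
    off = TokenService(blacklist_enabled=False)
    tok = off.issue("ramtinq", now)
    off.logout(tok, now)
    results["no_blacklist_after_logout"] = off.authenticate(tok, now + 1)
    on = TokenService(blacklist_enabled=True)
    tok = on.issue("ramtinq", now)
    results["before_logout"] = on.authenticate(tok, now + 1)
    on.logout(tok, now)
    results["after_logout"] = on.authenticate(tok, now + 1)
    results["after_exp"] = on.authenticate(tok, now + on.ttl)
    on.blacklist.purge(now + on.ttl)
    results["entries_after_exp"] = len(on.blacklist)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things the example makes concrete: the denylist is the only piece of server state involved, and it can be bounded, since an entry is useless once the token's own `exp` has passed. A short token TTL therefore limits both the exposure window if revocation is misconfigured and the size of the store the blacklist needs.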