Merge pull request #259 from PHP-Open-Source-Saver/bugfix/258-logout-with-expired-token

Author: Messhias

CHANGELOG.md

@@ -7,12 +7,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 You can find and compare releases at the GitHub release page.
 
 ## [Unreleased]
-- SetSecret regenerates config with new secret in the Lcobucci provider
+
+### Added
+- Fixes #259 - Can't logout with an expired token
+
+### Removed
+
+## [2.6.0] 2024-07-11
+
+### Added
+- New `getUserId` method
+
+## [2.5.0] 2024-07-03
+
+### Added
 - Refresh iat claim when refreshing a token
 
+## [2.4.0] 2024-05-27
+
 ### Added
 - Support for lcobucci/jwt^5.0 (and dropped support for ^4.0)
-- New `getUserId` method
+- SetSecret regenerates config with new secret in the Lcobucci provider
 
 ## [2.3.0] 2024-05-09
 

src/JWTGuard.php

@@ -200,7 +200,11 @@ public function login(JWTSubject $user)
      */
     public function logout($forceForever = false)
     {
-        $this->requireToken()->invalidate($forceForever);
+        try {
+            $this->requireToken()->invalidate($forceForever);
+        } catch (JWTException $e) {
+            // Proceed with the logout as normal if we can't invalidate the token
+        }
 
         $this->fireLogoutEvent($this->user);
 

tests/JWTGuardTest.php

@@ -22,6 +22,7 @@
 use Illuminate\Http\Request;
 use Mockery\LegacyMockInterface;
 use PHPOpenSourceSaver\JWTAuth\Exceptions\JWTException;
+use PHPOpenSourceSaver\JWTAuth\Exceptions\TokenExpiredException;
 use PHPOpenSourceSaver\JWTAuth\Exceptions\UserNotDefinedException;
 use PHPOpenSourceSaver\JWTAuth\Factory;
 use PHPOpenSourceSaver\JWTAuth\JWT;
@@ -353,6 +354,25 @@ public function testItShouldLogoutTheUserByInvalidatingTheToken()
         $this->assertNull($this->guard->getUser());
     }
 
+    public function testItShouldLogoutTheUserEvenWithExpiredToken()
+    {
+        $this->jwt->shouldReceive('setRequest')->andReturn($this->jwt);
+        $this->jwt->shouldReceive('getToken')->once()->andReturn(true);
+        $this->jwt->shouldReceive('invalidate')->andThrow(TokenExpiredException::class);
+        $this->jwt->shouldReceive('unsetToken')->once();
+
+        $this->eventDispatcher->shouldReceive('dispatch')
+            ->never()
+            ->with(\Mockery::type(Authenticated::class));
+
+        $this->eventDispatcher->shouldReceive('dispatch')
+            ->once()
+            ->with(\Mockery::type(Logout::class));
+
+        $this->guard->logout();
+        $this->assertNull($this->guard->getUser());
+    }
+
     public function testItShouldRefreshTheToken()
     {
         $this->jwt->shouldReceive('setRequest')->andReturn($this->jwt);