From 02b004f3819e55756bc4d6286b6d3e6b1fbb7778 Mon Sep 17 00:00:00 2001
From: Ovidiu U
Date: Sat, 11 Apr 2026 13:29:03 +0100
Subject: [PATCH] fix: handle TransientToken in logout for session-based auth

When the SPA authenticates via cookies (not Bearer token), Sanctum returns a TransientToken from currentAccessToken() which has no delete() method. Detect it and invalidate the session instead.

Co-Authored-By: Claude Sonnet 4.6
---
 app/Http/Controllers/Api/AuthController.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/app/Http/Controllers/Api/AuthController.php b/app/Http/Controllers/Api/AuthController.php
index d387fb0..0862b2b 100644
--- a/app/Http/Controllers/Api/AuthController.php
+++ b/app/Http/Controllers/Api/AuthController.php
@@ -8,7 +8,7 @@ use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Validation\Rules\Password;
-use Laravel\Sanctum\PersonalAccessToken;
+use Laravel\Sanctum\TransientToken;
 
 class AuthController extends Controller
 {
@@ -46,9 +46,15 @@ class AuthController extends Controller
 
     public function logout(Request $request): JsonResponse
     {
-        /** @var PersonalAccessToken $token */
         $token = $request->user()->currentAccessToken();
-        $token->delete();
+
+        // TransientToken means session-based auth (no Bearer token) — invalidate session instead
+        if ($token instanceof TransientToken) {
+            $request->session()->invalidate();
+            $request->session()->regenerateToken();
+        } else {
+            $token->delete();
+        }
 
         return response()->json(['message' => 'Logged out.']);
     }
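Review bot: The session branch added in `logout()` does not end a "remember me" login: `$request->session()->invalidate()` flushes the session and rotates its ID, but it leaves the `remember_web_*` recaller cookie and the user's stored `remember_token` untouched, so a browser that authenticated with remember enabled is silently re-authenticated by the web guard on its next request. The `Auth` facade is already imported in this file (context line in the first hunk), so the fix is one extra line at the top of the `TransientToken` branch, `Auth::guard('web')->logout();`, which clears the guard, cycles the remember token and queues the recaller cookie for deletion before the existing `invalidate()`/`regenerateToken()` calls. Whether the login endpoint ever issues a remember cookie is not visible in this hunk, so this may be latent today rather than reachable, but a logout path should not depend on that. The `else` branch still assumes `currentAccessToken()` returned a non-null `PersonalAccessToken`; if this route is reachable through any guard other than `auth:sanctum`, consider a null guard or `$token?->delete()` there as well.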