bitstream/fuel-price
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a969c1b347a158ba5e9d6c7165db7c97670f43c8
fuel-price/app/Http/Controllers/Api/AuthController.php
Ovidiu U 02b004f381 fix: handle TransientToken in logout for session-based auth 
When the SPA authenticates via cookies (not Bearer token), Sanctum returns
a TransientToken from currentAccessToken() which has no delete() method.
Detect it and invalidate the session instead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 13:29:03 +01:00

67 lines
2.0 KiB
PHP
Raw Blame History

<?php
namespace App\Http\Controllers\Api;
use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Validation\Rules\Password;
use Laravel\Sanctum\TransientToken;
class AuthController extends Controller
{
public function register(Request $request): JsonResponse
{
$data = $request->validate([
'name' => ['required', 'string', 'max:255'],
'email' => ['required', 'email', 'max:255', 'unique:users,email'],
'password' => ['required', 'confirmed', Password::defaults()],
]);
$user = User::create($data);
$token = $user->createToken('api')->plainTextToken;
return response()->json(['token' => $token, 'user' => $user], 201);
}
public function login(Request $request): JsonResponse
{
$credentials = $request->validate([
'email' => ['required', 'email'],
'password' => ['required', 'string'],
]);
if (! Auth::attempt($credentials)) {
return response()->json(['message' => 'Invalid credentials.'], 401);
}
/** @var User $user */
$user = Auth::user();
$token = $user->createToken('api')->plainTextToken;
return response()->json(['token' => $token, 'user' => $user]);
}
public function logout(Request $request): JsonResponse
{
$token = $request->user()->currentAccessToken();
// TransientToken means session-based auth (no Bearer token) — invalidate session instead
if ($token instanceof TransientToken) {
$request->session()->invalidate();
$request->session()->regenerateToken();
} else {
$token->delete();
}
return response()->json(['message' => 'Logged out.']);
}
public function me(Request $request): JsonResponse
{
return response()->json($request->user());
}
}
Reference in New Issue View Git Blame Copy Permalink