setToken (and possibly setRequest) return the previously logged in user

[carvefx]

setToken (and possibly setRequest) return the previously logged in user

JwtGuard::setToken and JwtGuard::setRequest, if used in a long-running environment (a la octane etc, or a websockets server in my case) will not reset the user, but simply overwrite the token.

This leads to a behaviour where if there exists a cached user, and you reset the token, and call

$user = auth()->setToken('eyJhb...')->user();

# taken from official docs https://laravel-jwt-auth.readthedocs.io/en/latest/auth-guard/#set-the-token-explicitly

you will get the cached user, instead of the user represented by the new token.

Your environment:

Q	A
Bug?	yes
New Feature?	no
Framework	Laravel
Framework version	10.x
Package version	2.7.§
PHP version	8.2

Steps to reproduce

In a loop, log in a user via setting the token, and then do it again with a new token, the user() method will return the original user.

Expected behaviour

setting a token should invalidate the user cache

Actual behaviour

setting a token returns the "previous" / "cached" user

[mahdimirhendi]

Description

Yes I tested and it's serious problem. Here’s a test that demonstrates the problem:

test('user token returns correct user profile', function () {
    // Create and authenticate the first user
    $userOne = User::factory()->create()->refresh();
    $tokenOne = auth('User')->tokenById($userOne->id);
    $responseOne = $this->getJson(route('users.profile'), [
        'Authorization' => "Bearer {$tokenOne}",
    ]);

    // Create and authenticate the second user
    $userTwo = User::factory()->create()->refresh();
    $tokenTwo = auth('User')->tokenById($userTwo->id);
    $responseTwo = $this->getJson(route('users.profile'), [
        'Authorization' => "Bearer {$tokenTwo}",
    ]);

    // Extract user details from the responses
    $userOneDetails = [
        'name' => $userOne->name,
        'token' => $tokenOne,
        'profile' => $responseOne->json(),
    ];

    $userTwoDetails = [
        'name' => $userTwo->name,
        'token' => $tokenTwo,
        'profile' => $responseTwo->json(),
    ];

    // Assert that profiles of different users are not equal
    $this->assertNotEquals(
        $userOneDetails['profile'],
        $userTwoDetails['profile'],
        'The profiles for different users should not be equal.'
    );
});

[Messhias]

The JWT use context to generate tokens, it's not a database token based. So if the state is the same, user will be the same.

[specialtactics]

I think there is some misunderstanding here, if you want to log in as a user, you need to do Auth::login($user);

We have some Octane functionality in LaravelServiceProvider, I think maybe it would be wise to add logging out to that? I haven't dived deep enough into Octane to understand what it does itself clear (for example, application) versus what should the package maintainer clear.

[dannyyassine-ce]

I have a workaround at the moment, and seems to be resetting the internals of the JWTAuth:

static ?User $user = null;

...

public static function getUser(): ?User
{
    if (!self::$user) {
        JWTAuth::authenticate();        <---- adding this line
        self::$user = JWTAuth::user()?->getModel();
    }

    return self::$user;
}

then make sure to reset the static property on RequestTerminated and/or RequestReceived