From 0d7059fcf6705a3e0730a4e52a40b1e749c63b19 Mon Sep 17 00:00:00 2001
From: Darko Gjorgjijoski
Date: Fri, 3 Apr 2026 23:53:56 +0200
Subject: [PATCH] Fix logout/re-login CSRF mismatch and stale token issues

Cherry-picked from v3.0 branch. Three fixes:
1. Refresh CSRF cookie after logout (auth.js)
2. Clear auth.token and selectedCompany from localStorage on logout (auth.js)
3. Invalidate session and regenerate CSRF token on server-side logout (web.php)

Without these, logging out and back in as a different user would fail with CSRF token mismatch and 401 Unauthenticated errors because the browser held stale session cookies and localStorage tokens.
---
 resources/scripts/admin/stores/auth.js | 15 ++++++++++++---
 routes/web.php | 3 +++
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/resources/scripts/admin/stores/auth.js b/resources/scripts/admin/stores/auth.js
index 08229eca..55321e1c 100644
--- a/resources/scripts/admin/stores/auth.js
+++ b/resources/scripts/admin/stores/auth.js
@@ -46,20 +46,29 @@ export const useAuthStore = (useWindow = false) => {
 return new Promise((resolve, reject) => {
 http
 .post('/auth/logout')
- .then((response) => {
+ .then(async (response) => {
 const notificationStore = useNotificationStore()
 notificationStore.showNotification({
 type: 'success',
 message: 'Logged out successfully.',
 })
+ // Clear stored auth data so next login doesn't send stale tokens
+ window.Ls.remove('auth.token')
+ window.Ls.remove('selectedCompany')
+
+ // Refresh CSRF token so next login works cleanly
+ await http.get('/sanctum/csrf-cookie').catch(() => {})
+
 window.router.push('/login')
- // resetStore.clearPinia()
 resolve(response)
 })
 .catch((err) => {
 handleError(err)
- window.router.push('/')
+ window.Ls.remove('auth.token')
+ window.Ls.remove('selectedCompany')
+ http.get('/sanctum/csrf-cookie').catch(() => {})
+ window.router.push('/login')
 reject(err)
 })
 })
diff --git a/routes/web.php b/routes/web.php
index 2c27d156..577d9ebd 100644
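Review bot: The client-side cleanup — the two `window.Ls.remove(...)` calls and the `/sanctum/csrf-cookie` refresh — is duplicated verbatim in the `.then` and `.catch` handlers of the logout chain, and the `.catch` copy does not await the refresh before `window.router.push('/login')`, so the two paths behave differently for no stated reason. Hoisting the cleanup into one async helper above `return new Promise(...)` and awaiting it in both handlers keeps the paths identical and makes the ordering explicit; the `.catch(() => {})` on the refresh still swallows the failure, which deserves at least a `// best-effort: a failed refresh surfaces as a CSRF error on the next login` comment so the silence is visibly intentional. Note also that removing `auth.token` from localStorage only discards the client copy; if that value is an API token valid independently of the web session, the server-side change in `routes/web.php` (session invalidate plus token regenerate) does not revoke it — confirm how that token is issued before relying on logout to end its validity. The enclosing store method begins before this hunk.
```javascript
      // Drop client-held auth state and fetch a fresh CSRF cookie so the next
      // login does not send stale tokens. Best-effort: a failed refresh is
      // swallowed here and surfaces as a CSRF error on the next login.
      const resetClientAuthState = async () => {
        window.Ls.remove('auth.token')
        window.Ls.remove('selectedCompany')
        await http.get('/sanctum/csrf-cookie').catch(() => {})
      }
      return new Promise((resolve, reject) => {
        // … unchanged: http.post('/auth/logout') chain head …
          .then(async (response) => {
            // … unchanged: success notification …
            await resetClientAuthState()
            window.router.push('/login')
            resolve(response)
          })
          .catch(async (err) => {
            handleError(err)
            await resetClientAuthState()
            window.router.push('/login')
            reject(err)
          })
      })
```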
--- a/routes/web.php
+++ b/routes/web.php
@@ -34,6 +34,9 @@ Route::post('login', [LoginController::class, 'login']);
 Route::post('auth/logout', function () {
 Auth::guard('web')->logout();
+
+ request()->session()->invalidate();
+ request()->session()->regenerateToken();
 });
 // Customer auth