Fix logout/re-login CSRF mismatch and stale token issues

Cherry-picked from v3.0 branch. Three fixes:
1. Refresh CSRF cookie after logout (auth.js)
2. Clear auth.token and selectedCompany from localStorage on logout (auth.js)
3. Invalidate session and regenerate CSRF token on server-side logout (web.php)

Without these, logging out and back in as a different user would fail
with CSRF token mismatch and 401 Unauthenticated errors because the
browser held stale session cookies and localStorage tokens.
Darko Gjorgjijoski
2026-04-03 23:53:56 +02:00
parent 7d9fdb79cc
commit 0d7059fcf6
2 changed files with 15 additions and 3 deletions


@@ -46,20 +46,29 @@ export const useAuthStore = (useWindow = false) => {
return new Promise((resolve, reject) => {
http
.post('/auth/logout')
.then((response) => {
.then(async (response) => {
const notificationStore = useNotificationStore()
notificationStore.showNotification({
type: 'success',
message: 'Logged out successfully.',
})
// Clear stored auth data so next login doesn't send stale tokens
window.Ls.remove('auth.token')
window.Ls.remove('selectedCompany')
// Refresh CSRF token so next login works cleanly
await http.get('/sanctum/csrf-cookie').catch(() => {})
window.router.push('/login')
// resetStore.clearPinia()
resolve(response)
})
.catch((err) => {
handleError(err)
window.router.push('/')
window.Ls.remove('auth.token')
window.Ls.remove('selectedCompany')
http.get('/sanctum/csrf-cookie').catch(() => {})
window.router.push('/login')
reject(err)
})
})