QT/InvoiceShelf
1
0
Fork 0
mirror of https://github.com/InvoiceShelf/InvoiceShelf.git synced 2026-04-07 05:31:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix logout/re-login CSRF mismatch and stale token issues

Browse Source 
Cherry-picked from v3.0 branch. Three fixes:
1. Refresh CSRF cookie after logout (auth.js)
2. Clear auth.token and selectedCompany from localStorage on logout (auth.js)
3. Invalidate session and regenerate CSRF token on server-side logout (web.php)

Without these, logging out and back in as a different user would fail
with CSRF token mismatch and 401 Unauthenticated errors because the
browser held stale session cookies and localStorage tokens.
This commit is contained in:
Darko Gjorgjijoski
2026-04-03 23:53:56 +02:00
parent 7d9fdb79cc
commit 0d7059fcf6
2 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
resources/scripts/admin/stores/auth.js vendored
View File

@@ -46,20 +46,29 @@ export const useAuthStore = (useWindow = false) => {
return new Promise((resolve, reject) => {
http
.post('/auth/logout')
.then((response) => {
.then(async (response) => {
const notificationStore = useNotificationStore()
notificationStore.showNotification({
type: 'success',
message: 'Logged out successfully.',
})
// Clear stored auth data so next login doesn't send stale tokens
window.Ls.remove('auth.token')
window.Ls.remove('selectedCompany')
// Refresh CSRF token so next login works cleanly
await http.get('/sanctum/csrf-cookie').catch(() => {})
window.router.push('/login')
// resetStore.clearPinia()
resolve(response)
})
.catch((err) => {
handleError(err)
window.router.push('/')
window.Ls.remove('auth.token')
window.Ls.remove('selectedCompany')
http.get('/sanctum/csrf-cookie').catch(() => {})
window.router.push('/login')
reject(err)
})
})

3
routes/web.php
View File

@@ -34,6 +34,9 @@ Route::post('login', [LoginController::class, 'login']);
Route::post('auth/logout', function () {
Auth::guard('web')->logout();
request()->session()->invalidate();
request()->session()->regenerateToken();
});
// Customer auth