I made a small change here that is probably worth noting.
In the logout function, I used the following:
$user =User::where('email', $request->email)->first(); // REMOVED THIS LINE$user =Auth::user(); // ADDED THIS LINEif($user) { $user->tokens()->delete();}returnresponse()->noContent();
If I am reading the video code properly, User A could log out User B by putting in their email instead of their own. By doing it like I have above, you can only log yourself out.
MS
Mike Scott
✓ Link copied!
I was about to comment the same thing. The logout should be by access token in the authenticated group, with no need to pass in the email or any other parameter other than the bearer token.
S
Slon
✓ Link copied!
Logout must be inside the 'auth:sanctum' group, otherwise knowing any user's email you can logout him.
I made a small change here that is probably worth noting.
In the logout function, I used the following:
If I am reading the video code properly, User A could log out User B by putting in their email instead of their own. By doing it like I have above, you can only log yourself out.
I was about to comment the same thing. The logout should be by access token in the authenticated group, with no need to pass in the email or any other parameter other than the bearer token.