einundzwanzig/einundzwanzig-app
1
0
Fork 0
mirror of https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git synced 2026-06-17 16:40:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add DELETE /api/mobile/token so the app can revoke its token on logout

Browse Source
This commit is contained in:
HolgerHatGarKeineNode
2026-06-12 15:12:38 +02:00
parent 54c959d18e
commit f9b3428865
3 changed files with 62 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/Feature/Auth/MobileAuthTest.php
+32
View File
@@ -224,3 +224,35 @@ it('returns the token owner profile on /api/user', function () {
it('denies /api/user without a token', function () {
$this->getJson('/api/user')->assertUnauthorized();
});
it('revokes the requesting token on mobile logout', function () {
$user = User::factory()->create();
$plainTextToken = $user->createToken('Pixel 10')->plainTextToken;
$this->deleteJson('/api/mobile/token', [], ['Authorization' => 'Bearer '.$plainTextToken])
->assertOk()
->assertJson(['status' => 'OK']);
expect($user->tokens()->count())->toBe(0);
// The revoked token no longer authenticates API requests. The guard
// caches the resolved user within a test, so reset it first.
$this->app['auth']->forgetGuards();
$this->getJson('/api/user', ['Authorization' => 'Bearer '.$plainTextToken])
->assertUnauthorized();
});
it('only revokes the token used for the logout request', function () {
$user = User::factory()->create();
$phoneToken = $user->createToken('Pixel 10')->plainTextToken;
$user->createToken('Tablet');
$this->deleteJson('/api/mobile/token', [], ['Authorization' => 'Bearer '.$phoneToken])
->assertOk();
expect($user->tokens()->pluck('name')->all())->toBe(['Tablet']);
});
it('denies the mobile logout without a token', function () {
$this->deleteJson('/api/mobile/token')->assertUnauthorized();
});