When Session based Guard is not used Logout fails

[karmendra]

In Fortify configuration, when I switch the middleware to "api," the logout functionality doesn't work as expected. It attempts to invalidate the session and regenerate it, but there is no session present in api middleware, and the code errors.

I suggest, to add a conditional check in the Laravel\Fortify\Http\Controllers\AuthenticatedSessionController@destroy() method, as shown below, to ensure that the session is invalidated and regenerated only when request has a session.

public function destroy(Request $request): LogoutResponse
    {
        $this->guard->logout();

       if ($request->hasSession()) { // this is the check I like to add
            $request->session()->invalidate();
            $request->session()->regenerateToken();
        }

        return app(LogoutResponse::class);
    }

I can submit a PR if it makes sense.

[karmendra]

Created a PR #487

[driesvints]

Hi there. This isn't a real issue since an api is stateless. There's no way to "destroy" a session. The destroy endpoint is always for state based authentication.

[karmendra]

To clarify, my mobile app includes a Logout button that initiates an API call (/logout) to delete the current User Token, effectively logging the user out and invalidating their token.

To manage this process, I've implemented the LogoutResponseContract within FortifyServiceProvider. This approach was chosen because there aren't alternative options available, such as pipelines as seen in the login method.

However, as the session is being invalidated and regenerated within the AuthenticateSessionController@destroy before the LogoutResponse is invoked. This is hindering my ability to implement my logic for token deletion effectively.

Thanks to @driesvints, @crynobone, and @taylorotwell for reviewing and merging the PR.