Fix #73 - CSRF token mismatch

2025-03-15 07:28:30 +01:00 · 2022-05-14 13:45:12 +02:00 · 2022-05-14 13:45:12 +02:00 · 070c6a2486
commit 070c6a2486
parent 986e216896
4 changed files with 15 additions and 3 deletions
--- a/app/Http/Middleware/KickOutInactiveUser.php
+++ b/app/Http/Middleware/KickOutInactiveUser.php
@ -46,7 +46,7 @@ public function handle($request, Closure $next, ...$quards)
                Auth::logout();
            }
     
-            return response()->json(['message' => 'unauthorised'], Response::HTTP_UNAUTHORIZED);
+            return response()->json(['message' => 'inactivity detected'], Response::HTTP_I_AM_A_TEAPOT);
        }

        return $next($request);
--- a/resources/js/api.js
+++ b/resources/js/api.js
@ -39,6 +39,16 @@ Vue.axios.interceptors.response.use(response => response, error => {
    if ( error.response.status === 401 ) {
        routeName = 'login'
    }
+
+    // api calls are stateless so when user inactivity is detected
+    // by the backend middleware it cannot logout the user directly
+    // so it returns a 418 response.
+    // We catch the 418 response and push the user to the login view
+    // with the instruction to request a session logout
+    if ( error.response.status === 418 ) {
+        router.push({ name: 'login', params: { forceLogout: true } })
+        throw new Vue.axios.Cancel();
+    }
    
    if ( error.response.status === 404 ) routeName = '404'

--- a/resources/js/views/auth/Login.vue
+++ b/resources/js/views/auth/Login.vue
@ -130,6 +130,8 @@

        beforeRouteEnter (to, from, next) {
            next(async vm => {
+                if( to.params.forceLogout ) await vm.axios.get('/user/logout')
+
                const { data } = await vm.axios.get('api/v1/user/name')

                if( data.name ) {
--- a/tests/Feature/Http/Auth/LoginTest.php
+++ b/tests/Feature/Http/Auth/LoginTest.php
@ -159,7 +159,7 @@ public function test_user_logout_returns_validation_success()
    /**
     * @test
     */
-    public function test_user_logout_after_inactivity_returns_unauthorized()
+    public function test_user_logout_after_inactivity_returns_teapot()
    {
        // Set the autolock period to 1 minute
        $settingService = resolve('App\Services\SettingService');
@ -178,7 +178,7 @@ public function test_user_logout_after_inactivity_returns_unauthorized()

        $response = $this->actingAs($this->user, 'api-guard')
            ->json('GET', '/api/v1/twofaccounts')
-            ->assertUnauthorized();
+            ->assertStatus(418);
    }

 }