Merge pull request #59 from ellaisys/56-force-user-logout

56 force user logout
ellaisys · Apr 17, 2023 · a6b5126 · a6b5126
2 parents 2f9c8fd + 0457593
commit a6b5126
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,5 @@
+Release 26 (tag v1.0.11)
+ - Feature: Forced signout with RefreshToken revoked.
 
 Release 25 (tag v1.0.10)
  - Feature: Sign Out / Logout of the Access Token from AWS Cognito

diff --git a/README.md b/README.md
@@ -33,8 +33,9 @@ We decided to use it and contribute it to the community as a package, that encou
 - Easy configuration of Token Expiry (Manage using the cognito console, no code or configurations needed)
 - Support for App Client without Secret
 - Support for Cognito Groups, including assigning a default group to a new user
-- Session (Web) now has AccessToken and RefreshToken as part of the claim object **(NEW Feature)**
-- Logout (Sign Out) - Remove access tokens from AWS **(NEW Feature)**
+- Session (Web) now has AccessToken and RefreshToken as part of the claim object
+- Logout (Sign Out) - Remove access tokens from AWS
+- Forced Logout (Sign Out) - Revoke the RefreshToken from AWS **(NEW Feature)**
 
 ## Compatability
 
@@ -415,12 +416,19 @@ In case you want to use this trait for API based login, you can write the code a
 
 The logout methods are now part of the guard implementations, the logout method removes the access-tokens from AWS and also removes from Application Storage managed by this library. Just calling the auth guard logout method will be sufficient. You can implement it into the routes or controller based on your development preference.
 
+The logout method now takes an **optional** boolean parameter (true) to revoke RefreshToken. The default value is (false) and that will persist the Refresh Token with AWS Cognito.
+
 ```php
 
    ...
 
    Auth::guard('api')->logout();
 
+
+   ...
+
+   Auth::guard('api')->logout(true); //Revoke the Refresh Token.
+
 ```
 
 

diff --git a/src/Guards/CognitoSessionGuard.php b/src/Guards/CognitoSessionGuard.php
@@ -264,6 +264,22 @@ public function invalidate($forceForever = false)
                 //Revoke the token from AWS Cognito
                 if ($this->client->signOut($accessToken)) {
 
+                    //Global logout and invalidate the Refresh Token 
+                    if ($forceForever) {
+                        //Get claim data
+                        $dataClaim = (!empty($claim))?$claim['data']:null;
+                        if ($dataClaim) {
+                            //Retrive the Refresh Token from the claim
+                            $refreshToken = $dataClaim['RefreshToken'];
+
+                            //Invalidate the Refresh Token
+                            $this->client->revokeToken($refreshToken);
+                        } //End if
+                    } //End if
+
+                    //Remove the token from application storage
+                    return $session->invalidate();
+                } else {
                     //Remove the token from application storage
                     return $session->invalidate();
                 } //End if                

diff --git a/src/Guards/CognitoTokenGuard.php b/src/Guards/CognitoTokenGuard.php
@@ -249,7 +249,7 @@ public function setToken()
      *
      * @return void
      */
-    public function logout($forceForever = false)
+    public function logout(bool $forceForever = false)
     {
         $this->invalidate($forceForever);
         $this->user = null;
@@ -263,7 +263,7 @@ public function logout($forceForever = false)
      *
      * @return \Ellaisys\Cognito\AwsCognito
      */
-    public function invalidate($forceForever = false)
+    public function invalidate(bool $forceForever = false)
     {
         try {
             //Get authentication token from request
@@ -272,6 +272,19 @@ public function invalidate($forceForever = false)
             //Revoke the token from AWS Cognito
             if ($this->client->signOut($accessToken)) {
 
+                //Global logout and invalidate the Refresh Token 
+                if ($forceForever) {
+                    //Get claim data
+                    $data = $this->cognito->getClaim();
+                    if ($data && ($dataClaim = $data['data'])) {
+                        //Retrive the Refresh Token from the claim
+                        $refreshToken = $dataClaim['RefreshToken'];
+
+                        //Invalidate the Refresh Token
+                        $this->client->revokeToken($refreshToken);
+                    } //End if
+                } //End if
+
                 //Remove the token from application storage
                 return $this->cognito->unsetToken($forceForever);
             } //End if