For background we have two servers: the oauth server which issues out tokens and has laravel passport installed, and an api server which handles requests for the front end. In order to minimize requests, we are caching the access token on the api server, so that there is no need to make a request out to the oauth server from the api server.
However, in the case of an emergency, we want to quickly invalidate all of a user's tokens and remove the tokens from the cache on the api server.
I have figured out how to invalidate all of a user's tokens, but getting the actual access token value proves to be difficult. Is there a way to get a user's access tokens and return them to the api server?
For reference, here is the code I have to currently invalidate a user's tokens:
use App\User;
public function invalidate_sessions($user_id) {
$user = User::find($user_id);
$tokens = [];
foreach ($user->tokens as $token) {
$token->revoke();
// this doesn't work
$tokens[] = $token;
}
$api_server = config('auth.api_server');
$http = new \GuzzleHttp\Client;
$response = $http->post("{$api_server}/api/invalidate_sessions", [
\GuzzleHttp\RequestOptions::JSON => $tokens
]);
return (string)$response->getBody();
}
