laravel · taylorotwell · Apr 10, 2024 · Apr 6, 2024 · Apr 6, 2024 · Apr 8, 2024
diff --git a/src/Http/Middleware/AuthenticateSession.php b/src/Http/Middleware/AuthenticateSession.php
@@ -64,8 +64,10 @@ public function handle(Request $request, Closure $next): Response
         }
 
         return tap($next($request), function () use ($request, $guards) {
-            if (! is_null($request->user())) {
-                $this->storePasswordHashInSession($request, $guards->keys()->first());
+            $guard = $guards->keys()->first();
+
+            if ($this->auth->guard($guard)->hasUser()) {
+                $this->storePasswordHashInSession($request, $guard);
             }
         });
     }
@@ -79,12 +81,12 @@ public function handle(Request $request, Closure $next): Response
      */
     protected function storePasswordHashInSession($request, string $guard)
     {
-        if (! $request->user()) {
+        if (! $this->auth->guard($guard)->hasUser()) {
             return;
         }
 
         $request->session()->put([
-            "password_hash_{$guard}" => $request->user()->getAuthPassword(),
+            "password_hash_{$guard}" => $this->auth->guard($guard)->user()->getAuthPassword(),
         ]);
     }
 }
diff --git a/tests/Controller/FrontendRequestsAreStatefulTest.php b/tests/Controller/FrontendRequestsAreStatefulTest.php
@@ -13,7 +13,8 @@
 
 class FrontendRequestsAreStatefulTest extends TestCase
 {
-    use RefreshDatabase, WithWorkbench;
+    use RefreshDatabase;
+    use WithWorkbench;
 
     protected function defineEnvironment($app)
     {
@@ -57,6 +58,13 @@ protected function defineRoutes($router)
 
             return $request->user()->email;
         })->middleware($webMiddleware);
+
+        $router->get('/sanctum/api/logout', function () {
+            auth()->guard('web')->logout();
+            session()->flush();
+
+            return 'logged out';
+        })->middleware($apiMiddleware);
     }
 
     public function test_middleware_keeps_session_logged_in_when_sanctum_request_changes_password()
@@ -143,6 +151,28 @@ public function test_middleware_can_deauthorize_valid_user_using_acting_as_after
         ])->assertStatus(401);
     }
 
+    public function test_middleware_removes_password_hash_after_session_is_cleared_during_request()
+    {
+        $user = UserFactory::new()->create();
+
+        $this->actingAs($user)
+        ->getJson('/web/user', [
+            'origin' => config('app.url'),
+        ])
+        ->assertOk()
+        ->assertSee($user->email);
+
+        $this->getJson('/sanctum/web/user', [
+            'origin' => config('app.url'),
+        ])
+        ->assertOk()
+        ->assertSee($user->email)->assertSessionHas('password_hash_web', $user->getAuthPassword());
+
+        $this->getJson('/sanctum/api/logout', [
+            'origin' => config('app.url'),
+        ])->assertOk()->assertSee('logged out')->assertSessionMissing('password_hash_web');
+    }
+
     public static function sanctumGuardsDataProvider()
     {
         yield [null];