Laravel REST API - infinite loop

I am building a REST user-microservice using Laravel 5.5 + Passport. I am using the standard Passport::routes(), but I have had to modify the Auth::routes in order to make them return JSON responses, and to make them work with Passport.

I have added the following lines to my routes/web.php file:

Route::group(['middleware' => 'auth:api'], function () {
    $this->post('logout', 'Auth\[email protected]')->name('logout');

This allows me to POST https://myapi/logout

  • If I make the call with the header "Authorization => Bearer TOKEN", I get a successful logout response.
  • If I provide no header at all, I get a "not authenticated" message (which is good)
  • However, if I provide the header with a revoked token, I get a recursive deadloop of the function: Illuminate\Auth\RequestGuard->user() (it keeps calling itself recursively until stack-overflow)

This is all done in the auth:api middleware, my logout code is not reached, but my LoginController constructor is called. Constructor code:

public function __construct(Application $app)
        $this->apiConsumer = $app->make('apiconsumer');


I'm struggling to understand if it's my code causing this issue, or some combination of Laravel + passport + auth.

My first thought was that the auth:api middleware fails to authenticate the user, and as a result redirects the user to /home, where for some reason it's triggered again, recursively. But if that was the case, why would it work correctly with no header?

My current thinking is that the token in question does exist in the database, but Laravel is failing to figure out that it's revoked.

Any suggestions appreciated,