Ensure tokens are found in the database using the expected logic

app/Exceptions/Handler.php

@@ -47,6 +47,18 @@ class Handler extends ExceptionHandler
         ValidationException::class,
     ];
 
+    /**
+     * Maps exceptions to a specific response code. This handles special exception
+     * types that don't have a defined response code.
+     *
+     * @var array<string, int>
+     */
+    protected static array $exceptionResponseCodes = [
+        AuthenticationException::class => 401,
+        AuthorizationException::class => 403,
+        ValidationException::class => 422,
+    ];
+
     /**
      * A list of the inputs that are never flashed for validation exceptions.
      *
@@ -187,12 +199,14 @@ class Handler extends ExceptionHandler
      */
     public static function convertToArray(Throwable $exception, array $override = []): array
     {
+        $match = self::$exceptionResponseCodes[get_class($exception)] ?? null;
+
         $error = [
             'code' => class_basename($exception),
             'status' => method_exists($exception, 'getStatusCode')
                 ? strval($exception->getStatusCode())
-                : ($exception instanceof ValidationException ? '422' : '500'),
-            'detail' => $exception instanceof HttpExceptionInterface
+                : strval($match ?? '500'),
+            'detail' => $exception instanceof HttpExceptionInterface || !is_null($match)
                 ? $exception->getMessage()
                 : 'An unexpected error was encountered while processing this request, please try again.',
         ];

app/Http/Controllers/Api/Client/AccountController.php

@@ -19,19 +19,19 @@ class AccountController extends ClientApiController
     private $updateService;
 
     /**
-     * @var \Illuminate\Auth\SessionGuard
+     * @var \Illuminate\Auth\AuthManager
      */
-    private $sessionGuard;
+    private $manager;
 
     /**
      * AccountController constructor.
      */
-    public function __construct(AuthManager $sessionGuard, UserUpdateService $updateService)
+    public function __construct(AuthManager $manager, UserUpdateService $updateService)
     {
         parent::__construct();
 
         $this->updateService = $updateService;
-        $this->sessionGuard = $sessionGuard;
+        $this->manager = $manager;
     }
 
     public function index(Request $request): array
@@ -64,13 +64,17 @@ class AccountController extends ClientApiController
     {
         $user = $this->updateService->handle($request->user(), $request->validated());
 
+        $guard = $this->manager->guard();
         // If you do not update the user in the session you'll end up working with a
         // cached copy of the user that does not include the updated password. Do this
         // to correctly store the new user details in the guard and allow the logout
         // other devices functionality to work.
-        $this->sessionGuard->setUser($user);
+        $guard->setUser($user);
 
-        $this->sessionGuard->logoutOtherDevices($request->input('password'));
+        // This method doesn't exist in the stateless Sanctum world.
+        if (method_exists($guard, 'logoutOtherDevices')) {
+            $guard->logoutOtherDevices($request->input('password'));
+        }
 
         return new JsonResponse([], Response::HTTP_NO_CONTENT);
     }

app/Models/ApiKey.php

@@ -195,9 +195,13 @@ class ApiKey extends Model
     public static function findToken($token)
     {
         $id = Str::substr($token, 0, self::IDENTIFIER_LENGTH);
-        $token = Str::substr($token, strlen($id));
 
-        return static::where('identifier', $id)->where('token', encrypt($token))->first();
+        $model = static::where('identifier', $id)->first();
+        if (!is_null($model) && decrypt($model->token) === Str::substr($token, strlen($id))) {
+            return $model;
+        }
+
+        return null;
     }
 
     /**