From df1b4947b6ec93851ca5528bc90c1568b04be57b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Pedro=20Lopes?= <joaopalopes24@gmail.com>
Date: Tue, 10 Feb 2026 15:28:13 -0300
Subject: [PATCH] fix(block): cycle remember token to logout devices

---
 src/Http/Requests/BlockDeviceRequest.php | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/Http/Requests/BlockDeviceRequest.php b/src/Http/Requests/BlockDeviceRequest.php
index 9386886..fa46fdc 100644
--- a/src/Http/Requests/BlockDeviceRequest.php
+++ b/src/Http/Requests/BlockDeviceRequest.php
@@ -4,6 +4,7 @@
 
 use Illuminate\Foundation\Http\FormRequest;
 use Illuminate\Support\Facades\Session;
+use Illuminate\Support\Str;
 use UserDevices\DeviceCreator;
 use UserDevices\Models\UserDevice;
 
@@ -35,11 +36,19 @@ public function fulfill(): void
     {
         $this->getDevice()?->block();
 
-        $sessionId = $this->getDevice()?->session_id;
+        rescue(function () {
+            $user = $this->getDevice()?->user;
 
-        if (filled($sessionId)) {
-            Session::getHandler()->destroy($sessionId);
-        }
+            $sessionId = $this->getDevice()?->session_id;
+
+            if (filled($user) && filled($sessionId)) {
+                Session::getHandler()->destroy($sessionId);
+
+                // Cycle remember token so the blocked device
+                // cannot re-authenticate via remember me cookie
+                tap($user, fn ($user) => $user->setRememberToken(Str::random(60)))->save();
+            }
+        });
     }
 
     /**