4
votes

I have a slight problem after upgrading to Laravel 5.4.

When I do a password reset, the email gets generated and sent perfectly. However, the token it saves to the user record in the database is as follows:

$2y$10$N0WFuqEkEIFto.CazxYLdOUmY1X9tBHfvDn8iWKUdlq2W9uOc00Ku

But the token it sends to the user to do a password reset is:

bc1c82830bc8ad1356aa5e2a2a5a342ae6c6fabd385add503795cca1a1993e15

My question is: why are the two tokens different, and how do I now check whether the token exists in the database? I need to get the email address to post to the reset controller.

Thanks in advance.

3
Did you find any solution? - usama

3 Answers

6
votes

The token you store in the database is hashed, the same as the password column in your users table. However, the token you receive is not hashed. That's why they are different.

To get this password:

$2y$10$N0WFuqEkEIFto.CazxYLdOUmY1X9tBHfvDn8iWKUdlq2W9uOc00Ku

you have to do

Hash::make('bc1c82830bc8ad1356aa5e2a2a5a342ae6c6fabd385add503795cca1a1993e15');

And you cannot revert this process backwards.

3
votes

The token in the database is encrypted with Bcrypt. That's why it is different in the database.

The token will still work when you use it.

3
votes

The token it stores in the database is the same string, but hashed with bcrypt, a secure and adaptive algorithm based on the Blowfish cipher.

You can see the documentation for the vanilla PHP password_hash() function to see how it's built, and the password_verify() function to verify that the hashed string is valid against an unhashed version of it (what is sent to the user, in this case).


Laravel Hashing

Laravel includes its own hashing objects and facades which are documented.

To create a hash:

$string = 'Hello world.';
$hash = Hash::make($string);

To verify the hash against a plain string:

if (Hash::check($string, $hash)) {
    // The passwords match...
}

Note: In Laravel 5.4, the email token changed from SHA256 to bcrypt in an undocumented change (as issue #18570 shows), so bear that in mind if you are upgrading from Laravel 5.3 or lower.
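
An added example, not part of any answer above and not Laravel's own code: because bcrypt salts every hash, the stored value cannot be found by hashing the emailed token again, so the row has to be looked up by email and then checked with password_verify(). The in-memory $resets array (standing in for the reset table), the helper names, the field names and the 60-minute lifetime are assumptions made for the illustration.

```php
<?php
// Added example: vanilla PHP 7+, run with `php example.php`.
// $resets is a constructed in-memory stand-in for the password reset table;
// issueToken(), verifyToken() and the 3600-second lifetime are hypothetical.

function issueToken(array &$resets, string $email): string
{
    // 64 hex characters; this plain value is what goes into the emailed link.
    $plain = bin2hex(random_bytes(32));

    // Only the bcrypt hash is stored, keyed by the account's email address.
    $resets[$email] = [
        'token'      => password_hash($plain, PASSWORD_BCRYPT),
        'created_at' => time(),
    ];

    return $plain;
}

function verifyToken(array $resets, string $email, string $plain, int $ttl = 3600): bool
{
    // Find the row by email, never by token: two bcrypt hashes of the same
    // input differ, so a string comparison on the hash column cannot match.
    $row = $resets[$email] ?? null;
    if ($row === null || time() - $row['created_at'] > $ttl) {
        return false;
    }

    // password_verify() re-derives the hash using the salt embedded in the
    // stored value and compares in constant time.
    return password_verify($plain, $row['token']);
}

$resets = [];
$plain  = issueToken($resets, 'user@example.com');

// Hashing the emailed token again does not reproduce the stored hash.
var_dump(password_hash($plain, PASSWORD_BCRYPT) === $resets['user@example.com']['token']);

// Correct email and token, then a wrong token, then an unknown email.
var_dump(verifyToken($resets, 'user@example.com', $plain));
var_dump(verifyToken($resets, 'user@example.com', str_repeat('0', 64)));
var_dump(verifyToken($resets, 'other@example.com', $plain));
```

In a Laravel application the same check is `Hash::check($plain, $row->token)` once the row has been fetched by email, which means the email address has to be submitted together with the token.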