
I want to get the record from the resetpasswordlog table (note: I have changed the table name) in Laravel 5.5 through the token generated during "forgot password". I do not want to use the default notification and instead send an email to users myself. I used Hash::make($token), but this does not match any record in the "resetpasswordlog" table.

// user model (App\User); requires: use Illuminate\Support\Facades\Hash;
public function sendPasswordResetNotification($token)
{
    // Dump the bcrypt hash of the raw token; note that each call uses a fresh random salt
    dd(Hash::make($token));
}

The result is:

$2y$10$sBeJOd33E7A10ZSwvVZpFeqNe/Cka2jYLdp4rI8fwIkgIFoJZgY5S

But in the DB table, I saw the record is entered like:

$2y$10$v1BM7EE4Xs64Xlv8Cktz/OHpwS/KX0qpMjg4Jf.VuPg...

My intention is to get the user's email through the hashed token and send an email to that user.

Comments:

What's the token value before hashing? (ZerosAndOnes)

In DB before getting the token: $2y$10$mj.GPulAe7LlyX//qAuHD.nqwaYOD4d.J3tUy9MdkbC... I received the token in the browser: $2y$10$v7jpSPv1wMmdMoV75RK0jOS2Qr7Yh5M6Gzc0NCTYAVHg4159pns8e Value changed in DB: $2y$10$WUUKtwguFcxlVLcQLFBMbOZ/nn9saSwUFk6Vzz7Yxhl... (Niladri Banerjee - Uttarpara)

Did you find a solution to this yet? (ZerosAndOnes)

@ZerosAndOnes No! But I made another way and it was successful. (Niladri Banerjee - Uttarpara)

You may share it here and select your own answer, so that if someone in future faces the same issue, it will be helpful for them. Thanks. (ZerosAndOnes)

1 Answer

Bcrypt generates a different hash value for the same input string, as it generates a random 128-bit salt during hashing; thus, the values from Hash::make will not match.

Instead, you can use the check method to confirm whether the unhashed token matches the hashed token value in the database, i.e.,

Hash::check($token, $hashedTokenInDatabase);

Also, due to the above, you won't be able to retrieve the user's email directly through only the token; you will require a field through which you can query the resetpasswordlog table to retrieve the corresponding hashed token value.

A workaround would be to extend the DatabaseTokenRepository class and override its getPayload method, so that the tokens aren't hashed in the database and an email can be retrieved from the database with a matching token, i.e.,

return ['email' => $email, 'token' => $token, 'created_at' => new Carbon];

However, if security is a concern then I wouldn't suggest this approach due to the points mentioned in Should password reset tokens be hashed when stored in a database?.
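The following is an added example, not code from the question or the answer above. It reproduces the two points of the answer in plain PHP: hashing the same token twice gives two different bcrypt strings, so a value from Hash::make can never be looked up in the token column, and the correct lookup is by email followed by a verify call on the stored hash. It uses PHP's built-in password_hash and password_verify (which Laravel's bcrypt Hash driver wraps) so it runs without Laravel; the resetpasswordlog rows, the raw token and the one-hour expiry are constructed for the example.

```php
<?php
// Added example (not from the question or answer). Demonstrates why
// Hash::make($token) never matches the stored column and how a reset
// token is verified instead, using plain PHP bcrypt functions.

// Constructed sample: two rows as resetpasswordlog might hold them after
// two reset requests. Only the bcrypt hash of each token is stored; the raw
// token travels to the user in the e-mail link.
$aliceRawToken = bin2hex(random_bytes(32)); // stands in for Laravel's generated token
$bobRawToken   = bin2hex(random_bytes(32));

$resetLog = [
    ['email' => 'alice@example.com', 'token' => password_hash($aliceRawToken, PASSWORD_BCRYPT), 'created_at' => time()],
    ['email' => 'bob@example.com',   'token' => password_hash($bobRawToken,   PASSWORD_BCRYPT), 'created_at' => time()],
];

// 1. Same input, two hashes: bcrypt embeds a random salt, so a direct string
//    comparison against the stored value fails even for the right token.
$hashedAgain = password_hash($aliceRawToken, PASSWORD_BCRYPT);
echo "hashing the same token twice gives identical strings: "
    . var_export($hashedAgain === $resetLog[0]['token'], true) . PHP_EOL;
echo "password_verify of the raw token against the stored hash: "
    . var_export(password_verify($aliceRawToken, $resetLog[0]['token']), true) . PHP_EOL;

// 2. Lookup by e-mail (the extra field the answer says is needed), then
//    verify the raw token against the stored hash and reject stale rows.
//    $expiresSeconds is a constructed one-hour lifetime for this example.
function findResetRecord(array $log, string $email, string $rawToken, int $expiresSeconds = 3600): ?array
{
    foreach ($log as $row) {
        if ($row['email'] !== $email) {
            continue;
        }
        if (time() - $row['created_at'] > $expiresSeconds) {
            return null; // token expired; the row should be purged
        }
        // password_verify re-hashes with the salt stored in the hash and compares
        return password_verify($rawToken, $row['token']) ? $row : null;
    }
    return null; // no reset request on file for this address
}

echo "alice with her own token: "
    . var_export(findResetRecord($resetLog, 'alice@example.com', $aliceRawToken) !== null, true) . PHP_EOL;
echo "bob presenting alice's token: "
    . var_export(findResetRecord($resetLog, 'bob@example.com', $aliceRawToken) !== null, true) . PHP_EOL;
echo "alice with a wrong token: "
    . var_export(findResetRecord($resetLog, 'alice@example.com', 'not-the-token') !== null, true) . PHP_EOL;
```

Run it with `php example.php`. Because the lookup is keyed on the email and the token is only ever checked with password_verify, the table never needs to hold a reversible or plaintext token, which is the property the getPayload override in the answer gives up.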