Decrypt Laravel Password Reset Token

I am writing a test that ensures that the password reset functionality of my application works. The password reset system was created using the php artisan make:auth command. In order to make the test pass I need to automate a GET request to /password/reset/{$token} where $token is the value stored in the password_resets table. Laravel stores the token like this:

$2y$10$9grKb3c6.Toiv0kjUWbCUeT8Q8D.Fg2gZ/xDLGQUAkmdyHigmRkNW

but when Laravel sends the password reset email to the user, the reset token looks like this in the email:

382aa64567ecd05a774c2e4ebb199d3340a1424300707053354c749c10487594.

My GET request to /password/reset/$2y$10$9grKb3c6.Toiv0kjUWbCUeT8Q8D.Fg2gZ/xDLGQUAkmdyHigmRkNW fails due to the forward slash in the reset token. (Right after the 'g2gZ')

I tried using the helper function decrypt() but had no luck.

How can I convert the password reset token I pull from the password_resets table to match what Laravel sends to the user?

Not sure if this is relevant but I did upgrade my application from 5.3 to 5.4.

Denis Priebe asked Jan 25 '17 21:01



2 Answers

You can get the token from the closure used for additional checks that is passed to Notification's assertSentTo method, because $token is a public property of the standard ResetPassword notification.

In your test:

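// Requires: use Illuminate\Support\Facades\Notification;
// Swap the notification dispatcher for a fake so nothing is really sent.
Notification::fake();

// Request a reset; the plain-text token only exists inside the notification.
$this->postJson('api/user/reset', ['email' => $user->email])
    ->assertStatus(200);

$token = '';

// Capture the plain-text token from the faked notification by reference.
Notification::assertSentTo(
    $user,
    \Illuminate\Auth\Notifications\ResetPassword::class,
    function ($notification, $channels) use (&$token) {
        $token = $notification->token;

        return true;
    });

// Complete the reset with the captured token.
$this->postJson('api/user/resetting', [
    'email' => $user->email,
    'token' => $token,
    'password' => '87538753',
    'password_confirmation' => '87538753'
])
    ->assertStatus(200);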
pinguinjkeke answered Sep 30 '22 19:09


The token stored in the password_resets table is hashed just like a normal password, so you can't reverse it to get the original token.

I suggest that you use the log mail driver when running tests. Then the password reset email will be printed in plain text in the Laravel log and you can grab the token from that.

BrokenBinary answered Sep 30 '22 20:09
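The one-way relationship between the emailed token and the stored value described in the answer above, as an added example that is not part of the original answers and is not Laravel's own code. It is a plain-PHP model that assumes, consistent with the two values shown in the question, a 64-character HMAC-SHA256 token sent to the user and a cost-10 bcrypt hash of it kept in the table; the key and the function names are hypothetical.

```php
<?php
// Added illustration: a plain-PHP model of the flow, not Laravel's source.
// $appKey and all function names below are hypothetical.

/** Issue a reset token: 64 hex characters, like the value seen in the email. */
function issueResetToken(string $appKey): string
{
    return hash_hmac('sha256', bin2hex(random_bytes(20)), $appKey);
}

/** What goes into the password_resets row: a bcrypt hash, never the token. */
function storedForm(string $token): string
{
    return password_hash($token, PASSWORD_BCRYPT, ['cost' => 10]);
}

/** Verification is one-way: hash the submitted token and compare to the row. */
function tokenMatchesRow(string $submitted, string $rowValue): bool
{
    return password_verify($submitted, $rowValue);
}

$appKey   = 'constructed-test-key';      // constructed sample value
$emailed  = issueResetToken($appKey);    // delivered to the user only
$rowValue = storedForm($emailed);        // persisted in the database only

printf("emailed token: %s\n", $emailed);
printf("stored value : %s\n", $rowValue);
printf("stored algo  : %s\n", password_get_info($rowValue)['algoName']);

// Check 1: the emailed token verifies against the stored row.
var_dump(tokenMatchesRow($emailed, $rowValue));

// Check 2: the row value submitted as if it were the token. This is the
// request from the question; it is also why a read of the table (leaked
// backup, SQL injection) does not hand out working reset links.
var_dump(tokenMatchesRow($rowValue, $rowValue));

// Check 3: hashing the same token again and comparing as strings. bcrypt
// salts every hash, so a test has to capture the plain token when it is
// issued instead of trying to recompute or look up the row.
var_dump(storedForm($emailed) === $rowValue);
```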