Laravel 5.5 Custom reset password throws token mismatch

I wanted to override/customize the existing Laravel forgot and reset password functionality, mainly because my table does not contain an "email" column and we have our own email sending method. Therefore I updated my ForgotPasswordController.php as follows:

<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\SendsPasswordResetEmails;
use Illuminate\Contracts\Auth\PasswordBroker;
use App\People;
use Illuminate\Http\Request;

class ForgotPasswordController extends Controller
{
    /*
    |--------------------------------------------------------------------------
    | Password Reset Controller
    |--------------------------------------------------------------------------
    |
    | This controller is responsible for handling password reset emails and
    | includes a trait which assists in sending these notifications from
    | your application to your users. Feel free to explore this trait.
    |
    */
    use SendsPasswordResetEmails;

    /**
     * Create a new controller instance.
     *
     * @return void
     */
    public function __construct()
    {
        $this->middleware('guest');
    }

    public function sendResetLinkEmail(Request $request)
    {
        $this->validateEmail($request);

        // We will send the password reset link to this user. Once we have attempted
        // to send the link, we will examine the response then see the message we
        // need to show to the user. Finally, we'll send out a proper response.

        // Our table has no "email" column; the address lives in "username_email".
        $people = People::where('username_email', $request['email'])->first();

        if (!empty($people->cust_id)) { // user found
            $password_broker = app(PasswordBroker::class); // so we can have dependency injection
            $people->email = $people->username_email; // because below createToken function is looking for email field in the people table
            $token = $password_broker->createToken($people); // create reset password token
            $link = getHTTPURL(true) . '/profile/password/reset/' . $token; // getHTTPURL() and \email are our own application helpers

            $objemail = new \email();
            $objemail->body = "
            You can reset the password via : " . $link . "<br /><br />";

            $objemail->to_address = $request['email'];
            $objemail->send(true);

            return array('error' => 0, 'success' => 1);
        }

        return array('error' => 0, 'success' => 0);

        /*$password_broker->emailResetLink($user, $token, function (Message $message) {
                $message->subject('Custom Email title');
        });//send email.*/
    }

}

Now if I submit the default laravel password reset form, I'm getting "This password reset token is invalid." error in the view file.

Note: I override the credentials function in the ResetPasswordController.php as follows:

protected function credentials(Request $request)
{
    return $request->only(
        'username_email', 'password', 'password_confirmation', 'token'
    );
}

Any idea, what's wrong?

FR STAR asked Oct 28 '22 22:10
1 Answer

You can customize forget and reset password functionality in Laravel. Here is something that needs attention.

The token that is sent to the user through email is actually sha256 of your APP_KEY.

$this->hashKey is actually APP_KEY.

$token = hash_hmac('sha256', Str::random(40), $this->hashKey);

But the token that is stored in your database is bcrypt of that sha256.

bcrypt(hash_hmac('sha256', Str::random(40), $this->hashKey));
Pooja Sharma answered Nov 02 '22 16:11
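The token lifecycle the answer describes, shown as an added example in plain PHP (8.0 or later); this is not code from the question, the answer or Laravel itself. It creates the emailed token as hash_hmac('sha256', random, APP_KEY), stores only a bcrypt hash of it, and checks a submitted token by first finding the row for the user's reset address and then running a bcrypt comparison. The TokenStore class, the in-memory $rows array (standing in for Laravel's password_resets table), the $appKey value, the constructed sample address and bin2hex(random_bytes(20)) in place of Str::random(40) are all assumptions made for this example.

```php
<?php
// Added example; not code from the question, the answer or Laravel itself.
// Re-creates the token lifecycle the answer describes in plain PHP (8.0+):
//   emailed token  = hash_hmac('sha256', <random>, APP_KEY)
//   stored token   = bcrypt(emailed token)
//   check          = find the row by the user's reset address, then bcrypt-verify
// Assumptions: the TokenStore class, the in-memory $rows array (stands in for
// the password_resets table), the $appKey value, the sample address, and
// bin2hex(random_bytes(20)) in place of Str::random(40).

final class TokenStore
{
    /** @var array<string, array{token: string, created_at: int}> rows keyed by reset address */
    private array $rows = [];

    public function __construct(private string $appKey, private int $expireSeconds = 3600)
    {
    }

    /** Create a token for $email and return the plain value that goes into the link. */
    public function createToken(string $email): string
    {
        unset($this->rows[$email]); // one outstanding token per address

        $plain = hash_hmac('sha256', bin2hex(random_bytes(20)), $this->appKey);

        // Only the bcrypt hash reaches storage: a leaked table does not yield
        // usable reset links, and the plain token exists only in the e-mail.
        $this->rows[$email] = [
            'token'      => password_hash($plain, PASSWORD_BCRYPT),
            'created_at' => time(),
        ];

        return $plain;
    }

    /** Check a submitted token the way the reset form is checked: row by address, then bcrypt. */
    public function exists(?string $email, string $submitted): bool
    {
        $row = $email === null ? null : ($this->rows[$email] ?? null);
        if ($row === null) {
            return false; // no row under this key: "This password reset token is invalid."
        }
        if (time() - $row['created_at'] > $this->expireSeconds) {
            return false; // expired tokens are rejected even when the hash would match
        }
        return password_verify($submitted, $row['token']); // constant-time bcrypt comparison
    }
}

$store   = new TokenStore('base64:constructed-app-key-for-this-example'); // constructed key
$address = 'alice@example.com';                                           // constructed address

$plain = $store->createToken($address);
printf("link token: %s\n", $plain); // 64 hex chars; this value is never written to storage
printf("same address, same token:     %s\n", var_export($store->exists($address, $plain), true));
printf("same address, tampered token: %s\n", var_export($store->exists($address, strrev($plain)), true));

// The row is keyed by whatever address the user model reports at check time.
// If that value is null on the reset request (a model loaded fresh from a table
// with no "email" column reports no address), no row is found and the check
// fails before any hash is compared.
printf("null address, same token:     %s\n", var_export($store->exists(null, $plain), true));
```

In Laravel 5.5 the address used for both the insert and the lookup comes from the user model's getEmailForPasswordReset(), which the CanResetPassword trait implements as `return $this->email;`. When auditing a custom reset flow, confirm that this method returns the same non-null value on the request that creates the token and on the request that consumes it; if the two requests see different values, the lookup fails and the form reports an invalid token even though the emailed token and the stored bcrypt hash agree.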