Laravel 5: Diagnose password reset token is invalid error

I use the Laravel auth system to send out a welcome email to all new users. Mostly it works fine but I have had a few isolated incidents where I get the "password reset token is invalid" error.

In order to diagnose this I would like to be able to manually compare the strings that are provided in the user's URL (i.e. the token that I emailed them) against the value stored in the password_resets.token field. How can I do that?

The token in the URL seems to be 64 hex characters. The token in the database starts with $2y$10$, so I presume it is the output of the password_hash function. How can I translate from one to another?

2 answers

  • answered 2018-11-07 23:54 Elisha Senoo

    First of all I want to say the token in the URL is not the output of the password_hash function.

    To compare the token in the URL and what is generate or stored, you can check from your database. Check the password_resets table, check the email of the user, search for the token that corresponds to that email address.

    The token in the URL, should be the same as what is in the database for the email address.

  • answered 2018-11-08 00:58 HCK

    An alternative is to check if one is equivalent to the other (this means, if one is the hashed/unhashed version of the other one). To do this you can use the Hash::check() function. From the docs:

    Verifying A Password Against A Hash

    The check method allows you to verify that a given plain-text string corresponds to a given hash. However, if you are using the LoginController included with Laravel, you will probably not need to use this directly, as this controller automatically calls this method:

    if (Hash::check('plain-text', $hashedPassword)) {
        // The passwords match...