jgravois's avatar

my BOSS can't reset password -- I'm Looking BAD

I am getting a "The token field is required." error when trying to reset a password. I have BOTH versions of the csrf setter in password.blade.php (I tried each separately and now both). I am using the HTML/Collective.

{!! Form::open(['role' => 'form', 'url' => '/password/email', 'class' => 'form-horizontal']) !!}
{!! Form::token() !!}
{!! csrf_field() !!}

I also have this in the VerifyCsrfToken middleware. Earlier I tried to delete the $middleware from App\Kernel.php and still was getting the error.

class VerifyCsrfToken extends BaseVerifier
{
   /**
    * The URIs that should be excluded from CSRF verification.
    *
    * @var array
    */
   protected $except = [
       '/password/reset'
   ];
}
0 likes
12 replies
thomaskim's avatar

This has nothing to do with csrf token and has everything to do with not passing the password token.

In the reset stub, you'll see this line of code:

<input type="hidden" name="token" value="{{ $token }}">

You don't have that, and yes, it is different from the csrf_token.

Also, in the ResetsPassword file, you'll see this:

protected function getResetValidationRules()
{
    return [
        'token' => 'required',
        'email' => 'required|email',
        'password' => 'required|confirmed|min:6',
    ];
}

You'll see that the token is required.

Also, in the CreatePasswordResetsTable migration file, you'll see that one of the fields in the password_resets column is the token.

Basically, the token is used to figure out if the user trying to reset the password is valid. It checks to see if an email with that token exists in the password_resets table.

2 likes
jgravois's avatar
<form method="POST" action="http://www.team-adc.com/password/reset" accept-charset="UTF-8" role="form">
    <input name="_token" type="hidden" value="fjovdy0teDQcebc1wiaTIS3S7ovjFU3UfALqjUek">
    <input type="hidden" name="_token" value="fjovdy0teDQcebc1wiaTIS3S7ovjFU3UfALqjUek">
    <div class="input-group">
        <span class="input-group-addon"><i class="fa fa-user"></i></span>
            <input type="email" class="form-control" placeholder="Email Address" name="email" value="jgravois@uaminc.com">
    </div>
    <div class="input-group">
        <span class="input-group-addon"><i class="fa fa-key"></i></span>
             <input type="password" class="form-control" placeholder="Password" id="password" name="password">
    </div>
    <div class="input-group">
        <span class="input-group-addon"><i class="fa fa-check-square"></i></span>
            <input type="password" class="form-control" placeholder="Confirm Password" id="password_confirmation" name="password_confirmation">
    </div>
    <div class="row">
        <div class="col-xs-12">
            <button type="submit" class="btn btn-success col-xs-12">Reset Password</button>
         </div>
    </div>
</form>
Snapey's avatar

token field required is not the csrf token

Password reset involves sending the user a one-time token that they click on. This then brings them to your site, and the token is passed to the reset password function.

You then need to send the password to the reset form (the token field).

So, you should have a field on your form like;

<input type="hidden" name="token" value="{{ $token }}">

The token is passed to the form in the resetsPasswords trait like;

    public function showResetForm($token = null)
    {
        if (is_null($token)) {
            return $this->getEmail();
        }

        if (view()->exists('auth.passwords.reset')) {
            return view('auth.passwords.reset')->with('token', $token);
        }

        return view('auth.reset')->with('token', $token);
    }
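
The distinction both answers draw, as an added example that is not part of the thread and is not Laravel's implementation: a framework-free PHP sketch in which `_token` is checked against the session and `token` against a stand-in for the `password_resets` table. The function names, the array store, the one-hour lifetime and every message other than the "token field is required" text from the question are assumptions.

```php
<?php
// Added illustration, not Laravel's code. $resets stands in for the
// password_resets table; every address, token and password is constructed.

function issueResetToken(array &$resets, string $email, int $now): string
{
    $token = bin2hex(random_bytes(32));          // one-time secret mailed to the user
    $resets[$email] = ['token' => $token, 'created_at' => $now];
    return $token;
}

function validateResetRequest(array $post, array $session, array $resets, int $now, int $ttl = 3600): array
{
    // 1. CSRF check: "_token" must equal the value bound to the visitor's session.
    $csrf = $session['_token'] ?? '';
    if ($csrf === '' || !hash_equals($csrf, (string) ($post['_token'] ?? ''))) {
        return ['CSRF token mismatch.'];
    }
    // 2. Presence check, modelled on the 'token' => 'required' rule quoted above
    //    (the email format, confirmed and min:6 rules are left out of this sketch).
    $errors = [];
    foreach (['token', 'email', 'password'] as $field) {
        if (($post[$field] ?? '') === '') {
            $errors[] = "The $field field is required.";
        }
    }
    if ($errors) {
        return $errors;
    }
    // 3. Reset-token check: the row for this email must hold this token and be fresh.
    $row = $resets[$post['email']] ?? null;
    if ($row === null
        || !hash_equals($row['token'], (string) $post['token'])
        || $now - $row['created_at'] > $ttl) {
        return ['This password reset token is invalid.'];
    }
    return [];                                    // no errors: the reset may proceed
}

$resets  = [];
$session = ['_token' => bin2hex(random_bytes(20))];   // constructed CSRF token
$now     = time();
$reset   = issueResetToken($resets, 'user@example.test', $now);
$form    = ['_token' => $session['_token'], 'email' => 'user@example.test', 'password' => 'constructed-pass'];

print_r(validateResetRequest($form, $session, $resets, $now));                              // CSRF present, reset token absent
print_r(validateResetRequest($form + ['token' => $reset], $session, $resets, $now));        // both tokens present
print_r(validateResetRequest($form + ['token' => $reset], $session, $resets, $now + 7200)); // reset token older than $ttl
```

The first call passes the CSRF step and fails at the presence check, which is the situation in the question, so the `$except` entry for `/password/reset` has no effect on that error.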
jgravois's avatar

@thomaskim now I get Undefined variable: token (View: /var/www/team-adc.com/resources/views/auth/password.blade.php)

AdrianB's avatar

Try {{ Session::token() }} instead of {{ $token }}

There is also a helper function that will fetch it for you: {{ csrf_token() }}

My personal preference is to use the form builder for my forms. https://github.com/LaravelCollective/html

When you use {!! Form::open() !!} it includes the token for you.

jgravois's avatar

It would HELP if I put that in reset.blade.php instead of password.blade.php.

thomaskim's avatar

@jgravois Check out what @Snapey posted. That's the default way of handling things. If you don't have a token, you show the password reset link form (a form where a user inputs his email, then you email the link to the reset form). If you do have a token, you show the form where the user enters his new password and resets it.

Edit: Nvm. I guess you figured it out. :)

Snapey's avatar

@AdrianB -- it's NOT the csrf token that it is missing. It's the password reset token, which should be in a hidden field.

@jgravois - see my post for how the out of the box does it. The token is grabbed from the user's initial request and then sent to the form using ->with('token', $token);

AdrianB's avatar

My bad, just read CSRF token not working and went with that.
