
kevzz1994

Resetting passwords using default generates "invalid token"

Hi,

I am using Laravel 5.6, and I changed the default resetting passwords so that it only needs a token and a password, instead of an e-mail.

See below.

protected function reset(Request $request)
{
    $this->validate($request, $this->rules(), $this->validationErrorMessages());

    // Here we will attempt to reset the user's password. If it is successful we
    // will update the password on an actual user model and persist it to the
    // database. Otherwise we will parse the error and return the response.
    $response = $this->broker()->reset(
        $this->credentials($request), function ($user, $password) {
            $this->resetPassword($user, $password);
        }
    );

    // If the password was successfully reset, we will redirect the user back to
    // the application's home authenticated view. If there is an error we can
    // redirect them back to where they came from with their error message.
    return $response == Password::PASSWORD_RESET
        ? $this->sendResetResponse($response)
        : $this->sendResetFailedResponse($request, $response);
}

// Changed so that no 'email' is passed on to the broker: only the token and
// the new password (plus its confirmation) are handed over.
protected function credentials(Request $request)
{
    return $request->only([
        'password', 'password_confirmation', 'token'
    ]);
}

And I get the error that my token is invalid. Do I have to look in the code above, or somewhere else?

Thank you a lot!

0 likes
3 replies
click

This class is being used when $this->broker->reset() is called: https://github.com/laravel/framework/blob/56a58e0fa3d845bb992d7c64ac9bb6d0c24b745a/src/Illuminate/Auth/Passwords/PasswordBroker.php

And inside that password broker the credentials are checked. Because you removed the email address the logic inside that class is 'broken' and will never give green lights for the password reset.

You need to create your own password broker and overwrite it. I never had to do that so I can't give you any tips on that. But with the proper search keywords you should be able to figure that out with Google.

But before you start all this customization ask yourself if you really need to change the default behavior of Laravel. It ain't a problem to do it but if you start changing default behavior you also need to maintain it during upgrades to newer versions.

1 like
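A stand-alone model of the check click describes, added here as an example (it is not code from this thread or from Laravel itself): the token repository stores only a bcrypt hash of each reset token, keyed by the e-mail address, so the broker needs the e-mail to find the row before it can verify the token at all. The user, the in-memory tables and the address are constructed; the status strings mirror Laravel's Password::* constants.

```php
<?php
// Added example, not code from this thread or from Laravel itself. It models the
// checks Laravel's PasswordBroker and DatabaseTokenRepository perform in reset():
// find the user by e-mail, then compare the submitted token with the *hashed*
// token stored for that e-mail. Users, table and e-mail address are constructed.
const PASSWORD_RESET = 'passwords.reset';
const INVALID_USER   = 'passwords.user';
const INVALID_TOKEN  = 'passwords.token';
const TOKEN_TTL      = 3600; // Laravel's default expire: 60 minutes

// Constructed "users" table: e-mail => password hash.
$users = ['alice@example.test' => password_hash('old-secret', PASSWORD_BCRYPT)];
// Constructed "password_resets" table: e-mail => [hashed token, created_at].
$resets = [];

// sendResetLink(): mint a random token, store only its hash, mail the raw value.
function createToken(array &$resets, string $email): string
{
    $raw = bin2hex(random_bytes(32));
    $resets[$email] = ['token' => password_hash($raw, PASSWORD_BCRYPT), 'created_at' => time()];
    return $raw; // this is what the link in the e-mail carries
}

// reset(): the e-mail is the lookup key. A raw token cannot find its own row,
// because the table only holds bcrypt hashes of tokens.
function brokerReset(array &$users, array &$resets, array $credentials): string
{
    $email = $credentials['email'] ?? null;
    if ($email === null || !isset($users[$email])) {
        return INVALID_USER;  // getUser() has nothing to match against
    }
    $row = $resets[$email] ?? null;
    if ($row === null
        || time() - $row['created_at'] > TOKEN_TTL
        || !password_verify($credentials['token'] ?? '', $row['token'])) {
        return INVALID_TOKEN; // tokens->exists() rejects a wrong or stale token
    }
    $users[$email] = password_hash($credentials['password'], PASSWORD_BCRYPT);
    unset($resets[$email]);   // single use: the row is deleted after success
    return PASSWORD_RESET;
}

$raw = createToken($resets, 'alice@example.test');
// The thread's situation: token and password only, no e-mail -> never PASSWORD_RESET.
var_dump(brokerReset($users, $resets, ['token' => $raw, 'password' => 'new-secret']) === INVALID_USER);
// With the e-mail present the same token is accepted...
var_dump(brokerReset($users, $resets, ['email' => 'alice@example.test', 'token' => $raw, 'password' => 'new-secret']) === PASSWORD_RESET);
// ...and a replay of the used token is rejected.
var_dump(brokerReset($users, $resets, ['email' => 'alice@example.test', 'token' => $raw, 'password' => 'again']) === INVALID_TOKEN);
```

Run with `php example.php`; all three checks print bool(true). A token-only reset would need the repository to locate the row without the e-mail, which the hashed storage deliberately prevents.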
kaiden

I guess you missed the rules() function. It's in the same folder and expecting an email. Get rid of it.

protected function rules()
{
    return [
        'token' => 'required',
        'email' => 'required|email',  // get rid of this.
        'password' => 'required|confirmed|min:6',
    ];
}
kaiden

One other thing that hits me: don't forget the resetPassword view must have two tokens in it. The first is a CSRF token with a name="_token" attribute. The second is the token the user came with from their email, with a name="token" attribute. Be sure you did set them up properly.

1 like
