
hjortur17's avatar

This password reset token is invalid.

Hi, I am trying to implement a middleware which redirects the user to the reset password page. This should only occur if the user is created by the admin (the admin has to check a box so this middleware pops up).

It is redirecting correctly, and it's storing the password reset token in the database, but I still get "This password reset token is invalid."

This is the middleware

class ChangedPassword
{
    public function handle(Request $request, Closure $next)
    {
        if (Auth::user()->reset_password) {
            $email = Auth::user()->email;

            DB::table('password_resets')->insert([
                'email' => $email,
                'token' => Hash::make(Str::random(64)),
                'created_at' => Carbon::now()
            ]);

            $tokenData = DB::table('password_resets')->where('email', $email)->orderBy('created_at', 'desc')->first();

            return redirect('/endurstilla-lykilorð/' . $tokenData->token);
        }

        return $next($request);
    }
}

Added this to the NewPasswordController:

if ($status == Password::PASSWORD_RESET) {
    \Auth::user()->update([
        'reset_password' => False
    ]);

    return redirect()->route('login')->with('status', __($status));
}

Any ideas?

0 likes
16 replies
Nakov's avatar

Do you have this: reset_password in your $fillable array of the User model? Because it obviously does not go to false. And make sure you use false with a small letter, not False, just in case it is case sensitive and depending on what type of data you can store in that column.

hjortur17's avatar

@Nakov - yes

protected $fillable = [
    'name',
    'email',
    'password',
    'reset_password'
];

Nakov's avatar

@hjortur17 okay, then what is $status? Are you getting to that condition at all? You can debug, my friend. Make sure after the change the column in the database really gets set to false.

hjortur17's avatar

@Nakov - The issue, I would guess, relates to the token. Because I get "token is invalid" when trying to submit the reset password form, I can't see if the reset_password field gets set to false.

Nakov's avatar

@hjortur17 okay, but where in the code above you shared the code that throws that error?

hjortur17's avatar

@Nakov - I am trying to get help with that...

I would guess it is something related to the middleware and the token.

Nakov's avatar

@hjortur17 it does not seem like it is related with that, because that's not where the error comes from.

You probably check for the token somewhere in the controller, and I don't know how you validate if it is valid or not. Do you just check if it exists? In that case you are probably missing to pass it in the request.

It is hard to tell blindly.

hjortur17's avatar

@Nakov - I would guess that the reset password form provided by Breeze should validate the token for me. I do redirect from the middleware to the route provided

Nakov's avatar

@hjortur17 we can go on and on guessing, but obviously it does not work..

I don't see how this return redirect('/endurstilla-lykilorð/' . $tokenData->token); is connected to Breeze.

hjortur17's avatar

@Nakov - Because that is redirecting to the reset password form from Breeze. That's how it's connected

endurstilla-lykilorð = reset-password

hjortur17's avatar

@Nakov - Tried adding this to AuthServiceProvider, still gets same error

Nakov's avatar

@hjortur17 did you change the url to your redirect as I gave the line above, to include the email? Not to add that to the app service provider..

hjortur17's avatar

@Nakov - Yes

My middleware looks like this:

return redirect('/endurstilla-lykilorð/' . $tokenData->token . '?email=' . $email);

And the AuthServiceProvider:

public function boot()
{
    $this->registerPolicies();

    ResetPassword::createUrlUsing(function ($notifiable, $token) {
        return config('app.frontend_url')."/endurstilla-lykilorð/$token?email={$notifiable->getEmailForPasswordReset()}";
    });
}

Nakov's avatar

@hjortur17 okay my friend, this is the last reply that I'll leave, because I cannot debug this for you not having your code.

Make sure that when the password reset page loads, the email shows on the page for the user you are trying to reset the password for. It is either displayed in a field, or it might be in an input type="hidden".

So open up the browser developer tools, and in the network tab, clear all requests first. And then after adding the new password, click Reset, and inspect the request that is going through. Does the request contain the EMAIL and PASSWORD -- AND the TOKEN, either in the request body or in the URL?

Good luck!

hjortur17's avatar

@Nakov - Okay, thanks for trying

I have been trying to debug this myself but I decided to search for help here. I did check the network tab but it's sending the correct EMAIL, PASSWORD and TOKEN.
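
Added example, not part of the thread or any participant's code: Laravel's password broker keeps only a hash of the reset token in password_resets and verifies the plain token from the request against that hash, and `Password::broker()->createToken($user)` returns the plain token while storing the hash. The plain-PHP model below is a simplified, constructed stand-in for that behaviour (the function names `storeHashOf` and `tokenIsValid` and the sample address are hypothetical); it runs the middleware's flow from the question next to the flow the broker expects.

```php
<?php
// Simplified, constructed model of a hashed reset-token table; not Laravel's code.
// Assumption: only a hash of the token is stored, and the plain token from the
// request is verified against it (the role Hash::check plays in Laravel).

$table = []; // email => ['token' => stored hash, 'created_at' => unix time]

function storeHashOf(array &$table, string $email, string $plain): string
{
    $table[$email] = [
        'token' => password_hash($plain, PASSWORD_BCRYPT),
        'created_at' => time(),
    ];
    return $table[$email]['token'];
}

function tokenIsValid(array $table, string $email, string $submitted, int $ttl = 3600): bool
{
    $row = $table[$email] ?? null;
    if ($row === null || time() - $row['created_at'] > $ttl) {
        return false; // no row for this email, or the token has expired
    }
    return password_verify($submitted, $row['token']);
}

$email = 'user@example.test'; // constructed sample address

// Flow from the middleware in the question: the random string is hashed and
// thrown away, and the stored hash itself is what ends up in the URL. The
// check then verifies "the hash" against "hash of the random string".
$hashInUrl = storeHashOf($table, $email, bin2hex(random_bytes(32)));
var_dump(tokenIsValid($table, $email, $hashInUrl));

// Matching flow: keep the plain token for the URL, store only its hash.
$plain = bin2hex(random_bytes(32));
storeHashOf($table, $email, $plain);
var_dump(tokenIsValid($table, $email, $plain));
```

Storing only the hash means a read of the password_resets table does not yield usable reset links, which is why the value in the URL and the value in the database are never the same string.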
