Level 50
maybe like this?
'_token' => 'required',
May 16, 2018
17
Level 3
"Undefined index: token" error on password reset.
Hi,
I'm having an issue with password reset. It's quiet frustrating that something that should work right out of the box failed on me. (I'm using the built-in scaffolding)
All validation works perfectly but I simply couldn't change my password or I should say, 'confirm my NEW password.
The page simply simply redirect to the reset page and no error whatsoever. So I simply took the validation rules out and tried. Voila, "Undefined index: token" error.
\ ResetsPasswords.php
protected function rules()
{
return [
'token' => 'required',
'email' => 'required|email',
'password' => 'required|confirmed|min:8',
];
}
I'm just wondering what could possibly be the problem. Mismatched token?
Any advise is much appreciated.
Level 3
Yeah, that's exactly what happened.
"Undefined index: token"
It will only work if I remove the token required validation. Otherwise, it will not pass as apparently the token doesn't validate.
Level 67
View the html source of that reset password page after it's rendered in the browser. Does the token fields value match the one in the password_resets db table? Is there a value for the token in both places?
Level 3
They are obviously different.
I'm assuming you're referring to this?
https://laravel.test/password/reset/ced8d44650cd6fedbd5d1642fe2e3cf7e6f947d989df4d98c762500a0c4e76ff
<input type="hidden" name="_token" value="y8TS4wSU3W6ujiTW27Lw7MjxHLivn1XUOuPCfwrM">
1 like
Level 67
No, one is the password reset token (in the url) and the other is the csrf token (the input). Those should be different
Did you look in your password_resets database table? Is there a ced8d44650cd6fedbd5d1642fe2e3cf7e6f947d989df4d98c762500a0c4e76ff value for the token for that users email?
1 like
Level 3
Ah, ok my bad and yes, they're different
From DB
$2y$10$p6N7vmA2AoFW2OSQaHYr7.cKZOfV3oFLf/wynO4dEJQ5E8ZDrLU5K
Token from email
06e53e36628590038b8b8fdb2f0315bedea2612a6349be3098bb1162fa107a5a
Level 67
That's the issue obviously. I don't know what would cause it though. I haven't had that problem with the default password reset, so never really had to troubleshoot it.
Level 3
Yeah, me too. I have no idea why the token sent to email is different from the one in the database. I can only concur that they are in different format.
I'm trying to figure out whether the email is sent first or the token is first created and stored in the database and an email is sent.
I didn't have this problem in L5.2.
Level 35
@yansusanto @Cronix the password reset token is hashed equal to a password. So it is correct that your password reset token in your url is not in the password_reset database table.
This will return true:
\Hash::check(
'06e53e36628590038b8b8fdb2f0315bedea2612a6349be3098bb1162fa107a5a',
'$2y$10$p6N7vmA2AoFW2OSQaHYr7.cKZOfV3oFLf/wynO4dEJQ5E8ZDrLU5K'
)
laracasts note: if you have a value like $2 it is hidden within triple backticks code. Adding a backslash to does show it.
hidden dollar sign 2:
visible dollar sign and 2: $2
Level 3
Is there a solution to that issue?
Level 35
There is no issue, this is normal behavior. You have some other problem I guess but I do not know what. Do you have xDebug available? Try stepping through the code and you will figure out why you are being redirected.
Btw, you mentioned you didn't had this problem with L5.2. Are you currently running a fresh installation of L5.5 or L5.6? Or did you upgrade from L5.2 to a newer version? If I am not mistaken somewhere in between these versions the token is now passed as route parameter instead of a query parameter... not sure though if this causes this behavior.
Level 3
@m-rk
Thanks for the input. No, it is a fresh installation of 5.6 and created auth with the built-in scaffolding.
I'm wondering why laravel isn't doing hash::checkby default or maybe it is?
Level 35
Laravel is doing something like this:
- You request a new token
- Laravel creates a new token for you (40 random chars) and hashes that value and stores it in the password_reset together with the email address
- Laravel sends an email with the 40 random chars to you.
- You click on the link with the 40 random chars.
- You enter your email and your new password
- Laravel looks up the email in the database and checks the hashed token in the database with the 40 random chars in the url. If they match your password is changed. If they don't match you should see an error.
So even if you use an invalid token or a token of just 6 characters you end up at the password reset page. But it won't allow you to reset your password.
The question in your case is, what exactly is going wrong. I can't see that from here with this less information. You should be able to figure it out with xDebug and stepping through the code or with some old school die() in your code.
1 like
Level 3
Thank you for the taking the time to explain it, @mr-k. I guess I have skip this and have a new install and see if the problem persists.
Level 1
I know this is very late to the game, but I had the same issue with a new install. In my view, instead of {{ $token }} I changed it to {{ $request->route('token') }} and that solved the problem. I hope this helps someone else!
Level 1
Hi, Melanie,
Pay attention to @click post. It seems to me that Laravel, now, to reset a password takes two steps:
a) Send an email to the user with a link. This link contains on its query string a token with a random hashed/token;
b) Then when the link is clicked, it takes the user to the reset page. Then the user has the form filled and clicks to submit the form, at this moment, there are two tokens. The one carried by the link (email sent) and the one as hidden on the form.
I am facing such a problem like this now. Because I have dropped the e-mail sender process - so, I am facing the token issue, but there is a way to manually generate that link.
Search for this on Laravel´s site: You may customize the password reset link URL using the createUrlUsing method provided by the ResetPassword notification class
Level 1
@melaniecarr23 It work for me also
Please or to participate in this conversation.