php – Laravel 5 password reset not working

Exception or error:

I am working on a Laravel 5 eCommerce web portal.

I am having an issue when the user updates the password using the ready made scripts.

The issue is that I can send the link to the customer perfectly without any issue and the customer can change his password also. But when logged out and re-logging in, I get the error as Invalid credentials.

In my routes.php, I have this:

Route::controllers([
    'auth' => 'Auth\AuthController',
    'password' => 'Auth\PasswordController',
]);

This is the login page:

<form class="form-horizontal" role="form" method="POST" action="{{ url('/login') }}">
    <input type="hidden" name="_token" value="{{ csrf_token() }}">

    <div class="form-group">
        <label class="col-md-4 control-label">E-Mail Address</label>
        <div class="col-md-6">
            <input type="email" class="form-control" name="email" value="{{ old('email') }}">
        </div>
    </div>

    <div class="form-group">
        <label class="col-md-4 control-label">Password</label>
        <div class="col-md-6">
            <input type="password" class="form-control" name="password">
        </div>
    </div>

    <div class="form-group">
        <div class="col-md-4"></div>
        <div class="col-md-4">
            <a href="{{url('/password/email')}}">Forgot Password</a>
        </div>
    </div>

    <div class="form-group">
        <div class="col-md-6 col-md-offset-4">
            <button type="submit" class="btn btn-primary btn-block">Login</button>
        </div>
    </div>
</form>

I cannot login again after I am logged out once the password has been reset.

EDIT 1:

When the login button is clicked on the login form page, the postLogin method is called. Here’s the code:

public function postLogin( Request $request ) {
    $this->validate( $request, [
        'email'     => ['required', 'exists:users,email,role,customer'],
        'password'  => 'required'
    ]);

    $credentials = $request->only('email', 'password');

    if ( \Auth::attempt($credentials) ) {
        \Session::flash('logged_in', 'You have successfully logged in.');
        return redirect('/');
    }

    return redirect('/login')->withInput($request->all())->withErrors(['email' => 'Invalid Email Address Or Password']);
}

EDIT 2:

I just realized that login is not checking for the hash and hence returning false, on doing dd(\Hash::check($request->password, $user->password)), after updating the password and re-logging in. What could be the issue with this?

Where have I made a mistake? Kindly guide me.

Thanks in advance.

P.S.: I am using only the defaults to update the password; for everything else, I have made the controllers and models, which are all working fine without any issue.

How to solve:

I stumbled upon this as well and found the answer here, just adding this for future reference.

The reason is that as soon as you add the setPasswordAttribute method on your User model, the password is hashed twice when using the built-in password reset functionality of Laravel. As explained on the Laracast page, all it needs is a check for an already hashed password, e.g.:

// Add Hash facade
use Illuminate\Support\Facades\Hash;

class User extends Authenticatable
{

    // ...

    /**
     * Automatically hash password
     *
     * @param string $value The password, maybe hashed already
     *
     * @return void
     */
    public function setPasswordAttribute($value)
    {
        if ($value) {
            $this->attributes['password'] = Hash::needsRehash($value) ? Hash::make($value) : $value;
        }
    }
}
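
The double hashing described in this answer can be reproduced outside Laravel. The script below is an added example, not code from the question or either answer; it assumes Laravel's bcrypt hasher wraps PHP's native password_* functions with cost 10, and the names make_hash and guarded_set and the sample password are constructed for illustration.

```php
<?php
// Added illustration, not code from the question or the answers.
// Assumption: Laravel's bcrypt hasher wraps password_hash(),
// password_verify() and password_needs_rehash(); cost 10 is assumed.
const OPTS = ['cost' => 10];

// Hypothetical stand-in for Hash::make().
function make_hash(string $value): string
{
    return password_hash($value, PASSWORD_BCRYPT, OPTS);
}

// Mirrors the guard in the answer: hash only when the value is not
// already a bcrypt hash produced with the current options.
function guarded_set(string $value): string
{
    return password_needs_rehash($value, PASSWORD_BCRYPT, OPTS)
        ? make_hash($value)
        : $value;
}

$plain = 'constructed-sample-password'; // constructed sample value

// The reset flow hashes once, then an unguarded mutator hashes again.
$once  = make_hash($plain);
$twice = make_hash($once);

// Same flow with the guarded mutator: the second pass is skipped.
$guarded = guarded_set($once);

var_dump(password_verify($plain, $once));    // hash after one pass
var_dump(password_verify($plain, $twice));   // hash of a hash
var_dump(password_verify($plain, $guarded)); // guarded second pass
var_dump(guarded_set($plain) !== $plain);    // plaintext input is hashed

// Caveat: the guard only recognises hashes made with the current
// options, so a hash with a different cost is hashed a second time.
$otherCost = password_hash($plain, PASSWORD_BCRYPT, ['cost' => 11]);
var_dump(password_verify($plain, guarded_set($otherCost)));
```

Run it with the PHP CLI (7.0 or later): the first, third and fourth checks print true, while the hash-of-a-hash and different-cost checks print false.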

Answer:

If the new password does not work after changing, then something goes wrong when changing the password.

The most likely suspect is the encryption. It can be possible that you are not using the Hash::make($password) and saving it in plaintext format.

You can double-check if the hash is saved correctly to the DB with the function Hash::check($password, $hash);

During the login you can check the password as:

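public function postLogin( Request $request ) {
    // first() runs the query and returns a User model (or null), not a query builder
    $user = User::where('email', $request->email)->first();
    // Debug only: log the result of the check, not the submitted password or the stored hash
    Log::debug('Hash::check result: ' . var_export($user && Hash::check($request->password, $user->password), true));
}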

If the Hash::check is false then something went wrong when saving the new password. $user->password must be in hashed form.
