Password Reset Email does not take into account a subdomain, if it's being used #27045
Comments
For the record, I've worked around it by setting

```php
public function sendResetLinkEmail(Request $request)
{
    $this->validateEmail($request);

    // Point app.url at the current request's root URL so the reset link keeps the subdomain.
    config(['app.url' => url('/')]);

    // We will send the password reset link to this user. Once we have attempted
    // to send the link, we will examine the response then see the message we
    // need to show to the user. Finally, we'll send out a proper response.
    $response = $this->broker()->sendResetLink(
        $request->only('email')
    );

    return $response == Password::RESET_LINK_SENT
        ? $this->sendResetLinkResponse($request, $response)
        : $this->sendResetLinkFailedResponse($request, $response);
}
```
Also worth noting: When resetting the password, the
@danmatthews - I think I saw a PR for that for 5.8 - I think it is fixed there edit: here is the PR: #26872
@laurencei beautiful, thanks all.
@laurencei thanks for pointing that out.
@driesvints @laurencei just actually checked the PR - looks like it solves the token issue, but not the subdomain issue?
Ah sorry, might have been a bit too fast.
@driesvints no problem - I was myself.
Just tried this and I believe this has been resolved with this fix: #32345
Description:
When `Auth::routes()` is registered from within a `Route::group` that uses the subdomain option, the reset email still only links to the root domain. This isn't ideal for those using subdomains to provide people with their own unique accounts.

I believe this is related to commit cef1055 where the APP_URL is added to ensure hostname security. Unfortunately, this breaks dynamic generation that `url()` would typically handle if the hostname wasn't included as part of the argument string.

Steps To Reproduce:
Create a route group for wildcard subdomains, then register the auth routes within that.
I also have a middleware registered that adds the domain as a URL param:
Then visit `myrealsubdomain.myapp.com/password/reset` and submit a password reset request - the URL on the action button will contain the value of `APP_URL`, without the subdomain.
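
The trade-off in this issue (APP_URL pins the hostname for security, while a request-derived URL keeps the subdomain) can be handled by accepting the request host only when it sits directly under the APP_URL host. This is an added example, not code from Laravel or from this thread; `resetLinkBase`, the single-label subdomain rule, the `https://myapp.com` APP_URL value and the sample hosts are assumptions, and it uses plain PHP 8 rather than any framework API.

```php
<?php
declare(strict_types=1);

// The request Host is client-controlled, so it is trusted for the reset link
// only when it is the APP_URL host or one DNS label directly under it.
// Anything else falls back to APP_URL. Requires PHP 8 (str_ends_with).
function resetLinkBase(string $requestHost, string $appUrl): string
{
    $scheme   = parse_url($appUrl, PHP_URL_SCHEME) ?: 'https';
    $baseHost = strtolower((string) parse_url($appUrl, PHP_URL_HOST));
    $fallback = $scheme . '://' . $baseHost;

    // Normalise: lowercase, drop an optional :port and a trailing dot.
    $host = (string) preg_replace('/:\d+$/', '', strtolower(trim($requestHost)));
    $host = rtrim($host, '.');

    $suffix = '.' . $baseHost;
    if ($host === $baseHost || !str_ends_with($host, $suffix)) {
        return $fallback;
    }

    // Exactly one valid hostname label may precede ".<baseHost>".
    $label = substr($host, 0, -strlen($suffix));
    if (!preg_match('/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/', $label)) {
        return $fallback;
    }

    return $scheme . '://' . $label . $suffix;
}

// Constructed sample Host values; the APP_URL value is an assumption.
$appUrl = 'https://myapp.com';
foreach ([
    'myrealsubdomain.myapp.com',      // tenant subdomain from the issue
    'MyRealSubdomain.myapp.com:443',  // same host, different case plus port
    'evil.example',                   // unrelated host
    'myapp.com.evil.example',         // base domain used as a prefix
    'a.b.myapp.com',                  // more than one label
    'x@evil.example/.myapp.com',      // suffix match with an invalid label
] as $host) {
    printf("%-32s => %s\n", $host, resetLinkBase($host, $appUrl));
}
```

Only the first two sample hosts keep their subdomain in the result; the other four resolve to the APP_URL base.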