Wrong password reset token in multi-language setups (Laravel 6 LTS) #36997

Closed
aimeos opened this issue Apr 15, 2021 · 2 comments

aimeos commented Apr 15, 2021

  • Laravel Version: v6.20.23 LTS
  • PHP Version: 7.4.16
  • Database Driver & Version: MySQL 5.7

Description:

After artisan make:auth and adding {locale} in front of the auth routes, the password reset form doesn't work any more and shows an error: "This password reset token is invalid."

Steps To Reproduce:

  • Set up authentication
  • Add {locale} for auth routes
  • Add ['locale' => app()->getLocale()] to all routes() calls
  • Use password reset form
  • Click on the password reset link in the generated email
  • Try to reset the password

More information:

Routes:

|        | GET|HEAD      | {locale}/password/reset                                              | password.request             | App\Http\Controllers\Auth\ForgotPasswordController@showLinkRequestForm | web          |
|        | POST          | {locale}/password/reset                                              | password.update              | App\Http\Controllers\Auth\ResetPasswordController@reset                | web          |
|        | GET|HEAD      | {locale}/password/reset/{token}                                      | password.reset               | App\Http\Controllers\Auth\ResetPasswordController@showResetForm        | web          |

Generated URL:

https://example.com/en/password/reset/ebecdbb7a2a5ed4a0d95c8792c86f1a064d6b95a060ab3185e5f9f465b820d1f?email=...

HTML source

<form method="POST" action="https://example.com/en/password/reset">
       <input type="hidden" name="_token" value="BGPUX7zWblg8WhQ5EUWFQpkwTPXBN3stdv0bI86N">
       <input type="hidden" name="token" value="en">

As you can see the token value is en instead of ebecdbb7a2a5ed4a0d95c8792c86f1a064d6b95a060ab3185e5f9f465b820d1f.

The source code passing the token to the form is: https://github.com/laravel/framework/blob/6.x/src/Illuminate/Foundation/Auth/ResetsPasswords.php#L25-L30

The problem seems to be that the router passes the first route variable instead of the value in {token}
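
The mismatch described in this report, as an added example that is not part of the original issue and is not Laravel's code: a simplified PHP model of a router that hands route parameters to the action by position, so the first placeholder (`{locale}`) lands in the argument meant for `{token}`, next to a variant that looks the parameter up by name. The functions `matchRoute`, `showResetFormPositional` and `showResetFormByName` and the token value are constructed for illustration; positional passing is an assumption based on the behaviour the reporter observed.

```php
<?php
// Added illustration: a simplified model of route-parameter binding, not framework code.

// Match a URI against a route pattern; return its parameters in declaration order.
function matchRoute(string $pattern, string $uri): ?array
{
    $regex = preg_replace('/\{(\w+)\}/', '(?P<$1>[^/]+)', $pattern);
    if (!preg_match('#^' . $regex . '$#', $uri, $m)) {
        return null;
    }
    // Keep only the named captures, e.g. ['locale' => ..., 'token' => ...].
    return array_filter($m, 'is_string', ARRAY_FILTER_USE_KEY);
}

// Hypothetical action that expects the token as its first route argument.
function showResetFormPositional($token = null): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars((string) $token) . '">';
}

// Variant that reads the parameter by name, so extra placeholders cannot shift it.
function showResetFormByName(array $routeParams): string
{
    $token = $routeParams['token'] ?? '';
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars((string) $token) . '">';
}

// Constructed sample token (64 hex characters, same shape as the one in the report).
$sampleToken = str_repeat('ab', 32);
$params = matchRoute('{locale}/password/reset/{token}', 'en/password/reset/' . $sampleToken);

// Assumed dispatcher behaviour: parameters are passed by position, extras are dropped.
$positional = showResetFormPositional(...array_values($params));
$byName     = showResetFormByName($params);

echo "positional: $positional\n";
echo "by name:    $byName\n";

// A check worth keeping in a feature test: the form must carry the token from the URL.
foreach (['positional' => $positional, 'by name' => $byName] as $label => $html) {
    $ok = strpos($html, 'value="' . $sampleToken . '"') !== false;
    echo $label . ': token ' . ($ok ? 'preserved' : 'replaced by another route parameter') . "\n";
}
```
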

@driesvints
Member

As Laravel doesn't support multilingual routes out of the box we can't consider this an issue in the framework. Please try a support channel:

You're also always free to attempt a PR if you want to change anything. Thanks.
