The current `TokenRepositoryInterface` interface (see https://github.com/laravel/framework/blob/master/src/Illuminate/Auth/Passwords/TokenRepositoryInterface.php) does not allow distinguishing invalid/non-existing password reset tokens from expired ones. Consequently, in the implementation of `validateReset` in `PasswordBroker` (see framework/src/Illuminate/Auth/Passwords/PasswordBroker.php, lines 119 to 136 in 0454123:

```php
protected function validateReset(array $credentials)
{
    if (is_null($user = $this->getUser($credentials))) {
        return static::INVALID_USER;
    }

    if (! $this->tokens->exists($user, $credentials['token'])) {
        return static::INVALID_TOKEN;
    }

    return $user;
}
```

), one can only distinguish valid from non-valid tokens.

I think it could be beneficial to distinguish existing but expired tokens from non-existing ones, to provide better feedback to users trying to reset their password. Currently for me to do so, this would require extensive framework overrides (extended `TokenRepositoryInterface` + implementation, overridden `PasswordBroker` and consequently `PasswordBrokerManager`). Therefore, I would prefer to see if it is possible to alter the framework implementation to do this or more easily allow for this.

However, given this will likely be a backward incompatible change with some room for choice, I would first like to see if there is support for this idea, and if there's any preference on the suggested implementation. Some rough ideas to implement this I have are:

- Adding some method to the `TokenRepositoryInterface` to check for expired-but-valid tokens; e.g. exposing the `tokenExpired` function of the `DatabaseTokenRepository` (framework/src/Illuminate/Auth/Passwords/DatabaseTokenRepository.php, line 98 in 0454123).
- `exists` method on the `TokenRepositoryInterface` to have a broader return type (`enum` or `string`), to distinguish token states.
- `getTokenState` method on the `TokenRepositoryInterface` doing the above, with the `exists` then calling this in the framework implementation.
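As an added illustration of the `getTokenState` option above (this is not code from the framework or from the post's author): a hypothetical `getTokenState` on a minimal in-memory repository, plus a stand-in `validateReset` that maps the three token states to broker return values. `TokenState`, `InMemoryTokenRepository`, `TOKEN_EXPIRED` and the use of `password_hash`/`password_verify` in place of the framework's hasher are assumptions of the example.

```php
<?php
// Added example, not laravel/framework code: TokenState, the in-memory repository
// and TOKEN_EXPIRED are assumptions; password_hash/password_verify stand in for the Hasher.
enum TokenState: string
{
    case Valid = 'valid';
    case Expired = 'expired';
    case Missing = 'missing';
}

final class InMemoryTokenRepository
{
    /** @var array<string, array{token: string, created_at: int}> keyed by email */
    private array $rows = [];
    public function __construct(private int $expires) {}

    public function create(string $email, string $plainToken, int $createdAt): void
    {
        // Only the hash is stored; the plaintext token is what the user receives by mail.
        $this->rows[$email] = ['token' => password_hash($plainToken, PASSWORD_DEFAULT), 'created_at' => $createdAt];
    }

    public function getTokenState(string $email, string $plainToken, int $now): TokenState
    {
        $row = $this->rows[$email] ?? null;
        // Unknown email and wrong token both map to Missing, so Expired is only
        // reported to a caller that actually presents the matching token.
        if ($row === null || ! password_verify($plainToken, $row['token'])) {
            return TokenState::Missing;
        }
        return ($row['created_at'] + $this->expires) <= $now ? TokenState::Expired : TokenState::Valid;
    }
}

const INVALID_TOKEN = 'passwords.token';
const TOKEN_EXPIRED = 'passwords.expired'; // assumed new broker constant

// Stand-in for PasswordBroker::validateReset with the richer state mapped to a reason.
function validateReset(InMemoryTokenRepository $tokens, string $email, string $token, int $now): string
{
    return match ($tokens->getTokenState($email, $token, $now)) {
        TokenState::Valid => 'ok',
        TokenState::Expired => TOKEN_EXPIRED,
        TokenState::Missing => INVALID_TOKEN,
    };
}

$repo = new InMemoryTokenRepository(expires: 3600);
$repo->create('user@example.com', 'tok', createdAt: 1000); // constructed sample data
foreach ([['tok', 2000], ['tok', 5000], ['nope', 2000]] as [$t, $now]) {
    echo validateReset($repo, 'user@example.com', $t, $now), "\n";
}
```

The repository reports `Expired` only after the presented token matches the stored hash, so the richer feedback reaches the holder of the token while a request without it still sees the generic `INVALID_TOKEN`.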