Resetting Passwords

Introduction

{tip} Want to get started fast? Install the laravel/ui Composer package and run php artisan ui vue --auth in a fresh Laravel application. After migrating your database, navigate your browser to http://your-app.test/register or any other URL that is assigned to your application. This single command will take care of scaffolding your entire authentication system, including resetting passwords!

Most web applications provide a way for users to reset their forgotten passwords. Rather than forcing you to re-implement this on each application, Laravel provides convenient methods for sending password reminders and performing password resets.

{note} Before using the password reset features of Laravel, your user must use the Illuminate\Notifications\Notifiable trait.

Database Considerations

To get started, verify that your App\User model implements the Illuminate\Contracts\Auth\CanResetPassword contract. The App\User model included with the framework already implements this interface, and uses the Illuminate\Auth\Passwords\CanResetPassword trait to include the methods needed to implement the interface.

Generating The Reset Token Table Migration

Next, a table must be created to store the password reset tokens. The migration for this table is included with Laravel out of the box, and resides in the database/migrations directory. So, all you need to do is run your database migrations:

    php artisan migrate

Routing

Laravel includes Auth\ForgotPasswordController and Auth\ResetPasswordController classes that contain the logic necessary to e-mail password reset links and reset user passwords. All of the routes needed to perform password resets may be generated using the laravel/ui Composer package:

    composer require laravel/ui --dev
    php artisan ui vue --auth

Views

To generate all of the necessary views for resetting passwords, you may use the laravel/ui Composer package:

    composer require laravel/ui --dev
    php artisan ui vue --auth

These views are placed in resources/views/auth/passwords. You are free to customize them as needed for your application.

After Resetting Passwords

Once you have defined the routes and views to reset your users' passwords, you may access the route in your browser at /password/reset. The ForgotPasswordController included with the framework already includes the logic to send the password reset link e-mails, while the ResetPasswordController includes the logic to reset user passwords.

After a password is reset, the user will automatically be logged into the application and redirected to /home. You can customize the post password reset redirect location by defining a redirectTo property on the ResetPasswordController:

    protected $redirectTo = '/dashboard';

{note} By default, password reset tokens expire after one hour. You may change this via the password reset expire option in your config/auth.php file.

Customization

Authentication Guard Customization

In your auth.php configuration file, you may configure multiple "guards", which may be used to define authentication behavior for multiple user tables. You can customize the included ResetPasswordController to use the guard of your choice by overriding the guard method on the controller. This method should return a guard instance:

    use Illuminate\Support\Facades\Auth;

    /**
     * Get the guard to be used during password reset.
     *
     * @return \Illuminate\Contracts\Auth\StatefulGuard
     */
    protected function guard()
    {
        return Auth::guard('guard-name');
    }

Password Broker Customization

In your auth.php configuration file, you may configure multiple password "brokers", which may be used to reset passwords on multiple user tables. You can customize the included ForgotPasswordController and ResetPasswordController to use the broker of your choice by overriding the broker method:

    use Illuminate\Support\Facades\Password;

    /**
     * Get the broker to be used during password reset.
     *
     * @return PasswordBroker
     */
    public function broker()
    {
        return Password::broker('name');
    }

Reset Email Customization

You may easily modify the notification class used to send the password reset link to the user. To get started, override the sendPasswordResetNotification method on your User model. Within this method, you may send the notification using any notification class you choose. The password reset $token is the first argument received by the method:

    /**
     * Send the password reset notification.
     *
     * @param  string  $token
     * @return void
     */
    public function sendPasswordResetNotification($token)
    {
        $this->notify(new ResetPasswordNotification($token));
    }
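
One possible ResetPasswordNotification class for the override above, as an added example rather than code from the Laravel documentation or framework. It assumes the class lives in App\Notifications, that the default "users" password broker is in use, and that the password.reset route comes from the laravel/ui scaffolding:

```php
<?php

namespace App\Notifications;

use Illuminate\Notifications\Messages\MailMessage;
use Illuminate\Notifications\Notification;

// Added example: the class name and namespace are assumptions.
class ResetPasswordNotification extends Notification
{
    /** @var string Plain reset token; handle it like a credential and keep it out of logs. */
    private $token;

    public function __construct($token)
    {
        $this->token = $token;
    }

    // Deliver over the mail channel only.
    public function via($notifiable)
    {
        return ['mail'];
    }

    public function toMail($notifiable)
    {
        // Expiry in minutes for the assumed "users" broker (config/auth.php);
        // falls back to the documented default of one hour.
        $minutes = config('auth.passwords.users.expire', 60);

        // The token is the route parameter; the e-mail address travels as a
        // query string value so the reset form can pre-fill it.
        $url = route('password.reset', [
            'token' => $this->token,
            'email' => $notifiable->getEmailForPasswordReset(),
        ]);

        return (new MailMessage)
            ->subject('Reset your password')
            ->line('We received a password reset request for this account.')
            ->action('Reset Password', $url)
            ->line("This link expires in {$minutes} minutes.")
            ->line('If you did not request a reset, no action is needed.');
    }
}
```

The User model needs a matching `use App\Notifications\ResetPasswordNotification;` import for the override to resolve this class.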