On the password reset form the user supplies current_password, password and password-confirmation. Is there a way to specify in the validation rules that current_password (its hash value) must match the database value?

Currently I have this:

// Current rules: current_password is only checked for presence, not against the stored hash
$rules = array(
    'current_password' => 'required',
    'password'         => 'required|confirmed|min:22'
);

Thank you.

UPDATE

Thanks to @ChrisForrence and @Ben, I came up with the following which works great! Much appreciated. Hope this will help someone else:

// Custom rule: hashmatch:<attribute> checks the submitted plaintext against the
// bcrypt hash stored in the given attribute of the authenticated user.
Validator::extend('hashmatch', function($attribute, $value, $parameters)
{
    // Braces are required: without them PHP 7 parses $obj->$parameters[0]
    // as ($obj->$parameters)[0] and the lookup silently breaks.
    return Hash::check($value, Auth::user()->{$parameters[0]});
});
$messages = array(
    'hashmatch' => 'Your current password must match your account password.'
);
$rules = array(
    'current_password' => 'required|hashmatch:password',
    'password'         => 'required|confirmed|min:4|different:current_password'
);

$validation = Validator::make(Input::all(), $rules, $messages);
PeterKA

1 Answer

You can't; bcrypt hashes are unique (they have their own random salt incorporated), so even if you knew the user's plain text password you wouldn't be able to do a hash-to-hash comparison.

What you can do is actually check the plain text password against a bcrypt hash by doing Hash::check('plain text password', 'bcrypt hash') on your controller.

Ben
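The point made in the answer, as an added example that is not part of the original question or answer and does not use Laravel: it shows that two bcrypt hashes of the same password never compare equal, and that the only working check is plaintext-against-stored-hash. It assumes PHP 7 or later, whose password_hash/password_verify functions are (as an assumption) what Laravel's Hash facade wraps; the user record and the hashmatchRule helper are constructed stand-ins for Auth::user() and the 'hashmatch' closure.

```php
<?php
// Added example (plain PHP, not the original poster's or Laravel's code).
// Assumption: PHP >= 7 with password_hash()/password_verify(), which is what
// Laravel's Hash::make()/Hash::check() wrap.

// Constructed sample: the hash stored in the users table at registration time.
$storedHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT);

// Why a hash-to-hash rule cannot work: hashing the same plaintext again
// produces a different string, because bcrypt embeds a fresh random salt
// (visible as the 22 characters after the "$2y$10$" prefix) in every hash.
function hashesOfSamePasswordDiffer(string $plain): bool
{
    $a = password_hash($plain, PASSWORD_BCRYPT);
    $b = password_hash($plain, PASSWORD_BCRYPT);
    return $a !== $b;
}

// The correct check: password_verify() reads the salt and cost back out of
// the stored hash, re-hashes the submitted plaintext with them, and compares
// the result in constant time. This is what a 'hashmatch' rule must call.
function currentPasswordMatches(string $submitted, string $storedHash): bool
{
    return password_verify($submitted, $storedHash);
}

// Stand-in for the Validator::extend('hashmatch', ...) closure, without the
// framework: $parameters[0] names the user attribute holding the hash, so the
// rule string 'hashmatch:password' resolves to $user['password'].
function hashmatchRule(array $user, string $value, array $parameters): bool
{
    $attribute = $parameters[0];
    if (!isset($user[$attribute])) {
        return false; // misconfigured rule: never fall through to "valid"
    }
    return currentPasswordMatches($value, $user[$attribute]);
}

$user = ['password' => $storedHash]; // constructed user record

echo hashesOfSamePasswordDiffer('correct horse battery staple')
    ? "two hashes of one password differ, so comparing hashes is useless\n"
    : "unexpected: hashes matched\n";
echo hashmatchRule($user, 'correct horse battery staple', ['password'])
    ? "correct current_password: rule passes\n" : "rule failed\n";
echo hashmatchRule($user, 'wrong password', ['password'])
    ? "rule passed on wrong password\n" : "wrong current_password: rule fails\n";
```

Note that isset() on the attribute keeps a mistyped rule parameter (for example 'hashmatch:passwrd') from being treated as a match.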