Unwanted validation rule being applied on password reset

Question

I'm trying to use the password reset ability of Laravel's authentication. After running make:auth command, inside my ResetPasswordController, I have overridden rules function of Illuminate\Foundation\Auth\ResetsPasswords trait as the following:

protected function rules()
{
    return [
        'token' => 'required',
        'email' => 'required|email',
        'password' => 'required|confirmed|min:4',    
    ];
}

So, I am trying to change the minimum length value to 4. But when I try to reset my password, a rule of minimum of 8 characters is still being applied instead of 4. Here is the reset function of laravel in the same file:

public function reset(Request $request)
{
    $request->validate($this->rules(), $this->validationErrorMessages());

    // Here we will attempt to reset the user's password. If it is successful we
    // will update the password on an actual user model and persist it to the
    // database. Otherwise we will parse the error and return the response.
    $response = $this->broker()->reset(
        $this->credentials($request), function ($user, $password) {
            $this->resetPassword($user, $password);
        }
    );

    // If the password was successfully reset, we will redirect the user back to
    // the application's home authenticated view. If there is an error we can
    // redirect them back to where they came from with their error message.
    return $response == Password::PASSWORD_RESET
                ? $this->sendResetResponse($request, $response)
                : $this->sendResetFailedResponse($request, $response);
}

And the $response being returned is Illuminate\Support\Facades\Password::INVALID_PASSWORD. I don't understand where this rule is coming from. Actually the validation behavior is like this: When I enter less than 4 characters, my own rule is applied (correctly). However, entering 4 to less than 8 characters is also an error by some other rule.

Did you change the code in the actual trait or in the controller? — Rwd, Jul 29 '19 at 12:04
@Rwd I didn't change the trait. I added new rules function in the controller to override it. — Stack crawler, Jul 29 '19 at 12:08

score 1 · Accepted Answer · answered Jul 29 '19 at 13:13

The reason that you're getting the error back is because the PasswordBroker expects a password with a minimum length of 8 characters so even though your form validation is passing, the validation in the PasswordBroker isn't.

One way to get around this would be to override the broker() method in your ResetPasswordController and pass your own validator to it:

public function broker()
{
    $broker = Password::broker();

    $broker->validator(function ($credentials) {
        return $credentials['password'] === $credentials['password_confirmation'];
    });

    return $broker;
}

The above is essentially the same as what's going on in the PasswordBroker itself, just without the string length check as well.

Don't forget to import the Password facade into your controller:

use Illuminate\Support\Facades\Password;

This isn't essential, but for good measure I would then suggest updating the password error message in your resources/lang/en/passwords.php file as well.

Unwanted validation rule being applied on password reset

1 Answers1

Linked