I am using Laravel v9. I know there is a default password reset flow provided by Laravel, but I am not using it because I want to have a customized route name. So I am writing my own flow.
I would hope it will have a similar security level to that provided by Laravel. I observed that Laravel hashes the password reset token in its database. From my understanding, this is a security measure to prevent anyone other than the account owner from resetting the account password without the owner's consent (just like hashing the account password).
When a user requests to reset their account password, a link with a token will be sent to their registered email address. The link directs the user to the page for resetting their account password. Before the page shows, my system would check whether the token exists:
- Retrieve all table records
- Loop over all records and use `Hash::check()` to compare each record token with the incoming request token
- If the token is found, then display the page. Otherwise, return an error 404 page
I realize that this could be a potential performance issue: if there are many users requesting a password reset within a short period of time, then step 2 would be an intensive task both in terms of time complexity and memory usage. Is there any way to compare the token values in the database query rather than in an application loop, since in general a database query is quicker?
CodePudding user response:
Maybe I'm missing something, but the simple solution appears to be to include the username or ID in the URL alongside the token. Then the checking page would:
- Look up the specified user in the database
- Check if it exists, and has an active reset token
- Check the token from the database against the one in the URL
- Allow a password reset if all checks pass
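The flow described in the answer, as an added example (not the asker's code and not the answer's code). It assumes Laravel 9, a reset table with `email`, `token` and `created_at` columns (the name `password_resets` below is the Laravel 9 default and is an assumption, as are the route `/reset-password/{email}/{token}`, the view name, the controller name and the 60-minute expiry). The email is used as the public identifier because Laravel's default table is keyed by it; a numeric user ID works the same way and avoids URL-encoding the address.

```php
<?php
// Added example, not code from the original post or answer. Assumes Laravel 9,
// a `password_resets` table (email, token, created_at) and a route of the form
// /reset-password/{email}/{token}. Names and the expiry window are illustrative.

use Illuminate\Http\Request;
use Illuminate\Support\Carbon;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Mail;
use Illuminate\Support\Str;

class CustomPasswordResetController
{
    // How long a reset link stays valid (assumption: 60 minutes).
    private const EXPIRE_MINUTES = 60;

    // Step 1: the user asks for a reset link.
    public function sendLink(Request $request)
    {
        $email = $request->validate(['email' => 'required|email'])['email'];

        // Respond identically whether or not the account exists, so this
        // endpoint cannot be used to enumerate registered addresses.
        $userExists = DB::table('users')->where('email', $email)->exists();
        if ($userExists) {
            $plainToken = Str::random(64);           // 64 random chars, sent only to the user

            // Store the bcrypt hash, never the plaintext token; one row per email.
            DB::table('password_resets')->updateOrInsert(
                ['email' => $email],
                ['token' => Hash::make($plainToken), 'created_at' => now()]
            );

            // The identifier in the URL is not secret; the token carries the security.
            $url = url('/reset-password/' . urlencode($email) . '/' . $plainToken);
            Mail::raw("Reset your password: {$url}", fn ($message) => $message->to($email));
        }

        return back()->with('status', 'If that address is registered, a reset link is on its way.');
    }

    // Step 2: the link is opened. One indexed lookup and one Hash::check,
    // instead of a Hash::check against every row in the table.
    public function showResetForm(string $email, string $token)
    {
        $row = DB::table('password_resets')->where('email', $email)->first();

        $valid = $row !== null
            // Expired rows are treated exactly like missing rows.
            && Carbon::parse($row->created_at)->addMinutes(self::EXPIRE_MINUTES)->isFuture()
            // bcrypt compare: same cost whether or not the token matches.
            && Hash::check($token, $row->token);

        abort_unless($valid, 404);

        return view('auth.custom-reset', ['email' => $email, 'token' => $token]);
    }
}
```

Two points a practitioner would want checked: the POST that actually sets the new password must repeat the same lookup, expiry and `Hash::check` (the GET that renders the form proves nothing on its own), and it must delete the row once the password has changed, otherwise the link remains valid until it expires. Because `Hash::check` is a bcrypt comparison, the cost is the same for a right and a wrong token, so the 404 on failure leaks nothing beyond the email, which was already in the URL.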