Laravel : Reset password get 6 digits without validation


I have a simple function to reset my password. In my function the minimum requirement for the password value is 1 digit, but when I try to update the password it is not updated; when I put 6 digits in the password it works fine.

I found that in vendor\laravel\framework\src\Illuminate\Auth\Passwords the PasswordBroker.php file has one function

protected function validatePasswordWithDefaults(array $credentials)
{
    list($password, $confirm) = [
        $credentials['password'],
        $credentials['password_confirmation'],
    ];

    return $password === $confirm && mb_strlen($password) >= 6; // here it is
}

and it contains the validation ($password) >= 6. How can I remove it? When I change this file it works, but the vendor folder is in my .gitignore, so it is not updated on live. What is the solution? How can I override this validation?

For reference, here is my resetPassword function

public function resetPassword(ResetPasswordRequest $request, JWTAuth $JWTAuth)
{
    $validator = Validator::make($request->all(), User::resetPasswordRules());
    if ($validator->fails()) {
        return response()->json([
            'message'       => "422 Unprocessable Entity",
            'errors'        => $validator->messages(),
            'status_code'   => 422,
        ]);
    }

    $response = $this->broker()->reset(
        $this->credentials($request), function ($user, $password) {
            $this->reset($user, $password);
        }
    );

    if ($response !== Password::PASSWORD_RESET) {
        return response()->json([
            'message'       => "Internal Server Error",
            'status_code'   => 500,
        ]);
    }
    $user = User::where('email', '=', $request->get('email'))->first();
    $user->UserDeviceData()->firstOrCreate([
        'device_id' => $request->device_id
    ]);

    return (new UserTransformer)->transform($user, [
        'request_type'  => 'reset_password',
        'token'         => $JWTAuth->fromUser($user)
    ]);
}

Solution

  • This is how you can fix this:

    public function resetPassword(ResetPasswordRequest $request, JWTAuth $JWTAuth)
    {
        ... // Validator check and json response
    
        $broker = $this->broker();
    
        // Replace default validation of the PasswordBroker
        $broker->validator(function (array $credentials) {
            return true; // Password match is already validated in PasswordBroker so just return true here
        });
    
        $response = $broker->reset(
            $this->credentials($request), function ($user, $password) {
            $this->reset($user, $password);
        });
    
        ...
    }
    

    First you get an instance of the broker and then you add a callable function which it will use for the validation instead of validatePasswordWithDefaults. In there you just need to return true because the PasswordBroker already has a check $password === $confirm.
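The same `validator()` hook can carry the application's own password rule instead of an unconditional `true`, and the broker's return constants can be mapped to distinct responses rather than one 500. This is an added example, not code from the question or the answer; it assumes Laravel 5.5's `PasswordBroker::validator()` semantics (the closure result is ANDed with the confirmation check), the `broker()`, `credentials()` and `reset()` helpers from the question's controller, and a hypothetical `$passwordRules` property as the policy.

```php
<?php
// Added example (not from the question or answer): replace the vendor's
// 6-character default with the application's own rule, and report the
// broker's distinct outcomes instead of a blanket "Internal Server Error".
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Password;
use Illuminate\Support\Facades\Validator;

trait ResetsWithOwnPolicy
{
    // Hypothetical policy property: the minimum length is the application's
    // decision (the question asks for 1), not PasswordBroker's hard-coded 6.
    protected $passwordRules = ['password' => 'required|string|min:1|confirmed'];

    public function resetPassword(Request $request)
    {
        $broker = $this->broker();

        // This closure replaces validatePasswordWithDefaults(). In Laravel 5.5
        // validateNewPassword() still ANDs its result with
        // $password === $password_confirmation, so the policy is only added to,
        // never weakened below the confirmation check.
        $broker->validator(function (array $credentials) {
            return Validator::make($credentials, $this->passwordRules)->passes();
        });

        $response = $broker->reset(
            $this->credentials($request),
            function ($user, $password) {
                $this->reset($user, $password);
            }
        );

        // The constants are translation keys (e.g. 'passwords.password'), so
        // trans() yields the stock message for a policy failure.
        switch ($response) {
            case Password::PASSWORD_RESET:
                return response()->json(['status_code' => 200], 200);
            case Password::INVALID_PASSWORD:
                return response()->json(['message' => trans($response), 'status_code' => 422], 422);
            case Password::INVALID_TOKEN:
            case Password::INVALID_USER:
                // One message for both: the response does not reveal whether
                // the e-mail address exists.
                return response()->json(['message' => 'Invalid reset request', 'status_code' => 400], 400);
            default:
                return response()->json(['status_code' => 500], 500);
        }
    }
}
```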