Add the option to override password reset token duration

[andrewpitts15]

In our application, new user accounts are created by administrators and we send these new users a welcome email containing a password reset token. Unfortunately, these expire within 60 minutes and a lot of the time the user hasn't seen the email before the token expires.

We would like to keep the expiry at 60 minutes for standard password resets initiated by the user for security purposes so it would be good if there was a way to override this for individual tokens or to define different token types with different expiries in the config.

[Muffinman]

https://github.com/laravel/framework/blob/11.x/config/auth.php#L97

[andrewpitts15]

Thanks for you reply. I know about that setting, however it only currently supports having a single expiry time for every single password reset token generated. I would like password resets for existing users to stay at 60 minutes while having the reset link sent to new users expire after 24 hours. Setting that value to 24 hours for all reset tokens introduces an extra security risk.

[Muffinman]

You'd need a custom password broker to achieve this. The Expiry date is checked at the time the link is viewed in your case you probably need to calculate the desired expiry date at the moment the token is generated, and then check against this date rather than $createdAt.

    public function exists(CanResetPasswordContract $user, #[\SensitiveParameter] $token)
    {
        $record = (array) $this->getTable()->where(
            'email', $user->getEmailForPasswordReset()
        )->first();

        return $record &&
               ! $this->tokenExpired($record['created_at']) &&
                 $this->hasher->check($token, $record['token']);
    }

    /**
     * Determine if the token has expired.
     *
     * @param  string  $createdAt
     * @return bool
     */
    protected function tokenExpired($createdAt)
    {
        return Carbon::parse($createdAt)->addSeconds($this->expires)->isPast();
    }