laravel-doctrine / orm

An integration library for Laravel and Doctrine ORM
MIT License

[BUG] The `Auth\Passwords\DoctrineTokenRepository` creates tokens without hashing #506

Closed rosamarsky closed 2 years ago

rosamarsky commented 2 years ago

I used the default Illuminate Password Broker before I found this page in your documentation. After changing PasswordResetServiceProvider in config/app.php, I checked the password_resets table and saw unhashed tokens. It looks really unsafe.


Package version 1.4, Laravel version 8.0

dpslwk commented 2 years ago

I believe that token is generated here: https://github.com/laravel-doctrine/orm/blob/2824a8516ac8b5b812d7195f01c7c64470abc179/src/Auth/Passwords/DoctrineTokenRepository.php#L213-L221

which just results in a different Hash/Token than Laravel, which is likely using their built-in Hash Facade.

dpslwk commented 2 years ago

Ah, Laravel are building it the same, but are pushing the token through the hasher before it goes into the database:

https://github.com/laravel/framework/blob/cf00a5621f2eacdb978d3176e6d601193d9dc57d/src/Illuminate/Auth/Passwords/DatabaseTokenRepository.php#L207-L215

https://github.com/laravel/framework/blob/cf00a5621f2eacdb978d3176e6d601193d9dc57d/src/Illuminate/Auth/Passwords/DatabaseTokenRepository.php#L111-L121

Happy to take a PR to fix this, but it might be considered a BC break, since it would invalidate all existing tokens.
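The two behaviours discussed in this thread, shown side by side as an added example. This is not code from laravel-doctrine/orm or laravel/framework; it uses an in-memory array in place of the password_resets table and plain PHP `password_hash`/`password_verify` in place of Laravel's Hasher, so the class and its `$hashTokens` switch are illustrative assumptions, not the library's API.

```php
<?php
declare(strict_types=1);

// Added example, not code from laravel-doctrine/orm or laravel/framework.
// $hashTokens=false stores the raw token (the behaviour reported in this issue);
// $hashTokens=true stores a bcrypt hash, the pattern dpslwk links to in
// Laravel's DatabaseTokenRepository (there done through the Hasher contract).
final class ResetTokenRepository
{
    /** @var array<string, array{token: string, created_at: int}> rows keyed by email (stand-in for password_resets) */
    private array $rows = [];

    public function __construct(
        private bool $hashTokens,
        private int $expiresSeconds = 3600,
    ) {}

    /** Create a token for $email and return the raw value that goes into the reset link. */
    public function create(string $email): string
    {
        $raw = bin2hex(random_bytes(32)); // 256 bits of entropy, hex-encoded

        $this->rows[$email] = [
            // Raw token at rest: anyone who can read the table (backup, SQL
            // injection, rogue DBA) can reset every account with a pending token.
            // Hashed token at rest: the table holds nothing that replays.
            'token'      => $this->hashTokens ? password_hash($raw, PASSWORD_BCRYPT) : $raw,
            'created_at' => time(),
        ];

        return $raw;
    }

    /** True if $token is the unexpired token issued for $email. */
    public function exists(string $email, string $token): bool
    {
        $row = $this->rows[$email] ?? null;
        if ($row === null || time() - $row['created_at'] > $this->expiresSeconds) {
            return false;
        }

        return $this->hashTokens
            ? password_verify($token, $row['token'])
            : hash_equals($row['token'], $token); // constant-time compare on the legacy path
    }

    /** What actually sits in the token column (for the demonstration below). */
    public function storedToken(string $email): ?string
    {
        return $this->rows[$email]['token'] ?? null;
    }
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("FAILED: $what");
    }
}

// Reported behaviour: the column is the token itself.
$plain = new ResetTokenRepository(hashTokens: false);
$raw   = $plain->create('alice@example.com');
expect($plain->storedToken('alice@example.com') === $raw, 'raw token stored as-is');

// Hashed behaviour: the column is a bcrypt hash, only the e-mailed value verifies.
$hashed = new ResetTokenRepository(hashTokens: true);
$raw    = $hashed->create('alice@example.com');
$stored = $hashed->storedToken('alice@example.com');
expect(str_starts_with($stored, '$2y$'), 'bcrypt hash at rest');
expect($hashed->exists('alice@example.com', $raw) === true, 'link token verifies');
expect($hashed->exists('alice@example.com', $stored) === false, 'dumped column does not replay');
expect($hashed->exists('alice@example.com', bin2hex(random_bytes(32))) === false, 'wrong token rejected');

echo "ok\n";
```

Run it with `php` 8.0 or newer. The last line of the hashed branch is also the BC point dpslwk raises: a row written before the change holds the raw token, and `password_verify` against a non-bcrypt string returns false, so every token issued under the old code stops validating the moment the hashing code ships.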