Delete existing tokens when user updates password (#598)

patrickomeara · web-flow · commit 2b3f76ba2fef · 2025-06-05T11:18:11.000-05:00
This prevents an attacker using an existing password reset link after a user has changed their password. https://community.auth0.com/t/invalidating-password-reset-links-after-password-change/150437?utm_source=chatgpt.com
diff --git a/src/Http/Controllers/PasswordController.php b/src/Http/Controllers/PasswordController.php
@@ -2,8 +2,10 @@
 
 namespace Laravel\Fortify\Http\Controllers;
 
+use Illuminate\Contracts\Auth\PasswordBroker;
 use Illuminate\Http\Request;
 use Illuminate\Routing\Controller;
+use Illuminate\Support\Facades\Password;
 use Laravel\Fortify\Contracts\PasswordUpdateResponse;
 use Laravel\Fortify\Contracts\UpdatesUserPasswords;
 use Laravel\Fortify\Events\PasswordUpdatedViaController;
@@ -21,8 +23,20 @@ public function update(Request $request, UpdatesUserPasswords $updater)
     {
         $updater->update($request->user(), $request->all());
 
+        $this->broker()->deleteToken($request->user());
+
         event(new PasswordUpdatedViaController($request->user()));
 
         return app(PasswordUpdateResponse::class);
     }
+
+    /**
+     * Get the broker to be used to delete any existing password reset tokens.
+     *
+     * @return \Illuminate\Contracts\Auth\PasswordBroker
+     */
+    protected function broker(): PasswordBroker
+    {
+        return Password::broker(config('fortify.passwords'));
+    }
 }
diff --git a/tests/PasswordControllerTest.php b/tests/PasswordControllerTest.php
@@ -4,9 +4,12 @@
 
 use App\Actions\Fortify\UpdateUserPassword;
 use Database\Factories\UserFactory;
+use Illuminate\Contracts\Auth\PasswordBroker;
 use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Password;
 use Illuminate\Validation\ValidationException;
 use Laravel\Fortify\Contracts\UpdatesUserPasswords;
+use Mockery;
 
 class PasswordControllerTest extends OrchestraTestCase
 {
@@ -16,9 +19,20 @@ public function test_passwords_can_be_updated()
     {
         $user = UserFactory::new()->create();
 
+        Password::shouldReceive('broker')->andReturn($broker = Mockery::mock(PasswordBroker::class));
+
+        $broker->shouldReceive('deleteToken')
+            ->once()
+            ->with($user);
+
         $this->mock(UpdatesUserPasswords::class)
-                    ->shouldReceive('update')
-                    ->once();
+            ->shouldReceive('update')
+            ->once()
+            ->with($user, [
+                'current_password' => 'password',
+                'password' => 'new-password',
+                'password_confirmation' => 'new-password',
+            ]);
 
         $response = $this->withoutExceptionHandling()->actingAs($user)->putJson('/user/password', [
             'current_password' => 'password',
