# Password reset links causing error 403


vestal elbow
#

Hi all,

I am having a bit of trouble understanding the default behavior of Laravel. When using Laravel Breeze to add sign-up functionality, the reset password function will send the user a password reset link like: example.com/reset-password/{token}. When looking at the password reset token database, it seems they are hashes made with Hash::make().

From what I can tell these hashes might sometimes contain /. This is usually disallowed by Nginx because you might access hidden files like that. I recently had a problem where one of my users got an error 403 because his hash was something like $2y$10$4pMXFD531gW4LczTG8DF4eCS9F47/.yG6q.74LP/IJAUUCoZ5x9A2

Why is this implemented that way? What should I do instead? Should I check all my hashes for /. and just regenerate until I get a good one? Am I missing something?

Any insight into this is greatly appreciated!

spark tide
#

Hello,
You just need to add

Route::get(...)->where("token", ".*")

so it can treat anything after the slash as a string and not a route.

vestal elbow
#

I had that in already, because I previously encountered problems when there were / and . in the token. However, with /. it doesn't work, because nginx blocks the URL before it even gets to Laravel.

wintry relic
#

Sounds like a problem with your nginx config then. .* will catch slashes as well and shouldn't cause issues.

vestal elbow
#

In my understanding nginx would catch this before Laravel's routes come into play. In my (default) nginx config I do have the rule

location ~ /\.(?!well-known).* { deny all; }

From what I understand, this is pretty standard and not something I should allow globally.

Like I said, the .* does not work, and I believe if it were related to that, I'd get a 404, because the route gets more parameters than it expects.

wintry relic
#

That location block is fine, but it is not the one that should be catching the routes and forwarding them to Laravel. You'd want something like this above it:

location / {
    try_files $uri $uri/ /index.php?$query_string;
}

That will just catch anything and pass it as a query string.

vestal elbow
#

That's also in the file.
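A worked illustration of the two points in this thread, added here as an example rather than code from any of the posters: (1) in nginx, a `~` regex location that matches the request path is selected ahead of the longest prefix match, whatever order the blocks appear in, so adding `location /` above the `/\.(?!well-known).*` deny rule does not stop that rule answering 403 for a path containing `/.`; (2) the dotfile rule is worth keeping, and the path stays safe if the link carries a random hex token and only a hash of that token is stored, which is what Laravel's own password broker does. The model of nginx location selection is deliberately simplified (plain prefix and `~` regex locations only, no `=` or `^~` modifiers), `APP_KEY` is a constructed placeholder, and the stored value uses a SHA-256 digest instead of `Hash::make()` to keep the script dependency-free. The bcrypt hash used as the bad token is the one quoted in the first post.

```python
import hashlib
import hmac
import re
import secrets

# The deny rule quoted in the thread (the common default nginx dotfile snippet).
NGINX_DOTFILE_RULE = r"/\.(?!well-known).*"

# The bcrypt hash quoted in the thread as the token that produced the 403.
BAD_TOKEN_FROM_THREAD = "$2y$10$4pMXFD531gW4LczTG8DF4eCS9F47/.yG6q.74LP/IJAUUCoZ5x9A2"

# Constructed placeholder; a real application would use its own secret key.
APP_KEY = b"example-app-key-not-a-real-secret"


def reset_path(token):
    """Build the request path a Breeze-style reset link produces for a token."""
    return "/reset-password/" + token


def nginx_select_location(path, regex_locations, prefix_locations=("/",)):
    """Simplified model of nginx location selection (assumption: only plain
    prefix locations and '~' regex locations; no '=' or '^~' modifiers).

    nginx remembers the longest matching prefix location, then tests regex
    locations in configuration order; the first regex that matches wins,
    and the prefix match is used only when no regex matches. Returns the
    name of the selected regex location, or 'prefix:<p>' for the fallback.
    """
    best_prefix = None
    for prefix in prefix_locations:
        if path.startswith(prefix) and (best_prefix is None or len(prefix) > len(best_prefix)):
            best_prefix = prefix
    for name, pattern in regex_locations:
        if re.search(pattern, path):
            return name
    return None if best_prefix is None else "prefix:" + best_prefix


def is_blocked_by_dotfile_rule(path):
    """True when the dotfile deny rule would answer 403 for this path."""
    selected = nginx_select_location(path, [("deny_dotfiles", NGINX_DOTFILE_RULE)])
    return selected == "deny_dotfiles"


def issue_reset_token(app_key=APP_KEY):
    """Return (plain_token, stored_digest).

    The plain token is what goes into the e-mail link: a hex HMAC over 40
    random bytes, so it contains only [0-9a-f] and can never match a '/\\.'
    rule. Only a digest of it is stored. (Laravel stores Hash::make() of the
    plain token; SHA-256 is used here so the example runs without extra
    packages, which is adequate because the token already carries 256 bits
    of entropy and cannot be brute-forced offline.)
    """
    plain = hmac.new(app_key, secrets.token_bytes(40), hashlib.sha256).hexdigest()
    stored = hashlib.sha256(plain.encode("utf-8")).hexdigest()
    return plain, stored


def verify_reset_token(presented, stored_digest):
    """Constant-time check of a presented token against the stored digest."""
    digest = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    rules = [("deny_dotfiles", NGINX_DOTFILE_RULE)]
    bad = reset_path(BAD_TOKEN_FROM_THREAD)
    print(bad, "->", nginx_select_location(bad, rules))
    plain, stored = issue_reset_token()
    good = reset_path(plain)
    print(good, "->", nginx_select_location(good, rules))
    print("token verifies:", verify_reset_token(plain, stored))
```

Running the script shows the quoted hash selecting the `deny_dotfiles` location (a 403) while the hex token falls through to `location /` and is handed to Laravel; `/.well-known/...` paths are still allowed by the rule's negative lookahead. Regenerating tokens until no `/.` appears, as the first post considers, is unnecessary once the URL no longer carries the stored hash.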