Skip to Content

Comprehensive documentation to help you get started and make the most of this feature.

Launchpanel - Laravel Admin Panel & Dynamic Website Starter Kit Updated 2 days ago

Admin Password Reset Feature

5 min read
Updated 2 days ago

Admin Password Reset Feature

Overview

The Admin Password Reset feature provides a dedicated, secure password reset flow for administrators, separate from the regular user password reset system. This ensures better security and separation of concerns for admin accounts.

Features

Security Enhancements

  1. Admin-Only Verification: Only users with admin privileges can use this reset flow
  2. Account Status Check: Inactive admin accounts cannot request password resets
  3. Enhanced Audit Logging: All admin password resets are logged with IP addresses
  4. Custom Email Notifications: Admins receive specialized password reset emails
  5. Rate Limiting: Protected against brute force attacks (5 attempts per minute)
  6. Token Expiration: Reset links expire after 60 minutes
  7. Single-Use Tokens: Each reset link can only be used once

User Experience

  1. Dedicated UI: Custom admin-themed password reset pages
  2. Password Strength Indicator: Real-time feedback on password strength
  3. Password Requirements Display: Clear visual indicators for password requirements
  4. Show/Hide Password: Toggle visibility for both password fields
  5. Responsive Design: Works seamlessly on all devices

Routes

Guest Routes (Unauthenticated)

GET  /admin/forgot-password          - Display forgot password form
POST /admin/forgot-password          - Send password reset link
GET  /admin/reset-password/{token}   - Display reset password form
POST /admin/reset-password           - Process password reset

Route Names

admin.password.request  - Forgot password page
admin.password.email    - Send reset link
admin.password.reset    - Reset password page
admin.password.store    - Process reset

Controllers

AdminPasswordResetLinkController

Location: app/Http/Controllers/Admin/Security/AdminPasswordResetLinkController.php

Methods:

  • create(): Display the forgot password form
  • store(): Validate admin status and send reset link

Security Checks:

  • Verifies user exists
  • Confirms user has admin privileges
  • Checks account is active
  • Returns generic errors to prevent email enumeration

AdminNewPasswordController

Location: app/Http/Controllers/Admin/Security/AdminNewPasswordController.php

Methods:

  • create(): Display the reset password form
  • store(): Validate and reset the password

Features:

  • Validates reset token
  • Confirms admin status
  • Updates password with hashing
  • Resets failed login attempts
  • Clears account locks
  • Logs the password reset action
  • Invalidates old sessions

Views

Forgot Password Page

Location: resources/views/admin/auth/forgot-password.blade.php

Features:

  • Email input with validation
  • Success/error message display
  • Security notice about link expiration
  • Back to login link
  • India-themed gradient design

Reset Password Page

Location: resources/views/admin/auth/reset-password.blade.php

Features:

  • Email and token validation
  • Password strength meter
  • Real-time password requirements checker
  • Show/hide password toggles
  • Password confirmation matching indicator
  • Comprehensive password requirements list

Email Notification

AdminResetPasswordNotification

Location: app/Notifications/AdminResetPasswordNotification.php

Features:

  • Queued for performance
  • Custom subject line for admin resets
  • Security warning message
  • Personalized greeting
  • Expiration time notice
  • Single-use link warning
  • Security team signature

Email Content:

  • Recipient name personalization
  • Clear call-to-action button
  • Link expiration information
  • Security warnings
  • Contact information for suspicious activity

Password Requirements

Admins must create passwords that meet these criteria:

  1. Minimum Length: At least 8 characters
  2. Mixed Case: Both uppercase and lowercase letters
  3. Numbers: At least one numeric digit
  4. Special Characters: At least one special character
  5. Confirmation: Must match the confirmation field

Security Features

Rate Limiting

  • Forgot Password: 5 requests per minute per IP
  • Reset Password: Standard throttling applies
  • Prevents brute force attacks
  • Protects against email enumeration

Audit Logging

All admin password resets are logged with:

  • User ID and email
  • IP address
  • User agent
  • Timestamp
  • Action type: admin_password_reset

Token Security

  • Tokens are cryptographically secure
  • Expire after 60 minutes
  • Single-use only
  • Stored hashed in database
  • Invalidated after successful reset

Account Protection

  • Failed login attempts are reset
  • Account locks are cleared
  • Old sessions are invalidated
  • Remember tokens are regenerated

Integration with Existing System

User Model Enhancement

The User model includes a custom sendPasswordResetNotification() method that:

  • Detects if the user is an admin
  • Sends AdminResetPasswordNotification for admins
  • Sends standard ResetPassword notification for regular users

Admin Login Page

The admin login page (resources/views/admin/login.blade.php) includes:

  • "Forgot Password?" link pointing to admin.password.request
  • Maintains consistent admin UI theme
  • Preserves all existing security features

Usage

For Administrators

  1. Navigate to /admin/login
  2. Click "Forgot Password?" link
  3. Enter your admin email address
  4. Check your email for the reset link
  5. Click the link (valid for 60 minutes)
  6. Enter and confirm your new password
  7. Password must meet all requirements
  8. Submit to reset your password
  9. Login with your new credentials

For Developers

Testing the Flow

# Test forgot password page
php artisan route:list --name=admin.password

# Clear password reset tokens
php artisan tinker
>>> DB::table('password_reset_tokens')->truncate();

# Test email sending
php artisan queue:work

Customizing Email Template

Edit app/Notifications/AdminResetPasswordNotification.php:

public function toMail(object $notifiable): MailMessage
{
    return (new MailMessage)
        ->subject('Your Custom Subject')
        ->line('Your custom message')
        // ... customize as needed
}

Adjusting Token Expiration

Edit config/auth.php:

'passwords' => [
    'users' => [
        'expire' => 60, // Change to desired minutes
    ],
],

Troubleshooting

Email Not Received

  1. Check mail configuration in .env
  2. Verify queue is running: php artisan queue:work
  3. Check mail logs
  4. Verify admin email is correct
  5. Check spam folder

Token Expired Error

  • Reset links expire after 60 minutes
  • Request a new reset link
  • Check system time is correct

"Not an Admin" Error

  • Verify user has admin role
  • Check isAdmin() method in User model
  • Confirm role assignment in database

Rate Limit Exceeded

  • Wait 1 minute before retrying
  • Check for multiple failed attempts
  • Verify IP address isn't blocked

Best Practices

For Administrators

  1. Use strong, unique passwords
  2. Don't share reset links
  3. Report suspicious reset emails
  4. Change password immediately if compromised
  5. Enable two-factor authentication

Support

For issues or questions:

  • Check the troubleshooting section above
  • Review audit logs for security events
  • Contact the development team
  • Submit a bug report with details

Last Updated: November 29, 2025
Version: 1.0.0
Maintainer: Development Team

Need More Help?

Our comprehensive documentation covers everything from basic setup to advanced configurations. Check out these additional resources:

Was this helpful?

Let us know if you found this documentation useful.