Admin Password Reset Feature
Admin Password Reset Feature
Overview
The Admin Password Reset feature provides a dedicated, secure password reset flow for administrators, separate from the regular user password reset system. This ensures better security and separation of concerns for admin accounts.
Features
Security Enhancements
- Admin-Only Verification: Only users with admin privileges can use this reset flow
- Account Status Check: Inactive admin accounts cannot request password resets
- Enhanced Audit Logging: All admin password resets are logged with IP addresses
- Custom Email Notifications: Admins receive specialized password reset emails
- Rate Limiting: Protected against brute force attacks (5 attempts per minute)
- Token Expiration: Reset links expire after 60 minutes
- Single-Use Tokens: Each reset link can only be used once
User Experience
- Dedicated UI: Custom admin-themed password reset pages
- Password Strength Indicator: Real-time feedback on password strength
- Password Requirements Display: Clear visual indicators for password requirements
- Show/Hide Password: Toggle visibility for both password fields
- Responsive Design: Works seamlessly on all devices
Routes
Guest Routes (Unauthenticated)
GET /admin/forgot-password - Display forgot password form
POST /admin/forgot-password - Send password reset link
GET /admin/reset-password/{token} - Display reset password form
POST /admin/reset-password - Process password reset
Route Names
admin.password.request - Forgot password page
admin.password.email - Send reset link
admin.password.reset - Reset password page
admin.password.store - Process reset
Controllers
AdminPasswordResetLinkController
Location: app/Http/Controllers/Admin/Security/AdminPasswordResetLinkController.php
Methods:
create(): Display the forgot password formstore(): Validate admin status and send reset link
Security Checks:
- Verifies user exists
- Confirms user has admin privileges
- Checks account is active
- Returns generic errors to prevent email enumeration
AdminNewPasswordController
Location: app/Http/Controllers/Admin/Security/AdminNewPasswordController.php
Methods:
create(): Display the reset password formstore(): Validate and reset the password
Features:
- Validates reset token
- Confirms admin status
- Updates password with hashing
- Resets failed login attempts
- Clears account locks
- Logs the password reset action
- Invalidates old sessions
Views
Forgot Password Page
Location: resources/views/admin/auth/forgot-password.blade.php
Features:
- Email input with validation
- Success/error message display
- Security notice about link expiration
- Back to login link
- India-themed gradient design
Reset Password Page
Location: resources/views/admin/auth/reset-password.blade.php
Features:
- Email and token validation
- Password strength meter
- Real-time password requirements checker
- Show/hide password toggles
- Password confirmation matching indicator
- Comprehensive password requirements list
Email Notification
AdminResetPasswordNotification
Location: app/Notifications/AdminResetPasswordNotification.php
Features:
- Queued for performance
- Custom subject line for admin resets
- Security warning message
- Personalized greeting
- Expiration time notice
- Single-use link warning
- Security team signature
Email Content:
- Recipient name personalization
- Clear call-to-action button
- Link expiration information
- Security warnings
- Contact information for suspicious activity
Password Requirements
Admins must create passwords that meet these criteria:
- Minimum Length: At least 8 characters
- Mixed Case: Both uppercase and lowercase letters
- Numbers: At least one numeric digit
- Special Characters: At least one special character
- Confirmation: Must match the confirmation field
Security Features
Rate Limiting
- Forgot Password: 5 requests per minute per IP
- Reset Password: Standard throttling applies
- Prevents brute force attacks
- Protects against email enumeration
Audit Logging
All admin password resets are logged with:
- User ID and email
- IP address
- User agent
- Timestamp
- Action type:
admin_password_reset
Token Security
- Tokens are cryptographically secure
- Expire after 60 minutes
- Single-use only
- Stored hashed in database
- Invalidated after successful reset
Account Protection
- Failed login attempts are reset
- Account locks are cleared
- Old sessions are invalidated
- Remember tokens are regenerated
Integration with Existing System
User Model Enhancement
The User model includes a custom sendPasswordResetNotification() method that:
- Detects if the user is an admin
- Sends
AdminResetPasswordNotificationfor admins - Sends standard
ResetPasswordnotification for regular users
Admin Login Page
The admin login page (resources/views/admin/login.blade.php) includes:
- "Forgot Password?" link pointing to
admin.password.request - Maintains consistent admin UI theme
- Preserves all existing security features
Usage
For Administrators
- Navigate to
/admin/login - Click "Forgot Password?" link
- Enter your admin email address
- Check your email for the reset link
- Click the link (valid for 60 minutes)
- Enter and confirm your new password
- Password must meet all requirements
- Submit to reset your password
- Login with your new credentials
For Developers
Testing the Flow
# Test forgot password page
php artisan route:list --name=admin.password
# Clear password reset tokens
php artisan tinker
>>> DB::table('password_reset_tokens')->truncate();
# Test email sending
php artisan queue:work
Customizing Email Template
Edit app/Notifications/AdminResetPasswordNotification.php:
public function toMail(object $notifiable): MailMessage
{
return (new MailMessage)
->subject('Your Custom Subject')
->line('Your custom message')
// ... customize as needed
}
Adjusting Token Expiration
Edit config/auth.php:
'passwords' => [
'users' => [
'expire' => 60, // Change to desired minutes
],
],
Troubleshooting
Email Not Received
- Check mail configuration in
.env - Verify queue is running:
php artisan queue:work - Check mail logs
- Verify admin email is correct
- Check spam folder
Token Expired Error
- Reset links expire after 60 minutes
- Request a new reset link
- Check system time is correct
"Not an Admin" Error
- Verify user has admin role
- Check
isAdmin()method in User model - Confirm role assignment in database
Rate Limit Exceeded
- Wait 1 minute before retrying
- Check for multiple failed attempts
- Verify IP address isn't blocked
Best Practices
For Administrators
- Use strong, unique passwords
- Don't share reset links
- Report suspicious reset emails
- Change password immediately if compromised
- Enable two-factor authentication
Support
For issues or questions:
- Check the troubleshooting section above
- Review audit logs for security events
- Contact the development team
- Submit a bug report with details
Last Updated: November 29, 2025
Version: 1.0.0
Maintainer: Development Team
Quick Links
Need More Help?
Our comprehensive documentation covers everything from basic setup to advanced configurations. Check out these additional resources: