Change password using API via Passport


So, I'm using Passport, and what I need is a way to change the user password via a REST API. Here is what I thought:
1 - I create an account with a basic password (i.e.: 123456) in a website that I created using Laravel (I know how to do it)
2 - The user then accesses the account on a mobile, using the API, and gets with the access_token a boolean requesting to change the passwd (I know how to do it, in a bad way, because I will change the response directly in the vendor folder)
3 - The user is then redirected in the app to the change password screen and changes it, passing the valid access token and the new passwd, and the server changes it (No idea how to do it... :( )

Can someone help me with what I need to do, or, if there are some tutorials on the internet, point me to them?

Thanks a lot,
Joao sauer

joaosauer replied 1 year ago


Answering my own question. First, for part 2:

  • I create a new route outside the middleware "auth:api": Route::post('/login', 'Auth\[email protected]');

  • Then, in my apiLogin I modified the request and made the changes that I would like:

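     use Illuminate\Http\Request;
     use Illuminate\Support\Facades\Route;

     function apiLogin(Request $request) {
         // Build an internal request to Passport's token endpoint
         $tokenRequest = $request->create('/oauth/token', 'POST', $request->all());
         // Add the OAuth password-grant parameters on the server side
         $request->request->add([
             "client_id"     => 'your_client_id',
             "client_secret" => 'your_client_secret',
             "grant_type"    => 'password',
             "code"          => '*',
         ]);
         $response = Route::dispatch($tokenRequest);
         // Append the extra field to the token JSON and send it back
         $json = (array) json_decode($response->getContent());
         $json['new_value'] = '123456';
         $response->setContent(json_encode($json));
         return $response;
     }

and then I'm able to send more content with the original json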

For part 3:

  • I create a new route, INSIDE of the middleware "auth:api" (Please note that even the controller is different, since the LoginController doesn't have a constructor and the API controller does have a constructor with the middleware): Route::post('login/pwdchange', '[email protected]');

  • Now, the client will need to send the original access_token with the old password and the new password. After I validate them, I change the password and also create a new token (I'm revoking any possible token after I change the password, which will then force everybody to do a new login).

     use Illuminate\Http\Request;
     use Illuminate\Support\Facades\Auth;

     function changePassword(Request $request) {
         $data = $request->all();
         $user = Auth::guard('api')->user();
         // Change the password only if the old password is not null/empty
         if( isset($data['oldPassword']) && !empty($data['oldPassword']) && $data['oldPassword'] !== "" && $data['oldPassword'] !=='undefined') {
             // Check the old password first
             $check  = Auth::guard('web')->attempt([
                 'username' => $user->username,
                 'password' => $data['oldPassword']
             ]);
             if($check && isset($data['newPassword']) && !empty($data['newPassword']) && $data['newPassword'] !== "" && $data['newPassword'] !=='undefined') {
                 $user->password = bcrypt($data['newPassword']);
                 $user->isFirstTime = false; // variable created by me to know if it is the dummy password or one generated by the user
                 $user->save(); // persist the new hash and the flag
                 // Revoke the existing tokens, as described above, before issuing the new one
                 $user->tokens()->update(['revoked' => true]);
                 $token = $user->createToken('newToken')->accessToken;
                 return json_encode(array('token' => $token)); // send the new token
             }
             else {
                 return "Wrong password information";
             }
         }
         return "Wrong password information";
     }

Apparently it is working fine. I hope that it helps someone.
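
A stricter variant of the change-password endpoint described in the answer above, as an added example that is not part of the original post. The class name `PasswordController`, the 12-character minimum and the 422 status are assumptions, and the route is assumed to be registered inside the `auth:api` middleware group; `isFirstTime` is the flag from the post.

```php
<?php

namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;

// Hypothetical controller; its route must sit behind the auth:api middleware.
class PasswordController extends Controller
{
    public function change(Request $request)
    {
        // Reject missing fields, short passwords (12 is an assumed policy),
        // and a "new" password identical to the old one.
        $data = $request->validate([
            'oldPassword' => 'required|string',
            'newPassword' => 'required|string|min:12|different:oldPassword',
        ]);

        // The user resolved from the Passport access token on this request.
        $user = $request->user();

        // Compare against the stored hash directly. Unlike
        // Auth::guard('web')->attempt(), this does not log the user
        // into a web session as a side effect of the check.
        if (! Hash::check($data['oldPassword'], $user->password)) {
            return response()->json(['message' => 'Wrong password information'], 422);
        }

        // Save, revoke and re-issue as one unit, so a failure cannot leave
        // a changed password with the old tokens still valid.
        $token = DB::transaction(function () use ($user, $data) {
            $user->password = Hash::make($data['newPassword']);
            $user->isFirstTime = false; // flag from the post
            $user->save();

            // Revoke every access token the user holds, on all devices.
            $user->tokens()->update(['revoked' => true]);

            return $user->createToken('newToken')->accessToken;
        });

        return response()->json(['token' => $token]);
    }
}
```

Adding Laravel's `throttle` middleware to this route limits how fast the old password can be guessed by someone holding a stolen access token.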

syo replied 1 year ago

That helps me a lot, thanks
