laravel-doctrine / orm

A drop-in Doctrine ORM 2 implementation for Laravel 5+ and Lumen

Home Page:http://laraveldoctrine.org


[BUG] The `Auth\Passwords\DoctrineTokenRepository` creates tokens without hashing

rosamarsky opened this issue · comments

I used the default Illuminate Password Broker before I found this page in your documentation.
After changing PasswordResetServiceProvider in config/app.php I checked the password_resets table and saw unhashed tokens. It looks really unsafe.


Package version 1.4, Laravel version 8.0

I believe that token is generated here

/**
 * Create a new token for the user.
 *
 * @return string
 */
public function createNewToken()
{
    return hash_hmac('sha256', Str::random(40), $this->hashKey);
}

which just results in a different hash/token than Laravel's, which is likely using their built-in Hash facade

Ah, Laravel is building it the same way, but is pushing the token through the hasher before it goes into the database.

https://github.com/laravel/framework/blob/cf00a5621f2eacdb978d3176e6d601193d9dc57d/src/Illuminate/Auth/Passwords/DatabaseTokenRepository.php#L207-L215

https://github.com/laravel/framework/blob/cf00a5621f2eacdb978d3176e6d601193d9dc57d/src/Illuminate/Auth/Passwords/DatabaseTokenRepository.php#L111-L121

Happy to take a PR to fix this, but it might be considered a BC break, since it would invalidate all existing tokens.
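As an added illustration (not code from laravel-doctrine/orm, nor Laravel's own DatabaseTokenRepository), the two behaviours discussed in this thread side by side: a repository that writes the raw token to the table, and one that, like the linked Laravel code, stores only a bcrypt hash and verifies the presented token against it. A plain PHP array stands in for the password_resets table so the script runs without a framework; the class names, the `'app-key'` value and the `bin2hex(random_bytes(20))` stand-in for `Str::random(40)` are assumptions.

```php
<?php
declare(strict_types=1);

// Added example for the laravel-doctrine/orm issue above; not project or framework code.
// An in-memory array models the password_resets table.

/** Raw token, built the same way as the createNewToken() snippet quoted in the issue. */
function createNewToken(string $hashKey): string
{
    // Str::random(40) is replaced by bin2hex(random_bytes(20)) to stay dependency-free (assumption).
    return hash_hmac('sha256', bin2hex(random_bytes(20)), $hashKey);
}

/** Behaviour reported in the issue: the raw token itself is the stored row. */
final class PlainTokenRepository
{
    /** @var array<string, array{token: string, created_at: int}> */
    private $rows = [];
    /** @var string */
    private $hashKey;

    public function __construct(string $hashKey) { $this->hashKey = $hashKey; }

    public function create(string $email): string
    {
        $token = createNewToken($this->hashKey);
        $this->rows[$email] = ['token' => $token, 'created_at' => time()];
        return $token;
    }

    /** Lookup is a direct comparison, so whatever is in the table is directly usable. */
    public function exists(string $email, string $token): bool
    {
        return isset($this->rows[$email]) && hash_equals($this->rows[$email]['token'], $token);
    }

    public function storedToken(string $email): string { return $this->rows[$email]['token']; }
}

/** Behaviour of the linked Laravel code: only a hash of the token reaches the table. */
final class HashedTokenRepository
{
    /** @var array<string, array{token: string, created_at: int}> */
    private $rows = [];
    /** @var string */
    private $hashKey;

    public function __construct(string $hashKey) { $this->hashKey = $hashKey; }

    public function create(string $email): string
    {
        $token = createNewToken($this->hashKey);
        // Laravel uses its Hasher (bcrypt by default); password_hash() is the framework-free equivalent.
        $this->rows[$email] = ['token' => password_hash($token, PASSWORD_BCRYPT), 'created_at' => time()];
        return $token; // the raw token only ever travels in the reset link sent to the user
    }

    /** Verification recomputes the hash, so the stored value alone is not enough to pass. */
    public function exists(string $email, string $token): bool
    {
        return isset($this->rows[$email]) && password_verify($token, $this->rows[$email]['token']);
    }

    public function storedToken(string $email): string { return $this->rows[$email]['token']; }
}

/** Returns the properties a reviewer would check for each repository. */
function compareRepositories(string $email = 'user@example.com'): array
{
    $plain = new PlainTokenRepository('app-key');
    $plainToken = $plain->create($email);

    $hashed = new HashedTokenRepository('app-key');
    $hashedToken = $hashed->create($email);

    return [
        // plain repository: the table row equals the token from the e-mail link
        'plain_row_equals_token'   => $plain->storedToken($email) === $plainToken,
        // hashed repository: the table row differs from the token, yet the real token still verifies
        'hashed_row_equals_token'  => $hashed->storedToken($email) === $hashedToken,
        'hashed_real_token_valid'  => $hashed->exists($email, $hashedToken),
        // and presenting the stored hash itself does not verify
        'hashed_row_value_valid'   => $hashed->exists($email, $hashed->storedToken($email)),
    ];
}

foreach (compareRepositories() as $check => $result) {
    printf("%-26s %s\n", $check, $result ? 'yes' : 'no');
}
```

The `created_at` column is kept in both repositories because Laravel's repository also expires tokens by age; the example leaves that check out to keep the contrast to hashing alone. Note that switching an existing deployment to the hashed form invalidates every token already in the table, which is the BC concern raised above.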