Hash token guard credentials during validation#59586

Closed
Nipun404 wants to merge 1 commit intolaravel:13.xfrom
Nipun404:fix-token-guard-hashed-validation-v2

Conversation

@Nipun404
Contributor

@Nipun404 Nipun404 commented Apr 8, 2026

Problem

TokenGuard::validate does not respect hashed token configuration (hash => true), leading to inconsistent behavior compared to TokenGuard::user.

Currently:

Auth::guard('api')->user(); 
Auth::guard('api')->validate(['api_token' => 'plain-token']);
  • user() → hashes the incoming token before lookup
  • validate() → passes the raw token directly

For applications storing API tokens as SHA-256 hashes, this can cause validate to return false even when the provided plain token is valid.


Solution

This change updates TokenGuard::validate to hash the provided credential when the guard is configured with hash => true, aligning its behavior with TokenGuard::user.


Benefit to Users

  • Ensures consistent behavior between user() and validate()
  • Allows applications using hashed API tokens to validate credentials correctly
  • Improves reliability for apps that avoid storing raw API tokens for security reasons

Backward Compatibility

This change does not introduce breaking behavior:

  • When hash => false (default), behavior remains unchanged
  • The new behavior only applies when hash => true, where hashing is already expected and used in TokenGuard::user

This ensures existing applications relying on raw tokens continue to function as before.


Tests

  • Added unit test to ensure validate hashes credentials when hash => true
  • Added integration test to verify full authentication flow with hashed API tokens

These tests confirm:

  • Plain tokens are correctly validated when stored as hashes
  • Behavior matches TokenGuard::user
  • No regression when hash => false

The integration test ensures the complete authentication pipeline works correctly.

Note: This pull request is a follow-up to a previously closed PR with the same change, updated to include a more detailed explanation and additional test coverage (including an integration test).
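The inconsistency the PR describes, shown as an added, self-contained illustration (this is not the PR's diff and not Laravel's own TokenGuard source). A tiny guard with a `hash` flag keeps `user()` as the reference behaviour and places the pre-fix `validate()` (raw credential passed through) beside the fixed one (credential hashed the same way `user()` hashes it). The class and method names `InMemoryUserProvider`, `DemoTokenGuard`, `validateBefore` and `validateAfter` are assumptions made for this example, and the sample user data is constructed.

```php
<?php
// Added example, not Laravel code. Demonstrates why TokenGuard::validate must
// apply the same hashing rule as TokenGuard::user when 'hash' => true.

final class InMemoryUserProvider
{
    /** @var array<string, array{id:int, name:string}> keyed by the *stored* api_token value */
    private array $users;

    public function __construct(array $users)
    {
        $this->users = $users;
    }

    // Mirrors a provider lookup: match on whatever is stored in the api_token column.
    public function retrieveByCredentials(array $credentials): ?array
    {
        return $this->users[$credentials['api_token']] ?? null;
    }
}

final class DemoTokenGuard
{
    public function __construct(
        private InMemoryUserProvider $provider,
        private bool $hash = false, // assumption: mirrors the guard's 'hash' config option
    ) {}

    // Single place that decides how an incoming plain token is compared to storage.
    private function normalize(string $token): string
    {
        return $this->hash ? hash('sha256', $token) : $token;
    }

    // user(): hashes the incoming token before lookup when hash => true.
    public function user(string $token): ?array
    {
        return $this->provider->retrieveByCredentials(['api_token' => $this->normalize($token)]);
    }

    // Pre-fix validate(): the raw token is passed straight to the provider, so with
    // hash => true it is compared against a sha256 digest and never matches.
    public function validateBefore(array $credentials): bool
    {
        if (!isset($credentials['api_token']) || $credentials['api_token'] === '') {
            return false;
        }
        return $this->provider->retrieveByCredentials(['api_token' => $credentials['api_token']]) !== null;
    }

    // Fixed validate(): applies the same normalize() rule as user().
    public function validateAfter(array $credentials): bool
    {
        if (!isset($credentials['api_token']) || $credentials['api_token'] === '') {
            return false;
        }
        $token = $this->normalize($credentials['api_token']);
        return $this->provider->retrieveByCredentials(['api_token' => $token]) !== null;
    }
}

// Constructed sample data: the application stores only sha256($plain), never the raw token.
$plain = 'plain-token';
$hashedProvider = new InMemoryUserProvider([
    hash('sha256', $plain) => ['id' => 1, 'name' => 'alice'],
]);
$hashedGuard = new DemoTokenGuard($hashedProvider, hash: true);

var_dump($hashedGuard->user($plain) !== null);                  // lookup via user()
var_dump($hashedGuard->validateBefore(['api_token' => $plain])); // pre-fix validate()
var_dump($hashedGuard->validateAfter(['api_token' => $plain]));  // fixed validate()

// hash => false: raw tokens are stored and compared directly; both variants behave the same.
$rawProvider = new InMemoryUserProvider([$plain => ['id' => 2, 'name' => 'bob']]);
$rawGuard = new DemoTokenGuard($rawProvider, hash: false);

var_dump($rawGuard->validateBefore(['api_token' => $plain]));
var_dump($rawGuard->validateAfter(['api_token' => $plain]));
```

Run with `php example.php`. With `hash: true`, `user()` finds the user and the fixed `validateAfter()` agrees with it, while the pre-fix `validateBefore()` rejects the valid plain token because it compares the raw string against the stored digest. With `hash: false`, both variants accept the token, which is the backward-compatibility argument made above: routing both methods through one `normalize()` step is what keeps them consistent under either configuration.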

@Nipun404
Contributor Author

Nipun404 commented Apr 8, 2026

Hey @taylorotwell, could you share the reasoning behind closing this? Would love to understand so I can improve the contribution. Thanks!
