Skip to main content

Password Reset


When building a web application it is good practice to provide a way for your users to reset their passwords, that being because they forgotten their password and need to regain access to their account. Voltis implements this functionality for you so you don’t have to implement this for every project that you do.

Reset Routes

By default you should find Route::addAuthRoutes() inside your web routes file, by calling this method it will include all of the required password reset routes for you.

Reset Controller

All of the reset routes will be directed to either the ForgotPasswordController or ResetPasswordController which are provided with Voltis, they handled all the logic which implements the password reset functionality. You can find them at app\Controllers\Auth. You will notice they use a trait, one called AuthForgotPassword and another AuthResetPassword and this is how they gain their logic to perform the actions needed to reset a user’s password, these traits are part of Voltis.


You have a configuration for password resets inside your auth.php configuration file, located at config\auth.php, by default it is setup to use the users source (your users table in the database), a password reset table called password_resets, a timeout of 20 minutes that is the used for how long a user has to wait before sending another password reset email and lastly, an expiration in minutes for how long a reset link can last for, the default is 1 hour.

Here is what the default configuration looks like:

'resets' => [

'passwords' => [

'users' => [
'source' => 'users',
'table' => 'password_resets',
'timeout' => 20,
'expire' => 60,



Database Considerations

For password resets to work Voltis needs to store a reset token in the database thus, requiring a table called password_resets with the following columns and data types:

  • email varchar(64) -- primary key
  • token varchar(128)
  • created_at datetime

Reset Views

Voltis provides you with a set of views that are used for password verification, these can be found within your app\resources\views\auth directory, specifically forgotPassword.view.html and resetPassword.view.html. You can change them to however you like, they are just a starting point. The user will be presented with the forgotten password view that requires their email to request a reset link and after clicking the reset link, they will be shown the password reset view.

Password Reset Process

It all starts with a user navigating to /password/reset which will display the reset view where they can type their email to request a reset link, the email will be sent and they will receive a link to perform a password reset.

Upon opening this reset link they will be directed to /password/reset/{token} where they will need a valid token to perform a password reset. If the token is valid and not expired they will be able to enter a new password for their account.

After submitting the new password, the token is validated and if correct, the password will be changed, a new hash will be stored in the database and the user will be redirected to the login page where they can login using the new password that they set. Any errors will be displayed on either the forgotten password view or the reset password view.


Pretty much all of the core functionality for password resets is provided to you within the core of Voltis, most of the customisation is done by configuring settings within the auth.php file but you can also change how input data is validated from the ResetPasswordController but a default setup for data validation is provided.