Laravel Automatic Password Hashing
Playing
01. Laravel Automatic Password Hashing

Episodes

0%
Your progress
  • Total: 6m
  • Played: 0m
  • Remaining: 6m
Join or sign in to track your progress

Transcript

00:00
In this snippet, I'm going to talk to you about how you can nicely clean up your code using mutators and we're going to be focusing on the example of automatically hashing users' passwords. So to give you an example of this, I've created two routes, one that would create a user and one that would update a user. These are really, really simple routes and I've just created these as get
00:20
routes because I haven't created out any forms and I'm passing this data through in the query which of course you would not do but again this is just a really simple example. So let's go and look at how we might create a user. I already have my database set up just here and we don't have any users in here just at the moment. Let's go ahead and use our user model,
00:40
use our create method in here and let's pass in an array of data. This is usually what we would do when we have some kind of form to create a user and of course this would come from the request. So I'm going to pull the email from the request, I'm going to pull the name from the request as well and we need to add in a password. So of course we don't want to just grab the plain text
01:04
password from the form that we're submitting. If we did do that and we did run this page, making sure that we pull that user model in, you can see that in the database we end up with a plain text password which of course is not very good. So what we would actually have to do is either use the helper function or the hash make method and let's just pull the namespace in for
01:26
that and of course that would go ahead and now give us the hashed version of the password. So that is how simple it would be to register a user account. But what I want to do is take this and tidy it up as much as possible and I actually want to get this so it's on a single line and I don't have to pass this array of data in. So another way that we could do this if we just comment this out
01:48
would be to create out another user variable. Go ahead and use user create. We could then use the array merge function in php to pass the request data in but using the only method. So we could say well we want to put the email and the name in here and then of course what we can do is merge in another array which would be that hashed password. So let's again use hash make here
02:15
to pass in the password that we want to use from the request. So once we submit that form we get exactly the same result and that's tidied things up just that little bit further where we only have a couple of lines of code. But what we want to get to is something like the following. So let's just get rid of all of this. We want to do something like this. We want to use user create
02:37
and we want to use the request only method which is incredibly helpful and we want to pass the email the name and we also want to pass in the password. So that is what we want to end up with. That is going from what we originally had which was that huge array depending on how much data you're registering to the single line of really simple code and depending on how you're building your
02:59
api out or if you are building an api you could just return this data and that would give you the newly created user. Now we already know that if we go ahead and refresh this and look in the database we get a plain text password. So essentially what we want to do is open up the user model and we want to create a mutator in here for when we actually set the password. So what we
03:19
are going to do is create our a set password attribute function. Now that will give us the data that we're trying to set which will be the actual password itself. Just to demo this out let's kill the page here with a die dump and output the value of the password. So if we come over now and refresh this you can see we get the string password which is the password that we're
03:43
trying to store. So what we want to do is now say this attributes and we want to manually set this password in here but we can do this internally so wherever we now update or create the password from we can hash this internally inside of the class. So that's made things a lot cleaner. Now this method isn't quite done we're going to see an issue with this in just a minute which we'll fix
04:06
up but that should have fixed up our original problem. If I give that a refresh now you'll see that by setting that plain text password that mutator has overtaken the creation of this and it's reassigned that hashed version to them attributes. Okay so let's now look at what happens when we want to update the user's account. So I'm going to go ahead and grab out a user from
04:26
the database so I'm going to use user where email and just pop in my email there so we don't have to do this by id but of course this would probably be the currently signed in user. Let's grab that first user and then let's come down to a new line and update this user with their information. So let's say that you've got a form that allows you to enter an email address, a name and a new
04:48
password if you want to change it. Well in this case we're going to go ahead and grab from the request the email address, the name and the password. So let's make sure that we've got an account created first of all and let's just make a note of this string so we've got iqav let's keep that as a note. Let's go over to update this now the password won't always be required so we might
05:12
not want to update the password but if we do hit this to update that information you'll notice that this string changes. What that's actually done is it's set this password to an empty string which isn't great because that user then probably won't be able to sign in. So what we want to do is over in the user model we only want to set this password attribute if it's actually being provided
05:32
and we can do that really really easily inside of here by trimming down the attribute that we get in just to make sure that it isn't an empty space. Checking that if that's equal to an empty string and then returning if not. So now if we come over to the database and we delete this record we come over and create a new user account using that method and we come over to the database and
05:54
check the hash we've got hjb. Let's come over now and update this but not supply a password. You'll notice that the hash does not change however if we wanted to update our password to a different value in a form we could do and that will then change the hash around for us. So essentially what we've done here is we've allowed us to not have to worry when we're
06:14
updating or creating users at setting the password manually using that hash method. All of that is now handled for us over on the user model and we're also checking if that hasn't been provided and not doing anything if it hasn't. So this is going to massively clean up your code and you can use the same technique if you have any specific implementations you need
06:35
for other models or even your user model and it really really helps to clean things up especially if you're pulling data in from the request where you can just use a convenient only method and that's massively reduced the amount of lines of code we've written and also made it look a lot simpler as well.

Episode summary

In this episode, we dive into how you can automatically hash user passwords in Laravel using mutators, making your code a lot cleaner and safer. We start by looking at the old way—explicitly calling Hash::make or other helpers when creating or updating a user—which, while straightforward, can clutter your code and makes it easy to forget to hash passwords.

You'll see quick examples of creating simple user creation and update routes, then we refactor things step by step. We move from manual array building and merging, to using Laravel’s handy only method for streamlined data handling. Then, the real magic happens: we implement a mutator (a special setter function) on the User model. This ensures any time the password attribute is set, it’s automatically hashed, no matter where it comes from—making it almost impossible to accidentally store plain passwords.

We also cover some edge cases, like making sure empty passwords don’t overwrite existing ones with blanks. This makes your updates much safer and prevents those “oh no, I lost my password” moments for your users.

By the end of the video, you’ll see how much cleaner and DRY this mutation approach makes your code. Plus, this method gives you a blueprint for handling similar situations with other sensitive attributes or models in your Laravel apps.

Episode discussion

No comments, yet. Be the first!