From f0af52c01771cb0749e78d161ae8732ec613451f Mon Sep 17 00:00:00 2001
From: David Bomba
Date: Thu, 4 Sep 2025 11:41:06 +1000
Subject: [PATCH] fixes for double encoding

---
 .../Auth/ResetPasswordController.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/app/Http/Controllers/Auth/ResetPasswordController.php b/app/Http/Controllers/Auth/ResetPasswordController.php
index bb84d17abb..2a42b720a1 100644
--- a/app/Http/Controllers/Auth/ResetPasswordController.php
+++ b/app/Http/Controllers/Auth/ResetPasswordController.php
@@ -84,6 +84,24 @@ class ResetPasswordController extends Controller
      */
     public function reset(Request $request)
     {
+        // Safely decode URL-encoded token and email before validation
+        if ($request->has('token')) {
+            $token = $request->input('token');
+            // Only decode if it contains URL encoding characters
+            if (strpos($token, '%') !== false) {
+                $request->merge(['token' => urldecode($token)]);
+            }
+        }
+
+        if ($request->has('email')) {
+            $email = $request->input('email');
+            // Only decode if it contains URL encoding characters
+            if (strpos($email, '%') !== false) {
+                $request->merge(['email' => urldecode($email)]);
+            }
+
+        }
+
         $request->validate($this->rules(), $this->validationErrorMessages());
 
         // Here we will attempt to reset the user's password. If it is successful we
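Review bot: `strpos($token, '%')` in the new `if ($request->has('token'))` block is reached before validation, so a request whose `token` or `email` parameter arrives as an array instead of a string raises a TypeError and the handler fails with a 500 rather than the validation error `$request->validate()` on the next line would have produced; guard each value with `is_string()` before decoding. `urldecode()` also maps `+` to a space, so a partially encoded address such as `user+tag%40example.com` (constructed example) would be rewritten to `user tag@example.com` before it ever reaches the `email` rule — `rawurldecode()` translates only `%XX` sequences and is the safer choice for undoing one extra layer of encoding. The token and email branches are identical apart from the key, so a single loop over the two names removes the duplication and the stray blank line before the closing brace of the email block. `reset()` continues past the end of the hunk.
```php
    public function reset(Request $request)
    {
        // Undo one extra layer of percent-encoding on reset links that were
        // URL-encoded twice. rawurldecode() leaves '+' untouched, and only
        // string values are decoded so a malformed parameter still hits
        // validation instead of a TypeError.
        foreach (['token', 'email'] as $key) {
            $value = $request->input($key);
            if (is_string($value) && str_contains($value, '%')) {
                $request->merge([$key => rawurldecode($value)]);
            }
        }

        // … unchanged: validation and the password reset itself …
```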