PHP - How to Implement Password Reset and Token Expiry

How to add an expiration time to a reset password link?

Use Event Scheduler. It will disable expired tokens automatically.

CREATE EVENT disable_old_pw_reset_token
ON SCHEDULE EVERY 1 MINUTE
DO
UPDATE var SET token = NULL WHERE token_expire < CURRENT_TIMESTAMP;

I assume that token_expire stores an expiration datetime value.

Having an index on token_expire (as a single column or as a prefix) is reasonable.

Do not forget to enable Event Scheduler.

Password reset token storage - should values be hashed?

Yes, you should hash password reset tokens because

  • reset tokens expire and not every user has an active one
  • users notice when their passwords are changed, but not when their
    passwords are cracked, and can thus take steps to limit the damage
    (change password and other sensitive data, etc).

Additionally, as users reuse passwords, an attacker can try a cracked password on other accounts, such as the user's email, thus increasing the damage.

Key points:

If your token has enough entropy, let's say 20 random characters 0-9 a-z A-Z, then you can calculate an unsalted fast hash (e.g. SHA-256 or SHA-512) and store it. This is safe, because it is not possible to successfully brute-force such strong "passwords". Salting is done because passwords chosen by people are often relatively weak, because they have to be remembered.

If a "password reset token" allows someone to reset a password with other clear text information, then it's effectively the same as a password and should be treated as such.
Make them expire after a few minutes or hours, and treat them like secrets, because they are.

I hope this will help

Password-recovery expire time in PHP

Just save the expiration time with the reset token in the database, and when the time has expired just don't accept the reset token anymore. This is by far the easiest and safest method.

Another way would be creating a reset hash, appending the time, and encrypting that with a secret key. Decrypt and check the timestamp when you check the hash. If the key leaked, however, this method becomes as weak as just putting it in plain text in the URL.
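A combined worked example of the two answers above (hash a high-entropy token, store only the hash plus an expiry, reject the link once expired or already used), written for this page and not taken from any of the posts; the table layout, the 15-minute TTL and the in-memory SQLite stand-in for the real database are assumptions:

```php
<?php
// Added example, not from any of the answers above. Assumes a table
// password_resets(email, token_hash, expires_at); SQLite in memory stands in
// for the real database so the script runs offline.
declare(strict_types=1);

const RESET_TOKEN_TTL = 15 * 60; // seconds (assumed value)

function setupStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE password_resets (email TEXT PRIMARY KEY,
               token_hash TEXT NOT NULL, expires_at INTEGER NOT NULL)');
    return $db;
}

// Issue a token: 32 random bytes (256 bits of entropy), so an unsalted fast
// hash is enough. Only the hash and the expiry reach the database.
function issueResetToken(PDO $db, string $email, int $now): string {
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT OR REPLACE INTO password_resets
                          (email, token_hash, expires_at) VALUES (:email, :hash, :exp)');
    $stmt->execute([':email' => $email,
                    ':hash'  => hash('sha256', $token),
                    ':exp'   => $now + RESET_TOKEN_TTL]);
    return $token; // goes into the e-mailed link; never stored in clear
}

// Verify: constant-time hash comparison, expiry check, then delete the row so
// the same link cannot be used twice.
function consumeResetToken(PDO $db, string $email, string $token, int $now): bool {
    $stmt = $db->prepare('SELECT token_hash, expires_at FROM password_resets WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $valid = hash_equals($row['token_hash'], hash('sha256', $token))
          && (int) $row['expires_at'] > $now;
    if ($valid) {
        $db->prepare('DELETE FROM password_resets WHERE email = :email')->execute([':email' => $email]);
    }
    return $valid;
}

// Constructed usage: first use inside the TTL, a replay of the same token,
// and a fresh token presented after the TTL has elapsed.
$db = setupStore();
$now = time();
$token = issueResetToken($db, 'alice@example.com', $now);
var_dump(consumeResetToken($db, 'alice@example.com', $token, $now + 60));   // first use
var_dump(consumeResetToken($db, 'alice@example.com', $token, $now + 60));   // replay of a consumed token
$token = issueResetToken($db, 'alice@example.com', $now);
var_dump(consumeResetToken($db, 'alice@example.com', $token, $now + RESET_TOKEN_TTL + 1)); // after expiry
```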

Laravel Change Password Reset Token duration for specific tokens

The expiration duration is defined in auth.php. You can simply define another configuration with a different expiration time:

'passwords' => [
    'users' => [
        'provider' => 'users',
        'table' => 'password_resets',
        'expire' => 60,
    ],
    'users_welcome' => [
        'provider' => 'users',
        'table' => 'password_resets',
        'expire' => 120,
    ],
],

And when you're generating the mail you can use that new broker:

\Illuminate\Support\Facades\Password::broker('users_welcome')->sendResetLink($user->email);

To check whether the token is expired, Laravel uses the created_at of the reset and the defined expiration duration:

/**
 * Determine if the token has expired.
 *
 * @param string $createdAt
 * @return bool
 */
protected function tokenExpired($createdAt)
{
    return Carbon::parse($createdAt)->addSeconds($this->expires)->isPast();
}

https://github.com/laravel/framework/blob/5.8/src/Illuminate/Auth/Passwords/DatabaseTokenRepository.php#L139

Laravel 5 How to check password reset token if it has expired or not

Use the created_at to check if a certain duration has passed since the time of insertion. For example, you can do it like so:

$token = DB::table('password_resets')
    ->where('token', '=', $token)
    ->where('created_at', '>', Carbon::now()->subHours(2))
    ->first();

Then check if the token exists.
