{"id":267,"date":"2026-05-23T19:56:48","date_gmt":"2026-05-24T02:56:48","guid":{"rendered":"https:\/\/www.mariatech.com.mx\/blog\/?p=267"},"modified":"2026-05-23T20:07:42","modified_gmt":"2026-05-24T03:07:42","slug":"como-implementar-recuperacion-de-contrasena-para-administradores-y-clientes-en-laravel-13","status":"publish","type":"post","link":"https:\/\/www.mariatech.com.mx\/blog\/laravel-php\/como-implementar-recuperacion-de-contrasena-para-administradores-y-clientes-en-laravel-13\/","title":{"rendered":"C\u00f3mo implementar recuperaci\u00f3n de contrase\u00f1a para administradores y clientes en Laravel 13"},"content":{"rendered":"\n

En proyectos web con \u00e1reas separadas para administradores y clientes, es com\u00fan que ambos tipos de usuarios necesiten iniciar sesi\u00f3n, cerrar sesi\u00f3n y recuperar su contrase\u00f1a. El reto t\u00e9cnico aparece cuando cada tipo de usuario vive en una tabla diferente y debe tener su propio flujo de autenticaci\u00f3n.<\/p>\n\n\n\n

En este art\u00edculo veremos c\u00f3mo estructurar un proceso de recuperaci\u00f3n de contrase\u00f1a en Laravel 13 para dos tipos de usuarios: administradores<\/strong> y clientes<\/strong>. El objetivo es mantener una arquitectura limpia, segura y f\u00e1cil de mantener.<\/p>\n\n\n\n

Contexto del problema<\/h2>\n\n\n\n

Laravel Breeze instala un sistema de autenticaci\u00f3n funcional, pero por defecto est\u00e1 pensado para trabajar principalmente con una sola tabla de usuarios, normalmente users<\/code>.<\/p>\n\n\n\n

Sin embargo, en proyectos m\u00e1s completos podemos necesitar algo como esto:<\/p>\n\n\n\n

    \n
  • Administradores:<\/strong> usuarios internos del sistema, almacenados en la tabla users<\/code>.<\/li>\n\n\n\n
  • Clientes:<\/strong> usuarios externos que acceden al sitio o portal del cliente, almacenados en la tabla customers<\/code>.<\/li>\n<\/ul>\n\n\n\n

    En este escenario no conviene mezclar ambos tipos de usuario en la misma tabla, porque normalmente tienen permisos, vistas, reglas de negocio y flujos diferentes.<\/p>\n\n\n\n

    Estructura recomendada<\/h2>\n\n\n\n
    app\/\n\u251c\u2500\u2500 Http\/\n\u2502   \u251c\u2500\u2500 Controllers\/\n\u2502   \u2502   \u251c\u2500\u2500 Admin\/\n\u2502   \u2502   \u2502   \u2514\u2500\u2500 Auth\/\n\u2502   \u2502   \u2502       \u251c\u2500\u2500 PasswordResetLinkController.php\n\u2502   \u2502   \u2502       \u2514\u2500\u2500 NewPasswordController.php\n\u2502   \u2502   \u2514\u2500\u2500 Customer\/\n\u2502   \u2502       \u2514\u2500\u2500 Auth\/\n\u2502   \u2502           \u251c\u2500\u2500 PasswordResetLinkController.php\n\u2502   \u2502           \u2514\u2500\u2500 NewPasswordController.php\n\nresources\/\n\u251c\u2500\u2500 views\/\n\u2502   \u251c\u2500\u2500 admin\/\n\u2502   \u2502   \u2514\u2500\u2500 auth\/\n\u2502   \u2502       \u251c\u2500\u2500 forgot-password.blade.php\n\u2502   \u2502       \u2514\u2500\u2500 reset-password.blade.php\n\u2502   \u2514\u2500\u2500 customer\/\n\u2502       \u2514\u2500\u2500 auth\/\n\u2502           \u251c\u2500\u2500 forgot-password.blade.php\n\u2502           \u2514\u2500\u2500 reset-password.blade.php\n\nroutes\/\n\u251c\u2500\u2500 admin.php\n\u2514\u2500\u2500 customer.php<\/code><\/pre>\n\n\n\n
    La idea es separar cada flujo para evitar dependencias innecesarias y tener rutas, controladores, vistas y brokers independientes.<\/p>\n\n\n\n
    Configuraci\u00f3n de autenticaci\u00f3n<\/h2>\n\n\n\n
    En config\/auth.php<\/code> podemos definir un guard y un provider para cada tipo de usuario.<\/p>\n\n\n\n
    <?php\n\nuse App\\Models\\User;\nuse App\\Models\\Customer;\n\nreturn [\n\n    'defaults' => [\n        'guard' => 'web',\n        'passwords' => 'users',\n    ],\n\n    'guards' => [\n        'web' => [\n            'driver' => 'session',\n            'provider' => 'users',\n        ],\n\n        'customer' => [\n            'driver' => 'session',\n            'provider' => 'customers',\n        ],\n    ],\n\n    'providers' => [\n        'users' => [\n            'driver' => 'eloquent',\n            'model' => User::class,\n        ],\n\n        'customers' => [\n            'driver' => 'eloquent',\n            'model' => Customer::class,\n        ],\n    ],\n\n    'passwords' => [\n        'users' => [\n            'provider' => 'users',\n            'table' => 'password_reset_tokens',\n            'expire' => 60,\n            'throttle' => 60,\n        ],\n\n        'customers' => [\n            'provider' => 'customers',\n            'table' => 'customer_password_reset_tokens',\n            'expire' => 60,\n            'throttle' => 60,\n        ],\n    ],\n\n];<\/code><\/pre>\n\n\n\n
    El punto clave est\u00e1 en la secci\u00f3n passwords<\/code>. Ah\u00ed definimos dos brokers: users<\/code> para administradores y customers<\/code> para clientes. Cada broker usa su propio provider y su propia tabla de tokens.<\/p>\n\n\n\n
    Migraci\u00f3n para tokens de clientes<\/h2>\n\n\n\n
    Schema::create('customer_password_reset_tokens', function (Blueprint $table) {\n    $table->string('email')->primary();\n    $table->string('token');\n    $table->timestamp('created_at')->nullable();\n});<\/code><\/pre>\n\n\n\n
    Esto permite que el flujo de administradores y clientes quede completamente separado.<\/p>\n\n\n\n
    Rutas para administradores<\/h2>\n\n\n\n
    use App\\Http\\Controllers\\Admin\\Auth\\PasswordResetLinkController;\nuse App\\Http\\Controllers\\Admin\\Auth\\NewPasswordController;\nuse Illuminate\\Support\\Facades\\Route;\n\nRoute::middleware('admin.guest')->group(function () {\n    Route::get('\/forgot-password', [PasswordResetLinkController::class, 'create'])\n        ->name('password.request');\n\n    Route::post('\/forgot-password', [PasswordResetLinkController::class, 'store'])\n        ->name('password.email');\n\n    Route::get('\/reset-password\/{token}', [NewPasswordController::class, 'create'])\n        ->name('password.reset');\n\n    Route::post('\/reset-password', [NewPasswordController::class, 'store'])\n        ->name('password.store');\n});<\/code><\/pre>\n\n\n\n
    Rutas para clientes<\/h2>\n\n\n\n
    use App\\Http\\Controllers\\Customer\\Auth\\PasswordResetLinkController;\nuse App\\Http\\Controllers\\Customer\\Auth\\NewPasswordController;\nuse Illuminate\\Support\\Facades\\Route;\n\nRoute::middleware('customer.guest')->group(function () {\n    Route::get('\/forgot-password', [PasswordResetLinkController::class, 'create'])\n        ->name('password.request');\n\n    Route::post('\/forgot-password', [PasswordResetLinkController::class, 'store'])\n        ->name('password.email');\n\n    Route::get('\/reset-password\/{token}', [NewPasswordController::class, 'create'])\n        ->name('password.reset');\n\n    Route::post('\/reset-password', [NewPasswordController::class, 'store'])\n        ->name('password.store');\n});<\/code><\/pre>\n\n\n\n
    Controlador para enviar el enlace de recuperaci\u00f3n<\/h2>\n\n\n\n
    El controlador encargado de enviar el enlace de recuperaci\u00f3n debe usar el broker correcto.<\/p>\n\n\n\n
    Administrador<\/h3>\n\n\n\n
    namespace App\\Http\\Controllers\\Admin\\Auth;\n\nuse App\\Http\\Controllers\\Controller;\nuse Illuminate\\Http\\Request;\nuse Illuminate\\Support\\Facades\\Password;\nuse Illuminate\\Validation\\ValidationException;\n\nclass PasswordResetLinkController extends Controller\n{\n    public function create()\n    {\n        return view('admin.auth.forgot-password');\n    }\n\n    public function store(Request $request)\n    {\n        $request->validate([\n            'email' => ['required', 'email'],\n        ]);\n\n        $status = Password::broker('users')->sendResetLink(\n            $request->only('email')\n        );\n\n        if ($status === Password::RESET_LINK_SENT) {\n            return back()->with('status', __($status));\n        }\n\n        throw ValidationException::withMessages([\n            'email' => __($status),\n        ]);\n    }\n}<\/code><\/pre>\n\n\n\n
    Cliente<\/h3>\n\n\n\n
    namespace App\\Http\\Controllers\\Customer\\Auth;\n\nuse App\\Http\\Controllers\\Controller;\nuse Illuminate\\Http\\Request;\nuse Illuminate\\Support\\Facades\\Password;\nuse Illuminate\\Validation\\ValidationException;\n\nclass PasswordResetLinkController extends Controller\n{\n    public function create()\n    {\n        return view('customer.auth.forgot-password');\n    }\n\n    public function store(Request $request)\n    {\n        $request->validate([\n            'email' => ['required', 'email'],\n        ]);\n\n        $status = Password::broker('customers')->sendResetLink(\n            $request->only('email')\n        );\n\n        if ($status === Password::RESET_LINK_SENT) {\n            return back()->with('status', __($status));\n        }\n\n        throw ValidationException::withMessages([\n            'email' => __($status),\n        ]);\n    }\n}<\/code><\/pre>\n\n\n\n
    El cambio central es el broker:<\/p>\n\n\n\n
    Password::broker('users')      \/\/ Administradores\nPassword::broker('customers')  \/\/ Clientes<\/code><\/pre>\n\n\n\n
    Controlador para actualizar la contrase\u00f1a<\/h2>\n\n\n\n
    Administrador<\/h3>\n\n\n\n
    namespace App\\Http\\Controllers\\Admin\\Auth;\n\nuse App\\Http\\Controllers\\Controller;\nuse Illuminate\\Auth\\Events\\PasswordReset;\nuse Illuminate\\Http\\Request;\nuse Illuminate\\Support\\Facades\\Hash;\nuse Illuminate\\Support\\Facades\\Password;\nuse Illuminate\\Support\\Str;\nuse Illuminate\\Validation\\Rules;\n\nclass NewPasswordController extends Controller\n{\n    public function create(Request $request)\n    {\n        return view('admin.auth.reset-password', [\n            'request' => $request,\n        ]);\n    }\n\n    public function store(Request $request)\n    {\n        $request->validate([\n            'token' => ['required'],\n            'email' => ['required', 'email'],\n            'password' => ['required', 'confirmed', Rules\\Password::defaults()],\n        ]);\n\n        $status = Password::broker('users')->reset(\n            $request->only('email', 'password', 'password_confirmation', 'token'),\n            function ($user) use ($request) {\n                $user->forceFill([\n                    'password' => Hash::make($request->password),\n                    'remember_token' => Str::random(60),\n                ])->save();\n\n                event(new PasswordReset($user));\n            }\n        );\n\n        return $status === Password::PASSWORD_RESET\n            ? redirect()->route('admin.login')->with('status', __($status))\n            : back()->withInput($request->only('email'))\n                ->withErrors(['email' => __($status)]);\n    }\n}<\/code><\/pre>\n\n\n\n
    Cliente<\/h3>\n\n\n\n
    namespace App\\Http\\Controllers\\Customer\\Auth;\n\nuse App\\Http\\Controllers\\Controller;\nuse Illuminate\\Auth\\Events\\PasswordReset;\nuse Illuminate\\Http\\Request;\nuse Illuminate\\Support\\Facades\\Hash;\nuse Illuminate\\Support\\Facades\\Password;\nuse Illuminate\\Support\\Str;\nuse Illuminate\\Validation\\Rules;\n\nclass NewPasswordController extends Controller\n{\n    public function create(Request $request)\n    {\n        return view('customer.auth.reset-password', [\n            'request' => $request,\n        ]);\n    }\n\n    public function store(Request $request)\n    {\n        $request->validate([\n            'token' => ['required'],\n            'email' => ['required', 'email'],\n            'password' => ['required', 'confirmed', Rules\\Password::defaults()],\n        ]);\n\n        $status = Password::broker('customers')->reset(\n            $request->only('email', 'password', 'password_confirmation', 'token'),\n            function ($customer) use ($request) {\n                $customer->forceFill([\n                    'password' => Hash::make($request->password),\n                    'remember_token' => Str::random(60),\n                ])->save();\n\n                event(new PasswordReset($customer));\n            }\n        );\n\n        return $status === Password::PASSWORD_RESET\n            ? redirect()->route('customer.login')->with('status', __($status))\n            : back()->withInput($request->only('email'))\n                ->withErrors(['email' => __($status)]);\n    }\n}<\/code><\/pre>\n\n\n\n
    Personalizar la URL del correo de recuperaci\u00f3n<\/h2>\n\n\n\n
    Un detalle importante es que Laravel genera el enlace de recuperaci\u00f3n usando una notificaci\u00f3n. Si no personalizamos ese enlace, puede terminar enviando al usuario al flujo equivocado.<\/p>\n\n\n\n
    Para resolverlo, podemos agregar la l\u00f3gica en app\/Providers\/AppServiceProvider.php<\/code>.<\/p>\n\n\n\n
    namespace App\\Providers;\n\nuse App\\Models\\Customer;\nuse App\\Models\\User;\nuse Illuminate\\Auth\\Notifications\\ResetPassword;\nuse Illuminate\\Support\\Facades\\URL;\nuse Illuminate\\Support\\ServiceProvider;\n\nclass AppServiceProvider extends ServiceProvider\n{\n    public function register(): void\n    {\n        \/\/\n    }\n\n    public function boot(): void\n    {\n        ResetPassword::createUrlUsing(function (object $notifiable, string $token): string {\n            if ($notifiable instanceof Customer) {\n                return URL::route('customer.password.reset', [\n                    'token' => $token,\n                    'email' => $notifiable->getEmailForPasswordReset(),\n                ]);\n            }\n\n            if ($notifiable instanceof User) {\n                return URL::route('admin.password.reset', [\n                    'token' => $token,\n                    'email' => $notifiable->getEmailForPasswordReset(),\n                ]);\n            }\n\n            return URL::route('customer.password.reset', [\n                'token' => $token,\n                'email' => $notifiable->getEmailForPasswordReset(),\n            ]);\n        });\n    }\n}<\/code><\/pre>\n\n\n\n
    Con esto, cuando el modelo sea User<\/code>, Laravel enviar\u00e1 al flujo de administrador. Cuando el modelo sea Customer<\/code>, enviar\u00e1 al flujo de cliente.<\/p>\n\n\n\n
    Vistas de recuperaci\u00f3n de contrase\u00f1a<\/h2>\n\n\n\n
    En cada formulario es importante apuntar a la ruta correcta.<\/p>\n\n\n\n
    Formulario para solicitar enlace<\/h3>\n\n\n\n
    Administrador:<\/p>\n\n\n\n
    <form method=\"POST\" action=\"{{ route('admin.password.email') }}\">\n    @csrf\n    <input type=\"email\" name=\"email\" required>\n    <button type=\"submit\">\n        Enviar enlace\n    <\/button>\n<\/form><\/code><\/pre>\n\n\n\n
    Cliente:<\/p>\n\n\n\n
    <form method=\"POST\" action=\"{{ route('customer.password.email') }}\">\n    @csrf\n    <input type=\"email\" name=\"email\" required>\n    <button type=\"submit\">\n        Enviar enlace\n    <\/button>\n<\/form><\/code><\/pre>\n\n\n\n
    Formulario para crear nueva contrase\u00f1a<\/h3>\n\n\n\n
    Administrador:<\/p>\n\n\n\n
    <form method=\"POST\" action=\"{{ route('admin.password.store') }}\">\n    @csrf\n    <input type=\"hidden\" name=\"token\" value=\"{{ $request->route('token') }}\">\n    <input type=\"email\" name=\"email\" value=\"{{ old('email', $request->email) }}\" required>\n    <input type=\"password\" name=\"password\" required>\n    <input type=\"password\" name=\"password_confirmation\" required>\n    <button type=\"submit\">\n        Actualizar contrase\u00f1a\n    <\/button>\n<\/form><\/code><\/pre>\n\n\n\n
    Cliente:<\/p>\n\n\n\n
    <form method=\"POST\" action=\"{{ route('customer.password.store') }}\">\n    @csrf\n    <input type=\"hidden\" name=\"token\" value=\"{{ $request->route('token') }}\">\n    <input type=\"email\" name=\"email\" value=\"{{ old('email', $request->email) }}\" required>\n    <input type=\"password\" name=\"password\" required>\n    <input type=\"password\" name=\"password_confirmation\" required>\n    <button type=\"submit\">\n        Actualizar contrase\u00f1a\n    <\/button>\n<\/form><\/code><\/pre>\n\n\n\n
    Buenas pr\u00e1cticas<\/h2>\n\n\n\n
      \n
    • Usar modelos separados cuando los usuarios internos y externos tienen responsabilidades diferentes.<\/li>\n\n\n\n
    • Separar rutas, vistas y controladores por tipo de usuario.<\/li>\n\n\n\n
    • Usar un broker de contrase\u00f1a diferente para cada tabla.<\/li>\n\n\n\n
    • Personalizar la URL del correo para evitar que el usuario llegue al flujo equivocado.<\/li>\n\n\n\n
    • No depender completamente de la estructura por defecto de Breeze cuando el proyecto requiere m\u00faltiples \u00e1reas de autenticaci\u00f3n.<\/li>\n\n\n\n
    • Mantener nombres claros como Admin<\/code> y Customer<\/code> para facilitar el mantenimiento.<\/li>\n<\/ul>\n\n\n\n
      Conclusi\u00f3n<\/h2>\n\n\n\n
      La recuperaci\u00f3n de contrase\u00f1a para m\u00faltiples tipos de usuarios en Laravel requiere separar correctamente guards, providers, brokers, rutas, controladores y vistas. Aunque Breeze ofrece una buena base inicial, en proyectos con administradores y clientes conviene tomar el control del flujo para evitar cruces entre autenticaciones.<\/p>\n\n\n\n
      La clave est\u00e1 en usar un broker distinto para cada tipo de usuario:<\/p>\n\n\n\n
      Password::broker('users')      \/\/ Administradores\nPassword::broker('customers')  \/\/ Clientes<\/code><\/pre>\n\n\n\n
      Y personalizar el enlace generado por correo desde AppServiceProvider<\/code>, para que cada usuario llegue al formulario correcto.<\/p>\n\n\n\n
      Con esta estructura, el sistema queda m\u00e1s limpio, seguro y preparado para crecer.<\/p>\n\n\n\n
      \u00a1Si te ha servido de algo este art\u00edculo no olvides dejarnos un comentario!<\/p>\n\n\n\n
      <\/p>\n","protected":false},"excerpt":{"rendered":"
      En este art\u00edculo veremos c\u00f3mo estructurar un proceso de recuperaci\u00f3n de contrase\u00f1a en Laravel para dos tipos de usuarios: administradores y clientes.<\/p>\n","protected":false},"author":1,"featured_media":268,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-267","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-laravel-php"],"_links":{"self":[{"href":"https:\/\/www.mariatech.com.mx\/blog\/wp-json\/wp\/v2\/posts\/267","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mariatech.com.mx\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mariatech.com.mx\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mariatech.com.mx\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mariatech.com.mx\/blog\/wp-json\/wp\/v2\/comments?post=267"}],"version-history":[{"count":0,"href":"https:\/\/www.mariatech.com.mx\/blog\/wp-json\/wp\/v2\/posts\/267\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mariatech.com.mx\/blog\/wp-json\/wp\/v2\/media\/268"}],"wp:attachment":[{"href":"https:\/\/www.mariatech.com.mx\/blog\/wp-json\/wp\/v2\/media?parent=267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mariatech.com.mx\/blog\/wp-json\/wp\/v2\/categories?post=267"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mariatech.com.mx\/blog\/wp-json\/wp\/v2\/tags?post=267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}