Reset Password returns invalid URL after clicking the link from the email

Hello, I’m using CakePHP 4 to develop my project. I have deployed my project to a hosting service. After sending an email to the user’s Gmail for resetting the password, I just get redirected to an invalid URL. Here is my code:

// Needed at the top of the controller file:
// use Cake\I18n\FrozenTime;
// use Cake\Mailer\Mailer;

// Forgot Password function
public function forgotPassword()
{
    if ($this->request->is('post')) {
        $user = $this->Users->findByEmail($this->request->getData('email'))->first();

        if ($user) {
            // Generate a unique token
            $token = bin2hex(random_bytes(32));
            $user->password_reset_token = $token;
            $user->password_reset_expires = FrozenTime::now()->addHours(1);

            if ($this->Users->save($user)) {
                // Send the reset email
                $mailer = new Mailer('default');
                $mailer
                    ->setTo($user->email)
                    ->setSubject('Password Reset')
                    ->setViewVars(['token' => $token])
                    ->viewBuilder() // setTemplate() for the email template below also belongs on this builder
                        ->setLayout('default'); // You can specify a layout if needed
                $mailer->deliver();
                // Flash::success() returns nothing, so it is called without echo
                $this->Flash->success('An email with instructions to reset your password has been sent.');
            } else {
                $this->Flash->error('Could not save token.');
            }
        } else {
            $this->Flash->error('No user found with that email address.');
        }
    }
}

    // ...

public function resetPassword($token)
{
    //use for skipping the authorization making anyone view the contents
    $user = $this->Users->findByPasswordResetToken($token)
        ->where(['password_reset_expires >' => FrozenTime::now()])
        ->first();

    if (!$user) {
        $this->Flash->error('Invalid or expired token.');
        return $this->redirect(['action' => 'forgotPassword']);
    }

    if ($this->request->is(['post', 'put'])) {
        $user = $this->Users->patchEntity($user, $this->request->getData(), [
            'fields' => ['password', 'confirm_password'],
        ]);
        // Clear the token and expiration in the same save, so the link cannot be reused
        $user->password_reset_token = null;
        $user->password_reset_expires = null;

        if ($this->Users->save($user)) {
            $this->Flash->success('Your password has been reset.');
            return $this->redirect(['action' => 'login']);
        }
    }
}

email template


You have requested to reset your password.

Click the link below to reset your password:

<?= $this->Html->link('Reset Password', ['controller' => 'Users', 'action' => 'resetPassword', 'token'=>$token], ['_full' => true]) ?>

If you didn't request this, you can safely ignore this email.

'App' => [
    'namespace' => 'App',
    'encoding' => env('APP_ENCODING', 'UTF-8'),
    'defaultLocale' => env('APP_DEFAULT_LOCALE', 'en_US'),
    'defaultTimezone' => env('APP_DEFAULT_TIMEZONE', 'UTC'),
    'base' => false,
    'dir' => 'src',
    'webroot' => 'webroot',
    'wwwRoot' => WWW_ROOT,
    //'baseUrl' => env('SCRIPT_NAME'),
    'fullBaseUrl' => '',
    'imageBaseUrl' => 'img/',
    'cssBaseUrl' => 'css/',
    'jsBaseUrl' => 'js/',
    'paths' => [
        'plugins' => [ROOT . DS . 'plugins' . DS],
        'templates' => [ROOT . DS . 'templates' . DS],
        'locales' => [RESOURCES . 'locales' . DS],
    ],
],

$builder->connect('/forgot-password', ['controller' => 'Users', 'action' => 'forgotPassword'])
    ->setMethods(['GET', 'POST']); // Allow both GET and POST requests for this route
$builder->connect('/reset-password/{token}', ['controller' => 'Users', 'action' => 'resetPassword']);

I would be so glad if someone were able to give me advice on my problem. I haven’t solved this problem for days now and I’m stuck. Thank you to those who can help me solve my problem. Much appreciated.

Here’s the error after clicking the reset

Looks like your fullBaseUrl setting is not being honoured. Is there something in another config file or elsewhere that might be overwriting it? Or maybe you have a custom route definition for the reset password function that’s faulty.

Yes, it seems like the fullBaseUrl is not being honoured. When I copy the reset/token and put it in the I need to log in first, then after that I can access the reset function. After that, when I change the password, it’ll work. Unfortunately I need to manually type it instead of just clicking the link. In the config file I’ve only been using the defaults and just changed app, app_local, and routes. Should I post all the code of my routes here? Thank you for taking the time to look at my post.

Thank you for your advice. I somehow made it work. Thank you so much.
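An added example, not code from the thread or from CakePHP: a framework-independent PHP sketch of the fullBaseUrl point raised in the reply, building the emailed link for the `/reset-password/{token}` route only from a configured absolute base URL, never from a value derived from the request's Host header. `resolveBaseUrl()` and `buildResetUrl()` are hypothetical helpers, `example.com` is a constructed value, and the site is assumed to be served over HTTPS.

```php
<?php
declare(strict_types=1);

// Added example. In CakePHP the same pinning is done by setting App.fullBaseUrl
// to the site's absolute URL; an empty value is filled in from HTTP_HOST.

/** Return the configured base URL, or throw rather than guess one from the request. */
function resolveBaseUrl(string $configured): string
{
    $base = rtrim(trim($configured), '/');
    $parts = parse_url($base);
    if ($base === '' || $parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new RuntimeException('base URL must be absolute, e.g. https://example.com');
    }
    if (strtolower($parts['scheme']) !== 'https') {
        throw new RuntimeException('reset links must use https');
    }
    if (isset($parts['user']) || isset($parts['query']) || isset($parts['fragment'])) {
        throw new RuntimeException('base URL must not carry credentials, query or fragment');
    }
    return $base;
}

/** Build the absolute link for the /reset-password/{token} route shown in the post. */
function buildResetUrl(string $configuredBase, string $token): string
{
    // The post creates tokens with bin2hex(random_bytes(32)): exactly 64 hex characters.
    if (preg_match('/\A[0-9a-f]{64}\z/', $token) !== 1) {
        throw new InvalidArgumentException('unexpected token format');
    }
    return resolveBaseUrl($configuredBase) . '/reset-password/' . $token;
}

// Constructed sample values: one usable base URL and three that must be rejected.
$token = bin2hex(random_bytes(32));
foreach (['https://example.com/', '', '/reset-password', 'http://example.com'] as $base) {
    try {
        echo buildResetUrl($base, $token), PHP_EOL;
    } catch (RuntimeException $e) {
        echo 'rejected "', $base, '": ', $e->getMessage(), PHP_EOL;
    }
}
```

Only the first sample yields a link; the empty and relative values are the cases that would otherwise leave a mail client with nothing absolute to open.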