Password-less Login with Magic Link in Laravel 8
Provide users with a secure URL that automatically logs them in
Last updated
Was this helpful?
Provide users with a secure URL that automatically logs them in
Last updated
Was this helpful?
Was this helpful?
This article follows on from code we built in Password-less Login with Laravel 8. Be sure to read that first as it requires much of what we scaffolded there.
In the AdvisePassPhrase notification we are also going to add back the button that we commented out earlier and attach our secure URL to the button.
use Illuminate\Support\Facades\URL;
//
public function toMail($notifiable)
{
return (new MailMessage)
->line('Here is your login PassPhrase which is valid for the next 15 minutes')
->line($this->passphrase)
->line('Or click the button to access the site (opens in a new window)')
->action('Confirm', URL::temporarySignedRoute(
'login.magiclink',
now()->addMinutes(15),
['user' => $notifiable->id, 'code' => $this->passphrase]
))
->line('Thank you for using our application!');
}Line 11 we create our button labelled 'Confirm' and pass it a temporary signed route.
Line 12 is the named route that we will create in a moment where we check the signed route.
Line 13 we set the expiry time as 15 minutes in the future.
Line 14, we are passing and securing the user ID and the passphrase
php artisan make:controller MagicLinkController
This controller only needs one function. Its responsibility is to check the URL is still secure and has not been tampered with and then clear the session passphrase keys.
use App\Models\User;
use Illuminate\Support\Facades\Auth;
//
public function confirm(Request $request, User $user)
{
if (!$request->hasValidSignature() || Auth::guest()) {
abort(401);
}
if ($request->code != $request->session()->get('passphrase')) {
abort(401);
}
$request->session()->forget('passphrase');
$request->session()->forget('passphrase_expiry');
return app(LoginResponse::class);
}If the signature is valid and the user is still logged in then clear the passphrase from session and perform the default LoginResponse.
If the Link has already been used then show an error.
Route::get('/login/magic/{user}',[MagicLinkController::class,'confirm'])->name('login.magiclink');Make sure the route name starts login. so that it can bypass the protection we placed in our earlier middleware.
When we login and provide the email address, an email is sent containing a secure link. Clicking this link within 15 minutes should remove the passphrase we are using as a guard in middleware.
Any longer than 15 minutes and they will see an error.
If you have any suggestions how this article can be improved, DM the author on Twitter @snapey