Laravel: Log in users with emails
Not as simple as it sounds, but a package can save the day
This is an exciting age for authentication alternatives. Companies are starting to move away from classic passwords and are coming out with more secure, simpler ways to authenticate. One of them seems easy to implement and doesn’t require anything more than an email address: sending a login link through an email.
The principle of email login is quite simple: since the user already has access to his email through a secure device, a login link sent by email sits below the stronger authentication that already protects the mailbox. In other words, it doesn’t create a new authentication barrier the way classic passwords do.
There is a plethora of ways to achieve this in Laravel, but it is not an easy task once you start to think about the complete implementation. That’s why I decided to make my own package that already solves it: Laragear MailLogin.
1-minute setup
Laragear MailLogin works out-of-the-box thanks to its included batteries: controllers, login procedures, a login form, an email view, secure links, and even routes. You can start quickly in just three steps:
1. Register the authentication routes in your web.php file.
2. Install the authentication controllers using the vendor:publish Artisan command.
3. Set the form to send a login email at login/mail/send.
In just three steps the login is ready to work. Once the user requests a login email and clicks the link, he will be greeted by this simple form, which completes the authentication in 5 seconds, or sooner if he presses the button before it turns green.
And that’s it. There is not much to wonder about, let alone setting up everything from the ground up and testing whether it works.
Laragear MailLogin doesn’t impose a way to send the email and log in the user. The quick start is just a suggestion based on how most vanilla Laravel applications work.
You can still go full-manual using the convenient MailLogin facade, override the form and email views with your own, and even change how the whole process is handled with the included configuration file.
Log in users correctly, not accidentally
Let’s say Bob wants to log in using his email. The normal way to think about the process would be to send Bob an email with a link to a given URL. The controller action responsible for that URL should receive the ID of Bob, log him in, and redirect him to the site’s home.
Seems easy, but there is a lot of work to do to complete the whole process.
- How do we ensure the link is not tampered with?
- How about a different authentication guard?
- How to remember the user?
- Should the login link expire after some minutes?
- How to avoid sending multiple emails?
- How to tackle the email client link preload / prefetch?
The latter is what makes implementing the Mail Login more difficult than just slapping a link to an email and calling it a day.
Most email services, like Gmail or Outlook, will scan links for malicious intent, or cache assets (like images) to avoid so-called “pixel tracking”. This StackOverflow thread talks about it in great detail, but in short, you shouldn’t trust an email client to just show an email.
A controller action that immediately logs in Bob is a catastrophe. There is a high chance the user will be logged in before he even opens the mail. We can tackle this with a form that logs in the user only after some interaction, or after a timeout.
That’s one problem that can be solved, but most developers won’t want to fiddle around solving the rest of these problems. That’s why Laragear MailLogin exists.
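To make the list of concerns above concrete, here is an added example of the whole flow written with plain Laravel building blocks. It is not code from the Laragear MailLogin package; it shows the kind of work the package takes off your hands. A temporary signed route covers tampering and expiry, the rate limiter prevents repeated emails, the GET route behind the link only renders a confirmation form (so a mail client that prefetches the link never logs anyone in), and the POST route re-checks the signature before logging in on the requested guard with “remember me”. It assumes an `App\Models\User` model with an `email` column and a Blade view named `auth.mail-login-confirm` that renders the countdown form; both are assumptions, not part of the original post.

```php
<?php
// routes/web.php -- added example, not part of Laragear MailLogin.
// Assumed: App\Models\User (email column) and a Blade view
// 'auth.mail-login-confirm' that shows the confirm button / countdown.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Mail;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\URL;

// Step 1: Bob submits his email address and we send (at most) one link.
Route::post('login/mail/send', function (Request $request) {
    $data  = $request->validate(['email' => ['required', 'email']]);
    $email = strtolower($data['email']);

    // One email per address per 5 minutes. The response is identical whether
    // the address exists or was throttled, so nothing leaks to the caller.
    $key = 'mail-login:' . $email;
    if (! RateLimiter::tooManyAttempts($key, 1)) {
        RateLimiter::hit($key, 300);

        if ($user = User::where('email', $email)->first()) {
            // The signature covers the route, every parameter (id, guard,
            // remember) and the expiry timestamp: change any of them and
            // the 'signed' middleware rejects the link.
            $link = URL::temporarySignedRoute(
                'login.mail.show',
                now()->addMinutes(5),
                ['id' => $user->getKey(), 'guard' => 'web', 'remember' => 1]
            );

            Mail::raw("Open this link to log in: {$link}", function ($message) use ($email) {
                $message->to($email)->subject('Your login link');
            });
        }
    }

    return back()->with('status', 'If that address exists, a login link is on its way.');
})->name('login.mail.send');

// Step 2: the link target. It only renders the confirmation form; a mail
// client that prefetches or scans this URL gets HTML and no session.
Route::get('login/mail/{id}', function (Request $request, int $id) {
    return view('auth.mail-login-confirm', [
        // The form posts back to the same signed URL, query string included.
        'action' => $request->fullUrl(),
    ]);
})->middleware('signed')->name('login.mail.show');

// Step 3: the button (or the countdown) submits the form here. The
// signature is validated again, then the user is logged in on the guard
// that was baked into the link.
Route::post('login/mail/{id}', function (Request $request, int $id) {
    abort_unless($request->hasValidSignature(), 401, 'Invalid or expired login link.');

    $guard    = $request->query('guard', 'web');
    $remember = (bool) $request->query('remember', false);
    $user     = User::findOrFail($id);

    Auth::guard($guard)->login($user, $remember);
    $request->session()->regenerate(); // new session id after login

    return redirect()->intended('/');
})->name('login.mail.login');
```

The important design choice is that the GET and POST handlers share one signed URL but only the POST creates a session: a link scanner can follow the GET as many times as it likes without authenticating Bob, while the expiry and signature still make the POST useless once the five minutes have passed or any parameter has been edited.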