Skip to content

feat: add Magic Login Modes (link or code with multiple formats) #1300

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
datamweb wants to merge 14 commits into
base: develop
Choose a base branch
from
Draft

feat: add Magic Login Modes (link or code with multiple formats) #1300

datamweb wants to merge 14 commits into from

Conversation

@datamweb
Copy link
Collaborator

@datamweb datamweb commented Dec 5, 2025
edited
Loading

Description
This update makes the Magic-Login system configurable without breaking backward compatibility. Now developers can choose between:

  1. A activation link(clickable)
  2. A verification code — in 6-numeric, 6-alpha, 6-alnum or 6-oneof format.

This flexibility lets you adapt authentication to your app’s needs, compliance rules, or user-experience preferences.

For the code-based flow, a new dedicated view is introduced to keep things clean and avoid conflicts with existing or customized views, ensuring backwards compatibility.

close : #1293
see : #1261
Checklist:

  • Securely signed commits
  • Component(s) with PHPDoc blocks, only if necessary or adds value
  • Unit testing, with >80% coverage
  • User guide updated
  • Conforms to style guide

@datamweb datamweb added enhancement New feature or request new feature PRs for new features labels Dec 5, 2025
@datamweb datamweb force-pushed the feat-magic-login-method branch from d64dc48 to b92af36 Compare December 6, 2025 12:29
@datamweb datamweb force-pushed the feat-magic-login-method branch from 750c12c to f2e3ec8 Compare December 6, 2025 13:43
@datamweb datamweb force-pushed the feat-magic-login-method branch from 21e6d75 to 84ab8d9 Compare December 6, 2025 14:03
sanchawebo
sanchawebo reviewed Dec 8, 2025
View reviewed changes
Copy link

@sanchawebo sanchawebo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One minor thing: You have multiple calls to resolveMode() in the loginAction() method, which generates a new token everytime. This could lead to confusion about its usage in the future.
Otherwise looks good to me and would fix my issue #1261

@datamweb
Copy link
Collaborator Author

datamweb commented Dec 8, 2025

@sanchawebo Thank you for your helpful review!

lonnieezell
lonnieezell approved these changes Dec 9, 2025
View reviewed changes
Copy link
Member

@lonnieezell lonnieezell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What a simple, yet powerful solution. I like it. Looks great. Thanks!

michalsn
michalsn reviewed Dec 9, 2025
View reviewed changes
Copy link
Member

@michalsn michalsn left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A 20-character alphanumeric token is safe to use as a standalone login identifier, because it has high entropy. The chance of guessing any user's token, even with many users in the system, is close to zero.

In contrast, a 6-digit or 6-character code is far too weak to use as the only credential that grants access. Even if it expires quickly, it is still unsafe if it is accepted without any additional user identifier. As the number of users grows, the system becomes more vulnerable because many short codes are active at once, which increases the probability that an attacker's random guess will match someones code.

The short lifetime does not fix the fundamental problem: if a code alone identifies and authenticates the user, then anyone who guesses an active code gains access to whichever account it belongs to.

IMO, to use short codes safely, we must ties them to a user identifier (user ID) and protect with rate limiting (Throttler).

@datamweb datamweb marked this pull request as draft December 10, 2025 05:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michalsn michalsn michalsn left review comments

@lonnieezell lonnieezell lonnieezell approved these changes

+1 more reviewer

@sanchawebo sanchawebo sanchawebo approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

enhancement New feature or request new feature PRs for new features

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Dev: Add bot detection for magic links

4 participants

@datamweb @lonnieezell @michalsn @sanchawebo