Passwordless authentication is a method whereby users access an app without entering passwords. It is the most effective way to reduce risky password management practices and prevent credential theft attacks.
Above is an architecture diagram of a passwordless authentication flow.
We will use the Laravel package laravel-passwordless-authentication to implement passwordless authentication by sending a magic link to the user's email address to authenticate them.
Install
Set up a new Laravel application:
```bash
composer create-project laravel/laravel passwordless-app
cd passwordless-app
```
Install Laravel Breeze to scaffold a quick UI:
```bash
composer require laravel/breeze --dev
php artisan breeze:install
php artisan migrate
npm install
npm run dev
```
Install the passwordless package and follow its instructions to set it up:
```bash
composer require norbybaru/passwordless-auth
php artisan vendor:publish --provider="NorbyBaru\Passwordless\PasswordlessServiceProvider" --tag="passwordless-config"
php artisan vendor:publish --provider="NorbyBaru\Passwordless\PasswordlessServiceProvider" --tag="passwordless-migrations"
php artisan migrate
```
1. Mail Driver Setup
Set up the mail driver with mailtrap.io. Copy the values below into your .env file and replace MAIL_USERNAME and MAIL_PASSWORD with your credentials from mailtrap.io.
```env
MAIL_MAILER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=
MAIL_PASSWORD=
MAIL_ENCRYPTION=tls
MAIL_FROM_ADDRESS=support@example.test
MAIL_FROM_NAME="${APP_NAME}"
```
2. User Model Setup
Set up the User model to work with the laravel-passwordless-authentication package by implementing the CanUsePasswordlessAuthenticatable interface and using the PasswordlessAuthenticatable trait on the model.
```php
<?php

namespace App\Models;

use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Sanctum\HasApiTokens;
use NorbyBaru\Passwordless\CanUsePasswordlessAuthenticatable;
use NorbyBaru\Passwordless\Traits\PasswordlessAuthenticatable;

// The interface marks the model as usable for magic-link login;
// the trait supplies the behaviour the package expects.
class User extends Authenticatable implements CanUsePasswordlessAuthenticatable
{
    use HasApiTokens, HasFactory, Notifiable, PasswordlessAuthenticatable;

    // ...
}
```
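3. Login Form
Update the login form to capture only the user's email address, which is the identifier used to send the magic login link.
4. Login Route
Update the login route in routes/auth.php to require an email address and use the laravel-passwordless-authentication package to send the magic link token.
```php
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
// Facade namespace assumed from the package layout; check the package README.
use NorbyBaru\Passwordless\Facades\Passwordless;

Route::post('login', function (Request $request) {
    // Accept only a well-formed email that belongs to an existing user.
    $validated = $request->validate([
        'email' => 'required|email|exists:users|max:255',
    ]);

    // Generate the magic link and email it; returns a status translation key.
    $status = Passwordless::magicLink()->sendLink($validated);

    return redirect()->back()->with([
        'status' => trans($status)
    ]);
});
```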
5. Update Translation
Add a file passwordless.php under the translation directory, lang/en/passwordless.php, with the following values to show the correct message back to the user depending on the response status from sending the magic link.
```php
<?php

return [
    'sent' => 'Login link sent to inbox.',
    'throttled' => 'Login link was already sent. Please check your inbox or try again later.',
    'invalid_token' => 'Invalid link supplied. Please request new one.',
    'invalid_user' => 'Invalid user info supplied.',
    'verified' => 'Login successful.',
];
```
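The `exists:users` rule in step 4, and the distinct `throttled` and `invalid_user` messages in step 5, let a caller tell registered addresses from unregistered ones. The variant below is an added example, not code from the original post or the package: it returns one message for every outcome and rate-limits the endpoint. It assumes `sendLink()` returns a status key for unknown users rather than throwing, and it assumes the facade namespace shown.

```php
<?php
// routes/auth.php -- added example, not the package's or the post's own code.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Route;
// Assumption: facade namespace inferred from the package layout.
use NorbyBaru\Passwordless\Facades\Passwordless;

Route::post('login', function (Request $request) {
    // No "exists:users" rule here: a validation error for unknown
    // addresses would reveal which emails have accounts.
    $validated = $request->validate([
        'email' => 'required|email|max:255',
    ]);

    // Assumption: returns a translation key such as "passwordless.sent",
    // "passwordless.throttled" or "passwordless.invalid_user".
    $status = Passwordless::magicLink()->sendLink($validated);

    // Keep the real outcome server-side for monitoring and alerting,
    // without echoing it to the client.
    Log::info('magic link requested', [
        'status' => $status,
        'ip' => $request->ip(),
    ]);

    // Same message whether the address is registered, unknown or throttled.
    return redirect()->back()->with([
        'status' => 'If an account exists for that address, a login link has been sent.',
    ]);
})->middleware(['guest', 'throttle:5,1']); // Laravel throttle: 5 requests per minute per client
```

Response time can still differ when mail is sent synchronously for existing users; sending it through a queue narrows that gap.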
Final Steps
Start your application and create or seed a few dummy users so you can test the login flow with them.