wefabric / token-login
Laravel package to login users by unique tokens
README
Allows to login an user by an unique token.
Security Concerns: Using tokens for login is a security concern because it’s the equivalent of storing a password in plain text.
Table of Contents
Background
For private and closed applications we created this package to allow users to quickly sign in. For example: We provide updates to users by mail, in this mail we provide a one click login url (with an unique token for each user). The user doesn't have to fill in the login credentials and can quickly see it's private data.
Install
This project uses Laravel 7+ and requires PHP 7.4 as minimum version.
composer require wefabric/token-login
Publish the config and migration:
php artisan vendor:publish --provider='Wefabric\TokenLogin\Providers\ServiceProvider'
Check the configuration (config/token-login.php). By the default the token and expiration will be setup for the default User model. To use it with a custom model change the configuration accordingly. When you are all setup. Run the migration
php artisan migrate
Usage
This package adds commands to manage the tokens. By default configuration the user table will contain two new fields ('login_token' and 'login_token_expires_at').
Concerns
Add the following traits to the user model.
use Wefabric\TokenLogin\Concerns\HasTokenLogin; use Wefabric\TokenLogin\Concerns\HasTraitsWithCasts; class User extends Authenticatable { use HasTokenLogin, HasTraitsWithCasts;
Token creation
After the traits are added, you need to run the following command to generate the tokens and expiration dates.
php artisan token-login:create
Login
When the tokens are created, it is possible to login by the token. The package adds the route /users/token-login by default (to change it, change the 'login_path' variable in the config/token-login.php file). You can do a GET and POST request to login, like the following:
When the token is correct and not expired. The user will be redirected to the default redirect path (see config/token-login.php). You can also specify a redirect as parameter.
https://site.test/users/token-login?token={TOKEN}&redirect=https://site.test/my-redirect
Refresh tokens
The token expires after a certain period. To refresh the tokens, you can use the following command.
php artisan token-login:refresh
This will refresh all expired tokens.
Use this command in your scheduler. For example, let it run every five minutes.
Delete expired tokens
To delete all expired tokens run the following command
php artisan token-login:delete-expired
Delete all tokens
To delete all tokens run the following command
php artisan token-login:delete
Exclude users
To exclude users from the token generation, change the following in the config (config/token-login.php)
'not_allowed' => [ 'key' => 'id', 'items' => [ 1 ] ]
Helper
There is a helper available for using this package.
To check if the token login is enabled:
echo tokenLogin()->enabled();
To retrieve the login url for a specific model:
echo tokenLogin()->loginUrl(User::first(), 'https://site.test/redirect');
Maintainers
Contributing
Feel free to dive in! Open an issue or submit PRs.
Contributors
License
MIT © Wefabric