magic_login_link

Magic Login Link provides a secure, passwordless authentication method for Drupal. It adds a "Login with Magic Link" option to your site, allowing users to receive a one-time, time-sensitive sign-in link via email. This eliminates the "forgotten password" friction and improves user retention by providing a seamless, modern entry point to your website.

Features

This module simplifies the login experience without compromising security. Key features include:

One-Time Use Tokens: Links are automatically invalidated the moment they are successfully used, preventing "replay" attacks.

UUID-Based Security: Unlike traditional methods that expose numeric User IDs (UIDs) in URLs, this module uses obscure UUIDs to prevent user enumeration.

Automatic Expiration: Links are strictly time-limited (defaulting to 15 minutes) to ensure stale links in inboxes cannot be exploited.

Zero-Password Friction: Perfect for sites where users visit infrequently or for communities that want to move toward a passwordless future.

Developer Friendly: Built with Drupal 11 standards and includes a full suite of Kernel tests for reliability.

Post-Installation

Once installed, the module is ready to go with zero configuration required:

Navigate to your site's login page (/user/login).

You will see a new button: "Login with Magic Link".

Users simply enter their email or username and click the button to receive their link.

The email sent uses the site's default mail system. You can customize the email look and feel using standard Drupal mail templates or modules like MailSystem and SwiftMailer/Symfony Mailer.

Additional Requirements

This module is designed to be lightweight and has no additional requirements beyond Drupal Core. It is fully compatible with Drupal 10 and Drupal 11.

Recommended modules/libraries

To enhance the delivery and security of your magic links, we recommend:

Symfony Mailer / Redirect: To ensure your emails are delivered reliably via SMTP or API (SendGrid, Mailgun, etc.).

Flood Control: While this module uses basic throttling, the Flood Control module provides a UI to manage login attempt limits globally.

Similar projects

Passwordless: A similar concept, but Magic Login Link differs by utilizing the State API for token storage and UUIDs for routing, providing a more modern architectural approach for Drupal 10/11.

Email Registration: Often used alongside magic links to allow users to log in exclusively with email addresses rather than usernames.

Supporting this Module

If you find this module helpful, please consider reporting bugs or suggesting features in the issue queue. Community feedback is the best way to support development!

Community Documentation

Detailed technical documentation, including how to extend the token logic or customize the redirect destination, can be found in the README.md file included with the module source code.