This project is not covered by Drupal’s security advisory policy.
Magic Login Link provides an alternative authentication method for Drupal via time-sensitive, one-time sign-in links delivered to a user's email address. It adds a "Login with Magic Link" section to the standard user login form.
Magic Login Link Features:
- Standalone Implementation: The module has zero dependencies and requires no third-party libraries or JavaScript.
- One-Time Use Tokens: Tokens are stored in the State API and invalidated immediately upon a successful login to prevent replay attacks.
- UUID-Based Routing: Uses account UUIDs rather than numeric User IDs (UIDs) in the URL structure to mitigate user enumeration.
- Token Expiration: Links are time-limited (defaulting to 15 minutes) and are automatically ignored by the controller after they expire.
- Built-in Throttling: Includes a MagicLoginThrottler service to limit the frequency of link requests per email address.
- Automated Testing: Contains Kernel tests covering token generation, expiration logic, and access control.
- Core Compatibility: Requires Drupal 10.2+ or Drupal 11.
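The token lifecycle the feature list describes (issue, expire after 15 minutes, invalidate on first successful use), as an added example that is not the module's own code. The class name, the in-memory array standing in for the State API, the hashed storage with constant-time comparison, and the sample UUID are assumptions of this example; request throttling is left out.

```php
<?php
// Added illustration, not Magic Login Link's code. An in-memory array stands
// in for Drupal's State API; every name below is hypothetical.
final class OneTimeLinkStore {
  private array $state = [];

  // Default lifetime of 900 seconds matches the 15 minutes stated above.
  public function __construct(private int $ttl = 900) {}

  // Issue a token for an account UUID. Only its SHA-256 hash is kept, so a
  // leaked store does not yield usable links (a choice made in this example).
  public function issue(string $uuid, int $now): string {
    $token = bin2hex(random_bytes(32));
    $this->state[$uuid] = [
      'hash' => hash('sha256', $token),
      'expires' => $now + $this->ttl,
    ];
    return $token; // would be embedded in the emailed link
  }

  // Returns TRUE at most once per issued token.
  public function redeem(string $uuid, string $token, int $now): bool {
    $entry = $this->state[$uuid] ?? NULL;
    if ($entry === NULL) {
      return FALSE; // nothing issued for this UUID, or token already used
    }
    if ($now > $entry['expires']) {
      unset($this->state[$uuid]); // expired entries are dropped, never honoured
      return FALSE;
    }
    if (!hash_equals($entry['hash'], hash('sha256', $token))) {
      return FALSE; // wrong token, compared in constant time
    }
    unset($this->state[$uuid]); // invalidate before any session is created
    return TRUE;
  }
}

// Constructed sample values.
$uuid = '3f2b8c1e-0000-4000-8000-000000000001';
$store = new OneTimeLinkStore();
$t0 = 1700000000;
$token = $store->issue($uuid, $t0);
var_dump($store->redeem($uuid, 'not-the-token', $t0 + 10)); // wrong token
var_dump($store->redeem($uuid, $token, $t0 + 60));          // first use
var_dump($store->redeem($uuid, $token, $t0 + 61));          // replay of a used token
$late = $store->issue($uuid, $t0);
var_dump($store->redeem($uuid, $late, $t0 + 901));          // past the 15-minute window
```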
Post-Installation
Once installed, the module is ready to go with zero configuration required:
- Navigate to your site's login page (/user/login).
- You will see a new button: "Login with Magic Link".
- Users simply enter their email or username and click the button to receive their link.
The email sent uses the site's default mail system. You can customize the email look and feel using standard Drupal mail templates or modules like MailSystem and SwiftMailer/Symfony Mailer.
Recommended modules/libraries
To enhance the delivery and security of your magic links, we recommend:
- Symfony Mailer / Redirect: To ensure your emails are delivered reliably via SMTP or API (SendGrid, Mailgun, etc.).
- Flood Control: While this module uses basic throttling, the Flood Control module provides a UI to manage login attempt limits globally.
Similar projects
- Magic Link: This module provides similar link-based authentication but requires the HTMX module as a dependency. Magic Login Link is a standalone solution with zero external dependencies and no JavaScript requirement.
- Passwordless: This project replaces the standard Drupal login form entirely with its own interface. Furthermore, it currently lacks a stable release for Drupal 11. Magic Login Link maintains the core login experience by extending the existing form and is built specifically for Drupal 10.2 and 11.
- Simple Login: Like Passwordless, this module focuses on a themed, standalone login page that replaces the default core login form. Magic Login Link is designed for sites that wish to keep the standard /user/login form intact while offering an additional authentication method.
Project information
- Project categories: Developer tools, Security
- Created by sandervancamp on , updated
This project is not covered by the security advisory policy.
Use at your own risk! It may have publicly disclosed vulnerabilities.
