Magic Login Link provides a secure, passwordless authentication method for Drupal. It adds a "Login with Magic Link" option to the site, allowing users to receive a one-time, time-sensitive sign-in link via email. This eliminates "forgotten password" friction and improves user retention by providing a seamless, modern entry point to the website.
How it differs from similar projects:
While other modules like "Passwordless" offer similar functionality, Magic Login Link is built with modern Drupal 10/11 standards in mind. It utilizes the State API for token storage and leverages UUIDs for routing instead of traditional numeric User IDs (UIDs), which prevents user enumeration and provides a more modern, secure architectural approach.
Comments
Comment #2
vishal.kadamComment #3
fpap commented1. FILE: magic_login_link.info.yml
package: Custom
This line is used by custom modules created for specific sites. It is not a package name used for projects hosted on drupal.org.
Comment #4
yusuf_khan commentedThank you for applying!
Please review the following documentation before continuing:
Important notes for the applicant:
To reviewers
Please review:
For new reviewers, also read how this issue queue differs from other project queues.
Comment #5
yusuf_khan commentedThe important notes are the following.
Keep in mind that once the project is opted into security advisory coverage, only Security Team members may change coverage.
Comment #6
yusuf_khan commentedI reviewed the
1.0.xbranch.Main blocker
The module declares Drupal core compatibility with
^10.2 || ^11 || ^12, but the implementation relies on OOP hook attributes:src/Hook/FormHooks.phpsrc/Hook/MailHooks.phpThe OOP hook system using
Drupal\Core\Hook\Attribute\Hookwas introduced in Drupal 11.1.0. For Drupal 10.x / Drupal 11.0 compatibility, the Drupal core change record recommends adding procedural hook shims with#[LegacyHook], or otherwise limiting the supported core version. See Support for object oriented hook implementations using autowired services.As written, on older advertised core versions the login form alter and mail hook may not run, so the module’s main functionality can fail.
Please either:
core_version_requirementand composer constraints to the actually supported Drupal versions, orCoding standards
I ran:
PHPCS reports the following errors/warnings:
Additional coding-standard/documentation cleanup:
magic_login_link.info.yml:package: Customshould be changed to an appropriate contrib package.README.mdsays the expiration period is configurable, but the code hardcodes900seconds.README.mdsays expiration can be altered by decoratingMagicLoginThrottler, but expiration is implemented in the controller, not that service.web/modules/custom/magic_login_link; for this project it should use the contrib path.I also attempted to run the kernel tests locally, but the local environment does not define
SIMPLETEST_DB, so PHPUnit could not run here. Please enable GitLab CI and ensure the test suite passes there.