There’s often a need to give users a one-time-use ‘magic’ URL to log in to an application without a password.
URLs like this could be added to invitation emails for new users so they can get started straight away.
The bundle includes a SingleUseAuthenticator, with the service name perform_user.auth.single_use, to add to your firewall configuration.
Here’s an example for a firewall also using form logins:
```yaml
firewalls:
    main:
        pattern: ^/
        # add the single-use authenticator to the existing firewall
        simple_preauth:
            authenticator: perform_user.auth.single_use
        form_login:
            login_path: perform_user_login
            check_path: perform_user_login
            csrf_token_generator: security.csrf.token_manager
        logout:
            path: perform_user_logout
            target: /
        anonymous: true
```
Users will now be able to log in with a signed URL. To create one, call the generateUrl() method of the authenticator, passing in the user and the destination URL.
You can then use this URL in welcome emails, administration areas, or wherever else you require it.
```php
<?php

use Symfony\Component\Routing\Generator\UrlGeneratorInterface;

/* @var UrlGeneratorInterface $urlGenerator */
// Generate an absolute URL (scheme and hostname included) for the destination route.
$targetUrl = $urlGenerator->generate('app_index', [], UrlGeneratorInterface::ABSOLUTE_URL);
// https://example.com/

/* @var Perform\UserBundle\Entity\User $user */
/* @var Perform\UserBundle\Security\SingleUseAuthenticator $auth */
// Sign the destination URL for this user; the result can be sent in an email.
$signedUrl = $auth->generateUrl($user, $targetUrl);
// https://example.com/?_a=0000&_t=0000&_hash=0000
```
You’ll likely want to use the router to generate the target URL, making sure the hostname is included, not just the path.
Make sure the passwordExpiresAt property of the user is in the past.
See Resetting passwords.
You may wonder why there are two URL-based mechanisms to gain access to an account without the password: reset tokens and one-time logins. However, they both have distinct uses that necessitate that both exist:
Both reset tokens and one-time logins use the UriSigner service to sign the generated URLs. This means that if the framework.secret configuration value changes, all URLs will be invalidated.
Read more about the implications of changing the secret here.
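As an added illustration (not the bundle's or Symfony's own code), here is a Python model of the scheme described above: a UriSigner-style HMAC over the absolute URL under the framework secret, plus the server-side bookkeeping that makes a link single-use. The meaning of the `_a`/`_t` parameters, the hex-encoded HMAC and the in-memory `used` set are assumptions; the point is that any change to the host, path, query or secret invalidates the link, and that the signature alone does not stop a link being replayed.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed stand-in for framework.secret; rotating it invalidates every URL.
SECRET = "constructed-framework-secret"


def _canonical(url: str) -> str:
    """Rebuild the URL without _hash and with the remaining query parameters
    sorted, so parameter order cannot affect the signature."""
    parts = urlsplit(url)
    params = sorted(
        (k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "_hash"
    )
    return urlunsplit(parts._replace(query=urlencode(params)))


def sign_url(url: str, secret: str) -> str:
    """Append _hash, an HMAC-SHA256 over the whole canonical URL (scheme, host,
    path and query), so changing any part of it invalidates the link."""
    canon = _canonical(url)
    mac = hmac.new(secret.encode(), canon.encode(), hashlib.sha256).hexdigest()
    parts = urlsplit(canon)
    query = f"{parts.query}&_hash={mac}" if parts.query else f"_hash={mac}"
    return urlunsplit(parts._replace(query=query))


def check_url(url: str, secret: str) -> bool:
    """Recompute the HMAC for the presented URL and compare in constant time."""
    given = dict(parse_qsl(urlsplit(url).query)).get("_hash", "")
    expected = hmac.new(secret.encode(), _canonical(url).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(given, expected)


def consume_login_url(url: str, secret: str, used: set) -> bool:
    """Single-use check: a correctly signed link is accepted only the first time.
    `used` stands in for persistent server-side storage of consumed links."""
    if not check_url(url, secret):
        return False
    token = dict(parse_qsl(urlsplit(url).query))["_hash"]
    if token in used:
        return False
    used.add(token)
    return True
```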