How to Make a Passwordless Login System In Laravel

Laracasts

8 months ago

9,736 views


Comments:

@iWhacko - 01.12.2023 14:56

My god this is such bad practice. Let me explain in a couple steps:
1. email is NOT a secure channel.
2. your link might be secure, but you're sending it over an INSECURE channel.
3. You basically allow anyone who knows the email to log in without knowing the password, >>>
4. if the email is compromised.
5. you removed the "something you know part" from security principles.
6. why is everyone going to 2fa?
7. to ADD another step: "Something you have".
8. convenience over security is ALWAYS bad.
9. giving a hint, that the email is not found?? BAD gives attackers info to retry with another email.

@christogonusobasi7882 - 22.11.2023 14:16

I like the fact that you show how you debug in real life. It gives me confidence that I am not a dull lad.

When I watch error-free screencasts, I feel like there is a stage in programming when you are not supposed to ever have an error in your code!

Meanwhile, I got Laracast's lifetime account so that I can just copy and use straight out of the box. If you have done it, why should I repeat 🤭🤭

@borakayalar - 11.11.2023 22:48

This approach can be used for admins, sometimes admin wants to see user screen so if it is implemented for only admin users then admin can check the user screen. And Admin does need to know user's password. It is very useful for me. It is exactly what I want. Many thanks.

@codesmiles_ - 03.11.2023 08:40

I'll get to know this stuff soon

@codesmiles_ - 03.11.2023 08:39

Lol Laravel looks tedious with all the errors encountered even if you know what's up 🥲🥲

@nazrinputra - 27.10.2023 08:37

I will use this for board of directors approval email. They won’t need to login or access the system to give a quick approval.

@nelsonmelecio - 26.10.2023 06:43

I also do ray() most in my development and ray does encode html entities in the URL most of the time.

@andresgutgon - 25.10.2023 20:41

So easy. I'm in love with Laravel

@devKazuto - 25.10.2023 16:38

If a page or application forces me to go to my inbox and therefore do an extra step that would otherwise be unnecessary, it's a no from me. I'd rather have my browser autofill the input than have to open my inbox, click on the link and close the old browser tab. Just like I hate it when pages or applications have the login inputs on different pages or the password input is revealed after submitting the email/username, thus having an extra click.

@enrica6616 - 25.10.2023 11:37

Thank you for this great explanation. Passwordless would be better with passkey or FIDO2. Is it possible to extend your example app with passkeys?

@arif-khan - 25.10.2023 07:52

A question:

When you hit the URL with user id 2, Laravel is throwing "404 | Not Found", probably because the user does not exist in the database.
I may be wrong, but it should throw "403 | Invalid Url" or "403 | Invalid Signature" whatever it is.
I guess Laravel is allowing the URL to hit the method "loginWithToken" with user ID 2. Please correct me if I am wrong.

Always enjoy Laracasts' Video. Keep Posting.

@DeveloperChris - 25.10.2023 01:05

While simple security like this may seem a positive step and make life easier for your users, it's not. What if the user no longer has access to the email address? How do they log in to change it? This system can also be used in a password reset attack if the implementation isn't protected against it. Some email systems can take quite a while before the email is delivered. For example, my ISP delays emails by up to 10 min, which means I have to wait 10 minutes before I can log in.

@spicynoodle7419 - 25.10.2023 00:09

I use this for "Shit I forgot my password"

@kingsley.uchenna - 24.10.2023 23:12

Thank you. I have used signedTemporaryRoute added to my knowledge.

@WhatsMyGame-hc3pr - 24.10.2023 21:57

Great teaching as always. One quick note: I would also give positive feedback to the user in case the provided e-mail address is not in the database. This prevents guessing website users.

@kizoru8493 - 24.10.2023 21:51

What PhpStorm theme do you use?

@wakcodes - 24.10.2023 21:20

Your videos are awesome; however, I really like the way you set up your editor. Can you please share how I can set up mine like yours?

@vinit095 - 24.10.2023 21:04

At least you are also a victim of random problems occurring when making a video and debugging on point. Not like other people who are just doing copy paste from their 2nd screen 😅. ❤

@bulent2435 - 24.10.2023 20:45

perfect.

@jontyrodrigues - 24.10.2023 20:28

When you changed the user id to 2 it showed as 404 not found, shouldn't any change in the signed URL give a 403 status code? Because it looks like the validation is passing and because there is no user it gives a 404 which will be concerning, if the middleware was working then it should not give a 404. I don't know if I am correct. I'll check

@aogunnaike - 24.10.2023 19:45

Thanks for this 🙏
