Creating a password-less, Medium-style, email-only authentication system in Laravel

Recently I was working on a project where one of our major pain points was users’ passwords. Users were added to the application by administrators, so they didn’t have passwords when they were first added, and forcing them to set and remember passwords was a big hitch on the project’s usability.

So, we decided to try out a Medium/Slack-inspired password-less login. If you’ve never had the chance to work with this, the login system works like this: enter your email address on the login page, get emailed a login link, click the link, and now you’re logged in. Access to your email address proves your identity without the need for a password.
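The flow above depends on the emailed link carrying a secret that is hard to guess, short-lived and usable once. As an added example (not code from the original post), this framework-free PHP sketch issues such a token, keeps only its hash, and redeems it at most once. The class name LoginLinkStore, the 15-minute lifetime and the in-memory array standing in for a database table are assumptions for illustration.

```php
<?php
// Added example: framework-free sketch of the token behind an emailed login link.
// LoginLinkStore, its methods and TTL_SECONDS are hypothetical, not from the article.
final class LoginLinkStore
{
    private const TTL_SECONDS = 900; // assumed 15-minute lifetime
    private array $pending = [];     // email => ['hash' => ..., 'expires' => ...]

    /** Create the token for the emailed link; only its hash is kept server-side. */
    public function issue(string $email, ?int $now = null): string
    {
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $this->pending[strtolower($email)] = [
            'hash'    => hash('sha256', $token),
            'expires' => ($now ?? time()) + self::TTL_SECONDS,
        ];
        return $token; // goes into the emailed URL only
    }

    /** Redeem a clicked link: succeeds at most once, and only before expiry. */
    public function redeem(string $email, string $token, ?int $now = null): bool
    {
        $key = strtolower($email);
        $row = $this->pending[$key] ?? null;
        if ($row === null) {
            return false;
        }
        // hash_equals compares in constant time
        $valid = hash_equals($row['hash'], hash('sha256', $token))
            && ($now ?? time()) <= $row['expires'];
        if ($valid) {
            unset($this->pending[$key]); // single use: burn on success
        }
        return $valid;
    }
}

// Constructed sample run with a fixed clock.
$store = new LoginLinkStore();
$t0    = 1700000000;
$token = $store->issue('user@example.com', $t0);
var_dump($store->redeem('user@example.com', 'wrong-token', $t0 + 10)); // wrong token
var_dump($store->redeem('user@example.com', $token, $t0 + 10));        // valid click
var_dump($store->redeem('user@example.com', $token, $t0 + 20));        // replayed link
$late = $store->issue('user@example.com', $t0);
var_dump($store->redeem('user@example.com', $late, $t0 + 901));        // clicked after expiry
```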

Let’s build one together.

New app and make:auth

First we create our Laravel app and scaffold the authentication system:

    laravel new medium-login
    cd medium-login
    php artisan make:auth

We now have a series of new authentication-related files, including the login and registration pages. Let’s start by tweaking those files.

Modify the login and registration pages

The login and registration pages are pretty good, but we need to drop the password fields from each.

Open up the login page at resources/views/auth/login.blade.php and delete the entire password form group (label, input, and wrapping <div>). Save and close.

Open up the registration page at resources/views/auth/register.blade.php and delete the password and password-reset form groups there too. Save and close.

Later you’ll probably want to give some instructions on both pages describing how our authentication will work, and drop the links to password resets, but for right now this should be good enough.

Modify the registration routes

Now, we need to update the route that the login and registration forms are pointing to. Let’s head over to the AuthController and see what we have.

First, we’ll notice the validator method, which returns a validator that expects a password field. This is the validator for the account registration process, so let’s get rid of the password there.

The function should end up looking like this:

    // app/Http/Controllers/Auth/AuthController.php
    protected function validator(array $data)
    {
        return Validator::make($data, [
            'name' => 'required|max:255',
            'email' => 'required|email|max:255|unique:users',
        ]);
    }

And we’ll do the same thing for the create method, which is also used for registration (app/Http/Controllers/Auth/AuthController.php):

    protected function create(array $data)
    {
        return User::create([
            'name' => $data['name'],
            'email' => $data['email'],
        ]);
    }

Override the login route

Originally published at
