The plg_system_magiclogin plugin is a utility designed to simplify the authentication process in Joomla 4/5 by providing a "Magic Link" or "Auto-Login" mechanism. This is particularly useful for development, testing environments, or specific automated workflows where you want to bypass the standard username/password form.


What this Plugin Does

The primary function of this plugin is to detect a specific token or parameter in the URL and automatically authenticate a user based on that information.

  1. URL Interception: It listens to every page request via the onAfterInitialise or onAfterRoute system events.

  2. Token Validation: It checks if a predefined "Magic Key" exists in the query string (e.g., index.php?magic=your_secret_token).

  3. User Mapping: If the token is valid, it identifies which user account it should log in (often hardcoded in the plugin parameters or mapped to a specific User ID).

  4. Session Creation: It programmatically logs the user into the Joomla CMS, creating a valid session without requiring a password entry.

(Note: This is not OAuth, but the internal redirection and token-to-session flow follows a similar pattern: a token is exchanged for a session.)


How to Use the Plugin

1. Installation

  • Zip the src/plugins/system/magiclogin folder.

  • Install it via System > Manage > Extensions.

  • Important: Go to System > Manage > Plugins and enable "System - Magic Login".

2. Configuration

Open the plugin settings to define the "Secret" and the "Target User":

  • Magic Parameter: Define the URL key (e.g., login_token).

  • Secret Key: A long, complex string that acts as the password.

  • User ID: The ID of the Joomla user you want to log in as (e.g., 42 for the Super Admin).

3. The Login Action

Once configured, you can log in by simply visiting a URL like this: https://your-joomla-site.com/administrator/index.php?login_token=your_secret_key

The plugin will:

  1. See the login_token.

  2. Match it against the "Secret Key" in the settings.

  3. Instantly log you into the backend (or frontend) as the assigned User ID.


Use Cases

  • Cypress Testing: This is much faster than using cy.type() on the login form. You can simply cy.visit('/?magic=123') to be logged in instantly.

  • Development Access: Quick access to the backend without re-typing credentials during long coding sessions.

  • Email Links: Sending a "One-Click Login" link to a user (though this requires high security precautions).


⚠️ Critical Security Warning

Because this plugin allows access without a password, it is a high security risk if used incorrectly. The secret travels in the URL, so it also ends up in web server access logs and browser history.

  • Never use this on a production site unless the token is one-time-use and highly encrypted.

  • Limit by IP: If possible, modify the plugin code to only allow specific IP addresses.

  • Development Only: It is best practice to only keep this enabled in localhost or staging environments.
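
One way to apply the "Limit by IP" and "Development Only" advice above before any session is created. This is an added example, not the plugin's own code: the function name, the allowed-IP list and the environment setting are assumptions, and one-time-use tokens (which need server-side state) are not covered.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical guard (added example, not the plugin's code): decide whether a
 * magic-login request may proceed before any session is created.
 */
function magicLoginAllowed(
    ?string $presented,   // value of the magic parameter from the query string
    string $secret,       // "Secret Key" from the plugin settings
    string $remoteIp,     // client address as seen by the web server
    array $allowedIps,    // assumed extra setting: exact addresses allowed to use the link
    string $environment   // assumed extra setting: 'development', 'staging', 'production'
): bool {
    // Development only: refuse everywhere except local and staging installs.
    if (!in_array($environment, ['development', 'staging'], true)) {
        return false;
    }
    // A missing parameter or a short/blank secret must never authenticate anyone.
    if ($presented === null || $presented === '' || strlen($secret) < 32) {
        return false;
    }
    // Limit by IP: compare packed binary forms so "::1" equals "0:0:0:0:0:0:0:1".
    if (filter_var($remoteIp, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $client = inet_pton($remoteIp);
    $ipAllowed = false;
    foreach ($allowedIps as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false && inet_pton($ip) === $client) {
            $ipAllowed = true;
            break;
        }
    }
    if (!$ipAllowed) {
        return false;
    }
    // Constant-time comparison, so response timing does not reveal matching prefixes.
    return hash_equals($secret, $presented);
}

// Constructed sample values, not real settings.
$secret  = bin2hex(random_bytes(32));   // 64 hex characters
$allowed = ['127.0.0.1', '::1'];
var_dump(magicLoginAllowed($secret, $secret, '127.0.0.1', $allowed, 'development'));
var_dump(magicLoginAllowed($secret, $secret, '0:0:0:0:0:0:0:1', $allowed, 'staging'));
var_dump(magicLoginAllowed($secret, $secret, '203.0.113.7', $allowed, 'development'));
var_dump(magicLoginAllowed('guess', $secret, '127.0.0.1', $allowed, 'development'));
var_dump(magicLoginAllowed($secret, $secret, '127.0.0.1', $allowed, 'production'));
```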