Access restriction with password only, instead of email & password? (not recommended)

Areas on a subpage should be protected with a password only. User registration is not required. For this I created a user (client), which should be used for the login.

As a basis I have successfully implemented this cookbook:

However, an e-mail address is provided for the login. Can I do without the e-mail when logging in, or replace it with a key word?

(I have only found posts here that talk about logging in with key word instead of email, but a user login is also provided. This does not apply to my case.)

Instead of putting an email input into the login page, you can hardcode the email in your controller.

Do you mean this line in the controller?
$kirby->auth()->login(get('email'), get('password'));
Unfortunately, I am not familiar with auth(). Without background knowledge of how it works, I have a hard time making changes here.
Is it also possible to protect the content of the page with a password only? That would also be easier for the visitor, instead of logging in with ID and password. It is not sensitive data, so a simple protection is quite enough.

get('email') gets the email from the email input field in the login page. Replace with a hard-coded email address if you don’t want the user to fill in an email field (and remove the email input).

There are several form-related cookbook recipes you might want to check out to get a better understanding of how forms work: Forms | Kirby CMS

A user needs to log in with email and password (or code). Of course, instead of using a Kirby user, you can protect content in other ways, but then you have to write the code for that from scratch.

1 Like

Thanks for your quick reply. :ok_hand:
The solution with a hard-coded email seems the best way to use Kirby’s features instead of implementing an external solution.
Most likely, the email should also be hard-coded in the controller so that it is not visible in the source code. This is currently the case for me. However, how I accomplish this in the controller is unknown to me.

That is what I said when I wrote “replace get('email') in the controller with a hard-coded email address” (i.e. the email of the user you want to use for login).

1 Like

Some solutions are too simple in retrospect.
It takes a few detours until I understand it.
This is how it works, as you requested:

$kirby->auth()->login('john@doe.com', get('password'));

I hope this is also the - safe - way you suggested.
With this, the password can be changed as needed by the customer in the panel. Perfect!
Thanks for your patience and help.

Another question arises concerning the user blueprint. The password can be changed - somewhat hidden - under “Settings”. Can this field also be integrated - immediately visible - in the Blueprint? This way, the customer does not have to search when the password needs to be changed.

No, because the password is not and may not be saved as plain text, but encoded.

Sorry if I did not express myself clearly enough.
I don’t mean the password display, but the field to change.
I would like to display this directly in the blueprint instead of opening it in a modal.

I did understand you, but again, you cannot have the password field as part of the content and that would happen if you had the field in the blueprint.

It is on purpose that the password is stored in a separate file.

It would be one less click for the customer instead of doing this in the settings. I can already hear the phone ringing, “Where can I find the function…?”.
But I am now very happy that the login works without entering the e-mail and you showed me the right way. Thanks for that.

I should probably add that taking away the email component from the login is not recommended.

An attacker now only has to guess the password, instead of a combination of email and password. This gets worse in combination with a weak password a user might use for more comfort. And even more so if the user used for this purpose also has Panel access.

So be very careful with this approach. There is a reason why logins require email/username and password. And why such “uncomfortable” additional security features like 2FA exist.

1 Like

Thank you for your additional advice.
I hope I have taken everything into account and there is no gap.
Here are the relevant areas:

Login form:

<input class="d-none" type="email" id="email" name="email" value="<?= get('email') ? esc(get('email'), 'attr') : '' ?>">
<input type="password" id="password" name="password" placeholder="<?= $page->password()->html() ?>" value="<?= get('password') ? esc(get('password'), 'attr') : '' ?>">

Controller:

$kirby->auth()->login('john@doe.com', get('password'));

The login works as expected and I am satisfied with the solution.
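As an added example (not code from this thread and not Kirby's own code), here is what a complete controller for this setup can look like when it also handles the exception Kirby throws on a failed login. The template name `protected`, the email `john@doe.com` and the `password` field name are placeholders carried over from the thread; everything else is an assumption about a standard Kirby install.

```php
<?php
// Added example, not code from the thread or from Kirby itself.
// File: site/controllers/protected.php (assumed template name "protected").
// Assumes a Kirby 3/4 install, a Panel user whose email is the placeholder
// 'john@doe.com' from the thread, and a form that POSTs a 'password' field.

return function ($kirby, $page) {
    $error = null;

    // Already logged in: nothing to do, the template can show the content.
    if ($kirby->user()) {
        return ['error' => $error];
    }

    if ($kirby->request()->is('POST') && get('password') !== null) {
        try {
            // The email is fixed here, so the form only needs the password field.
            // The account used should have no Panel permissions beyond what this page needs.
            $kirby->auth()->login('john@doe.com', get('password'));

            // Redirect after a successful POST so a reload does not resubmit the form.
            go($page->url());
        } catch (Throwable $e) {
            // Kirby throws on a wrong password and also when the client is locked out
            // after too many attempts (config options auth.trials / auth.timeout).
            // One generic message for both cases, so nothing about the account leaks.
            $error = 'Login failed';
        }
    }

    return ['error' => $error];
};
```

Because the controller never reads `get('email')`, the hidden email input shown in the login form above can be removed entirely rather than kept with `d-none`. The template only needs to print `$error` next to the password field and, once `$kirby->user()` is set, the protected content. Kirby's built-in attempt limit (`auth.trials` / `auth.timeout` in `site/config/config.php`) applies to this `login()` call as well, which is the main thing standing between a password-only form and a guessing attack; giving the login account a role with no Panel access keeps a guessed password from reaching anything beyond this page.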

I think you did not quite understand what I wrote about security above. Adding back the email input does nothing to improve the situation. The user or attacker still has to only guess the password when the email is already set, so this whole setup with only requiring a password is not a good idea.

I just wanted to point this out for anyone coming across this post, in case they don’t know what they are doing.

The concerns about safety are justified and understandable. However, for my case, the solution is optimal: if the password is guessed, no critical information is revealed.
For other use cases, logging in with email and password is of course a priority.