I’m looking to give each user account a protected landing page with personalized content (only viewable to this specific account). In terms of a friction-less experience a login with code would be ideal.
…the cherry on top (which I am looking for) would be if the url could be shared within an organization, so that it is valid with any address as long as the specified domain matches. I’ve seen this with slack or miro in conjunction with team invites where the measure is if the one trying to login has access to a dedicated domain.
Is this possible with the current release of kirby?
Yes, I understand that, but since for all the methods in the guide the user email seems to be required, I don’t think different email addresses will work.
Thank you very much for your answer @lukasbestle. In fact, they do not need panel access — not at all. Could you maybe outline the “that could be done part”?
And if you would do your own frontend login you even don’t need the hook, you just can create the user and login the user yourself. $user->login($password) or with passwordless login.
Ofcourse this entire setup is super vulnerable because of the lack of email validation. You can setup your own logic for that or “abuse” the reset password functionality. (create user on the fly if business rule validates and trigger the reset the password so user can reset password and login afterwards)
Or use the code validation so they will receive a mail with the code to login.
Just thinking out loud here obviously Haven’t done any of those things yet
Wow @samzzi! Thanks for your input and inspiration That definitely gives me some ideas. Authentication via code is my currently preferred as I find it most elegant. As I’m just getting started with this kirby site I’ll have to look up a few things and keep thinking a bit more.
The route that Sam has explained above is what I had in mind as well. In your login controller you could do something like this:
If there is already a user with the entered email address, create an authentication challenge directly.
Otherwise, check that the domain of the email address matches the allowed domain.
If it does, create a user with $kirby->users()->create() (you don’t need to pass most of the options) and then immediately create an authentication challenge for them.
Just wanted to give a short update that I was able to implement the idea successfully, so that now anyone with the same domain can login via code if the domain is known (meaning, at least one registered user with that domain exists).
Obviously, non unique domains such as “gmail” are a problem to think of. I went the easy/practical solution and kindly ask them to request access via contact, if the mail address is not known (if they are, they just proceed to the code). For my setup it’s an edge case but I thought it would be nice to have it anyway due to being more versatile.
In addition to your ideas @samzzi & @lukasbestle the thread below and the working case within from Anthony1 where a huge help.
Haven’t done any of those things yet 
