Creating One-Time Login Links in Drupal 9 Programmatically

In Drupal 9, generating one-time login links programmatically is a common requirement for various use cases, such as sending users unique links for password reset or account verification. In this blog post, we will explore three methods for creating one-time login links, including how to achieve it with the User Entity, and highlight the most commonly used approach in Drupal 9. We will also discuss the drawbacks of each method.

Prerequisites

Before we dive into the methods, ensure you have:

1. A working Drupal 9 website.
2. The ability to create custom modules or code snippets.
3. Basic knowledge of Drupal module development.

Method 1: Using the User Pass Utility (Commonly Used Method)

Creating a One-Time Login Link with User Pass Utility

One of the most common scenarios for generating one-time login links is for password reset. The User Pass utility functions are often employed for this purpose:

use Drupal\user\Entity\User;

// Load the user by their username or email.
$user = user_load_by_name('username');

// Or load the user by email.
// $user = user_load_by_mail('user@example.com');

if ($user) {
  // Generate a one-time login link.
  $token = user_pass_rehash($user, user_password());
  $link = Url::fromRoute('user.reset.login', [], ['query' => ['u' => $user->id(), 'timestamp' => $user->get('login')->value, 'token' => $token]]);
  $link = $link->toString();
}

Drawbacks of Using User Pass Utility

While this method is widely used and recommended for password reset functionality, it has some drawbacks:

• Limited to password reset use cases: The User Pass utility is primarily designed for password reset scenarios. Using it for other purposes might not be as straightforward.
• Complexity: The code to generate the link and extract user information can be a bit complex, especially for developers new to Drupal.

Method 2: Using the Redirect Route

Creating a One-Time Login Link with the Redirect Route

In certain cases, you may need to create a one-time login link that directs users to the password reset form. Drupal provides a built-in route, 'user.pass,' that can be used for this purpose:

use Drupal\Core\Url;

// Generate a one-time login link for password reset.
$link = Url::fromRoute('user.pass', [], ['query' => ['user' => $user->id()]]);
$link = $link->toString();

Drawbacks of Using the Redirect Route

This method has its own limitations:

• Limited to password reset form: It's primarily designed to send users to the password reset form, making it less versatile for other use cases.
• Less control: You have less control over the link's format and query parameters compared to custom token generation.

Method 3: Custom Token Generation

Creating a One-Time Login Link with Custom Token Generation

For more custom use cases where you need to create one-time login links with unique tokens, you can implement your token generation logic:

use Drupal\Core\Utility\Token;

// Load the user by their username or email.
$user = user_load_by_name('username');

// Or load the user by email.
// $user = user_load_by_mail('user@example.com');

if ($user) {
  // Generate a unique token.
  $token = Token::replace('[user:uid]-[user:timestamp]', ['user' => $user]);

  // Create a URL with a custom path and the token as a query parameter.
  $link = Url::fromUserInput('/custom-path', ['query' => ['token' => $token]]);
  $link = $link->toString();
}

Drawbacks of Custom Token Generation

This method provides more flexibility but also has limitations:

• Development effort: Implementing custom token generation requires additional development effort, making it less straightforward than using the User Pass utility.
• Maintenance: Custom tokens may require additional maintenance and testing to ensure they work as expected.

Achieving it with User Entity

To achieve one-time login links with the User Entity, you can use a method similar to Method 3, where you load the user, generate a custom token, and create a URL with the token as a query parameter.

Conclusion

Creating one-time login links programmatically is a crucial part of Drupal 9 development, whether for password resets, account verification, or custom workflows. The most commonly used approach, leveraging the User Pass utility, is particularly handy for implementing secure and user-friendly password reset functionality. Depending on your specific use case, you can choose the method that best aligns with your project requirements and implement it within your custom module or application.

Remember that each method has its advantages and drawbacks, so select the one that best suits your project's needs and complexity.