# Keyless Auth - Login without Passwords **Secure keyless authentication allowing users to login without passwords via email magic links. Enhanced with customizable templates and improved security.** ![Version](https://img.shields.io/badge/version-2.0.12-blue.svg) ![WordPress](https://img.shields.io/badge/wordpress-3.9%2B-blue.svg) ![License](https://img.shields.io/badge/license-GPL%20v2-green.svg) ## ๐Ÿš€ Description **Forget passwords. Let your users log in with a secure magic link sent to their email โ€” fast, stylish, and hassle-free.** Includes customizable email templates, SMTP support, full logging, and a beautiful WYSIWYG editor. ### ๐Ÿ” Feature Overview **โœ… Ready:** โ€ข Passwordless Login via Email โ€“ secure, simple, password-free โ€ข Token Expiry + Security Rules โ€“ one-time login links with expiration and abuse protection โ€ข SMTP Integration โ€“ send emails via your own mail server โ€ข Simple Mail Log โ€“ track when and to whom login links were sent โ€ข Email Templates โ€“ customize your login email content โ€ข Basic Email Designer โ€“ quick styling options directly in the dashboard **๐Ÿ›  In Progress:** โ€ข Role-Based Token Redirects โ€“ redirect users based on their role after login โ€ข Webhook Support โ€“ trigger external actions after login (e.g., automation tools) โ€ข Telegram Support โ€“ receive login links via Telegram Bot โ€ข Simple CSS Styling โ€“ easily adjust button & container styles **๐Ÿง  Planned:** โ€ข BricksBuilder Login Element โ€“ full BricksBuilder integration โ€ข Visual Email Designer (Bricks-Based) โ€“ design login emails visually with Bricks โ€ข White-Label / Branding Removal โ€“ perfect for agencies & white-label solutions โ€ข REST API โ€“ access login functionality via secure API endpoints โ€ข KLA Companion App (PWA) โ€“ receive login links in an app instead of email โ€ข Login Audit Log โ€“ log IP, timestamp, device type, etc. โ€ข Two-Factor Authentication โ€“ extra security via Telegram, app-based code, or similar ## โœจ New Features in v2.0.12 * **๐Ÿ”— Settings Link Added** - Direct settings link in WordPress plugin list for easier access * **๐Ÿ“ง Fixed Mail Logs View Button** - View Content button now properly displays email content * **๐ŸŽฏ Improved Admin JavaScript** - Added missing functions for mail logs interaction * **๐Ÿ”„ SMTP Cache Management** - Added "Clear SMTP Cache" button to resolve configuration issues when settings aren't updating * **๐Ÿ“ง Enhanced Email Deliverability** - Message-ID domain now matches authenticated sender for better SPF/DKIM/DMARC alignment * **๐Ÿ› ๏ธ Automatic Cache Clearing** - SMTP settings now automatically clear cache when saved to ensure fresh configuration * **โ˜‘๏ธ Bulk Delete Mail Logs** - Select multiple mail logs with checkboxes and delete them in one action * **โœ… Select All Checkbox** - Quickly select/deselect all mail logs for bulk operations ## ๐Ÿ” Features in v2.0.11 * **๐Ÿ“ง Critical SMTP Fix** - Fixed sender email not being used, emails now properly send from configured SMTP address * **๐Ÿ“ Fixed Mail Logging** - Resolved post type name length issue preventing mail logs from being saved * **๐Ÿ”ง Fixed wp-config.php Instructions** - Restored missing JavaScript for credential storage toggle display * **๐Ÿ› Fixed Fatal Errors** - Resolved multiple undefined function errors in Mail Logger page * **๐Ÿ” Enhanced Diagnostics** - Added diagnostic information to help troubleshoot mail logging issues ## ๐Ÿท๏ธ Features in v2.0.10 * **๐Ÿ›ก๏ธ WordPress.org Plugin Check Compliance** - Resolved all input validation and sanitization warnings * **๐Ÿ”’ Enhanced Security** - Fixed wp_unslash() issues and removed insecure duplicate form processing * **โšก Improved Code Quality** - Eliminated security vulnerabilities in POST data handling * **๐Ÿงน Code Cleanup** - Removed redundant save_settings() method that bypassed security checks ## ๐Ÿ”ง Features in v2.0.9 * **๐Ÿท๏ธ WordPress.org Ready** - Complete rebrand to "Keyless Auth" for WordPress.org compliance * **๐Ÿ”ง Enhanced Prefixes** - All functions/classes use unique "chrmrtns_kla_" prefixes * **๐Ÿ›ก๏ธ Security Hardening** - Improved nonce verification with proper sanitization * **โšก Performance Optimized** - Converted inline JS/CSS to proper wp_enqueue system * **๐Ÿ“‹ Code Compliance** - Full WordPress.org Plugin Check compliance * **๐ŸŽฏ Simplified Shortcode** - New [keyless-auth] shortcode (was [chrmrtns-passwordless-auth]) ## ๐Ÿ”’ Features in v2.0.8 * **๐Ÿ”’ Security Improvements** - Enhanced output escaping compliance with esc_html_e() and wp_kses() * **๐ŸŽจ Template Preview Security** - Email template previews use controlled HTML allowlists * **๐Ÿ–ฑ๏ธ Button Text Colors** - Fixed button text color controls to prevent blue hover text issues * **๐Ÿ›ก๏ธ WordPress.org Compliance** - Comprehensive escaping improvements for enhanced security ## ๐Ÿ›ก๏ธ Features in v2.0.7 * **๐Ÿ›ก๏ธ WordPress.org Compliance** - Full Plugin Check compliance for WordPress.org submission * **๐Ÿ”’ Security Hardening** - Enhanced output escaping and input validation * **โšก Performance Optimized** - Improved database queries and conditional debug logging * **๐Ÿ“‹ Code Quality** - Complete adherence to WordPress coding and security standards * **๐Ÿ” Enhanced Protection** - Advanced CSRF and timing attack mitigation ## ๐Ÿ”ง Features in v2.0.6 * **๐Ÿ”ง Fixed Placeholder Token Rendering** - Button backgrounds now display correctly in custom templates * **๐Ÿ“ WYSIWYG-Safe Placeholders** - Changed from {{PLACEHOLDER}} to [PLACEHOLDER] format to prevent editor corruption * **๐ŸŽจ Better Email Structure** - Full-width gradient background with 600px content area for professional appearance * **โœ… Reliable Color Replacement** - Template placeholders are properly replaced with actual colors in all scenarios ## โœจ Features in v2.0.5 * **๐Ÿ“ Two-Field Email Template System** - Separate WYSIWYG body content from optional CSS styles * **๐ŸŽจ Enhanced Template Editor** - Body content uses inline styles, CSS styles go in head section * **๐Ÿ”ง WYSIWYG Compatibility** - No more editor corruption of HTML structure or CSS classes * **๐Ÿ“ 2x2 Grid Preview Layout** - Template previews now display in compact grid instead of vertical stack * **๐ŸŽฏ Advanced Customization** - Choose inline-only styles OR use CSS classes with separate stylesheet field ## ๐Ÿ” Features in v2.0.4 * **๐Ÿ” Secure Credential Storage** - Choose between database or wp-config.php storage for SMTP credentials * **๐Ÿ›ก๏ธ Enhanced Security** - wp-config.php option keeps sensitive credentials outside the web root * **โš™๏ธ Flexible Configuration** - Toggle between storage methods with clear visual indicators ## ๐ŸŽฏ Features in v2.0.3 * **๐Ÿ”— Login Link Reliability** - Fixed critical issue where login links weren't processing correctly * **โš™๏ธ Enhanced Hook System** - Improved WordPress hook integration for better compatibility * **๐Ÿš€ Streamlined Code** - Removed debug logging for production-ready performance ## ๐ŸŽฏ Features in v2.0.2 * **๐Ÿท๏ธ Custom Sender Names** - Force custom "From" names for all emails with toggle control * **๐Ÿ“Š Login Success Tracking** - Dynamic counter showing total successful passwordless logins * **๐Ÿ”ง Enhanced Mail Logging** - Fixed compatibility issues with other SMTP plugins ## ๐ŸŽฏ Key Features ### ๐Ÿ—๏ธ **Modular Architecture** Complete code refactoring with clean, maintainable class structure ### ๐Ÿ“ง **SMTP Configuration** Full SMTP support for reliable email delivery with major providers ### ๐Ÿ“ **Email Logging & Monitoring** Track and monitor all emails sent from WordPress ### ๐ŸŽจ **Visual Email Editor** WYSIWYG editor with HTML support for custom templates ### ๐ŸŽจ **Advanced Color Controls** Support for hex, RGB, HSL, and HSLA color formats ### ๐Ÿ‘€ **Template Previews** Live preview of email templates before selection ### ๐Ÿ”— **Link Color Customization** Separate color controls for buttons and text links ### ๐Ÿ”’ **Enhanced Security** Comprehensive nonce verification and input sanitization ## ๐Ÿ”ง How It Works 1. **User enters email/username** instead of password 2. **Secure token generated** and stored with enhanced validation 3. **Beautifully styled email sent** with login button 4. **User clicks button** and is automatically logged in 5. **Token expires** after 10 minutes for maximum security ## ๐Ÿ“ฅ Installation 1. Upload the `keyless-auth` folder to `/wp-content/plugins/` 2. Activate the plugin through the 'Plugins' menu in WordPress 3. Go to **Keyless Auth > Templates** to configure templates and colors 4. Create a page and use the shortcode `[keyless-auth]` ## ๐ŸŽฎ Usage Simply add the shortcode to any page or widget: ``` [keyless-auth] ``` ## โš™๏ธ Configuration ### Email Templates - Choose from predefined templates (German, English, Simple) - Create custom HTML templates with WYSIWYG editor - Live preview before applying changes ### SMTP Settings - Configure SMTP for reliable email delivery - Support for Gmail, Outlook, Mailgun, SendGrid, and more - Automatic port configuration for SSL/TLS - Custom sender name control - Connection testing tools ### Mail Logging - Monitor all emails sent from WordPress - View complete email history with timestamps - Preview email content for troubleshooting - Automatic log cleanup with size limits ## ๐Ÿ”’ Security Features - **Secure token generation** using `wp_hash()` with user ID, timestamp, and salt - **Timing attack protection** with `hash_equals()` - **Token expiration** - 10 minutes maximum - **One-time use** tokens automatically deleted after use - **Enhanced input sanitization** for all form fields - **Comprehensive nonce verification** for all admin actions ## ๐ŸŽจ Customization ### Colors - Button colors with hover states - Link colors with hover states - Support for multiple color formats (hex, RGB, HSL, HSLA) - Color picker and manual input synchronization ### Templates Available placeholders for custom templates: - `{{TO}}` - Recipient email address - `{{LOGIN_URL}}` - Login URL - `{{BUTTON_COLOR}}` - Button color - `{{BUTTON_HOVER_COLOR}}` - Button hover color - `{{LINK_COLOR}}` - Link color - `{{LINK_HOVER_COLOR}}` - Link hover color ## โ“ FAQ ### Is this secure? Yes. Tokens are created using `wp_hash()` based on user ID, timestamp, and WordPress salt. Tokens expire after 10 minutes and can only be used once. ### Can I customize email templates? Absolutely! Go to **Passwordless Auth > PA Settings** to choose from predefined templates or create custom HTML templates using the WYSIWYG editor. ### How do I configure SMTP? Go to **Passwordless Auth > SMTP** to configure settings for providers like Gmail, Outlook, Mailgun, SendGrid, and more. Includes automatic port configuration and connection testing. ### Can I track sent emails? Yes! The Mail Logs feature monitors all emails with timestamps, recipients, subjects, and content preview. Perfect for troubleshooting delivery issues. ### Can I customize the sender name? Absolutely! In SMTP settings, enable "Force From Name" and set a custom sender name for professional, branded emails. ### Can I store SMTP credentials securely? Yes! Choose between database storage or wp-config.php storage. For maximum security, use wp-config.php by adding: ```php define('CHRMRTNS_PA_SMTP_USERNAME', 'your-email@example.com'); define('CHRMRTNS_PA_SMTP_PASSWORD', 'your-smtp-password'); ``` ## ๐Ÿ”„ Changelog ### v2.0.12 - **FIX:** Added plugin action links for quick settings access from WordPress plugin list - **FIX:** Mail logs "View Content" button functionality - Added missing JavaScript functions - **IMPROVEMENT:** Enhanced admin JavaScript with global scope functions for mail logs interaction - **IMPROVEMENT:** Fixed settings link URL to use correct "keyless-auth" slug instead of internal prefix - **NEW:** SMTP cache management - Added "Clear SMTP Cache" button to resolve configuration issues - **IMPROVEMENT:** Enhanced email deliverability - Message-ID domain now matches authenticated sender for better SPF/DKIM/DMARC alignment - **IMPROVEMENT:** Automatic cache clearing - SMTP settings now automatically clear cache when saved - **NEW:** Bulk delete mail logs - Added checkbox selection system with "Select All" for bulk operations - **IMPROVEMENT:** WordPress-style bulk actions dropdown for familiar mail log management experience ### v2.0.11 - **FIX:** SMTP sender email not being used - Added missing `$phpmailer->From` to properly authenticate emails - **FIX:** Mail logging post type registration - Fixed post type name length issue (shortened from 22 to 17 characters) - **FIX:** wp-config.php instructions not displaying - Restored JavaScript and added inline fallback for credential storage toggle - **FIX:** Fatal errors on Mail Logger page - Fixed multiple `esc_attresc_html_e()` typos causing page crashes - **FIX:** Plugin initialization timing - Changed from 'init' to 'plugins_loaded' hook for better component loading - **IMPROVEMENT:** Added diagnostic information box to Mail Logs page for troubleshooting ### v2.0.10 - **SECURITY:** WordPress.org Plugin Check compliance - Fixed all input validation and sanitization warnings - **SECURITY:** Enhanced POST data handling - Added wp_unslash() before all sanitization functions - **SECURITY:** Removed duplicate save_settings() method - Eliminated insecure form processing that bypassed nonce verification - **IMPROVEMENT:** $_SERVER validation - Added proper isset() checks for superglobal access - **IMPROVEMENT:** Code cleanup - Removed redundant form processing methods to prevent security gaps ### v2.0.9 - **BREAKING:** Plugin renamed to "Keyless Auth - Login without Passwords" for WordPress.org compliance - **BREAKING:** Plugin slug changed to "keyless-auth" (old: "passwordless-auth") - **BREAKING:** Text domain changed to "keyless-auth" (old: "passwordless-auth") - **IMPROVEMENT:** All prefixes updated to "chrmrtns_kla_" for uniqueness and compliance - **IMPROVEMENT:** Nonce verification enhanced with proper sanitization (wp_unslash + sanitize_text_field) - **IMPROVEMENT:** Converted all inline JavaScript/CSS to proper wp_enqueue system - **IMPROVEMENT:** Removed WordPress.org directory assets from plugin ZIP - **IMPROVEMENT:** Enhanced WordPress.org Plugin Check compliance - **IMPROVEMENT:** Shortcode changed to [keyless-auth] (old: [chrmrtns-passwordless-auth]) ### v2.0.8 - **IMPROVEMENT:** Enhanced output escaping compliance - All user-facing content now uses proper WordPress escaping functions - **IMPROVEMENT:** Template preview security - Email template previews now use wp_kses with controlled HTML allowlists - **IMPROVEMENT:** Admin interface escaping - Form outputs and translations properly escaped with esc_html_e() and wp_kses() - **IMPROVEMENT:** Email template escaping - All template rendering functions now use proper escaping for security - **IMPROVEMENT:** Button text color functionality - Fixed button text color controls to prevent blue hover text issues - **SECURITY:** WordPress.org Plugin Check compliance - Comprehensive escaping improvements for enhanced security ### v2.0.7 - **COMPLIANCE:** Full WordPress.org Plugin Check compliance - All security and coding standards met - **FIX:** Output escaping - All user-facing content properly escaped for security - **FIX:** Input validation - Enhanced nonce verification and superglobal sanitization - **FIX:** Database queries - Optimized user meta queries for better performance - **FIX:** Debug code - Conditional debug logging only when WP_DEBUG is enabled - **IMPROVEMENT:** Code quality - Added comprehensive phpcs ignore comments for legitimate use cases - **IMPROVEMENT:** Security hardening - Enhanced protection against timing attacks and CSRF - **IMPROVEMENT:** WordPress standards - Full compliance with WordPress coding and security standards ### v2.0.6 - **FIX:** Fixed placeholder token rendering - Button backgrounds now display correctly in custom templates - **IMPROVEMENT:** WYSIWYG-safe placeholders - Changed from {{PLACEHOLDER}} to [PLACEHOLDER] format to prevent editor corruption - **IMPROVEMENT:** Better email structure - Full-width gradient background with 600px content area for professional appearance - **IMPROVEMENT:** Reliable color replacement - Template placeholders are properly replaced with actual colors in all scenarios ### v2.0.5 - **NEW:** Two-field email template system - Separate WYSIWYG body content from optional CSS styles - **NEW:** Enhanced template editor - Body content uses inline styles, CSS styles go in head section - **IMPROVEMENT:** WYSIWYG compatibility - No more editor corruption of HTML structure or CSS classes - **IMPROVEMENT:** 2x2 grid preview layout - Template previews now display in compact grid instead of vertical stack - **IMPROVEMENT:** Advanced customization - Choose inline-only styles OR use CSS classes with separate stylesheet field ### v2.0.4 - **NEW:** Secure credential storage options - Choose between database or wp-config.php storage for SMTP credentials - **NEW:** wp-config.php constants support - Use CHRMRTNS_PA_SMTP_USERNAME and CHRMRTNS_PA_SMTP_PASSWORD constants - **IMPROVEMENT:** Enhanced security - Keep sensitive SMTP credentials outside the web root in wp-config.php - **IMPROVEMENT:** Dynamic field toggles - Visual indicators show which storage method is active and if constants are defined - **IMPROVEMENT:** Better credential management - Automatic detection and validation of wp-config.php constants ### v2.0.3 - **FIX:** Critical login link functionality - Fixed issue where login links weren't processing properly on some WordPress configurations - **IMPROVEMENT:** Enhanced hook system - Changed from 'init' to 'wp_loaded' hook for better login link processing reliability - **IMPROVEMENT:** Code optimization - Removed debug logging for cleaner, production-ready performance - **FIX:** WordPress compatibility - Improved hook timing to ensure login links work across different hosting environments ### v2.0.2 - **NEW:** Custom sender name control with toggle checkbox - **NEW:** Login success tracking with dynamic counter - **NEW:** JavaScript field toggles for better UX - **FIX:** Mail logging compatibility with other SMTP plugins - **FIX:** Improved wp_mail filter handling - **SECURITY:** Proper sanitization for custom sender names ### v2.0.1 - **NEW:** Modular class-based architecture - **NEW:** Complete SMTP configuration system - **NEW:** Email logging and monitoring system - **NEW:** Test email functionality - **SECURITY:** Enhanced nonce verification for all forms - **IMPROVEMENT:** Professional admin interface ## ๐Ÿค Contributing Issues and pull requests are welcome on [GitHub](https://github.com/chrmrtns/passwordless-auth). ## ๐Ÿ“„ License This plugin is licensed under the [GPL v2](https://www.gnu.org/licenses/gpl-2.0.html) or later. ## ๐Ÿ‘จโ€๐Ÿ’ป Author **Chris Martens** - GitHub: [@chrmrtns](https://github.com/chrmrtns) - Plugin URI: [https://github.com/chrmrtns/passwordless-auth](https://github.com/chrmrtns/passwordless-auth) --- โญ **If this plugin helps you, please consider giving it a star on GitHub!**