Feature: One click email login functionality.

[andrewlimaza]

• ENHANCEMENT: Implement a "Login via Email" one click magic link functionality.

All Submissions:

• Have you followed the Contributing guideline?
• Does your code follow the WordPress' coding standards?
• Have you checked to ensure there aren't other open Pull Requests for the same update/change?

How to test the changes in this Pull Request:

1. Pull this PR into your latest development environment.
2. Enable this option under Memberships > Settings > Advanced Settings.
3. Once enabled, log out. You should now see an email login button. Test this flow, if you're on LocalWP use mailpit tool to catch the emails and login links.

Other information:

• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you successfully run tests with your changes locally?

Changelog entry

Enter a summary of all changes on this Pull Request. This will appear in the changelog if accepted.

[Copilot]

Pull request overview

This pull request implements a passwordless "magic link" email login feature for Paid Memberships Pro. When enabled in the advanced settings, users can request a one-time login link sent to their email instead of entering a password, enhancing convenience while maintaining security through time-limited tokens.

Key Changes:

• Added a new passwordless email login system with token generation and validation
• Created email template infrastructure for sending secure login links
• Added admin setting to enable/disable the feature

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 21 comments.

Show a summary per file

File	Description
paid-memberships-pro.php	Loads the email template class and conditionally includes the email-login functionality when enabled
includes/email-login.php	Core implementation of passwordless login including token generation, validation, authentication, and cleanup
classes/email-templates/class-pmpro-email-template-login-link.php	Email template class for sending login links to users
classes/class.pmproemail.php	Adds send_email_login_link() method to the email handler
adminpages/advancedsettings.php	Adds "Passwordless Login" option to advanced settings
css/frontend/pmpro-email-login.css	Styling for the email login button and UI elements

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[dparker1005]

Claude PR Review: #3548 - Feature: One click email login functionality

Summary

This PR adds passwordless/magic link login functionality to Paid Memberships
Pro. When enabled via Advanced Settings, users can request a login link via
email instead of entering a password. The feature includes a new email
template, proper token handling with expiration, and rate limiting.

Code Review

✅ Passed

• PHP syntax check - all files pass
• Security: Token uses hash_hmac('sha256', ...) with proper randomness
• Input sanitization with sanitize_text_field(), sanitize_email()
• Output escaping with esc_html(), esc_attr(), esc_url()
• Nonce verification on form submission
• Token expiration (15 minutes) and one-time use
• Rate limiting (5-minute cooldown per user)
• Code style follows PMPro conventions (pmpro_ prefix, proper text domain)

Testing Results

Settings & Configuration

• ✅ "Passwordless Login?" setting appears in Advanced Settings
• ✅ Default value is "No"
• ✅ Setting changes to "Yes" and saves
• ✅ Setting persists after page reload

Core Functionality - Enabled State

• ✅ "Email Me a Login Link" button appears on wp-login.php
• ✅ "or" separator styling displays correctly
• ✅ Clicking button with valid username shows confirmation message
• ✅ Login form hidden after submission
• ✅ Email received in mailbox with correct subject
• ✅ Email contains clickable login link with token
• ✅ Clicking magic link authenticates user
• ✅ User redirected to correct page after login
• ✅ Token consumed after single use (one-time use)
• ✅ Reusing same token shows "Invalid login link"
• ✅ Frontend PMPro login form shows button
• ✅ Frontend magic login flow works
• ✅ "Login Link" email template appears in Email Templates
• ✅ Template edit page shows !!login_link!! as required variable
• ✅ Test email sends successfully

Core Functionality - Disabled State

• ✅ Button hidden on wp-login.php when disabled
• ✅ "Login Link" email template hidden from list

Security Tests

• ✅ SQL injection in username (' OR 1=1--) - properly rejected
• ✅ XSS in username (<script>alert(1)</script>) - sanitized, shows "field
  empty"
• ✅ Invalid token in URL - shows "Invalid login link"
• ✅ Rate limiting (2 requests in rapid succession) - only 1 email sent

Edge Cases

• ✅ Empty username field - HTML5 validation prevents submission
• ✅ Non-existent user - generic error, no user enumeration
• ✅ Already logged-in user clicks magic link - token ignored, stays logged
  in

Verdict

✅ Approve

Well-implemented feature with solid security practices. All 30+ tests passed
including rate limiting verification, security tests, and edge cases. The
code follows PMPro conventions and properly handles token generation,
expiration, and cleanup.