Login Register Pro module

This week we’ll take a look at LoginRegisterPro — a new module that provides an all-in-one, self contained module for providing new user registration, secure logins, profile editing, and more. It does this all in a manner that is reliable, efficient, comprehensive and secure.

As we continue preparing the ProcessWire core dev branch to become our new master, I've been trying to stay hands-off on new feature additions there as much as possible (till the new master is out), and instead focusing on finishing up modules I've had in development. Last time I told you about the UserActivity module, and this time we’ll look at LoginRegisterPro, which is another module dealing with users; though significantly larger in scale/scope.

LoginRegisterPro is a module I've been working on for more than a year, and finally this month have it ready to share. While I don't have it available for download today I do expect to have a beta release as soon as early next week. If you'd like, send me a message and I'll send you an email once it's ready (there's a form at the bottom of this page).

Introduction

LoginRegisterPro takes care of giving you a well qualified/authenticated user, and you decide what to do with that user. Whether that is using ProcessWire’s access control system to control what they can see, or using the API to control what they can access or achieve, LoginRegisterPro is built to be a very solid foundation for sites and applications working with front-end users.

Background

LoginRegisterPro is a re-imagining of a module called LoginRegister that I built a few years ago for a client with very specific needs. At the client’s suggestion, it was released open source as a starting point or proof-of-concept for those looking to implement login, registration and front-end user profile editing capabilities. Despite being fairly limited in scope and purpose, there was a lot of interest in that module. Since that time, I've received numerous requests to build a Pro version of the module with more enterprise-level features and security, and with commercial support. LoginRegisterPro is the result.

While this module does still share some ideas in common with the original LoginRegister module, it is actually a full rewrite that attempts to cover most of the features that were requested, and with a much stronger foundation. In addition, because this module opens a lot of new possibilities, and everyone has slightly different needs, I wanted to be able to provide the proper level of long-term support that is available with the other Pro modules.

Even without this module, ProcessWire provides a great foundation for building your own front-end user system. I've built several for client projects over the years (as others have too). But they are always expensive and time consuming to build, and there's never been the budget or time to build an enterprise-level set of features. LoginRegisterPro handles all of that, saving you (and your clients) a lot of time and expense, while delivering a level of features, quality, consistency, ease-of-use and security that is consistent with the ProcessWire core, and doesn't leave you wanting more. With LoginRegisterPro, you no longer have to worry about how to safely register, confirm and authenticate front-end users for your sites or applications.

Features

General features

  • Front-end secure login form that uses email address as login name.
  • Front-end secure new registration form with fully configurable fields.
  • Front-end secure profile edit form with fully configurable fields.
  • Email confirmation of new user registrations with randomly generated codes.
  • Users can register on one computer and confirm it on another.
  • Support for optional front-end “forgot password” reset capability.
  • Optional ability for users to delete their own accounts.
  • Optional ability to login user automatically after account confirmation.

Security features

  • Support for logins with two-factor authentication (TFA).
  • Support for Google reCAPTCHA on registration form.
  • Support for blocking emails or IPs in stopforumspam.com database.
  • Support for throttling of logins to block dictionary attacks.
  • Login and registration forms are protected by intelligent honeypots.
  • User must confirm pass to change email, pass, TFA or account deletion.
  • Ability to set which fields should also require password confirmation.
  • Support for email whitelist, useful for company intranets and more.
  • Support for keyword matching blacklists on emails to block registration.
  • Registrations stored in DB, converted to users after email confirmation.
  • All forms use CSRF protection (when not disabled in ProcessWire).
  • Session fingerprinting also remains active when not disabled in ProcessWire.
  • Configurable expiration of non-confirmed registrations.
  • Optionally require new user to re-confirm password before account creation.
  • Many other security improvements relative to original LoginRegister module.

Customization features

  • Ability to assign custom role(s) to new accounts.
  • Ability to control what roles can login on the front-end.
  • Strong, well documented API that keeps you in control of action + output.
  • Ability to customize markup output by the module.
  • Ability to specify WireMail module to use for confirmation emails.
  • Full control over the markup + content of the confirmation emails.
  • Full control over the randomly generated code type and length.
  • 30+ hookable methods to maximize customizability when you need it.

Configuration

There's already a lot of words in this post and not many visuals, so lets just look at a screenshot of the module config screen. This might look like a lot, but this is with all of the options open (they are usually collapsed except when being edited). But as you can see, this module is very configurable and gives you a lot of control over what it does.

Compared to LoginRegister

If you are familiar with the original LoginRegister module, here’s a few of the differences that you will find in LoginRegisterPro. The module is re-imagining of the LoginRegister module, written from the ground up with improvements in nearly every aspect. Below we’ll refer to LoginRegister as LR and LoginRegisterPro as LRPro:

  • LRPro is able to store new user registration data in the database, ensuring the user can complete their registration even if they are on a different computer, or if their original session is no longer active. The older LR module was only able to store registration data in the session. LRPro also lets you control how long unconfirmed registrations exist in the database before they are expired and deleted.

  • LRPro supports 2-factor authentication by way of ProcessWire TFA modules. This is something that LR does not support. Ryan’s open source TFA modules are also supported alongside LoginRegisterPro in the support board.

  • LRPro is able to use Google reCAPTCHA on the registration form as an extra point of confirmation (in addition to confirmation email).

  • LRPro supports login and registration honeypots, as well as new registration validation of email and IP address with stopforumspam.com.

  • LRPro comes with much more detailed documentation and a far stronger API. Nearly everything in LRPro is hookable and customizable, so LRPro is able to accommodate a diversity of front-end user needs.

  • LRPro also goes much further in terms of security to cover much broader use cases than the original LoginRegister module (see security features above).

  • LRPro lets you customize the properties of fields in register and profile forms independently of their usage on the user template (field context).

  • LRPro optionally lets you enable an option for users to delete their own account.

  • LRPro requires that the user enter their existing password for changes to email, password or two-factor authentication, plus it includes the ability to let you configure what other fields should require a password confirmation.

  • LRPro gives you control over the subject, content and markup of confirmation email.

  • LRPro gives you control over the confirmation code type and length used for account registration confirmation.

  • LRPro lets you maintain email whitelists and blacklists for new registrations.

  • LRPro gives you the option to require password confirmation before creating a new account. This ensures that the user that requested the account is always the user that confirms (and creates) it, even if someone else somehow saw their confirmation email.

  • LRPro lets you decide whether a new account confirmation should log the user in automatically or ask them to login.

  • LRPro provides more control over the confirmation email, including the ability to specify what WireMail module should be used for LRPro transactional/confirmation email.

  • LRPro requires the user to enter their existing password before making changes to some fields in their Profile, such as email or password. In addition, you can specify any other fields that should require them to enter their password before changes are allowed.

  • The original LoginRegister module was built for a specific use case and released largely as a proof-of-concept. No major new development for that module is planned, while LoginRegisterPro is a long-term development and support commitment, like the other ProcessWire Pro modules and of course the ProcessWire core.

  • LRPro comes with full support from me, so I'll be here to help you one-on-one with this module.

How it works

LoginRegisterPro operates off of a single Page in your website to render and process forms for Login, Registration and Profile editing. You only have to tell the module where to place its output, and it does the rest.

Guests may register to create a new account. User accounts are not actually created until validated by an email sent to the user. They receive a link containing a confirmation code. When clicked on (or pasted in manually after registration) the user account is then created. (Additional confirmation steps can also be optionally enabled). At this point, the user is now confirmed and can login (or be logged-in automatically).

Once users are logged-in, they are allowed to edit their Profile, which is where they can do things like change their password or email address, enable two-factor authentication, or modify any fields you’ve configured. Outside of that, LoginRegisterPro exists to support your front-end user account needs and it’s up to your configuration of ProcessWire’s access control—or your own logic—to determine what the users can access and do in your site/application.

Users that have accounts created through LoginRegisterPro automatically receive a role named “login-register” or other(s) that you configure. This enables you to assign this role (or roles) for “view” permission on one or more templates, so that certain pages in your website are only visible to users in that role.

Alternatively (or in addition) you might use your own logic in template files. For instance, if you wanted to only display a field named “member_notes” to users that are logged-in, you could do so like this:

if($user->isLoggedIn()) echo $page->member_notes;

LoginRegisterPro takes care of all of the difficult parts of validating, creating and authenticating users on your website, and making sure those users can manage their own account. But it doesn't place any limitations upon what you can do with those logged-in users your own. Whether that is building a website with a subscribers or members section, maintaining users in an online store, managing users for submitting or modifying content in your own forms, or anything else you can imagine — my hope is that LoginRegisterPro provides the foundation you need to accomplish your front-end user needs.

Screenshots

Below are a couple of screenshots that demonstrate how the login and register forms look on this website. Of course, how they actually look will depend entirely on how you style and customize them and what fields you add to your registration form.

Next week I'll be finishing up the documentation for this module and then releasing it, and working on ProcessWire core 3.0.148 RC2. Thanks for reading, have a great weekend, and be sure to check in at ProcessWire Weekly this weekend.

Comments

  • HMCB

    HMCB

    • 6 months ago
    • 303
    The only thing PW needs is a Pro e-commerce module. I know there’s one being developed off Padloper but there’s a certain level of confidence a first-party Pro module provides. If Ryan jumped on board of that project and the group collaborated, we’d have the guts of building anything on top of PW for non-hardcore developers.
  • Holly Valero

    Holly Valero

    • 6 months ago
    • 63
    This is just terrific! I look forward to adding this to my development packages in 2020.
  • Lance Osborne

    Lance Osborne

    • 6 months ago
    • 63
    Will the new module support image uploads, such as for a profile image? That was the biggest limitation that I found with the previous version.
    • Bernhard

      Bernhard

      • 6 months ago
      • 52
      Yes: https://processwire.com/talk/topic/22762-new-post-login-register-pro-module/?do=findComment&comment=194975
  • Manlio Esposito

    Manlio Esposito

    • 6 months ago
    • 21
    It is a really a big time saver module! Great work as usual.
  • James

    James

    • 6 months ago
    • 41
    Can't wait for this module to be released, as I'm sure many PW users are!

    LoginRegister is great, but LRPro storing user registration in the database is a huge improvement, plus profile images! I have half a dozen use cases for this module to work on in 2020 so consider me excited.

  • Mont

    Mont

    • 6 months ago
    • 00
    Looking forward to polished up loginregister
  • Martin

    Martin

    • 6 months ago
    • 01
    great christmas gift, thanks Ryan.
    beta works out of the box without any questions!
 

PrevNew User Activity module

This week we’ll take a quick break from core updates and have a look at a new module called UserActivity, just added to the ProcessWire ProDevTools package. It’s been a holiday week here in the U.S. (Thanksgiving) and the family is home, so there’s not much work getting done this week. Since I… More 

NextNew modules, file validation, and great websites

A look at two new modules released this week: LoginRegisterPro and FileValidatorImage. Discussion on upcoming plans for new FileValidator modules and how they are useful in PW. Plus a brief highlight of two great new ProcessWire-powered websites: Aaron Copland (an American composer) and Sono Motors (an EV startup). More 

Twitter updates

  • ProcessWire 3.0.161 adds support for selector operator stacking, enabling you automatically broaden searches in a single pages.find() call— More
    26 June 2020
  • ProcessWire 3.0.160 adds powerful new text-searching operators, bringing a new level of power to page-finding API calls, especially when it comes to search engine type queries. Post also includes a demo search engine where you can test it all out live— More
    19 June 2020
  • Preview of ProcessWire 3.0.160 with auto-enable of two-factor authentication, new version of TfaEmail and TfaTotp, and new selector operators coming next week. More
    12 June 2020

Latest news

  • ProcessWire Weekly #319
    In the 319th issue of ProcessWire Weekly we're going to check out the latest core updates, introduce a couple of new third party modules, and highlight the downright stunning new website of Studio Pixelgold. Read on!
    Weekly.pw / 21 June 2020
  • Powerful new text-searching abilities in 3.0.160
    In ProcessWire 3.0.160 we’ve got some major upgrades and additions to our text-search abilities. This brings a whole new level of power to $pages->find() and similar API calls, especially when it comes to search engine type queries.
    Blog / 19 June 2020
  • Subscribe to weekly ProcessWire news

“I am currently managing a ProcessWire site with 2 million+ pages. It’s admirably fast, and much, much faster than any other CMS we tested.” —Nickie, Web developer