Feature request — Local API to programmatically log user in without password

[dtinth]

Feature request

It would be really great if payload had this API:

await payload.forceLogin({
  collection: 'users',
  id: '6494a085a0e261e743d51868',
  req,
  res
})

It would establish a cookie session just like payload.login, but it only takes just a user ID instead of a sign-in credentials.

Why

This would make it easier to implement (i.e. duct-tape) additional auth features, such as letting people log in with their Google, Discord or GitHub account (e.g. using OAuth, OpenID Connect, etc) without having to deal with the intricacies of Payload’s internals (such as Passport.js) or advanced Payload features that are less well-documented.

Here’s how we may use it:

app.get('/integrations/github/callback', async (req, res) => {
  // Retrieve the profile and make sure we have an email
  const profile = await getGitHubProfileFromReq(req)
  const email = profile.email
  if (!email) {
    res.status(401).send('Did not receive email permission')
    return
  }

  // Create a local user for the GitHub user, if one doesn’t exist
  const user = await getOrCreateUserByEmail(email)

  // 👇👇👇 This is the requested API.
  //       It should set the cookie just like normal login.
  await payload.forceLogin({
    collection: 'users',
    id: user.id,
    req,
    res
  })

  // Finally, redirect user to the admin page.
  res.redirect('/admin')
})

Current workaround

Right now, for the lack of API to programmatically log in, I work around by force-updating the user’s password and then do some client-side UI automation to log the user in with this new password.

  // Reset the user’s password
  const password = randomBytes(32).toString('hex')
  await payload.update({
    collection: 'users',
    id: user.id,
    data: { password } as any,
  })

  // Redirect to login page with credentials
  res.redirect(`/admin/login#${new URLSearchParams({
    email: (user as any).email,
    password,
  })}`)

I added a React component that would extract the params from the URL and submit the login form (like how a password manager does it).

// payload.config.ts
  admin: {
    user: Users.slug,
    components: {
      afterLogin: [AutoLogin],
    },
  },

export function SSOHack() {
  useEffect(() => {
    getAutoLoginCredentials()
      .then((data) => {
        if (!data) return
        const { email, password } = data
        const emailField =
          document.querySelector<HTMLInputElement>('[name="email"]')
        const passwordField =
          document.querySelector<HTMLInputElement>('[name="password"]')
        const submitButton =
          document.querySelector<HTMLButtonElement>('[type="submit"]')

        if (emailField && passwordField && submitButton) {
          // https://github.com/facebook/react/issues/11488#issuecomment-884790146
          const forceReactInputOnChange = (input: HTMLInputElement) => {
            // @ts-expect-error NOTE: clear the interal value to force an actual change
            input._valueTracker?.setValue('')
            input.dispatchEvent(new Event('input', { bubbles: true }))
          }

          emailField.value = email
          forceReactInputOnChange(emailField)

          passwordField.value = password
          forceReactInputOnChange(passwordField)

          setTimeout(() => {
            submitButton.click()
          }, 100)
        }
      })
  }, [])
  return <></>
}

Although it is very hacky, it accomplishes the task using only Payload’s well-documented API.

Feasibility

The logic required to implement this API already exists in the latter half of the payload.login() function:

payload/src/auth/operations/login.ts

Lines 124 to 230 in 837dccc

	const fieldsToSign = collectionConfig.fields.reduce((signedFields, field: Field) => {
	const result = {
	...signedFields,
	};
	if (!fieldAffectsData(field) && fieldHasSubFields(field)) {
	field.fields.forEach((subField) => {
	if (fieldAffectsData(subField) && subField.saveToJWT) {
	result[subField.name] = user[subField.name];
	}
	});
	}
	if (fieldAffectsData(field) && field.saveToJWT) {
	result[field.name] = user[field.name];
	}
	return result;
	}, {
	email,
	id: user.id,
	collection: collectionConfig.slug,
	});
	await collectionConfig.hooks.beforeLogin.reduce(async (priorHook, hook) => {
	await priorHook;
	user = (await hook({
	user,
	req: args.req,
	})) || user;
	}, Promise.resolve());
	const token = jwt.sign(
	fieldsToSign,
	secret,
	{
	expiresIn: collectionConfig.auth.tokenExpiration,
	},
	);
	if (args.res) {
	const cookieOptions: CookieOptions = {
	path: '/',
	httpOnly: true,
	expires: getCookieExpiration(collectionConfig.auth.tokenExpiration),
	secure: collectionConfig.auth.cookies.secure,
	sameSite: collectionConfig.auth.cookies.sameSite,
	domain: undefined,
	};
	if (collectionConfig.auth.cookies.domain) cookieOptions.domain = collectionConfig.auth.cookies.domain;
	args.res.cookie(`${config.cookiePrefix}-token`, token, cookieOptions);
	}
	req.user = user;
	// /////////////////////////////////////
	// afterLogin - Collection
	// /////////////////////////////////////
	await collectionConfig.hooks.afterLogin.reduce(async (priorHook, hook) => {
	await priorHook;
	user = await hook({
	user,
	req: args.req,
	token,
	}) || user;
	}, Promise.resolve());
	// /////////////////////////////////////
	// afterRead - Fields
	// /////////////////////////////////////
	user = await afterRead({
	depth,
	doc: user,
	entityConfig: collectionConfig,
	overrideAccess,
	req,
	showHiddenFields,
	});
	// /////////////////////////////////////
	// afterRead - Collection
	// /////////////////////////////////////
	await collectionConfig.hooks.afterRead.reduce(async (priorHook, hook) => {
	await priorHook;
	user = await hook({
	req,
	doc: user,
	}) || user;
	}, Promise.resolve());
	// /////////////////////////////////////
	// Return results
	// /////////////////////////////////////
	return {
	token,
	user,
	exp: (jwt.decode(token) as jwt.JwtPayload).exp,
	};

…and duplicated in the resetPassword() function:

payload/src/auth/operations/resetPassword.ts

Lines 84 to 120 in 837dccc

	const fieldsToSign = collectionConfig.fields.reduce((signedFields, field) => {
	if (fieldAffectsData(field) && field.saveToJWT) {
	return {
	...signedFields,
	[field.name]: user[field.name],
	};
	}
	return signedFields;
	}, {
	email: user.email,
	id: user.id,
	collection: collectionConfig.slug,
	});
	const token = jwt.sign(
	fieldsToSign,
	secret,
	{
	expiresIn: collectionConfig.auth.tokenExpiration,
	},
	);
	if (args.res) {
	const cookieOptions = {
	path: '/',
	httpOnly: true,
	expires: getCookieExpiration(collectionConfig.auth.tokenExpiration),
	secure: collectionConfig.auth.cookies.secure,
	sameSite: collectionConfig.auth.cookies.sameSite,
	domain: undefined,
	};
	if (collectionConfig.auth.cookies.domain) cookieOptions.domain = collectionConfig.auth.cookies.domain;
	args.res.cookie(`${config.cookiePrefix}-token`, token, cookieOptions);
	}

By extracting the common logic into an API, not only it becomes more straightforward to extend the auth system, there would also be less duplicate code in Payload’s core.

[IRediTOTO]

I need this too, working on it now

[nightwalker89]

I create a custom endpoint for this to force login with provided email

// forceLoginEndpoint.ts
import payload from 'payload';
import type { Endpoint } from 'payload/config';
import { Field, fieldAffectsData, fieldHasSubFields } from 'payload/types';
import getCookieExpiration from 'payload/dist/utilities/getCookieExpiration';
import jwt from 'jsonwebtoken';

// endpoint: /force-login
export const forceLoginEndpoint: Omit<Endpoint, 'root'> = {
  handler: async (req, res) => {
    // TODO: need extra validation here

    const userCollection = payload.config.admin.user;

    const { email } = req.body;

    const userDocs = await payload.find({
      collection: userCollection,
      where: {
        email: {
          equals: email,
        },
      },
      depth: 0,
      limit: 1,
    });

    // if (userDocs.totalDocs === 0) {
    //   return res.status(400).json({ error: 'User not found.' });
    // }

    const user = userDocs.docs[0];

    // Get the Mongoose user
    const collectionConfig = payload.collections[userCollection].config;

    // Decide which user fields to include in the JWT
    const fieldsToSign = collectionConfig.fields.reduce(
      (signedFields, field: Field) => {
        const result = {
          ...signedFields,
        };

        if (!fieldAffectsData(field) && fieldHasSubFields(field)) {
          field.fields.forEach((subField) => {
            if (fieldAffectsData(subField) && subField.saveToJWT) {
              result[subField.name] = user[subField.name];
            }
          });
        }

        if (fieldAffectsData(field) && field.saveToJWT) {
          result[field.name] = user[field.name];
        }

        return result;
      },
      {
        email: user.email,
        id: user.id,
        collection: collectionConfig.slug,
      } as any,
    );

    // Sign the JWT
    const token = jwt.sign(fieldsToSign, payload.secret, {
      expiresIn: collectionConfig.auth.tokenExpiration,
    });

    // Set cookie
    res.cookie(`${payload.config.cookiePrefix}-token`, token, {
      path: '/',
      httpOnly: true,
      expires: getCookieExpiration(collectionConfig.auth.tokenExpiration),
      secure: collectionConfig.auth.cookies.secure,
      sameSite: collectionConfig.auth.cookies.sameSite,
      domain: collectionConfig.auth.cookies.domain || undefined,
    });

    return res.status(200).json({ token, email, id: user.id });
  },
  method: 'post',
  path: '/force-login',
};

add config in payload.config.ts

export default buildConfig({
endpoints: [forceLoginEndpoint],
})

reference from this plugin https://github.com/thgh/payload-plugin-oauth/blob/main/src/index.ts

Then you can call it like this

curl --location 'http://localhost:3000/api/force-login' \
--header 'Content-Type: application/json' \
--data-raw '{
    "email": "[email protected]"
}'