Access control for custom endpoints

[bfoese]

Documentation Issue

We have the following setup: We have one auth enabled collection "User". All other collections are not auth enabled, but we restrict access to the auto-generated CRUD endpoints via the access: { read: .., create: ...} configuration where we provide functions which check if the user is authenticated for the "User" collection.

Is it possible to somehow limit the access for custom endpoints in collections which are not auth enabled?
The documentation lacks information about this: https://payloadcms.com/docs/rest-api/overview#custom-endpoints.
The request object that was provided to the custom endpoint handler contained no authenticated user object. I assume the user was missing, because Passport would not kick in here to set the user on the request, when the endpoint is configured to not require authentication.

Additional Details

In case it is currently not possible to restrict access to custom endpoints the same way we can do this for the standard CRUD endpoints, this would be feature request.

[DanRibbens]

Hi @bfoese!

Payload's middleware is run on all requests, including the auth middleware that assigns the user to req.user. That includes custom endpoints as long as you don't have root: true. You should be able to use req.user in your handler and then you can pass the req to any local API calls like payload.find( { collection, req, where /*... etc */ }) which will use the requesting users' access.

I suspect that you're not sending credentials in your request made to your custom endpoint. If you're using the fetch api you can add credentials: "include" to the request, read more https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#sending_a_request_with_credentials_included.

Does this help?

[jmikrut]

Hey @bfoese — did you ever solve this? I believe Dan is correct in that you may not be supplying credentials: 'include' within your fetch request, as custom endpoints do indeed go through our auth middleware prior to executing your endpoint logic, so the user object should indeed be present on your req.

I will convert this to a discussion so that we can continue the conversation there!