401 Unauthorized on many requests in prod build

default discord avatar
Jakey
last month
269

Locally, when I run my Payload environment in dev mode, all URLs work perfectly fine.



When I build payload on my server and start it, many actions are coming back as unauthorized.



I am able to log in fine, but for instance the following requests 401:

- /api/_preferences/locale
- /api/pages?locale=en&depth=0&draft=true&invoke=949a1387-f616-4c8b-a5c0-458aca5bfec6
- /api/_preferences/pages-list
- /api/_preferences/categories-list
- /api/_preferences/media-list



Another detail that I see is that the message response holds a message of "Unauthorized, you must be logged in to make this request.".



Also, I don't see these requests actually being made in dev mode. I see the GET request versions of these requests, which succeed in both environments; but on the server there are also POST versions of these requests which are 401'ing.



hey @thisisnotchris, just fyi, I figured it'd be better to split this off into its own post since it seems it's a bit different from the post I was adding onto. I really appreciate the help you've provided thus far. 🙇‍♂️

  • default discord avatar
    Radish Kitten
    last month

    Can you pull up burpsuite and remake your API request?

  • default discord avatar
    Jakey
    last month

    never heard of burpsuite

  • default discord avatar
    Radish Kitten
    last month

    or any way you can check the values/cookies being used while calling for the endpoint(s)?

  • default discord avatar
    Jakey
    last month

    sure, I'll check those out

  • default discord avatar
    Radish Kitten
    last month

    Yeah network tab inside devtools will do wonders here

  • default discord avatar
    Jakey
    last month

    one of my favorite tools lol



    here's the request headers for one of the requests btw:

    Accept: */*
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en
    Cache-Control: no-cache
    Connection: keep-alive
    Content-Length: 14
    Content-Type: application/json
    Cookie: payload-token=<redacted>
    Host: <redacted>
    Origin: https://<redacted>
    Pragma: no-cache
    Referer: https://<redacted>/admin
    sec-ch-ua: "Chromium";v="112", "Google Chrome";v="112", "Not:A-Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36

    in case it's helpful



    i see a payload-token cookie as well

  • default discord avatar
    Radish Kitten
    last month

    yeah it's there if you're logged in



    so that's your request. Did that request 401?

  • default discord avatar
    Jakey
    last month

    it did, the response body was

    {"errors":[{"message":"Unauthorized, you must be logged in to make this request."}]}


    response headers

    Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, Content-Encoding, x-apollo-tracing
    Access-Control-Allow-Methods: PUT, PATCH, POST, GET, DELETE, OPTIONS
    Connection: keep-alive
    Content-Language: en
    Content-Length: 84
    Content-Type: application/json; charset=utf-8
    Date: Tue, 18 Apr 2023 13:04:08 GMT
    ETag: W/"54-VwIDOKGPAda99KAJF2yRyy4FL7I"
    Server: nginx
    Vary: X-HTTP-Method-Override, Accept-Encoding
    X-Powered-By: Express
    X-RateLimit-Limit: 500
    X-RateLimit-Remaining: 472
    X-RateLimit-Reset: 1681823061
  • default discord avatar
    Radish Kitten
    last month

    Are you using any kind of auth right now?



    aside from the default login portal that is



    https://payloadcms.com/docs/authentication/overview
  • default discord avatar
    Jakey
    last month

    i ended up following the example of adding roles to users, but this was an issue prior to that



    was hoping following the guide would do it for me. again, works locally though

  • default discord avatar
    Radish Kitten
    last month

    I wonder if it's a CORS issue somewhere.

  • default discord avatar
    Jakey
    last month

    I set CORS to cors: "*", to rule that out

  • default discord avatar
    Radish Kitten
    last month

    this is the last thing I'll pitch before running out of ideas. Can you compare /api/access on dev and prod?

  • default discord avatar
    Jakey
    last month

    sure



    let's see...

  • default discord avatar
    Radish Kitten
    last month

    👀

  • default discord avatar
    Jakey
    last month

    both respond with 200 OK...



    the server one has these headers in addition to the normal ones dev has:

    Cache-Control: max-age=2592000
    Cache-Control: public


    Request headers don't appear to have a relevant difference...



    The response bodies are identical. All permission values are set to true.

  • default discord avatar
    Radish Kitten
    last month

    So there's cache control headers set somewhere. This shouldn't impact you, but just in case, can you log out, clear cookie/cache for your prod in the browser, then log in? I'm sure you've done it but I just wanted to check 🙂



    It's the IT guy in me

  • default discord avatar
    Jakey
    last month

    totally understand. trying that out



    ok.. cleared cache.. cookies... also went ahead and cleared host cache (that sometimes bites me too)..



    logged back in



    still 401'ing



    like, the dashboard loads but when it attempts to make those POST requests, that's when it fails



    still can't create or save anything



    🤔



    one thing i did notice is that the auth cookie didn't go away when I logged out. not sure if that's normal

  • default discord avatar
    Radish Kitten
    last month

    Are the PATCH requests coming through 200?



    these are your save requests

  • default discord avatar
    Jakey
    last month

    attempted to enable api keys on my user to test a save. got a 403 Forbidden this time

  • default discord avatar
    Radish Kitten
    last month

    I'd reset all of the RBAC just to test by default if you're doing okay on prod



    but you did mention you had problems even before implementing rbac right?

  • default discord avatar
    Jakey
    last month

    yeah. I think at one point it was all working fine when I tried allowing everything on the user collection.. but that obviously didn't seem like a good idea



    but that might be a hint i assume



    i'll try that again just to confirm



    interesting



    I set all the access values to () => true, and it allows me to save, however I still get a bunch of 401's in my network requests like I've been seeing



    still can't add to another collection



    makes me wonder if I need to be setting access control to all collections because in prod-mode it's required or something?



    not sure how you deal with a request like /api/_preferences/locale though



    feels like something fundamental is off



    guess i could try just removing the cache headers to make it more like dev



    yeah, removing the cache headers didn't change anything 🤔

  • default discord avatar
    Radish Kitten
    last month

    @thisisnotchris any ideas? 😦

  • default discord avatar
    Jakey
    last month

    just for sanity, i'm going ahead and running just a fresh installation of payload on the server



    just an update:


    - npx create-payload-app w/ blog template
    - yarn build
    - yarn serve
    - updated vhost to point to payload app
    - hanging on cors due to domain not matching server url
    - changed server url, rebuilt and reserved
    - no permissions issues witnessed
    - added locales
    - no permissions issues witnessed
    - added webpack overrides
    - no permissions issues witnessed
    - installed @payloadcms/plugin-form-builder
    - no permissions issues witnessed
    - installed @payloadcms/plugin-cloud-storage
    - no permissions issues witnessed


    based on that, I'm now just simplifying our active repo's configs to see if something in our collection definitions is the problem



    ok, think i'm finally getting somewhere



    it looks like the _preferences document in the control test is populated with details, while in my server instance, it is empty



    trying to figure out how to get it to populate appropriately..



    matching up my dependency versions to the control-test i made...

  • default discord avatar
    notchris
    last month

    Hey all!



    Sorry, i have two accounts (work/personal)



    So i didn't see the ping

  • default discord avatar
    Jakey
    last month

    all good

  • default discord avatar
    notchris
    last month

    Hmmm



    Did you confirm that your CSRF / CORS settings are active?



    I forget where we left off but



    I think when I had these issues, it boiled down to my access control

  • default discord avatar
    Jakey
    last month

    i have a working fresh install with just the stuff i listed above done to it



    ultimately, i'm not sure why the _preferences document isn't being populated



    the 401 unauthorized request seems to be a side-effect of that document not having what it needs

  • default discord avatar
    notchris
    last month

    Let's check out the status in detail



    To see if like, your cookie is being rejected



    We should be able to pinpoint the cause of the 401



    Any context on the cause?



    Also, Payload discord has the voice channels now



    Happy to check out your setup if you want to share

  • default discord avatar
    Jakey
    last month

    sorry, fell into a rabbit hole



    the primary difference between a fresh install (that works) and the repo I'm getting to work is that the _preferences document is not being populated.



    And I don't understand what would cause that. Trying to look at the source code to see where that's supposed to happen



    i've cleared the db completely on the problem repo and reinstalled and it still doesn't like me 😦



    matched up the package versions too



    for additional context, what I'm seeing is


    - on page load a GET request is made for a preference (/api/_preferences/locale for example)
    - That request returns a 200, but the body of its response is {"message":"Not Found","value":null}
    - Then the admin client makes a subsequent POST request for that preference at the same path.
    - That request returns a 401.



    Normally, the initial GET request just works and the subsequent request is never made.



    in comparing the data of the fresh install vs the current repo, i see that _preferences is either empty or non-existent; which would explain why the initial get request would just fail (and the subsequent).



    So my thought atm is, if I can understand why that document isn't getting updated, then the rest of the errors will probably make sense too.

  • default discord avatar
    Exo
    last month

    What payload version are you using? Can you check if the _preferences collection has any dangling indexes in the database?

  • default discord avatar
    notchris
    last month

    @Exo Good thought

  • default discord avatar
    Jakey
    last month

    1.7.0 payload version



    what's a dangling index?



    i'm not the most well-versed in mongo..

  • default discord avatar
    notchris
    last month

    Remnants of old fields/indexes



    Sometimes when you re-use a db

  • default discord avatar
    Exo
    last month

    if you use mongosh or a visual editor to get a direct connection to the mongodb you can see the indexes using db._preferences.getIndexes()

  • default discord avatar
    notchris
    last month

    ^

  • default discord avatar
    Exo
    last month

    these are roughly equivalent to mysql constraints

  • default discord avatar
    Jakey
    last month

    ok

  • default discord avatar
    Exo
    last month

    (very roughly, please never quote me on that lol)

  • default discord avatar
    Jakey
    last month

    i'm using Compass atm

  • default discord avatar
    Exo
    last month

    ah i never used compass, this is like a visual explorer for mongo right?

  • default discord avatar
    Jakey
    last month

    yeah, the mongoDB website provides it



    there is a tab for indexes when i select a document

  • default discord avatar
    Exo
    last month

    yes that sounds good 🙂



    but it should be on the collection rather, I think



    This overall problem rings a bell for me

  • default discord avatar
    Jakey
    last month

    i selected the collection and filtered by indexes

    Screenshot_2023-04-18_122724.png
  • default discord avatar
    Exo
    last month

    I have seen something like that some time ago, give me some time to figure it out, I'll get back to it asap 🙂



    ah yes see



    indexes 2



    any way you can show them?

  • default discord avatar
    Jakey
    last month
    Screenshot_2023-04-18_122851.png
  • default discord avatar
    Exo
    last month

    mhmmm _id_ should be _id I think



    what can you see in the validation tab?

  • default discord avatar
    Jakey
    last month

    Here's with the indexes expanded



    validations is empty

    Screenshot_2023-04-18_123009.png
  • default discord avatar
    Exo
    last month

    Ah I found the issue that I was remembering

    https://github.com/payloadcms/payload/issues/1309
  • default discord avatar
    notchris
    last month

    Ah I remember I got that error



    I was logging out users without sending credentials

  • default discord avatar
    Exo
    last month

    might be a jwt/csrf problem, after login you do receive the cookie, right? Did you validate it with a tool like

    https://jwt.io/
  • default discord avatar
    Jakey
    last month

    i do receive a cookie. i'll try the tool there

  • default discord avatar
    notchris
    last month

    Also, I think you may have done this prior, but it would be helpful to see your payload config, server.ts file and an example collection



    Just so we can rule out oddities

  • default discord avatar
    Exo
    last month

    I have a feeling the cookie issuer url might not be correct, you said you are changing the vhost at some point and then resolved CORS issues, right?

  • default discord avatar
    Jakey
    last month

    i just have it set as "*" atm



    to rule that out

  • default discord avatar
    notchris
    last month

    I don't think wildcard is allowed though



    Right?



    Doesn't it need to be explicit



    Also, if you're going through a proxy, make sure trustProxy is enabled in csrf



    via the warning on this page:

    https://payloadcms.com/docs/production/preventing-abuse#cross-site-request-forgery-csrf
  • default discord avatar
    Jakey
    last month
    import { buildConfig } from "payload/config"
    import formBuilder from "@payloadcms/plugin-form-builder"
    import { cloudStorage } from "@payloadcms/plugin-cloud-storage"
    import { s3Adapter } from "@payloadcms/plugin-cloud-storage/s3"
    import path from "path"
    import Users from "./collections/Users"
    import Pages from "./collections/Pages"
    import Categories from "./collections/Categories"
    import Media from "./collections/Media"
    import Nav from "./globals/Nav"
    export default buildConfig({
        serverURL: "https://<redacted>",
        csrf: [
            "https://<redacted>",
        ],
        cors: "*",
        admin: {
            user: Users.slug,
            webpack: (config) => {
                return {
                    ...config,
                    resolve: {
                        ...config.resolve,
                        alias: {
                            ...config.resolve.alias,
                            fs: path.resolve(__dirname, "mocks/emptyObject.js"), 
                        },
                    },
                }
            },
        },
        collections:[Users],
        plugins: [
            cloudStorage({/** <redacted to save past space */}),
            formBuilder({/** <redacted to save past space */}),
        ],
        typescript: {
            outputFile: path.resolve(__dirname, "payload-types.ts"),
        },
        graphQL: {
            schemaOutputFile: path.resolve(__dirname, "generated-schema.graphql"),
        },
        localization: {
            locales: ["en", "es", "de"],
            defaultLocale: "en",
            fallback: true,
        },
    })
  • default discord avatar
    notchris
    last month

    Can you pass an array to cors as well matching csrf?

  • default discord avatar
    Jakey
    last month

    yes

  • default discord avatar
    notchris
    last month

    Ah actually, * should be fine according to Payload



    Either a whitelist array of URLS to allow CORS requests from, or a wildcard string ('*') to accept incoming requests from any domain.


    Not sure if it will do anything, but I do have my rateLimit configured to allow proxy



      rateLimit: {
        trustProxy: true,
        window: 2 * 60 * 1000, // 2 minutes
        max: 2400, // limit each IP per windowMs
      },
  • default discord avatar
    Jakey
    last month

    ok

  • default discord avatar
    Exo
    last month

    ah I would be careful with that, chances are rate limiting is handled by your reverse proxy or provider

  • default discord avatar
    notchris
    last month

    True, maybe as a last resort if nothing else works then



    We are on a balancer at work, but I'm off today so I can't look at our config atm

  • default discord avatar
    Jakey
    last month

    oh for context on that, i'm on a digitalocean droplet using nginx to handle the proxy



    another odd behavior i noticed that's different from the fresh install is that when i log out, the token isn't removed

  • default discord avatar
    Exo
    last month

    but I still think the cookie might have the wrong domain, I would take a look at the server.ts (not payload-config) and see if the express setup is funny, another try would be to include/exclude the used ports, depending on your setup. If nothing works, try to log out the access control step, that would maybe provide more insight, you might even use a custom express middleware to log all incoming requests and confirm the cookies are looking good

  • default discord avatar
    notchris
    last month

    Logging out through the admin panel, right?

  • default discord avatar
    Exo
    last month

    yeah, that is another pointer to the cookie having a wrong domain

  • default discord avatar
    Jakey
    last month

    yeah

  • default discord avatar
    notchris
    last month

    Isn't the domain on the cookie?



    in dev tools

  • default discord avatar
    Jakey
    last month

    yeah, it matches the domain i'm on

  • default discord avatar
    notchris
    last month

    Can you share the details of the 401 error



    or a SS

  • default discord avatar
    Jakey
    last month

    what's an SS?

  • default discord avatar
    notchris
    last month

    let's also check out your nginx config for this domain



    sorry, screenshot

  • default discord avatar
    Jakey
    last month

    this is my server.ts btw. it's very lightly modified from the default

    import express from 'express'
    import payload from 'payload'
    import path from 'path'
    
    require('dotenv').config()
    
    const app = express()
    const port = process.env.PORT || 3000
    
    // Redirect root to Admin panel
    app.get('/', (_, res) => {
        res.redirect('/admin')
    })
    
    const start = async () => {
        // Initialize Payload
        await payload.init({
            secret: process.env.PAYLOAD_SECRET,
            mongoURL: process.env.MONGODB_URI,
            express: app,
            onInit: async () => {
                payload.logger.info(`Payload Admin URL: ${payload.getAdminURL()}`)
            },
        })
    
        // Add your own express routes here
        app.listen(port)
    }
    
    start()


    mainly just make the port configurable

  • default discord avatar
    notchris
    last month

    Thank you, can we also see the nginx redirect for the port?



    should be something like



        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass http://127.0.0.1:3000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
  • default discord avatar
    Jakey
    last month

    atm it's

        location / {
            proxy_pass http://localhost:3001;
            # expires 30d;
            # add_header Pragma public;
            # add_header Cache-Control "public";
    
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
  • default discord avatar
    Exo
    last month

    well one simple test to check if it is a csrf related problem is to disable it and try again, unless your site is in production already

  • default discord avatar
    Jakey
    last month

    i've removed the csrf already and it had no effect on the outcome

  • default discord avatar
    Exo
    last month

    3001 is the correct port as per process.env ?

  • default discord avatar
    Jakey
    last month

    it is



    i did mess that up in this process and fixed it 😛

  • default discord avatar
    notchris
    last month

    Ah sorry, copied it from an example

  • default discord avatar
    Exo
    last month

    mhmm i still feel that 0 preferences is odd, if we can rule out the cookie



    but I think the best approach at this point is to log the requests

  • default discord avatar
    Jakey
    last month
    Response Headers:
    HTTP/1.1 401 Unauthorized
    Server: nginx
    Date: Tue, 18 Apr 2023 17:44:12 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 84
    Connection: keep-alive
    X-Powered-By: Express
    X-RateLimit-Limit: 500
    X-RateLimit-Remaining: 494
    X-RateLimit-Reset: 1681839934
    Content-Language: en
    Vary: X-HTTP-Method-Override, Accept-Encoding
    Access-Control-Allow-Methods: PUT, PATCH, POST, GET, DELETE, OPTIONS
    Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, Content-Encoding, x-apollo-tracing
    ETag: W/"54-VwIDOKGPAda99KAJF2yRyy4FL7I"
    
    Request Headers:
    POST /api/_preferences/locale HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en
    Cache-Control: no-cache
    Connection: keep-alive
    Content-Length: 14
    Content-Type: application/json
    Cookie: payload-token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6Iml0LXJlZ2lzdHJhdGlvbnMrYWNhZGVteS1xYUBwYXJhZG93c2tpLmNvbSIsImlkIjoiNjQzZWNhZjgxMGQxMmRjZGEwM2Q5YWRjIiwiY29sbGVjdGlvbiI6InVzZXJzIiwiaWF0IjoxNjgxODM5ODUyLCJleHAiOjE2ODE4NDcwNTJ9.3qwWjaX_xCTopAx1sRa33sFfBrzVYAgOzz6GWLrxq40
    Host: <redacted>
    Origin: https://<redacted>
    Pragma: no-cache
    Referer: https://<redacted>/admin
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="112", "Google Chrome";v="112", "Not:A-Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"


    here's an example of a 401'ing request i'm getting

  • default discord avatar
    Exo
    last month

    and you already dropped users/_preferences collections?

  • default discord avatar
    Jakey
    last month

    i dropped the whole collection multiple times to replicate a fresh install

  • default discord avatar
    notchris
    last month

    i've never seen an email with a + symbol before 😮



    which is an alias i guess

  • default discord avatar
    Jakey
    last month

    oh, it's a little gmail trick. it ignores the stuff after the +

  • default discord avatar
    notchris
    last month

    no way that's related right?

  • default discord avatar
    Exo
    last month

    could you try dropping preferences and users again? Just to make sure it is no payload validation conflict here

  • default discord avatar
    Jakey
    last month

    sure

  • default discord avatar
    Exo
    last month

    the email-field comes with its own validation afaik

  • default discord avatar
    Jakey
    last month

    do i have the naming wrong btw... a document has collections?

  • default discord avatar
    Exo
    last month

    oh and then create first user with a simpler mail 😄

  • default discord avatar
    Jakey
    last month

    sure 🙂

  • default discord avatar
    Exo
    last month

    yeah, a collection has documents 😉 but nobody is judging

  • default discord avatar
    Jakey
    last month

    preferences and users dropped...



    new user created (just my normal work email). preferences doesn't seem to be repopulating

  • default discord avatar
    Exo
    last month

    can u change the payload admin locale or switch to dark mode for the new user?

  • default discord avatar
    Jakey
    last month

    i can read the user, but can't change preferences



    unable to switch to dark mode

  • default discord avatar
    notchris
    last month

    interesting



    what's your user collection look like?

  • default discord avatar
    Exo
    last month

    well at least we narrowed the problem then 🙂

  • default discord avatar
    Jakey
    last month
    import { CollectionConfig } from 'payload/types'
    const Users: CollectionConfig = {
        slug: 'users',
        auth: true,
        admin: {
            useAsTitle: 'email',
        },
        access: {
            // Anyone can read users
            read: () => true,
        },
        fields: [
            {
                name: 'name',
                type: 'text',
            },
        ],
    }
    export default Users
  • default discord avatar
    Exo
    last month

    are there any afterCreate or afterLogin or beforeOperation hooks?

  • default discord avatar
    notchris
    last month

    is create and delete true by default?



    can you set all operation types and then try



    (and update)

  • default discord avatar
    Jakey
    last month
    import { CollectionConfig } from 'payload/types';
    
    const Users: CollectionConfig = {
      slug: 'users',
      auth: true,
      admin: {
        useAsTitle: 'email',
      },
      access: {
        read: () => true,
      },
      fields: [
        // Email added by default
        {
          name: 'name',
          type: 'text',
        }
      ],
    };
    
    export default Users;

    this is what is in my fresh install

  • default discord avatar
    notchris
    last month

    and Users.slug is in your admin settings in payload config?

  • default discord avatar
    Jakey
    last month

    yeppers

  • default discord avatar
    notchris
    last month

    @Exo what is going on lol

  • default discord avatar
    Exo
    last month

    I wonder why you include the mockObject in the webpack conf 🤔



    other than that it looks fairly simple/normal

  • default discord avatar
    Jakey
    last month

    i ported that stuff to the fresh install and it works fine there

  • default discord avatar
    notchris
    last month

    I'd take it out if you're not using it

  • default discord avatar
    Jakey
    last month

    it fixes a build problem with the cloud plugin

  • default discord avatar
    Exo
    last month

    did you run generate-types and have that in your tsconfig?

  • default discord avatar
    Jakey
    last month

    i don't think i did



    will do

  • default discord avatar
    Exo
    last month

    I have a feeling that Users.slug is not working well since the payload update for better ts support, I find myself having to change it a bit for the compiler to be happy, that's seeming odd to me

  • default discord avatar
    Jakey
    last month

    generating doesn't seem to have affected anything

  • default discord avatar
    notchris
    last month

    What if you



    remove your serverUrl



    leave it null

  • default discord avatar
    Jakey
    last month

    aight



    [18:14:51] ERROR (payload): 1: "serverURL" must be a string
  • default discord avatar
    notchris
    last month

    or just not set it



    like remove the prop



    leave csrf though

  • default discord avatar
    Jakey
    last month

    ok

  • default discord avatar
    Exo
    last month

    do you have access to the mongo logs? I think it fails to create the preferences when it needs to

  • default discord avatar
    Jakey
    last month

    hm, i think so

  • default discord avatar
    Exo
    last month

    I'll have to grab some dinner, gonna check back on this later if it is not resolved then 🙂

  • default discord avatar
    Jakey
    last month

    i really appreciate your guys' help on this 🙇‍♂️

  • default discord avatar
    notchris
    last month

    Hey no problem! We'll get to the bottom of this



    😄

  • default discord avatar
    Jakey
    last month

    here's what i could get from the DO logs for the mongo db server:

    client metadata
    Authentication failed
    No SSL certificate provided by peer
    Connection accepted
    client metadata
    No SSL certificate provided by peer
    client metadata
    No SSL certificate provided by peer
    Connection accepted
    Connection accepted
    Connection ended
    Connection ended
    Connection ended
    Connection ended
    Interrupted operation as its client disconnected
    Connection ended
    Interrupted operation as its client disconnected
    Connection ended
    Connection ended
    Connection ended
    Interrupted operation as its client disconnected
    Authentication succeeded
    Authentication succeeded
    Authentication succeeded
    client metadata
    Authentication failed
    client metadata
    Authentication failed
    Authentication failed
    client metadata
    No SSL certificate provided by peer
    No SSL certificate provided by peer
    No SSL certificate provided by peer
    client metadata
    Connection accepted
    Connection accepted
    Connection accepted
    client metadata
    client metadata
    client metadata
    client metadata
    client metadata
    No SSL certificate provided by peer
    No SSL certificate provided by peer
    No SSL certificate provided by peer
    No SSL certificate provided by peer
    No SSL certificate provided by peer
    No SSL certificate provided by peer
    Connection accepted
    Connection accepted
    Connection accepted
    Connection accepted
    Connection accepted
    Connection accepted


    i've no context for if this is normal or not



    if it helps, I'm also using DO's mongoDB cluster feature for this



    though if it works for the fresh install... seems the code has to be the differing point



    i'm half tempted to just reset this repo from scratch to just use the fresh install and slowly add from there lol

  • default discord avatar
    Exo
    last month

    well this is really frustrating



    I am sorry, I won't pretend to be helpful if I can't do anything more. I feel like I know where the error is coming from, but for me it is unclear how to finally fix it. You tried anything I would try and anything beyond this point from my side would be guessing in the dark :/

  • Jakey
    last month

    oh it's alright. I ended up just starting fresh and slowly adding the changes back in. I'm hoping it'll be obvious here soon

  • Exo
    last month

    I hope they don't mind the tag, but maybe @jmikrut, @denolfe or @daN can help you with this.


    As this thread is almost 230 messages long let me give them a summary:



    It seems that no _preferences for the auth enabled session is created. All requests result in 401, csrf and token are looking good, user and preference table were dropped multiple times, mongo logs seem normal. There was a related issue in github which was resolved long ago (payload 1.2)



    Jakey is using current payload version with a fairly standard config.



    Sorry to bother you, but this thread is getting hard to follow and I am all out of ideas :/

  • jmikrut
    Payload Team
    last month

    woah



    ok



    let me review a bit

  • Jakey
    last month

    huh... yeah it works now that I've started from a fresh installation and added my stuff in piece by piece...



    wtf, lol



    sure enough, the _preferences collection is populated... and everything seems to be working fine.. I'm not sure what might've happened in this process that kicked it into doing that. Def still welcome any thoughts

  • jmikrut
    Payload Team
    last month

    wat



    haha



    hmmmm

  • Jakey
    last month

    one theory.... maybe the fresh install works fine and a plugin introduced breaks the initial _preferences collection setup



    doesn't appear to be the case... i dropped the document and remade the initial user... no 401's still



    ok, I think I see the issue



    or at least it seems to make sense.



    I had run into issues getting environment variables working in payload.config.ts



    so the work-around I went with was to create separate payload.configs.ts's for each environment (I pulled in and merged over the differences i needed from the default)



    then i added npm scripts to handle the qa/prod versions of those configs



    so i was building for QA for instance, but serving using the default config



    and i suspect that caused some sort of mismatch in the final build



    testing that theory now...

  • jmikrut
    Payload Team
    last month

    ahhhh yes that'd do it



    well



    i showed up late



    haha

  • Jakey
    last month

    lol, still appreciated! That's actually probably the better question though



    how should i be handling environment variables in payload.config.ts. it seems like in some spots it's fine but for the cors property it bugs out because it's also used on the payload client

  • jmikrut
    Payload Team
    last month

    generally we just use dotenv


    and make sure to call it in the payload config itself if you use variables within the config



    it's ok to call it twice (once in your server, once in your config)

  • Jakey
    last month

    I did try doing that and it caused a build error... but I cannot recall what it was.. I'll have to check try again when my brain recovers lol



    I'll start up another post for that if i run into it again



    thanks for helping me out @notchris @Exo @Radish Kitten @jmikrut !

  • notchris
    last month

    Anytime!

  • utopico
    2 weeks ago

    Did anybody find a way to solve this issue?



    Got a customer that is not able to edit the content anymore and i really don't know where to look



    I read all the thread and tried some fresh installs that worked the first time but then stopped working

  • Jakey
    2 weeks ago

    Start up another thread and describe your current situation. Feel free to tag me in it. @utopico
