Hey Payload team,
I'm currently hosting my payload server on a Google Cloud Run instance, I am using Firebase hosting to point a custom domain to the end point, upon logging in with an admin account I get the error "Unauthorized, you must be logged in to make this request. You are not allowed to access this page".
When I use the direct url for the endpoint provided from Google Cloud Run with the same payload admin account it works.
@allanc
My investigation so far... does the serverURL need to be the exact domain and not a hosted url? docs found here https://payloadcms.com/docs/configuration/overview#using-environment-variables-in-your-config
@jmikrut hey sorry for the tag, just needed some help here since the thread's going stale 🙂
yes, the serverURL needs to be the actual URL (with https) that you access the Payload admin with
you should also be able to leave it undefined if you don't know the serverURL - BUT if you do leave it undefined, then you need to whitelist the domains you'll be using in the csrf property of the Payload config
because we only accept auth cookies from either serverURL or explicitly whitelisted domains in csrf array
for security reasons
cc: @allanc
thank you and appreciate you getting to this question
Thanks @jmikrut, that helped me out also.
of course! 💸
@jmikrut hey adding in the serverURL didn't work, do we have to add it both to serverURL and the csrf
@MRL did it work for you?
All I had to do was add the serverURL in and make sure that matches the URL where you are hosting the application.
do you know if it supports the subdomain
or the actual base domain @MRL
It supports subdomains. So if your url is https://cms.mywebsite.com then that is what you need to enter into the serverURL
ah thank you @MRL it still doesn't work for us - maybe it might be something to do with firebase hosting a cloud run instance
Do you have the url set in the .env files?
yep - set in the .env files on cloud run
I'm not super clued up on Firebase hosting but if you can access the logs when it is building, you should be able to see where the serverUrl is pointing to. Or you can check the browser console to see where the API calls are being made to
sweet, for now I just redirected it to the main url on the firebase hosting
so at least it's friendly to remember
that works for now
@MRL thanks
All good 🙂