Simplify your stack and build anything. Or everything.

USE CASES

Headless CMS Enterprise App Builder Headless E-Commerce Digital Asset Management

FEATURES

Multi-Tenancy White Label Localization Access Control Auth

CASE STUDIES

See what others are building with Payload.

Browse Case Studies

Build tomorrow’s web with a modern solution you truly own.

PAYLOAD IS FOR

Developers Marketing teams Enterprise companies Agencies & Consultancies

COMPARE PAYLOAD

Payload vs WordPress Payload vs Contentful Payload vs Sanity Payload vs Strapi Payload vs Directus

AGENCY TESTIMONIAL

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Become a Partner Find a Partner

Code-based nature means you can build on top of it to power anything.

Resources

Documentation Examples Templates GitHub Releases Blog Guides & Tutorials

Community

Roadmap Discord Community Help

Payload Cloud

Deploy your entire stack in one place with Payload Cloud.

Cloud Pricing

It’s time to take back your content infrastructure.

Schedule a Demo

Enterprise Features

SSO AI Auto-Embedding Publishing Workflows Visual Editor Static A/B testing AI features

Customer Stories

Microsoft ASICS Blue Origin Hello Bello Tekton

Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case study Browse all

Community Help

Getting req.user as null after logging in via GraphQL from client.

itzaks2 years ago

1 3

Bug Report

I'm currently logging in on a collection using graphql. Right now the collection setup looks like this.

  auth: true, // Auth is enabled,

  access: {
    read: () => true,
    create: () => true
  },

I'm using an Authorization header on the graphql requests that looks like

{"Authorization": "JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpb(...)"}

Using the token that I got back from logging in via graphql.

When testing it in the graphql playground I'm getting null response on token and user. It seems like req.user is null when I debug the me-operation. Any ideas what I'm doing wrong?

{
  "data": {
    "mePublicUser": {
      "token": null,
      "user": null
    }
  }
}

Selected Answer
jmikrut
2 years ago
HEy @itzaks —

Couple clarifying things for ya quick:

I believe you should only need to specify credentials: 'include' on fetches if you are relying on Payload's HTTP-only cookie to authenticate.

But if you are specifying the Authorization header directly, that will override the HTTP cookie. So it seems to me like you might be trying to do both here.

Anyway, that's just background info.

I just tried to recreate your issue on the Payload demo (https://demo.payloadcms.com/api/graphql-playground) but I can't. I even used Postman to run a meUser directly from the demo's GraphQL endpoint.

I expect something else is amiss here, and it's just a small issue with your setup. If you can create a minimally reproducible repo, I am happy to help diagnose further! Let's keep the convo going in a discussion.
4 replies
itzaks2 years ago
Thanks for clarifying @jmikrut! Makes sense.

When digging down into a bare minimum reproduction, I found that the cause of this issue is another Collection that has a different, custom, authentication strategy.

These following lines are responsible for setting up the auth strategy for my separate ClientUser collection.
```
  auth: {
    disableLocalStrategy: true,
    strategies: [{
      strategy: (ctx) =>
        new MagicLoginStrategy(ctx, 'client-user', process.env.MAGIC_LINK_SECRET),
      name: 'magicLogin'
    }]
  },
```
If I change it to simply auth: true, my me-queries resolve as usual. Any ideas on what I'm doing wrong here?
jmikrut
2 years ago
Honestly it’s probably that auth strategy. Not knowing the specifics, I bet that it hijacks requests and redirects you somewhere if you are not logged in - therefore not allowing our built in auth strategies to run.

One thing I would say is that most auth strategies are not built to authenticate API routes AND UI routes. Probably the cause of why your strategy isn’t working.
itzaks2 years ago
Sounds fair. I wrote the strategy myself so it's probably something to look through then. But I'm curious as to why it affects a collection it shouldn't even be used on?
itzaks2 years ago
I marked it as answered now :-) however I think there is something going on with using multiple auth strategies that could be worth looking in to.
itzaks2 years ago
After some digging I thought it had to do with the response cookie not being set from the server, since I hadn't configured credentials: 'include' on my cors-graphql request, and then I configured the auth to look like this:
```
  auth: {
    cookies: {
      secure: true,
      sameSite: 'none'
    }
  },
```
I now see the cookie payload-token in my response cookies, but still I'm getting null in the me-queries. What am I missing here?
jacobsfletch
2 years ago
Related: #1902