DemoDocsFor EnterpriseCase StudiesCommunityBlog
Like what we’re doing? Star us on GitHub!
Community Help

Getting req.user as null after logging in via GraphQL from client.

itzaks
2 months ago
1 3

Bug Report

I'm currently logging in on a collection using graphql. Right now the collection setup looks like this.

  auth: true, // Auth is enabled,

  access: {
    read: () => true,
    create: () => true
  },

I'm using an Authorization header on the graphql requests that looks like

{"Authorization": "JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpb(...)"}

Using the token that I got back from logging in via graphql.

When testing it in the graphql playground I'm getting null response on token and user. It seems like req.user is null when I debug the me-operation. Any ideas what I'm doing wrong?

{
  "data": {
    "mePublicUser": {
      "token": null,
      "user": null
    }
  }
}
  • jmikrut
    Payload Team
    2 months ago

    HEy @itzaks

    Couple clarifying things for ya quick:

    I believe you should only need to specify credentials: 'include' on fetches if you are relying on Payload's HTTP-only cookie to authenticate.

    But if you are specifying the Authorization header directly, that will override the HTTP cookie. So it seems to me like you might be trying to do both here.

    Anyway, that's just background info.

    I just tried to recreate your issue on the Payload demo (https://demo.payloadcms.com/api/graphql-playground) but I can't. I even used Postman to run a meUser directly from the demo's GraphQL endpoint.

    I expect something else is amiss here, and it's just a small issue with your setup. If you can create a minimally reproducible repo, I am happy to help diagnose further! Let's keep the convo going in a discussion.

    4 replies
  • itzaks
    2 months ago

    Thanks for clarifying @jmikrut! Makes sense.

    When digging down into a bare minimum reproduction, I found that the cause of this issue is another Collection that has a different, custom, authentication strategy.

    These following lines are responsible for setting up the auth strategy for my separate ClientUser collection.

      auth: {
    disableLocalStrategy: true,
    strategies: [{
      strategy: (ctx) =>
        new MagicLoginStrategy(ctx, 'client-user', process.env.MAGIC_LINK_SECRET),
      name: 'magicLogin'
    }]
  },

    If I change it to simply auth: true, my me-queries resolve as usual. Any ideas on what I'm doing wrong here?

  • jmikrut
    Payload Team
    2 months ago

    Honestly it’s probably that auth strategy. Not knowing the specifics, I bet that it hijacks requests and redirects you somewhere if you are not logged in - therefore not allowing our built in auth strategies to run.

    One thing I would say is that most auth strategies are not built to authenticate API routes AND UI routes. Probably the cause of why your strategy isn’t working.

  • itzaks
    2 months ago

    Sounds fair. I wrote the strategy myself so it's probably something to look through then. But I'm curious as to why it affects a collection it shouldn't even be used on?

  • itzaks
    2 months ago

    I marked it as answered now :-) however I think there is something going on with using multiple auth strategies that could be worth looking in to.

  • itzaks
    2 months ago

    After some digging I thought it had to do with the response cookie not being set from the server, since I hadn't configured credentials: 'include' on my cors-graphql request, and then I configured the auth to look like this:

      auth: {
    cookies: {
      secure: true,
      sameSite: 'none'
    }
  },

    I now see the cookie payload-token in my response cookies, but still I'm getting null in the me-queries. What am I missing here?

  • jacobsfletch
    Payload Team
    last month

    Related: #1902

Open the post
Continue the discussion in GitHub
Can't find what you're looking for?
Get help straight from the Payload team with an Enterprise License.Learn More