payloadcms / payload

Payload is the open-source, fullstack Next.js framework, giving you instant backend superpowers. Get a full TypeScript backend and admin panel instantly. Use Payload as a headless CMS or for building powerful applications.
https://payloadcms.com
MIT License
24.94k stars 1.59k forks

Admin User Verification returns 404 #8470

Closed amifsud02 closed 3 weeks ago

amifsud02 commented 1 month ago

Link to reproduction

No response

Environment Info

Binaries:
  Node: 20.12.1
  npm: 10.8.2
  Yarn: 1.22.22
  pnpm: 8.15.4
Relevant Packages:
  payload: 3.0.0-beta.109
  next: 15.0.0-canary.160
  @payloadcms/db-mongodb: 3.0.0-beta.109
  @payloadcms/email-nodemailer: 3.0.0-beta.109
  @payloadcms/email-resend: 3.0.0-beta.109
  @payloadcms/graphql: 3.0.0-beta.109
  @payloadcms/live-preview: 3.0.0-beta.109
  @payloadcms/live-preview-react: 3.0.0-beta.109
  @payloadcms/next/utilities: 3.0.0-beta.109
  @payloadcms/plugin-cloud: 3.0.0-beta.109
  @payloadcms/plugin-cloud-storage: 3.0.0-beta.109
  @payloadcms/plugin-form-builder: 3.0.0-beta.109
  @payloadcms/plugin-nested-docs: 3.0.0-beta.109
  @payloadcms/plugin-redirects: 3.0.0-beta.109
  @payloadcms/plugin-seo: 3.0.0-beta.109
  @payloadcms/richtext-lexical: 3.0.0-beta.109
  @payloadcms/storage-s3: 3.0.0-beta.109
  @payloadcms/translations: 3.0.0-beta.109
  @payloadcms/ui/shared: 3.0.0-beta.109
  react: 19.0.0-rc-5dcb0097-20240918
  react-dom: 19.0.0-rc-5dcb0097-20240918
Operating System:
  Platform: darwin
  Arch: arm64
  Version: Darwin Kernel Version 23.5.0: Wed May  1 20:16:51 PDT 2024; root:xnu-10063.121.3~5/RELEASE_ARM64_T8103
  Available memory (MB): 8192
  Available CPU cores: 8

Describe the Bug

Admin User Verification link returns 404

GET /admin/users/verify/12714662902e10caa79959550b8cdee31d3a0483 404 in 503ms

Admins are not able to verify their account. Cannot log in unless I manually update the verify field in the database or else the admin resets their password.

Reproduction Steps

Email Verification Error (404):

When an admin account is created, a verification email is sent successfully. Upon clicking the verification link, the link leads to a 404 page, suggesting a routing or URL mismatch issue, despite the user record being present.

Password Reset Bypass:

After the password is reset, the user gains access to the platform, bypassing the email verification step.

Development Steps Leading to the Issue

Clone Website Template

Auth is set to true by default.

Tweaked the Auth Config to this:

auth: {
    tokenExpiration: 7 * 60 * 60 * 24, // 7 days
    cookies: {
      sameSite:
        process.env.NODE_ENV === 'production' && !process.env.DISABLE_SECURE_COOKIE
          ? 'None'
          : undefined,

      secure:
        process.env.NODE_ENV === 'production' && !process.env.DISABLE_SECURE_COOKIE
          ? true
          : undefined,

      domain: process.env.COOKIE_DOMAIN,
    },
    forgotPassword: {
      generateEmailSubject: ({ req, user }: GenerateEmailSubjectParams) => {
        return `Reset your password for ${user?.name}`
      },
      generateEmailHTML: async ({ req, token, user }: GenerateEmailHTMLParams) => {
        return render(ResetPasswordEmail({ token }), { pretty: true })
      },
    },
  },

Verify Flag Added:

I added verify: true and verification emails were being sent.

Example Below:

A new account has just been created for you to access Please click on the following link or paste the URL below into your browser to verify your email: http://localhost:3000/admin/users/verify/0a0f611226ddf3e0d10947d3e4d62144f09b529a
After verifying your email, you will be able to log in successfully.

Final User Config:


import type { CollectionConfig, PayloadRequest } from 'payload'
import { authenticated } from '../../access/authenticated'
import ResetPasswordEmail from '@/templates/emails/reset-password';
import { render } from '@react-email/components';
import { User } from '@/payload-types';

interface GenerateEmailHTMLParams {
  req: PayloadRequest;
  token: string;
  user: User;
}

interface GenerateEmailSubjectParams {
  req: PayloadRequest,
  user: User
}

const Users: CollectionConfig = {
  slug: 'users',
  access: {
    admin: authenticated,
    create: authenticated,
    delete: authenticated,
    read: authenticated,
    update: authenticated,
  },
  admin: {
    defaultColumns: ['name', 'email'],
    useAsTitle: 'name',
  },
  auth: {
    tokenExpiration: 7 * 60 * 60 * 24, // 7 days
    cookies: {
      sameSite:
        process.env.NODE_ENV === 'production' && !process.env.DISABLE_SECURE_COOKIE
          ? 'None'
          : undefined,

      secure:
        process.env.NODE_ENV === 'production' && !process.env.DISABLE_SECURE_COOKIE
          ? true
          : undefined,

      domain: process.env.COOKIE_DOMAIN,
    },
    forgotPassword: {
      generateEmailSubject: ({ req, user }: GenerateEmailSubjectParams) => {
        return `Reset your password for ${user?.name}`
      },
      generateEmailHTML: async ({ req, token, user }: GenerateEmailHTMLParams) => {
        return render(ResetPasswordEmail({ token }), { pretty: true })
      },
    },
    verify: true,
  },
  fields: [
    {
      name: 'name',
      type: 'text',
    },
    {
      name: 'roles',
      type: 'select',
      hasMany: true,
      defaultValue: ['admin'],
      required: true,
      options: ['admin', 'public'],
    },
  ],

  timestamps: true,
}

export default Users

I have tried this both on Development and in Production. Same issue occurs on both.

Adapters and Plugins

db-mongodb
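Added example (not part of the issue and not Payload's code): a small log check for the symptom reported above, which finds verification-link requests in request-log lines of the form quoted in the issue, reports collections where every attempt returned 404, and redacts the one-time token before anything is reported. The `/admin` prefix is taken from the issue's links; the sample log, its tokens and the `customers` collection are constructed for illustration.

```typescript
// Added example, not Payload code. Line format copied from the issue:
//   "GET /admin/users/verify/<token> 404 in 503ms"
interface VerifyHit { collection: string; status: number; path: string }

const LINE_RE = /^(GET|POST|PUT|PATCH|DELETE)\s+(\S+)\s+(\d{3})\s+in\s+\d+ms$/
// Assumption: the default "/admin" route prefix seen in the issue's links.
const VERIFY_RE = /^\/admin\/([^\/]+)\/verify\/([^\/?#]+)/

// Strip the one-time token so it never reaches alerts, tickets or dashboards.
function redact(path: string): string {
  return path.replace(VERIFY_RE, '/admin/$1/verify/[REDACTED]')
}

// Every logged request to a verification link, with the token removed.
function verifyHits(log: string): VerifyHit[] {
  const hits: VerifyHit[] = []
  for (const raw of log.split('\n')) {
    const line = LINE_RE.exec(raw.trim())
    if (!line) continue
    const route = VERIFY_RE.exec(line[2])
    if (!route) continue
    hits.push({ collection: route[1], status: Number(line[3]), path: redact(line[2]) })
  }
  return hits
}

// Collection slugs for which every logged verification attempt returned 404.
function brokenCollections(log: string): string[] {
  const seen: { [slug: string]: { total: number; notFound: number } } = {}
  for (const hit of verifyHits(log)) {
    const s = seen[hit.collection] || (seen[hit.collection] = { total: 0, notFound: 0 })
    s.total += 1
    if (hit.status === 404) s.notFound += 1
  }
  return Object.keys(seen).filter((slug) => seen[slug].notFound === seen[slug].total).sort()
}

// Constructed sample log: tokens are made up, "customers" is a hypothetical collection.
const SAMPLE_LOG = [
  ' GET /admin/login 200 in 41ms',
  ' GET /admin/users/verify/0123456789abcdef0123456789abcdef01234567 404 in 503ms',
  ' GET /admin/users/verify/89abcdef0123456789abcdef0123456789abcdef 404 in 212ms',
  ' GET /admin/customers/verify/fedcba9876543210fedcba9876543210fedcba98 200 in 97ms',
  ' POST /api/users/forgot-password 200 in 130ms',
].join('\n')

console.log(brokenCollections(SAMPLE_LOG), verifyHits(SAMPLE_LOG))
```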

github-actions[bot] commented 3 weeks ago

🚀 This is included in version v3.0.0-beta.112

github-actions[bot] commented 3 weeks ago

This issue has been automatically locked. Please open a new issue if this issue persists with any additional detail.