payloadcms / payload

Payload is the open-source, fullstack Next.js framework, giving you instant backend superpowers. Get a full TypeScript backend and admin panel instantly. Use Payload as a headless CMS or for building powerful applications.
https://payloadcms.com
MIT License

Not found is being displayed within the admin panel styling for non authenticated users #8716

Open karlapsite opened 1 day ago

karlapsite commented 1 day ago

Link to reproduction

https://github.com/karlapsite/payload/tree/fix/create-user-redirection-issue-reproduction


Environment Info

Should be latest n' greatest:

Payload: v3.0.0-beta.114
Node.js: 22.6.0
Next.js: 15.0.0-canary.17

Describe the Bug

I'm playing around with the blank and website templates with a coworker. We're a little confused why navigating in browser to /admin/foobar doesn't forward us to /admin/create-first-user like it does in other cases... I haven't created my first account yet... it seems a little weird to be able to peek at the public collections (or render any semblance of the admin portal at all yet) Clicking on anything does redirect me to /admin/create-first-user

Is this intentional behavior?

If we don't want users to peek at the unauthed admin page... is there an easy way to modify the admin not-found template to redirect us somehow? Or is there a cleaner place to catch/forward this case?

A similar issue seems to exist after the first account has been created... my expectation was to see the admin portal redirect the user to the login component and prevent them from seeing the admin portal/sidebar.

To my knowledge this isn't a security issue, as the user can only see the names of collections that are public read. Authorized collections won't appear in the sidebar... So this is only disorienting at best

Reproduction Steps

  1. Comment out the devUser in the _community template.
  2. Before creating an account, or logging in:
  3. Navigate to /admin/foobar (screenshot attached)

Adapters and Plugins

No response

karlapsite commented 16 hours ago

@paulpopus I did end up fiddling with the order of operations in packages/next/src/views/Root/index.tsx which you can see here

  1. I wasn't sure if this was something that made sense to open a PR for.
  2. I didn't have much success running the e2e tests to completion... they appeared to hang.
  3. I'm not sure how to log out in the local _community dev instance... something seems to forward the user through the login experience there, and I'm fairly certain there's a related issue there.

akhrarovsaid commented 16 hours ago

Hey @karlapsite,

So I actually reproduced your issue using the _community folder in the monorepo. You can avoid the default login by commenting out these lines. I don't believe there's an issue there as this is done for a smoother dev experience while working with the test folders.

karlapsite commented 15 hours ago

Thanks for the tip @akhrarovsaid! The specific issue with the dev credentials in my third point is a little nitty-gritty.

I didn't have too much trouble commenting out the devUser to play around with the /create-first-user flow... but once I made my devUser... I wanted to make sure that payload would properly redirect users to the login page... and there was some trouble there.

When using default credentials, I couldn't log out. Manually navigating to /admin/logout indicated in a toast that I did log out, but I suspect something in the _community folder auto-logs in the devUser if those specific dev credentials are present. I worked around this by removing the devUser account and manually creating an account with different credentials. That seems to let me play around with login/logout just fine...

When navigating to /admin/foobar when there is a dev account but the user just isn't logged in... the same issue is present.

After some playing around, it would seem a change like the one I tinkered with could address both sides of this issue.

Separately, my change appears to have awoken some sort of login redirection feature, but it does not appear to work as expected... which might be out-of-scope. I'm unsure if that should be addressed here and now, or if that would be a good candidate for a follow-up issue.

akhrarovsaid commented 15 hours ago

Hey @karlapsite,

Actually you're correct - the test folder has helper functions that trigger auto-login. Have a look below at the root of this functionality, which seems to originate from buildConfigWithDefaults present in all the config.ts files in the test folder.

  - Auto login predicate in buildConfigWithDefaults
  - Login function helper
  - Default credentials

I hope this may help you with your proposed changes and tests. Cheers!

paulpopus commented 11 hours ago

Hey all, thanks for all the investigations here. I wouldn't touch the default login and such. The issue here is actually just that the notFound page is visible within the layout of the admin panel if you are not authenticated. It's not isolated to the create-first-user flow, so I updated the title.

karlapsite commented 10 hours ago

Yep... not trying to change default login... it just gave me a little trouble when debugging both cases.

I'm still curious if reordering redirection and notFound would address the issue.