feat: Add support for other auth strategies

- Merge auth options of collection
- Set default value for id field
- Adjust the logout endpoint to handle local strategy
- Bypass password check for local strategy in PayloadAdapter

Author: CrawlerCode

packages/dev/src/payload-types.ts

@@ -154,6 +154,16 @@ export interface User {
     | null;
   updatedAt: string;
   createdAt: string;
+  enableAPIKey?: boolean | null;
+  apiKey?: string | null;
+  apiKeyIndex?: string | null;
+  resetPasswordToken?: string | null;
+  resetPasswordExpiration?: string | null;
+  salt?: string | null;
+  hash?: string | null;
+  loginAttempts?: number | null;
+  lockUntil?: string | null;
+  password?: string | null;
 }
 /**
  * This interface was referenced by `Config`'s JSON-Schema
@@ -266,6 +276,15 @@ export interface UsersSelect<T extends boolean = true> {
       };
   updatedAt?: T;
   createdAt?: T;
+  enableAPIKey?: T;
+  apiKey?: T;
+  apiKeyIndex?: T;
+  resetPasswordToken?: T;
+  resetPasswordExpiration?: T;
+  salt?: T;
+  hash?: T;
+  loginAttempts?: T;
+  lockUntil?: T;
 }
 /**
  * This interface was referenced by `Config`'s JSON-Schema

packages/dev/src/payload/collections/users.ts

@@ -11,6 +11,12 @@ const Users: CollectionConfig = {
       return user?.roles?.includes("admin") ?? false;
     }, */
   },
+  auth: {
+    useAPIKey: true,
+  },
+  custom: {
+    enableLocalStrategy: true,
+  },
   fields: [
     {
       name: "name",

packages/payload-authjs/src/authjs/PayloadAdapter.ts

@@ -1,11 +1,18 @@
+import crypto from "crypto";
 import type {
   Adapter,
   AdapterAccount,
   AdapterSession,
   AdapterUser,
   VerificationToken as AdapterVerificationToken,
 } from "next-auth/adapters";
-import { type CollectionSlug, getPayload, type Payload, type SanitizedConfig } from "payload";
+import {
+  type CollectionSlug,
+  getPayload,
+  type Payload,
+  type RequiredDataFromCollectionSlug,
+  type SanitizedConfig,
+} from "payload";
 import type { Account, Session, User, VerificationToken } from "./types";
 import { transformObject } from "./utils/transformObject";
 
@@ -57,12 +64,25 @@ export function PayloadAdapter({
     async createUser(user) {
       (await logger).debug({ userId: user.id, user }, `Creating user '${user.id}'`);
 
-      const payloadUser = (await (
-        await payload
-      ).create({
-        collection: userCollectionSlug,
-        data: user,
-      })) as User;
+      let payloadUser: User;
+      if (
+        (await payload).collections[userCollectionSlug]?.config.custom.enableLocalStrategy ===
+          true &&
+        !(user as User).password
+      ) {
+        // If the local strategy is enabled and the user does not have a password, bypass the password check
+        payloadUser = (await createUserAndBypassPasswordCheck(payload, {
+          collection: userCollectionSlug,
+          data: user,
+        })) as User;
+      } else {
+        payloadUser = (await (
+          await payload
+        ).create({
+          collection: userCollectionSlug,
+          data: user,
+        })) as User;
+      }
 
       return toAdapterUser(payloadUser);
     },
@@ -380,16 +400,29 @@ export function PayloadAdapter({
       ).docs.at(0) as User | undefined;
 
       if (!payloadUser) {
-        payloadUser = (await (
-          await payload
-        ).create({
-          collection: userCollectionSlug,
-          data: {
-            id: crypto.randomUUID(),
-            email,
-            verificationTokens: [token],
-          },
-        })) as User;
+        const user = {
+          id: crypto.randomUUID(),
+          email,
+          verificationTokens: [token],
+        };
+
+        if (
+          (await payload).collections[userCollectionSlug]?.config.custom.enableLocalStrategy ===
+          true
+        ) {
+          // If the local strategy is enabled, bypass the password check
+          payloadUser = (await createUserAndBypassPasswordCheck(payload, {
+            collection: userCollectionSlug,
+            data: user,
+          })) as User;
+        } else {
+          payloadUser = (await (
+            await payload
+          ).create({
+            collection: userCollectionSlug,
+            data: user,
+          })) as User;
+        }
       } else {
         payloadUser = (await (
           await payload
@@ -477,3 +510,46 @@ function toAdapterVerificationToken(
     ...transformObject<VerificationToken, Omit<AdapterVerificationToken, "identifier">>(token),
   };
 }
+
+/**
+ * Create a user and bypass the password check
+ * This is because payload requires a password to be set when creating a user
+ *
+ * @see https://github.com/payloadcms/payload/blob/main/packages/payload/src/collections/operations/create.ts#L254
+ * @see https://github.com/payloadcms/payload/blob/main/packages/payload/src/auth/strategies/local/generatePasswordSaltHash.ts
+ */
+const createUserAndBypassPasswordCheck = async (
+  payload: Payload | Promise<Payload>,
+  {
+    collection,
+    data,
+  }: {
+    collection: CollectionSlug;
+    data: RequiredDataFromCollectionSlug<CollectionSlug>;
+  },
+) => {
+  // Generate a random password
+  data.password = crypto.randomBytes(32).toString("hex");
+
+  // Create the user
+  const user = await (
+    await payload
+  ).create({
+    collection,
+    data,
+  });
+
+  // Remove the salt and hash after the user was created
+  await (
+    await payload
+  ).update({
+    collection,
+    id: user.id,
+    data: {
+      salt: null,
+      hash: null,
+    },
+  });
+
+  return user;
+};

packages/payload-authjs/src/payload/AuthjsAuthStrategy.ts

@@ -5,6 +5,8 @@ import type { AuthjsPluginConfig } from "./plugin";
 import { getAllVirtualFields } from "./utils/getAllVirtualFields";
 import { getUserAttributes } from "./utils/getUserAttributes";
 
+export const AUTHJS_STRATEGY_NAME = "Auth.js";
+
 /**
  * Auth.js Authentication Strategy for Payload CMS
  * @see https://payloadcms.com/docs/authentication/custom-strategies
@@ -17,7 +19,7 @@ export function AuthjsAuthStrategy(
   const virtualFields = getAllVirtualFields(collection.fields);
 
   return {
-    name: "Auth.js",
+    name: AUTHJS_STRATEGY_NAME,
     authenticate: async ({ payload }) => {
       // Get session from authjs
       const { auth } = NextAuth(
@@ -67,7 +69,7 @@ export function AuthjsAuthStrategy(
       // Return user to payload cms
       return {
         user: {
-          _strategy: "Auth.js",
+          _strategy: AUTHJS_STRATEGY_NAME,
           collection: collection.slug,
           ...payloadUser,
           ...virtualSessionFields,

packages/payload-authjs/src/payload/collection/endpoints/logout.ts

@@ -1,7 +1,8 @@
 import NextAuth from "next-auth";
 import { NextResponse } from "next/server";
-import type { Endpoint } from "payload";
+import { APIError, type Endpoint, generateExpiredPayloadCookie, headersWithCors } from "payload";
 import { withPayload } from "../../../authjs/withPayload";
+import { AUTHJS_STRATEGY_NAME } from "../../AuthjsAuthStrategy";
 import type { AuthjsPluginConfig } from "../../plugin";
 import { getRequestCollection } from "../../utils/getRequestCollection";
 
@@ -10,30 +11,68 @@ import { getRequestCollection } from "../../utils/getRequestCollection";
  *
  * @see https://payloadcms.com/docs/authentication/operations#logout
  * @see https://github.com/payloadcms/payload/blob/main/packages/payload/src/auth/endpoints/logout.ts
+ * @see https://github.com/payloadcms/payload/blob/main/packages/payload/src/auth/operations/logout.ts
  */
 export const logoutEndpoint: (pluginOptions: AuthjsPluginConfig) => Endpoint = pluginOptions => ({
   method: "post",
   path: "/logout",
   handler: async req => {
-    // Sign out and get cookies from authjs
-    const { signOut } = NextAuth(
-      withPayload(pluginOptions.authjsConfig, {
-        payload: req.payload,
-        userCollectionSlug: pluginOptions.userCollectionSlug,
-      }),
+    const { config: collection } = getRequestCollection(req);
+
+    if (!req.user) {
+      throw new APIError("No User", 400);
+    }
+
+    if (req.user.collection !== collection.slug) {
+      throw new APIError("Incorrect collection", 403);
+    }
+
+    // Create response with cors headers
+    const response = NextResponse.json(
+      {
+        message: req.t("authentication:logoutSuccessful"),
+      },
+      {
+        headers: headersWithCors({
+          headers: new Headers(),
+          req,
+        }),
+      },
     );
-    const { cookies } = await signOut({ redirect: false });
-
-    // Create response with cookies
-    const response = NextResponse.json({
-      message: req.t("authentication:logoutSuccessful"),
-    });
-    for (const cookie of cookies) {
-      response.cookies.set(cookie.name, cookie.value, cookie.options);
+
+    if (req.user._strategy === AUTHJS_STRATEGY_NAME) {
+      // Generate expired cookies using authjs
+      const { signOut } = NextAuth(
+        withPayload(pluginOptions.authjsConfig, {
+          payload: req.payload,
+          userCollectionSlug: pluginOptions.userCollectionSlug,
+        }),
+      );
+      const { cookies } = (await signOut({ redirect: false })) as {
+        cookies: {
+          name: string;
+          value: string;
+          options: object;
+        }[];
+      };
+
+      // Set cookies on response
+      for (const cookie of cookies) {
+        response.cookies.set(cookie.name, cookie.value, cookie.options);
+      }
+    } else {
+      // Generate an expired cookie using payload cms
+      const expiredCookie = generateExpiredPayloadCookie({
+        collectionAuthConfig: collection.auth,
+        config: req.payload.config,
+        cookiePrefix: req.payload.config.cookiePrefix,
+      });
+
+      // Set cookie on response
+      response.headers.set("Set-Cookie", expiredCookie);
     }
 
     // Execute afterLogout hooks
-    const { config: collection } = getRequestCollection(req);
     if (collection.hooks?.afterLogout?.length) {
       for (const hook of collection.hooks.afterLogout) {
         await hook({

packages/payload-authjs/src/payload/collection/index.ts

@@ -38,6 +38,7 @@ export const generateUsersCollection = (
         name: "id",
         type: "text",
         required: true,
+        defaultValue: () => crypto.randomUUID(),
         access: {
           create: () => false,
           update: () => false,
@@ -87,9 +88,13 @@ export const generateUsersCollection = (
   };
 
   // Add auth strategy to users collection
+  const { strategies: authStrategies, ...authOptions } =
+    typeof collection.auth === "object" ? collection.auth : {};
   collection.auth = {
-    disableLocalStrategy: true,
-    strategies: [AuthjsAuthStrategy(collection, pluginOptions)],
+    ...authOptions,
+    strategies: [AuthjsAuthStrategy(collection, pluginOptions), ...(authStrategies ?? [])],
+    // Disable local strategy if not explicitly enabled
+    ...(collection.custom?.enableLocalStrategy === true ? {} : { disableLocalStrategy: true }),
   };
 
   // Add hooks to users collection