feat: disableLocalStrategy with auth fields still enabled (#9579)

Adds configuration options to `auth.disableLocalStrategy` to allow
customization of how payload treats an auth enabled collection.

Two new properties have been added to `disableLocalStrategy`:

- `enableFields` Include auth fields on the collection even though the
local strategy is disabled. Useful when you do not want the database or
types to vary depending on the auth configuration used.
- `optionalPassword`: makes the password field not required

Author: DanRibbens

packages/graphql/src/schema/initCollections.ts

@@ -126,12 +126,20 @@ export function initCollections({ config, graphqlResult }: InitCollectionsGraphQ
 
     const mutationInputFields = [...fields]
 
-    if (collectionConfig.auth && !collectionConfig.auth.disableLocalStrategy) {
+    if (
+      collectionConfig.auth &&
+      (!collectionConfig.auth.disableLocalStrategy ||
+        (typeof collectionConfig.auth.disableLocalStrategy === 'object' &&
+          collectionConfig.auth.disableLocalStrategy.optionalPassword))
+    ) {
       mutationInputFields.push({
         name: 'password',
         type: 'text',
         label: 'Password',
-        required: true,
+        required: !(
+          typeof collectionConfig.auth.disableLocalStrategy === 'object' &&
+          collectionConfig.auth.disableLocalStrategy.optionalPassword
+        ),
       })
     }
 

packages/payload/src/auth/getAuthFields.ts

@@ -15,7 +15,11 @@ export const getBaseAuthFields = (authConfig: IncomingAuthType): Field[] => {
     authFields.push(...apiKeyFields)
   }
 
-  if (!authConfig.disableLocalStrategy) {
+  if (
+    !authConfig.disableLocalStrategy ||
+    (typeof authConfig.disableLocalStrategy === 'object' &&
+      authConfig.disableLocalStrategy.enableFields)
+  ) {
     const emailField = { ...emailFieldConfig }
     let usernameField: TextField | undefined
 

packages/payload/src/auth/operations/forgotPassword.ts

@@ -11,6 +11,7 @@ import type { PayloadRequest, Where } from '../../types/index.js'
 
 import { buildAfterOperation } from '../../collections/operations/utils.js'
 import { APIError } from '../../errors/index.js'
+import { Forbidden } from '../../index.js'
 import { commitTransaction } from '../../utilities/commitTransaction.js'
 import { initTransaction } from '../../utilities/initTransaction.js'
 import { killTransaction } from '../../utilities/killTransaction.js'
@@ -43,15 +44,18 @@ export const forgotPasswordOperation = async <TSlug extends CollectionSlug>(
       ? data.username.toLowerCase().trim()
       : null
 
+  let args = incomingArgs
+
+  if (incomingArgs.collection.config.auth.disableLocalStrategy) {
+    throw new Forbidden(incomingArgs.req.t)
+  }
   if (!sanitizedEmail && !sanitizedUsername) {
     throw new APIError(
       `Missing ${loginWithUsername ? 'username' : 'email'}.`,
       httpStatus.BAD_REQUEST,
     )
   }
 
-  let args = incomingArgs
-
   try {
     const shouldCommit = await initTransaction(args.req)
 
@@ -74,7 +78,6 @@ export const forgotPasswordOperation = async <TSlug extends CollectionSlug>(
 
     const {
       collection: { config: collectionConfig },
-      data,
       disableEmail,
       expiration,
       req: {

packages/payload/src/auth/operations/login.ts

@@ -10,6 +10,7 @@ import type { User } from '../types.js'
 import { buildAfterOperation } from '../../collections/operations/utils.js'
 import { AuthenticationError, LockedAuth, ValidationError } from '../../errors/index.js'
 import { afterRead } from '../../fields/hooks/afterRead/index.js'
+import { Forbidden } from '../../index.js'
 import { killTransaction } from '../../utilities/killTransaction.js'
 import sanitizeInternalFields from '../../utilities/sanitizeInternalFields.js'
 import { getFieldsToSign } from '../getFieldsToSign.js'
@@ -40,6 +41,10 @@ export const loginOperation = async <TSlug extends CollectionSlug>(
 ): Promise<{ user: DataFromCollectionSlug<TSlug> } & Result> => {
   let args = incomingArgs
 
+  if (args.collection.config.auth.disableLocalStrategy) {
+    throw new Forbidden(args.req.t)
+  }
+
   try {
     // /////////////////////////////////////
     // beforeOperation - Collection

packages/payload/src/auth/operations/registerFirstUser.ts

@@ -42,6 +42,10 @@ export const registerFirstUserOperation = async <TSlug extends CollectionSlug>(
     req: { payload },
   } = args
 
+  if (config.auth.disableLocalStrategy) {
+    throw new Forbidden(req.t)
+  }
+
   try {
     const shouldCommit = await initTransaction(req)
 

packages/payload/src/auth/operations/resetPassword.ts

@@ -3,7 +3,7 @@ import httpStatus from 'http-status'
 import type { Collection } from '../../collections/config/types.js'
 import type { PayloadRequest } from '../../types/index.js'
 
-import { APIError } from '../../errors/index.js'
+import { APIError, Forbidden } from '../../errors/index.js'
 import { commitTransaction } from '../../utilities/commitTransaction.js'
 import { initTransaction } from '../../utilities/initTransaction.js'
 import { killTransaction } from '../../utilities/killTransaction.js'
@@ -29,13 +29,6 @@ export type Arguments = {
 }
 
 export const resetPasswordOperation = async (args: Arguments): Promise<Result> => {
-  if (
-    !Object.prototype.hasOwnProperty.call(args.data, 'token') ||
-    !Object.prototype.hasOwnProperty.call(args.data, 'password')
-  ) {
-    throw new APIError('Missing required data.', httpStatus.BAD_REQUEST)
-  }
-
   const {
     collection: { config: collectionConfig },
     data,
@@ -48,6 +41,17 @@ export const resetPasswordOperation = async (args: Arguments): Promise<Result> =
     req,
   } = args
 
+  if (
+    !Object.prototype.hasOwnProperty.call(data, 'token') ||
+    !Object.prototype.hasOwnProperty.call(data, 'password')
+  ) {
+    throw new APIError('Missing required data.', httpStatus.BAD_REQUEST)
+  }
+
+  if (collectionConfig.auth.disableLocalStrategy) {
+    throw new Forbidden(req.t)
+  }
+
   try {
     const shouldCommit = await initTransaction(req)
 

packages/payload/src/auth/operations/unlock.ts

@@ -8,6 +8,7 @@ import type { CollectionSlug } from '../../index.js'
 import type { PayloadRequest, Where } from '../../types/index.js'
 
 import { APIError } from '../../errors/index.js'
+import { Forbidden } from '../../index.js'
 import { commitTransaction } from '../../utilities/commitTransaction.js'
 import { initTransaction } from '../../utilities/initTransaction.js'
 import { killTransaction } from '../../utilities/killTransaction.js'
@@ -44,6 +45,9 @@ export const unlockOperation = async <TSlug extends CollectionSlug>(
       args.data.username.toLowerCase().trim()) ||
     null
 
+  if (collectionConfig.auth.disableLocalStrategy) {
+    throw new Forbidden(req.t)
+  }
   if (!sanitizedEmail && !sanitizedUsername) {
     throw new APIError(
       `Missing ${collectionConfig.auth.loginWithUsername ? 'username' : 'email'}.`,

packages/payload/src/auth/operations/verifyEmail.ts

@@ -3,7 +3,7 @@ import httpStatus from 'http-status'
 import type { Collection } from '../../collections/config/types.js'
 import type { PayloadRequest } from '../../types/index.js'
 
-import { APIError } from '../../errors/index.js'
+import { APIError, Forbidden } from '../../errors/index.js'
 import { commitTransaction } from '../../utilities/commitTransaction.js'
 import { initTransaction } from '../../utilities/initTransaction.js'
 import { killTransaction } from '../../utilities/killTransaction.js'
@@ -16,6 +16,10 @@ export type Args = {
 
 export const verifyEmailOperation = async (args: Args): Promise<boolean> => {
   const { collection, req, token } = args
+
+  if (collection.config.auth.disableLocalStrategy) {
+    throw new Forbidden(req.t)
+  }
   if (!Object.prototype.hasOwnProperty.call(args, 'token')) {
     throw new APIError('Missing required data.', httpStatus.BAD_REQUEST)
   }

packages/payload/src/auth/types.ts

@@ -206,7 +206,16 @@ export interface IncomingAuthType {
   /**
    * Advanced - disable Payload's built-in local auth strategy. Only use this property if you have replaced Payload's auth mechanisms with your own.
    */
-  disableLocalStrategy?: true
+  disableLocalStrategy?:
+    | {
+        /**
+         * Include auth fields on the collection even though the local strategy is disabled.
+         * Useful when you do not want the database or types to vary depending on the auth configuration.
+         */
+        enableFields?: true
+        optionalPassword?: true
+      }
+    | true
   /**
    * Customize the way that the forgotPassword operation functions.
    * @link https://payloadcms.com/docs/authentication/email#forgot-password

packages/payload/src/utilities/configToJSONSchema.ts

@@ -617,7 +617,13 @@ export function entityToJSONSchema(
     })
   }
 
-  if ('auth' in entity && entity.auth && !entity.auth?.disableLocalStrategy) {
+  if (
+    'auth' in entity &&
+    entity.auth &&
+    (!entity.auth?.disableLocalStrategy ||
+      (typeof entity.auth?.disableLocalStrategy === 'object' &&
+        entity.auth.disableLocalStrategy.enableFields))
+  ) {
     entity.flattenedFields.push({
       name: 'password',
       type: 'text',