fix: getFieldsToSign crashes when user missing group/tab fields (#15775)

### What

Fix crash in JWT generation when user documents are missing group or tab
fields

### Why

When a user document was created before group/tab fields were added to
the schema, logging in would crash with "Cannot read properties of
undefined" because `getFieldsToSign` tried to traverse into undefined
fields.

### How

Added nullish coalescing (`?? {}`) to default missing group/tab data to
empty objects, consistent with how `afterRead/promise.ts` handles this
case.

Fixes #15734

Author: PatrikKozak

packages/payload/src/auth/getFieldsToSign.ts

@@ -28,15 +28,16 @@ const traverseFields = ({
       }
       case 'group': {
         if (fieldAffectsData(field)) {
+          const groupData: Record<string, unknown> =
+            (data[field.name] as Record<string, unknown>) ?? {}
           let targetResult
           if (typeof field.saveToJWT === 'string') {
             targetResult = field.saveToJWT
-            result[field.saveToJWT] = data[field.name]
+            result[field.saveToJWT] = groupData
           } else if (field.saveToJWT) {
             targetResult = field.name
-            result[field.name] = data[field.name]
+            result[field.name] = groupData
           }
-          const groupData: Record<string, unknown> = data[field.name] as Record<string, unknown>
           const groupResult = (targetResult ? result[targetResult] : result) as Record<
             string,
             unknown
@@ -59,15 +60,16 @@ const traverseFields = ({
       }
       case 'tab': {
         if (tabHasName(field)) {
+          const tabData: Record<string, unknown> =
+            (data[field.name] as Record<string, unknown>) ?? {}
           let targetResult
           if (typeof field.saveToJWT === 'string') {
             targetResult = field.saveToJWT
-            result[field.saveToJWT] = data[field.name]
+            result[field.saveToJWT] = tabData
           } else if (field.saveToJWT) {
             targetResult = field.name
-            result[field.name] = data[field.name]
+            result[field.name] = tabData
           }
-          const tabData: Record<string, unknown> = data[field.name] as Record<string, unknown>
           const tabResult = (targetResult ? result[targetResult] : result) as Record<
             string,
             unknown

test/auth/int.spec.ts

@@ -10,6 +10,7 @@ import type {
 import crypto from 'crypto'
 import { jwtDecode } from 'jwt-decode'
 import path from 'path'
+import { getFieldsToSign } from 'payload'
 import { email as emailValidation } from 'payload/shared'
 import { fileURLToPath } from 'url'
 import { v4 as uuid } from 'uuid'
@@ -270,6 +271,39 @@ describe('Auth', () => {
         expect(exp).toBeDefined()
       })
 
+      it('should not crash when building JWT for user with missing group/tab fields', () => {
+        const collectionConfig = payload.collections[slug].config
+
+        // Simulate a user document that was created before group/tab fields were added.
+        // Without the fix, getFieldsToSign would crash with:
+        // "TypeError: Cannot read properties of undefined (reading 'saveToJWTString')"
+        // when trying to traverse into groupSaveToJWT.saveToJWTString
+        const userWithMissingFields = {
+          id: '123',
+          email: 'test@example.com',
+          roles: ['user'],
+          // Missing fields: group, groupSaveToJWT, saveToJWTTab, tabSaveToJWTString
+        }
+
+        expect(() => {
+          getFieldsToSign({
+            collectionConfig,
+            email: userWithMissingFields.email,
+            user: userWithMissingFields as any,
+          })
+        }).not.toThrow()
+
+        const result = getFieldsToSign({
+          collectionConfig,
+          email: userWithMissingFields.email,
+          user: userWithMissingFields as any,
+        })
+
+        expect(result.id).toBe(userWithMissingFields.id)
+        expect(result.email).toBe(userWithMissingFields.email)
+        expect(result.collection).toBe(slug)
+      })
+
       it('should allow authentication with an API key with useAPIKey', async () => {
         const apiKey = '0123456789ABCDEFGH'