fix: autoLogin not working if old, invalid token is present (#7456)

AlessioGr · web-flow · commit a063b8146033 · 2024-08-12T12:41:45.000-04:00
diff --git a/packages/payload/src/auth/strategies/jwt.ts b/packages/payload/src/auth/strategies/jwt.ts
@@ -1,6 +1,6 @@
 import jwt from 'jsonwebtoken'
 
-import type { Where } from '../../types/index.js'
+import type { Payload, Where } from '../../types/index.js'
 import type { AuthStrategyFunction, User } from '../index.js'
 
 import { extractJWT } from '../extractJWT.js'
@@ -10,6 +10,62 @@ type JWTToken = {
   id: string
 }
 
+async function autoLogin({
+  isGraphQL,
+  payload,
+}: {
+  isGraphQL: boolean
+  payload: Payload
+}): Promise<{
+  user: User | null
+}> {
+  if (
+    typeof payload?.config?.admin?.autoLogin !== 'object' ||
+    payload.config.admin?.autoLogin.prefillOnly ||
+    !payload?.config?.admin?.autoLogin ||
+    (!payload.config.admin?.autoLogin.email && !payload.config.admin?.autoLogin.username)
+  ) {
+    return { user: null }
+  }
+
+  const collection = payload.collections[payload.config.admin.user]
+
+  const where: Where = {
+    or: [],
+  }
+  if (payload.config.admin?.autoLogin.email) {
+    where.or.push({
+      email: {
+        equals: payload.config.admin?.autoLogin.email,
+      },
+    })
+  } else if (payload.config.admin?.autoLogin.username) {
+    where.or.push({
+      username: {
+        equals: payload.config.admin?.autoLogin.username,
+      },
+    })
+  }
+
+  const user = (
+    await payload.find({
+      collection: collection.config.slug,
+      depth: isGraphQL ? 0 : collection.config.auth.depth,
+      where,
+    })
+  ).docs[0]
+
+  if (!user) {
+    return { user: null }
+  }
+  user.collection = collection.config.slug
+  user._strategy = 'local-jwt'
+
+  return {
+    user: user as User,
+  }
+}
+
 export const JWTAuthentication: AuthStrategyFunction = async ({
   headers,
   isGraphQL = false,
@@ -18,43 +74,11 @@ export const JWTAuthentication: AuthStrategyFunction = async ({
   try {
     const token = extractJWT({ headers, payload })
 
-    if (
-      !token &&
-      typeof payload?.config?.admin?.autoLogin === 'object' &&
-      !payload.config.admin?.autoLogin.prefillOnly &&
-      headers.get('DisableAutologin') !== 'true'
-    ) {
-      const collection = payload.collections[payload.config.admin.user]
-
-      const where: Where = {
-        or: [],
-      }
-      if (payload.config.admin?.autoLogin.email) {
-        where.or.push({
-          email: {
-            equals: payload.config.admin?.autoLogin.email,
-          },
-        })
-      } else if (payload.config.admin?.autoLogin.username) {
-        where.or.push({
-          username: {
-            equals: payload.config.admin?.autoLogin.username,
-          },
-        })
-      }
-
-      const user = (
-        await payload.find({
-          collection: collection.config.slug,
-          depth: isGraphQL ? 0 : collection.config.auth.depth,
-          where,
-        })
-      ).docs[0]
-      user.collection = collection.config.slug
-      user._strategy = 'local-jwt'
-      return {
-        user: user as User,
+    if (!token) {
+      if (headers.get('DisableAutologin') !== 'true') {
+        return await autoLogin({ isGraphQL, payload })
       }
+      return { user: null }
     }
 
     const decodedPayload = jwt.verify(token, payload.secret) as JWTToken & jwt.JwtPayload
@@ -74,9 +98,15 @@ export const JWTAuthentication: AuthStrategyFunction = async ({
         user: user as User,
       }
     } else {
+      if (headers.get('DisableAutologin') !== 'true') {
+        return await autoLogin({ isGraphQL, payload })
+      }
       return { user: null }
     }
   } catch (error) {
+    if (headers.get('DisableAutologin') !== 'true') {
+      return await autoLogin({ isGraphQL, payload })
+    }
     return { user: null }
   }
 }
