Conversation

@jmikrut (Member) commented May 21, 2025

Adds full session functionality into Payload's existing local authentication strategy.

It's enabled by default, because this is a more secure pattern that we should enforce. However, we have provided an opt-out pattern for those who want to stick to stateless JWT authentication by passing collectionConfig.auth.useSessions: false.

Todo:

  • @jessrynkar to update the Next.js server functions for refresh and logout to support these new features
  • @jessrynkar resolve build errors

@jmikrut jmikrut marked this pull request as draft May 21, 2025 18:19
DanRibbens previously approved these changes May 21, 2025
DanRibbens previously approved these changes May 30, 2025
@DanRibbens (Contributor) left a comment

Looks good.

@DanRibbens DanRibbens marked this pull request as ready for review May 30, 2025 16:27
@denolfe (Member) commented Jun 2, 2025

Setting useSessions: false doesn't appear to be getting respected.

denolfe and others added 2 commits June 23, 2025 11:20
Fixes an issue introduced with 4831f66 that prevents CI from running the built code

---------

Co-authored-by: Sasha <64744993+r1tsuu@users.noreply.github.com>
@denolfe (Member) commented Jun 26, 2025

Needs to be retested after merging main

@DanRibbens (Contributor) left a comment

Looks good! We just need to edit that description before merging and be explicit about the migration as some may consider it a breaking change unless you opt out.

@denolfe denolfe merged commit 26d709d into main Jun 27, 2025
75 of 77 checks passed
@denolfe denolfe deleted the feat/sessions branch June 27, 2025 13:13
🚀 This is included in version v3.44.0

@HarleySalas (Contributor) commented
Thank you! Payload auth felt like stateless auth trying to roleplay as stateful auth for me. I'm very happy to see this change!

@yonnic commented Jul 4, 2025

Guys, really?? Why introduce breaking changes? This session option should be off by default!

Now I have a broken production with users not able to log in; I see no migration for MongoDB?!?
So I turned off the sessions.

This is bad practice; not everyone is reading release notes on every commit.

Review comment on the following lines of the diff:

id: user.id,
collection: collectionConfig.slug,
data: {
  ...user,

Hi @jmikrut @DanRibbens

It looks like this update happens directly without respecting the beforeChange hook on the apiKey field:

beforeChange: [encryptKey],

This might be related to the following issue as well: #13063

8 participants