Help with Authorization and Access Control

[domwebber]

Hi, I can't seem to get Payload to work on DigitalOcean App Platform as expected - it seems as though the user in the request object isn't getting passed to the access functions for update and I can't figure out why as my same access control logic is working for the read access function.

From console logging it seems that req.user is undefined for some reason on update but not on read - I've tried removing my access control logic entirely from one of the collections and that has no effect. I was thinking that it could've been cookies with csrf, but I'm pretty sure that is all set - and if I go to the requested API URL it seems to work.

Here's what I'm working with: Turborepo, Sentry's NodeJS SDK added to the express app, port set via environment variables using DigitalOcean's ${_self.PRIVATE_PORT}, MongoDB on Atlas, S3-compatible storage also with DigitalOcean. It builds on DigitalOcean alright, just got the mentioned issues with access control. I'm using payload v1.8.2 but previously v1.6.19 but I've read through the changelog and didn't see anything that I thought would affect my use case.

Anyone got any ideas? Theres definitely a chance that I've configured something weird in my DigitalOcean App Spec but its been a lot of head scratching.

# DigitalOcean App Spec
alerts:
- rule: DEPLOYMENT_FAILED
- rule: DOMAIN_FAILED
envs:
# Some Environment config set here :)
name: exampleapp-cms
region: lon
services:
- build_command: yarn run build --filter=cms --no-cache
  environment_slug: node-js
  github:
    branch: main
    repo: # Omitted
    deploy_on_push: false
  instance_count: 1
  instance_size_slug: basic-xxs
  http_port: 443
  name: exampleapp-apps-cms
  routes:
  - path: /
  run_command: yarn run serve --filter=cms --no-cache

// payload.config.ts
/// imports omitted btw

function getServerURL({
  hostname,
  port,
}: {
  hostname?: string;
  port?: number | string;
}): string {
  // This function seems to output as expected
  const serverUrl = `${
    typeof hostname !== "undefined" && hostname.endsWith("/")
      ? hostname.slice(0, -1)
      : hostname || "http://localhost"
  }${port ? `:${port}` : ""}`;
  return serverUrl;
}

const storageAdapter = s3Adapter({
  bucket: process.env.S3_BUCKET,
  acl: "private",
  config: {
    endpoint: process.env.S3_ENDPOINT,
    forcePathStyle: false,
    region: process.env.S3_REGION,
    credentials: {
      accessKeyId: process.env.S3_ACCESS_KEY_ID,
      secretAccessKey: process.env.S3_SECRET_ACCESS_KEY,
    },
  },
});

export default buildConfig({
  debug: true,
  serverURL: getServerURL({
    hostname: process.env.PAYLOAD_PUBLIC_SERVER_URL,
    port: process.env.PAYLOAD_PUBLIC_PORT,
  }),
  cors: "*",
  csrf: [
    getServerURL({
      hostname: process.env.PAYLOAD_PUBLIC_SERVER_URL,
      port: process.env.PAYLOAD_PUBLIC_PORT,
    }),
    "http://localhost",
  ],
  admin: {
    user: Users.slug,
    avatar: "gravatar",
    meta: {
      favicon: "/favicon.ico",
      titleSuffix: "- Exampleapp",
    },
    components: {
      afterDashboard: [AfterDashboard],
      afterLogin: [AfterLogin],
      graphics: {
        Icon,
        Logo,
      },
    },
  },
  collections: [
    ContactSubmission,
    Page,
    Media,
    Service,
    Person,
    Users,
    Condition,
    Testimonial,
    FrequentlyAskedQuestion,
    ReusableLink,
    // Add Collections Here
  ],
  globals: [
    General,
    MainNavigation,
    FooterNavigation,
    // Add Globals Here
  ],
  typescript: {
    outputFile: path.resolve(__dirname, "payload-types.ts"),
  },
  graphQL: {
    schemaOutputFile: path.resolve(__dirname, "generated-schema.graphql"),
  },
  plugins: [
    seo({
      collections: [Page.slug],
      uploadsCollection: Media.slug,
      generateURL: ({ doc /*, locale */ }) => {
        const baseURL = "https://example.com";
        if (
          typeof doc !== "object" ||
          !("fields" in doc) ||
          typeof doc.fields !== "object" ||
          !("slug" in doc.fields) ||
          typeof doc.fields.slug !== "object" ||
          !("value" in doc.fields.slug) ||
          typeof doc.fields.slug !== "string"
        ) {
          return baseURL;
        }

        const slug =
          "fields" in doc && "slug" in doc.fields && "value" in doc.fields.slug
            ? (doc.fields.slug as { value: string }).value
            : "";
        const slugTrimmed = slug.endsWith("/") ? slug.slice(0, -1) : slug;

        return `${baseURL}/${slugTrimmed}`;
      },
    }),
    cloudStorage({
      collections: {
        media: {
          adapter: storageAdapter,
        },
      },
    }),
  ],
  rateLimit: {
    window: 15 * 60 * 1000, // 15 Minutes (in Milliseconds)
    max: 500, // Maximum of 500 requests in the window
    trustProxy: true,
  },
});

Thank you in advance, I've tried so many random things to try and fix this - my next step would be to start from scratch and gradually add the collections back in...

The access control logic

import { FieldAccess } from "payload/types";
import { User } from "payload/generated-types";
import { Access } from "payload/types";

const roles = {
  public: 0,
  subscriber: 10,
  admin: 20,
  superAdmin: 30,
};

export default function roleOf(user?: User): keyof typeof roles | null {
  // Check whether there is a user
  if (!user) {
    return "public";
  }

  // Check whether the user has an assigned role
  if (!("role" in user) || !user.role) {
    // Default to public
    return "public";
  }

  // Check whether the assigned role is an accepted value (for edge cases and changes)
  if (!Object.keys(roles).includes(user.role)) {
    // Fallback to public
    return "public";
  }

  return user.role;
}

export default function hasCollectionAccessRole(requiredRole: keyof typeof roles): Access<any, User> { // eslint-disable-line
  return ({ req: { user } }) => {
    // Deny all if required role doesn't exist or have a given priority
    if (!(requiredRole in roles) || typeof roles[requiredRole] !== "number") {
      return false;
    }

    // Determine the required role's priority
    const requiredRolePriority = roles[requiredRole];

    // Determine the role of the current user
    const userRole = roleOf(user);
    console.log("Found user role:", userRole);

    // Deny if the user's role doesn't exist (we shouldn't get here using roleOf)
    if (!(userRole in roles) || typeof roles[userRole] !== "number") {
      return false;
    }

    const userRolePriority = roles[userRole];

    // Determine access based on priority-based precedence
    if (userRolePriority >= requiredRolePriority) {
      return true;
    }

    // Deny as a fallback and default
    return false;
  };
}

export default function hasFieldAccessRole(
  requiredRole: keyof typeof roles
): FieldAccess<{ id: string }, unknown, User> {
  return ({ req: { user } }) => {
    // Deny all if required role doesn't exist or have a given priority
    if (!(requiredRole in roles) || typeof roles[requiredRole] !== "number") {
      return false;
    }

    // Determine the required role's priority
    const requiredRolePriority = roles[requiredRole];

    // Determine the role of the current user
    const userRole = roleOf(user);

    // Deny if the user's role doesn't exist (we shouldn't get here using roleOf)
    if (!(userRole in roles) || typeof roles[userRole] !== "number") {
      return false;
    }

    const userRolePriority = roles[userRole];

    // Determine access based on priority-based precedence
    if (userRolePriority >= requiredRolePriority) {
      return true;
    }

    // Deny as a fallback and default
    return false;
  };
}