payloadcms
diff --git a/‎packages/payload/src/auth/operations/login.ts‎
Lines changed: 171 additions & 154 deletions b/‎packages/payload/src/auth/operations/login.ts‎
Lines changed: 171 additions & 154 deletions
@@ -15,15 +15,15 @@ import {
   ValidationError,
 } from '../../errors/index.js'
 import { afterRead } from '../../fields/hooks/afterRead/index.js'
-import { Forbidden } from '../../index.js'
+import { commitTransaction, Forbidden, initTransaction } from '../../index.js'
 import { appendNonTrashedFilter } from '../../utilities/appendNonTrashedFilter.js'
 import { killTransaction } from '../../utilities/killTransaction.js'
 import { sanitizeInternalFields } from '../../utilities/sanitizeInternalFields.js'
 import { getFieldsToSign } from '../getFieldsToSign.js'
 import { getLoginOptions } from '../getLoginOptions.js'
 import { isUserLocked } from '../isUserLocked.js'
 import { jwtSign } from '../jwt.js'
-import { addSessionToUser } from '../sessions.js'
+import { addSessionToUser, revokeSession } from '../sessions.js'
 import { authenticateLocalStrategy } from '../strategies/local/authenticate.js'
 import { incrementLoginAttempts } from '../strategies/local/incrementLoginAttempts.js'
 import { resetLoginAttempts } from '../strategies/local/resetLoginAttempts.js'
@@ -77,176 +77,179 @@ export const loginOperation = async <TSlug extends CollectionSlug>(
     throw new Forbidden(args.req.t)
   }
 
-  try {
-    // /////////////////////////////////////
-    // beforeOperation - Collection
-    // /////////////////////////////////////
-
-    args = await buildBeforeOperation({
-      args,
-      collection: args.collection.config,
-      operation: 'login',
+  // /////////////////////////////////////
+  // beforeOperation - Collection
+  // /////////////////////////////////////
+
+  args = await buildBeforeOperation({
+    args,
+    collection: args.collection.config,
+    operation: 'login',
+  })
+
+  const {
+    collection: { config: collectionConfig },
+    data,
+    depth,
+    overrideAccess,
+    req,
+    req: {
+      fallbackLocale,
+      locale,
+      payload,
+      payload: { secret },
+    },
+    showHiddenFields,
+  } = args
+
+  // /////////////////////////////////////
+  // Login
+  // /////////////////////////////////////
+
+  const { email: unsanitizedEmail, password } = data
+  const loginWithUsername = collectionConfig.auth.loginWithUsername
+
+  const sanitizedEmail =
+    typeof unsanitizedEmail === 'string' ? unsanitizedEmail.toLowerCase().trim() : null
+  const sanitizedUsername =
+    'username' in data && typeof data?.username === 'string'
+      ? data.username.toLowerCase().trim()
+      : null
+
+  const { canLoginWithEmail, canLoginWithUsername } = getLoginOptions(loginWithUsername)
+
+  // cannot login with email, did not provide username
+  if (!canLoginWithEmail && !sanitizedUsername) {
+    throw new ValidationError({
+      collection: collectionConfig.slug,
+      errors: [{ message: req.i18n.t('validation:required'), path: 'username' }],
     })
+  }
 
-    const {
-      collection: { config: collectionConfig },
-      data,
-      depth,
-      overrideAccess,
-      req,
-      req: {
-        fallbackLocale,
-        locale,
-        payload,
-        payload: { secret },
-      },
-      showHiddenFields,
-    } = args
-
-    // /////////////////////////////////////
-    // Login
-    // /////////////////////////////////////
-
-    const { email: unsanitizedEmail, password } = data
-    const loginWithUsername = collectionConfig.auth.loginWithUsername
-
-    const sanitizedEmail =
-      typeof unsanitizedEmail === 'string' ? unsanitizedEmail.toLowerCase().trim() : null
-    const sanitizedUsername =
-      'username' in data && typeof data?.username === 'string'
-        ? data.username.toLowerCase().trim()
-        : null
+  // cannot login with username, did not provide email
+  if (!canLoginWithUsername && !sanitizedEmail) {
+    throw new ValidationError({
+      collection: collectionConfig.slug,
+      errors: [{ message: req.i18n.t('validation:required'), path: 'email' }],
+    })
+  }
 
-    const { canLoginWithEmail, canLoginWithUsername } = getLoginOptions(loginWithUsername)
+  // can login with either email or username, did not provide either
+  if (!sanitizedUsername && !sanitizedEmail) {
+    throw new ValidationError({
+      collection: collectionConfig.slug,
+      errors: [
+        { message: req.i18n.t('validation:required'), path: 'email' },
+        { message: req.i18n.t('validation:required'), path: 'username' },
+      ],
+    })
+  }
 
-    // cannot login with email, did not provide username
-    if (!canLoginWithEmail && !sanitizedUsername) {
-      throw new ValidationError({
-        collection: collectionConfig.slug,
-        errors: [{ message: req.i18n.t('validation:required'), path: 'username' }],
-      })
-    }
+  // did not provide password for login
+  if (typeof password !== 'string' || password.trim() === '') {
+    throw new ValidationError({
+      collection: collectionConfig.slug,
+      errors: [{ message: req.i18n.t('validation:required'), path: 'password' }],
+    })
+  }
 
-    // cannot login with username, did not provide email
-    if (!canLoginWithUsername && !sanitizedEmail) {
-      throw new ValidationError({
-        collection: collectionConfig.slug,
-        errors: [{ message: req.i18n.t('validation:required'), path: 'email' }],
-      })
-    }
+  let whereConstraint: Where = {}
+  const emailConstraint: Where = {
+    email: {
+      equals: sanitizedEmail,
+    },
+  }
+  const usernameConstraint: Where = {
+    username: {
+      equals: sanitizedUsername,
+    },
+  }
 
-    // can login with either email or username, did not provide either
-    if (!sanitizedUsername && !sanitizedEmail) {
-      throw new ValidationError({
-        collection: collectionConfig.slug,
-        errors: [
-          { message: req.i18n.t('validation:required'), path: 'email' },
-          { message: req.i18n.t('validation:required'), path: 'username' },
+  if (canLoginWithEmail && canLoginWithUsername && (sanitizedUsername || sanitizedEmail)) {
+    if (sanitizedUsername) {
+      whereConstraint = {
+        or: [
+          usernameConstraint,
+          {
+            email: {
+              equals: sanitizedUsername,
+            },
+          },
         ],
-      })
+      }
+    } else {
+      whereConstraint = {
+        or: [
+          emailConstraint,
+          {
+            username: {
+              equals: sanitizedEmail,
+            },
+          },
+        ],
+      }
     }
+  } else if (canLoginWithEmail && sanitizedEmail) {
+    whereConstraint = emailConstraint
+  } else if (canLoginWithUsername && sanitizedUsername) {
+    whereConstraint = usernameConstraint
+  }
 
-    // did not provide password for login
-    if (typeof password !== 'string' || password.trim() === '') {
-      throw new ValidationError({
-        collection: collectionConfig.slug,
-        errors: [{ message: req.i18n.t('validation:required'), path: 'password' }],
-      })
-    }
+  // Exclude trashed users
+  whereConstraint = appendNonTrashedFilter({
+    enableTrash: collectionConfig.trash,
+    trash: false,
+    where: whereConstraint,
+  })
 
-    let whereConstraint: Where = {}
-    const emailConstraint: Where = {
-      email: {
-        equals: sanitizedEmail,
-      },
-    }
-    const usernameConstraint: Where = {
-      username: {
-        equals: sanitizedUsername,
-      },
-    }
+  let user = (await payload.db.findOne<TypedUser>({
+    collection: collectionConfig.slug,
+    req,
+    where: whereConstraint,
+  })) as TypedUser
 
-    if (canLoginWithEmail && canLoginWithUsername && (sanitizedUsername || sanitizedEmail)) {
-      if (sanitizedUsername) {
-        whereConstraint = {
-          or: [
-            usernameConstraint,
-            {
-              email: {
-                equals: sanitizedUsername,
-              },
-            },
-          ],
-        }
-      } else {
-        whereConstraint = {
-          or: [
-            emailConstraint,
-            {
-              username: {
-                equals: sanitizedEmail,
-              },
-            },
-          ],
-        }
-      }
-    } else if (canLoginWithEmail && sanitizedEmail) {
-      whereConstraint = emailConstraint
-    } else if (canLoginWithUsername && sanitizedUsername) {
-      whereConstraint = usernameConstraint
-    }
+  checkLoginPermission({
+    loggingInWithUsername: Boolean(canLoginWithUsername && sanitizedUsername),
+    req,
+    user,
+  })
 
-    // Exclude trashed users
-    whereConstraint = appendNonTrashedFilter({
-      enableTrash: collectionConfig.trash,
-      trash: false,
-      where: whereConstraint,
-    })
+  user.collection = collectionConfig.slug
+  user._strategy = 'local-jwt'
 
-    let user = (await payload.db.findOne<TypedUser>({
-      collection: collectionConfig.slug,
-      req,
-      where: whereConstraint,
-    })) as TypedUser
+  const authResult = await authenticateLocalStrategy({ doc: user, password })
+  user = sanitizeInternalFields(user)
 
-    checkLoginPermission({
-      loggingInWithUsername: Boolean(canLoginWithUsername && sanitizedUsername),
-      req,
-      user,
-    })
+  const maxLoginAttemptsEnabled = args.collection.config.auth.maxLoginAttempts > 0
 
-    user.collection = collectionConfig.slug
-    user._strategy = 'local-jwt'
-
-    const authResult = await authenticateLocalStrategy({ doc: user, password })
-    user = sanitizeInternalFields(user)
-
-    const maxLoginAttemptsEnabled = args.collection.config.auth.maxLoginAttempts > 0
-
-    if (!authResult) {
-      if (maxLoginAttemptsEnabled) {
-        await incrementLoginAttempts({
-          collection: collectionConfig,
-          payload: req.payload,
-          req,
-          user,
-        })
-
-        // Re-check login permissions and max attempts after incrementing attempts, in case parallel updates occurred
-        checkLoginPermission({
-          loggingInWithUsername: Boolean(canLoginWithUsername && sanitizedUsername),
-          req,
-          user,
-        })
-      }
+  if (!authResult) {
+    if (maxLoginAttemptsEnabled) {
+      await incrementLoginAttempts({
+        collection: collectionConfig,
+        payload: req.payload,
+        user,
+      })
 
-      throw new AuthenticationError(req.t)
+      // Re-check login permissions and max attempts after incrementing attempts, in case parallel updates occurred
+      checkLoginPermission({
+        loggingInWithUsername: Boolean(canLoginWithUsername && sanitizedUsername),
+        req,
+        user,
+      })
     }
 
-    if (collectionConfig.auth.verify && user._verified === false) {
-      throw new UnverifiedEmail({ t: req.t })
-    }
+    throw new AuthenticationError(req.t)
+  }
+
+  if (collectionConfig.auth.verify && user._verified === false) {
+    throw new UnverifiedEmail({ t: req.t })
+  }
 
+  // Authentication successful - start transaction for remaining operations
+  const shouldCommit = await initTransaction(args.req)
+  let sid: string | undefined
+
+  try {
     /*
      * Correct password accepted - re‑check that the account didn't
      * get locked by parallel bad attempts in the meantime.
@@ -277,12 +280,13 @@ export const loginOperation = async <TSlug extends CollectionSlug>(
       user,
     }
 
-    const { sid } = await addSessionToUser({
+    const session = await addSessionToUser({
       collectionConfig,
       payload,
       req,
       user,
     })
+    sid = session.sid
 
     if (sid) {
       fieldsToSignArgs.sid = sid
@@ -392,12 +396,25 @@ export const loginOperation = async <TSlug extends CollectionSlug>(
       result,
     })
 
+    if (shouldCommit) {
+      await commitTransaction(req)
+    }
+
     // /////////////////////////////////////
     // Return results
     // /////////////////////////////////////
 
     return result
   } catch (error: unknown) {
+    if (sid) {
+      await revokeSession({
+        collectionConfig,
+        payload,
+        req,
+        sid,
+        user,
+      })
+    }
     await killTransaction(args.req)
     throw error
   }