fix: cherry picks lockUntil fix from #6052 (#7213)

packages/payload/src/auth/isLocked.ts

@@ -1,2 +1,5 @@
-const isLocked = (date: number): boolean => !!(date && date > Date.now())
+const isLocked = (date: number): boolean => {
+  if (!date) return false
+  return date > Date.now()
+}
 export default isLocked

packages/payload/src/auth/operations/login.ts

@@ -182,7 +182,7 @@ export const loginOperation = async <TSlug extends CollectionSlug>(
       throw new AuthenticationError(req.t, Boolean(canLoginWithUsername && sanitizedUsername))
     }
 
-    if (user && isLocked(user.lockUntil)) {
+    if (user && isLocked(new Date(user.lockUntil).getTime())) {
       throw new LockedAuth(req.t)
     }
 

test/auth/int.spec.ts

@@ -460,11 +460,25 @@ describe('Auth', () => {
           await tryLogin()
           await tryLogin()
 
-          await payload.update({
+          const loginAfterLimit = await restClient
+            .POST(`/${slug}/login`, {
+              body: JSON.stringify({
+                email: userEmail,
+                password,
+              }),
+              headers: {
+                Authorization: `JWT ${token}`,
+                'Content-Type': 'application/json',
+              },
+              method: 'post',
+            })
+            .then((res) => res.json())
+
+          expect(loginAfterLimit.errors.length).toBeGreaterThan(0)
+
+          const lockedUser = await payload.find({
             collection: slug,
-            data: {
+            showHiddenFields: true,
-              lockUntil: Date.now() - 605 * 1000,
-            },
             where: {
               email: {
                 equals: userEmail,
@@ -472,6 +486,25 @@ describe('Auth', () => {
             },
           })
 
+          expect(lockedUser.docs[0].loginAttempts).toBe(2)
+          expect(lockedUser.docs[0].lockUntil).toBeDefined()
+
+          const manuallyReleaseLock = new Date(Date.now() - 605 * 1000)
+          const userLockElapsed = await payload.update({
+            collection: slug,
+            data: {
+              lockUntil: manuallyReleaseLock,
+            },
+            showHiddenFields: true,
+            where: {
+              email: {
+                equals: userEmail,
+              },
+            },
+          })
+
+          expect(userLockElapsed.docs[0].lockUntil).toEqual(manuallyReleaseLock.toISOString())
+
           // login
           await restClient.POST(`/${slug}/login`, {
             body: JSON.stringify({