fix(ui): public users unable to log out (#10188)

Fixes #10180. When logged in as an unauthorized user who cannot access
the admin panel, the user is unable to log out through the prompted
`/admin/logout` page. This was because that page was using an incorrect
API endpoint, reading from `admin.user` instead of `user.collection`
when formatting the route. This page was also able to get stuck in an
infinite loading state when attempting to log out without any user at
all. Now, public users can properly log out and then back in with
another user who might have access. The messaging around this was also
misleading. Instead of displaying the "Unauthorized, you must be logged
in to make this request" message, we now display a new "Unauthorized,
this user does not have access to the admin panel" message for added
clarity.
Jacob Fletcher
2024-12-26 22:52:00 -05:00
committed by GitHub
parent 5613a7ebe1
commit f3aebe3263
52 changed files with 825 additions and 739 deletions


@@ -13,6 +13,7 @@ import {
apiKeysSlug,
namedSaveToJWTValue,
partialDisableLocaleStrategiesSlug,
publicUsersSlug,
saveToJWTKey,
slug,
} from './shared.js'
@@ -276,7 +277,7 @@ describe('Auth', () => {
it('should allow verification of a user', async () => {
const emailToVerify = 'verify@me.com'
const response = await restClient.POST(`/public-users`, {
const response = await restClient.POST(`/${publicUsersSlug}`, {
body: JSON.stringify({
email: emailToVerify,
password,
@@ -290,7 +291,7 @@ describe('Auth', () => {
expect(response.status).toBe(201)
const userResult = await payload.find({
collection: 'public-users',
collection: publicUsersSlug,
limit: 1,
showHiddenFields: true,
where: {
@@ -306,13 +307,13 @@ describe('Auth', () => {
expect(_verificationToken).toBeDefined()
const verificationResponse = await restClient.POST(
`/public-users/verify/${_verificationToken}`,
`/${publicUsersSlug}/verify/${_verificationToken}`,
)
expect(verificationResponse.status).toBe(200)
const afterVerifyResult = await payload.find({
collection: 'public-users',
collection: publicUsersSlug,
limit: 1,
showHiddenFields: true,
where: {
@@ -782,24 +783,24 @@ describe('Auth', () => {
describe('API Key', () => {
it('should authenticate via the correct API key user', async () => {
const usersQuery = await payload.find({
collection: 'api-keys',
collection: apiKeysSlug,
})
const [user1, user2] = usersQuery.docs
const success = await restClient
.GET(`/api-keys/${user2.id}`, {
.GET(`/${apiKeysSlug}/${user2.id}`, {
headers: {
Authorization: `api-keys API-Key ${user2.apiKey}`,
Authorization: `${apiKeysSlug} API-Key ${user2.apiKey}`,
},
})
.then((res) => res.json())
expect(success.apiKey).toStrictEqual(user2.apiKey)
const fail = await restClient.GET(`/api-keys/${user1.id}`, {
const fail = await restClient.GET(`/${apiKeysSlug}/${user1.id}`, {
headers: {
Authorization: `api-keys API-Key ${user2.apiKey}`,
Authorization: `${apiKeysSlug} API-Key ${user2.apiKey}`,
},
})
@@ -809,7 +810,7 @@ describe('Auth', () => {
it('should not remove an API key from a user when updating other fields', async () => {
const apiKey = uuid()
const user = await payload.create({
collection: 'api-keys',
collection: apiKeysSlug,
data: {
apiKey,
enableAPIKey: true,
@@ -818,14 +819,14 @@ describe('Auth', () => {
const updatedUser = await payload.update({
id: user.id,
collection: 'api-keys',
collection: apiKeysSlug,
data: {
enableAPIKey: true,
},
})
const userResult = await payload.find({
collection: 'api-keys',
collection: apiKeysSlug,
where: {
id: {
equals: user.id,
@@ -857,7 +858,7 @@ describe('Auth', () => {
// use the api key in a fetch to assert that it is disabled
const response = await restClient
.GET(`/api-keys/me`, {
.GET(`/${apiKeysSlug}/me`, {
headers: {
Authorization: `${apiKeysSlug} API-Key ${apiKey}`,
},
@@ -888,7 +889,7 @@ describe('Auth', () => {
// use the api key in a fetch to assert that it is disabled
const response = await restClient
.GET(`/api-keys/me`, {
.GET(`/${apiKeysSlug}/me`, {
headers: {
Authorization: `${apiKeysSlug} API-Key ${apiKey}`,
},