docs: new and improve lexical docs, hoist up all headings (#6639)

2024-06-05 17:08:15 -04:00
parent aee3ee21d1
commit 19f8cbcf76
84 changed files with 1215 additions and 1122 deletions
--- a/docs/authentication/config.mdx
+++ b/docs/authentication/config.mdx
@@ -13,7 +13,7 @@ To enable Authentication on a collection, define an `auth` property and set it t
 ## Options

 | Option                     | Description                                                                                                                                                                                                                         |
-| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+|----------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | **`useAPIKey`**            | Payload Authentication provides for API keys to be set on each user within an Authentication-enabled Collection. [More](/docs/authentication/config#api-keys)                                                                       |
 | **`tokenExpiration`**      | How long (in seconds) to keep the user logged in. JWTs and HTTP-only cookies will both expire at the same time.                                                                                                                     |
 | **`maxLoginAttempts`**     | Only allow a user to attempt logging in X amount of times. Automatically locks out a user from authenticating if this limit is passed. Set to `0` to disable.                                                                       |
--- a/docs/authentication/operations.mdx
+++ b/docs/authentication/operations.mdx
@@ -8,7 +8,7 @@ keywords: authentication, config, configuration, documentation, Content Manageme

 Enabling Authentication on a Collection automatically exposes additional auth-based operations in the Local, REST, and GraphQL APIs.

-### Access
+## Access

 The Access operation returns what a logged in user can and can't do with the collections and globals that are registered via your config. This data can be immensely helpful if your app needs to show and hide certain features based on access control, as the Payload Admin panel does.

@@ -69,7 +69,7 @@ query {

 Document access can also be queried on a collection/global basis. Access on a global can queried like `http://localhost:3000/api/global-slug/access`, Collection document access can be queried like `http://localhost:3000/api/collection-slug/access/:id`.

-### Me
+## Me

 Returns either a logged in user with token or null when there is no logged in user.

@@ -105,7 +105,7 @@ query {
 }
 ```

-### Login
+## Login

 Accepts an `email` and `password`. On success, it will return the logged in user as well as a token that can be used to authenticate. In the GraphQL and REST APIs, this operation also automatically sets an HTTP-only cookie including the user's token. If you pass an Express `res` to the Local API operation, Payload will set a cookie there as well.

@@ -166,7 +166,7 @@ const result = await payload.login({
 })
 ```

-### Logout
+## Logout

 As Payload sets HTTP-only cookies, logging out cannot be done by just removing a cookie in JavaScript, as HTTP-only cookies are inaccessible by JS within the browser. So, Payload exposes a `logout` operation to delete the token in a safe way.

@@ -189,7 +189,7 @@ mutation {
 }
 ```

-### Refresh
+## Refresh

 Allows for "refreshing" JWTs. If your user has a token that is about to expire, but the user is still active and using the app, you might want to use the `refresh` operation to receive a new token by sending the operation the token that is about to expire.

@@ -244,7 +244,7 @@ mutation {
  `token` arg.
 </Banner>

-### Verify by Email
+## Verify by Email

 If your collection supports email verification, the Verify operation will be exposed which accepts a verification token and sets the user's `_verified` property to `true`, thereby allowing the user to authenticate with the Payload API.

@@ -276,7 +276,7 @@ const result = await payload.verifyEmail({
 })
 ```

-### Unlock
+## Unlock

 If a user locks themselves out and you wish to deliberately unlock them, you can utilize the Unlock operation. The Admin panel features an Unlock control automatically for all collections that feature max login attempts, but you can programmatically unlock users as well by using the Unlock operation.

@@ -309,7 +309,7 @@ const result = await payload.unlock({
 })
 ```

-### Forgot Password
+## Forgot Password

 Payload comes with built-in forgot password functionality. Submitting an email address to the Forgot Password operation will generate an email and send it to the respective email address with a link to reset their password.

@@ -361,7 +361,7 @@ const token = await payload.forgotPassword({
  use the token to "reset" their password.
 </Banner>

-### Reset Password
+## Reset Password

 After a user has "forgotten" their password and a token is generated, that token can be used to send to the reset password operation along with a new password which will allow the user to reset their password securely.

--- a/docs/authentication/overview.mdx
+++ b/docs/authentication/overview.mdx
@@ -30,7 +30,7 @@ _Admin panel screenshot depicting an Admins Collection with Auth enabled_

 By default, Payload provides you with a `User` collection that supports Authentication, which is used to access the Admin panel. But, you can add support to one or many Collections of your own. For more information on how to customize, override, or remove the default `User` collection, [click here](/docs/admin/overview#the-admin-user-collection).

-### Enabling Auth on a collection
+## Enabling Auth on a collection

 Every Payload Collection can opt-in to supporting Authentication by specifying the `auth` property on the Collection's config to either `true` or to an object containing `auth` options.

@@ -71,11 +71,11 @@ export const Admins: CollectionConfig = {

 Once enabled, each document that is created within the Collection can be thought of as a `user` - who can make use of commonly required authentication functions such as logging in / out, resetting their password, and more.

-### Logging in / out, resetting password, etc.
+## Logging in / out, resetting password, etc.

 [Click here](/docs/authentication/operations) for a list of all automatically-enabled Auth operations, including `login`, `logout`, `refresh`, and others.

-### Token-based auth
+## Token-based auth

 Successfully logging in returns a `JWT` (JSON web token) which is how a user will identify themselves to Payload. By providing this JWT via either an HTTP-only cookie or an `Authorization: JWT` or `Authorization: Bearer` header, Payload will automatically identify the user and add its user JWT data to the Express `req`, which is available throughout Payload including within access control, hooks, and more.

@@ -89,15 +89,15 @@ You can specify what data gets encoded to the JWT token by setting `saveToJWT` t
  property.
 </Banner>

-### HTTP-only cookies
+## HTTP-only cookies

 Payload `login`, `logout`, and `refresh` operations make use of HTTP-only cookies for authentication purposes. HTTP-only cookies are a highly secure method of storing identifiable data on a user's device so that Payload can automatically recognize a returning user until their cookie expires. They are totally protected from common XSS attacks and cannot be read at all via JavaScript in the browser.

-##### Automatic browser inclusion
+#### Automatic browser inclusion

 Modern browsers automatically include `http-only` cookies when making requests directly to URLs—meaning that if you are running your API on http://example.com, and you have logged in and visit http://example.com/test-page, your browser will automatically include the Payload authentication cookie for you.

-##### Using Fetch or other HTTP APIs
+#### Using Fetch or other HTTP APIs

 However, if you use `fetch` or similar APIs to retrieve Payload resources from its REST or GraphQL API, you need to specify to include credentials (cookies).

@@ -121,7 +121,7 @@ For more about how to automatically include cookies in requests from your app to
  will still show HTTP-only cookies, even when JavaScript running on the page can't.
 </Banner>

-### CSRF Protection
+## CSRF Protection

 CSRF (cross-site request forgery) attacks are common and dangerous. By using an HTTP-only cookie, Payload removes many XSS vulnerabilities, however, CSRF attacks can still be possible.

@@ -159,7 +159,7 @@ const config = buildConfig({
 export default config
 ```

-### Identifying users via the Authorization Header
+## Identifying users via the Authorization Header

 In addition to authenticating via an HTTP-only cookie, you can also identify users via the `Authorization` header on an HTTP request.