From a80f5b65eceb01080157a658e47bc3762878bf3f Mon Sep 17 00:00:00 2001
From: Alessio Gravili
Date: Mon, 23 Sep 2024 16:46:43 -0400
Subject: [PATCH] fix: safely access user in auth operations (#8381)
---
 packages/payload/src/auth/operations/login.ts | 5 +++--
 packages/payload/src/auth/operations/me.ts | 5 ++++-
 packages/payload/src/auth/operations/refresh.ts | 5 ++++-
 3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/packages/payload/src/auth/operations/login.ts b/packages/payload/src/auth/operations/login.ts
index ecd03b170..cab9f68c7 100644
--- a/packages/payload/src/auth/operations/login.ts
+++ b/packages/payload/src/auth/operations/login.ts
@@ -173,13 +173,14 @@ export const loginOperation = async (
 req,
 where: whereConstraint,
 })
- user.collection = collectionConfig.slug
 
 if (!user || (args.collection.config.auth.verify && user._verified === false)) {
 throw new AuthenticationError(req.t, Boolean(canLoginWithUsername && sanitizedUsername))
 }
 
- if (user && isLocked(new Date(user.lockUntil).getTime())) {
+ user.collection = collectionConfig.slug
+
+ if (isLocked(new Date(user.lockUntil).getTime())) {
 throw new LockedAuth(req.t)
 }
 
diff --git a/packages/payload/src/auth/operations/me.ts b/packages/payload/src/auth/operations/me.ts
index f34d4763d..425006613 100644
--- a/packages/payload/src/auth/operations/me.ts
+++ b/packages/payload/src/auth/operations/me.ts
@@ -37,7 +37,10 @@ export const meOperation = async (args: Arguments): Promise =
 req,
 showHiddenFields: false,
 })) as User
- user.collection = collection.config.slug
+
+ if (user) {
+ user.collection = collection.config.slug
+ }
 
 if (req.user.collection !== collection.config.slug) {
 return {
diff --git a/packages/payload/src/auth/operations/refresh.ts b/packages/payload/src/auth/operations/refresh.ts
index 6d27ffe5e..945786645 100644
--- a/packages/payload/src/auth/operations/refresh.ts
+++ b/packages/payload/src/auth/operations/refresh.ts
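Review bot: Nothing in the new code of the login.ts hunk records that `user.collection = collectionConfig.slug` and the now-unguarded `isLocked(...)` call depend on the throw above them, which is the ordering this commit just had to repair. A one-line comment above the assignment, `// user is non-null past this point: the guard above throws for a missing or unverified user`, would keep a later reorder from reintroducing the null dereference on the login path. It is also worth confirming that `isLocked` treats the NaN produced by `new Date(user.lockUntil).getTime()` for an unset `lockUntil` as not locked; its definition is not visible here. The body of `loginOperation` starts and continues outside the hunk.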
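Review bot: In the me.ts hunk, the `as User` cast on the lookup result hides from the compiler that `user` can be null, which is exactly the case the new `if (user)` guard admits, so every later use of `user` in `meOperation` remains unchecked. Typing the result as nullable (`})) as User | null`) and returning the unauthenticated result as soon as `user` is missing would make the null case explicit instead of only skipping the assignment. The comparison on `req.user.collection` could also run before the lookup, so that no document is fetched for a session that belongs to another collection. The rest of the function is outside the hunk, so how a null `user` is handled further down cannot be confirmed from here.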
@@ -75,7 +75,10 @@ export const refreshOperation = async (incomingArgs: Arguments): Promise
 depth: isGraphQL ? 0 : args.collection.config.auth.depth,
 req: args.req,
 })
- user.collection = args.req.user.collection
+
+ if (user) {
+ user.collection = args.req.user.collection
+ }
 
 let result: Result
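Review bot: When the lookup returns no user, the new guard only skips the assignment and `refreshOperation` carries on to `let result: Result`, so a refresh for an account that can no longer be loaded may still proceed to build a result. The code that follows is outside the hunk, so whether a token is actually issued in that case cannot be confirmed here, but a refresh should fail closed: replace the guard with an explicit `if (!user) { throw ... }` that raises the authentication error this operation already uses, placed before the assignment. That also removes the need for the conditional around `user.collection = args.req.user.collection`.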