fix: safely access user in auth operations (#8381)

packages/payload/src/auth/operations/login.ts

@@ -173,13 +173,14 @@ export const loginOperation = async <TSlug extends CollectionSlug>(
       req,
       where: whereConstraint,
     })
-    user.collection = collectionConfig.slug
 
     if (!user || (args.collection.config.auth.verify && user._verified === false)) {
       throw new AuthenticationError(req.t, Boolean(canLoginWithUsername && sanitizedUsername))
     }
 
-    if (user && isLocked(new Date(user.lockUntil).getTime())) {
+    user.collection = collectionConfig.slug
+
+    if (isLocked(new Date(user.lockUntil).getTime())) {
       throw new LockedAuth(req.t)
     }
 

packages/payload/src/auth/operations/me.ts

@@ -37,7 +37,10 @@ export const meOperation = async (args: Arguments): Promise<MeOperationResult> =
       req,
       showHiddenFields: false,
     })) as User
+
+    if (user) {
       user.collection = collection.config.slug
+    }
 
     if (req.user.collection !== collection.config.slug) {
       return {

packages/payload/src/auth/operations/refresh.ts

@@ -75,7 +75,10 @@ export const refreshOperation = async (incomingArgs: Arguments): Promise<Result>
       depth: isGraphQL ? 0 : args.collection.config.auth.depth,
       req: args.req,
     })
+
+    if (user) {
       user.collection = args.req.user.collection
+    }
 
     let result: Result