Custom authentication function accessing cookies / headers.

[lukas-mertens]

I am trying to implement a custom sso authentication and for that I have to read and validate a cookie. This is what I have got and what I believe should work:

import type { AccessArgs } from 'payload'

import type { User } from '@/payload-types'
import * as jwt from 'jose'
import { parseCookies } from 'payload'

type isAuthenticated = (args: AccessArgs<User>) => Promise<boolean>

async function verifySessionCookie(token: string, secret: string) {
  const secretKey = new TextEncoder().encode(secret)
  return await jwt.jwtVerify<{
    id: string
    email: string
    collection: string
    iat: number
    exp: number
  }>(token, secretKey)
}

export const adminOrFrontendUserAuthenticated: isAuthenticated = async ({req: {headers, user}}) => {
  let authenticated = false
  if (user) {
    authenticated = true
  } else {
    const cookies = parseCookies(headers)
    console.log('cookies', cookies)
    const token = cookies.get('__my-sso-session-token')
    console.log('token', token)
    const jwtSecret = process.env.APP_AUTH_SECRET as string
    if (token) {
      const payload = (await verifySessionCookie(token, jwtSecret)).payload
      authenticated = Boolean(payload)
    }
  }

  if (!authenticated) {
    return true // TODO : change back to redirect
    // redirect('/auth/signin')
  } else {
    return true
  }
}

The relevant part is

    const cookies = parseCookies(headers)
    console.log('cookies', cookies)
    const token = cookies.get('__my-sso-session-token')
    console.log('token', token)

My problem: headers seems to be empty even though I can validate that it actually does include headers via the browser dev tools, the cookie is there and set correctly. It seems to me as if payloadcms doesn't pass the headers down into access functions via the req object, is that possible? Or how can I access cookies?

The result from the log statements is:

cookies Map(0) {}
token undefined

EDIT: I now found out the local api is the problem. The req object passed to my function is created by the createLocalReq of payload cms. How should I approach getting headers in an authenticated function instead?