This issue was moved to a discussion.

Auth unique email #3493

Closed
dylankuipers opened this issue Oct 9, 2023 · 3 comments
Labels
status: needs-triage Possible bug which hasn't been reproduced yet

Comments

@dylankuipers

Link to reproduction

Not relevant

To Reproduce

User collection with "auth: true" and have multiple projects in the same Payload instance.

Describe the Bug

Hi, so I am using a plugin for Payload to have multiple projects in one Payload instance. I use the tenancy plugin for this (1). With this plugin you can have the user accounts for each project in the same collection, but with a different tenant ID.

I have noticed that while using this plugin, it is impossible to have an account with the same email. Imagine you have two projects and they both have their own website. Right now, if you were to make an account on both websites with the same email, it is impossible to do. This is because Payload forces the email to be unique while using "auth: true" in the collection, as this forces an email and password field.

I have tried to overwrite the email field and set the unique value to false, though I haven't been successful. I would like to make a custom check myself to check whether the email is unique per tenant ID (from the tenant plugin). However, I am unable to create this check since Payload forces the email field to be unique while using "auth: true", and as far as I know it is impossible to overwrite. It would be ideal if there were a way to turn the unique email field off or if I were able to overwrite it.

We have tried reporting this issue to the plugin creator (2) without success, so we decided to make an issue for Payload instead.

(1) Multi tenant plugin: https://github.com/joas8211/payload-tenancy
(2) Issue at plugin: joas8211/payload-tenancy#23

Payload Version

1.15.6

@dylankuipers dylankuipers added the status: needs-triage Possible bug which hasn't been reproduced yet label Oct 9, 2023
@ChrisGV04
Contributor

ChrisGV04 commented Oct 9, 2023

Hey @dylankuipers! I believe that the email being a unique field is actually the best thing to do overall, because when you log in, you need to be able to find the correct document for that email which contains the password.

If you allow multiple users with the same email, now you can't identify which website's user account to actually log in as.

In my opinion, to allow that kind of behavior you should create a custom authentication strategy that uses both email and website to identify the correct user and log in to the appropriate website. That way, you could send the website as part of the login fields or read it from the HTTP headers.

```json
{
  "email": "[email protected]",
  "website": "website1.com",
  "password": "password"
}
```

Forcing unique: true on the email is not a bug nor an issue, but rather a strategy that's best suited for most use cases. Maybe you can try creating a custom authentication strategy.
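
The lookup described in the comment above, where email and website together identify the account, sketched as an added example (not part of the original comment and not Payload or payload-tenancy code). The store, the function names and the sample values are hypothetical, and it runs in memory on Node.js.

```javascript
// Added illustration, not Payload or payload-tenancy code: an in-memory store
// where email is unique per tenant and login needs both values.
const { scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

// Assumption: tenant and email are compared case-insensitively.
const keyFor = (tenant, email) =>
  JSON.stringify([tenant.trim().toLowerCase(), email.trim().toLowerCase()]);
const hashPassword = (password, salt) => scryptSync(password, salt, 32);

function createUserStore() {
  const users = new Map(); // composite key -> { tenant, email, salt, hash }
  const dummySalt = randomBytes(16); // unknown users still cost one hash

  function register(tenant, email, password) {
    const key = keyFor(tenant, email);
    // Uniqueness is checked on (tenant, email), not on email alone.
    if (users.has(key)) throw new Error('email already registered for this tenant');
    const salt = randomBytes(16);
    users.set(key, { tenant, email, salt, hash: hashPassword(password, salt) });
  }

  // `tenant` is the website value from the login fields or the request headers.
  // Without it, an email shared by two sites cannot select a single account.
  function login(tenant, email, password) {
    if (!tenant) throw new Error('tenant is required to identify the account');
    const user = users.get(keyFor(tenant, email));
    const candidate = hashPassword(password, user ? user.salt : dummySalt);
    if (!user) return null;
    return timingSafeEqual(candidate, user.hash)
      ? { tenant: user.tenant, email: user.email }
      : null;
  }

  return { register, login };
}

// Constructed sample data: one email registered on two sites, different passwords.
function demo() {
  const store = createUserStore();
  store.register('website1.com', 'user@example.test', 'pw-for-site-1');
  store.register('website2.com', 'user@example.test', 'pw-for-site-2');
  let duplicateRejected = false;
  try { store.register('website1.com', 'USER@example.test', 'x'); } catch { duplicateRejected = true; }
  return {
    site1: store.login('website1.com', 'user@example.test', 'pw-for-site-1'),
    crossTenant: store.login('website2.com', 'user@example.test', 'pw-for-site-1'),
    duplicateRejected,
  };
}
```

The `crossTenant` result is the case to check in any real implementation: a password valid on one site must not authenticate the same email on another.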

@dylankuipers
Author

dylankuipers commented Oct 10, 2023

Thanks for your response @ChrisGV04,

If you're using the tenancy plugin, it automatically creates a custom ID for each of your tenants that is also displayed in the user collection. I would use that to determine which site someone is trying to log in to. However, I am unable to do this as the email field is forced unique. (Which also pretty much makes the plugin useless, as people wouldn't be able to make accounts on two different websites of yours.)

The only way to go around this is to make a new instance of Payload for each of your websites, but this costs money and makes things more complicated, as now you have to manage multiple instances rather than just one.

I realised this isn't a bug after posting, so my bad about that. And while I do agree with you that I could make a custom authentication strategy, I can't really do that, as the plugin forces one of the collections to be auth: true to determine which collection to add the tenant ID to, but if you have auth: true it forces the email field. Unless I were to make a separate collection for the users & admins?

@silveltman

silveltman commented Oct 10, 2023

I would think that something like the following would be possible:

```ts
const collection: CollectionConfig = {
  slug: 'users',
  auth: true,
  fields: [
    {
      name: 'email',
      unique: false
    }
  ],
};
```

I would expect this to be possible based on the nature of Payload, or, if not possible, a TS error would be nice. Not a bug though, indeed.

@payloadcms payloadcms locked and limited conversation to collaborators Oct 10, 2023
@DanRibbens DanRibbens converted this issue into discussion #3560 Oct 10, 2023
