User login fails when user has hasMany relationships (tenants, custom relationships) in 3.72.0 #15243

@c2s-admin

Description

User login fails with "The email or password provided is incorrect" when the user has certain relationships, even though the password is correct. This regression was introduced somewhere between 3.69.0 and 3.72.0.

Reproduction Steps

  1. Create a fresh user with just email and password → Login works
  2. Add relationships to the user (e.g., tenants from multi-tenant plugin or custom hasMany relationships) → Login fails
  3. Roll back to 3.69.0 → Login works again

Detailed Test Results

| Scenario | 3.69.0 | 3.72.0 |
| --- | --- | --- |
| User with only email/password | ✅ Works | ✅ Works |
| User with isSuperAdmin: true | ✅ Works | ✅ Works |
| User with tenants (multi-tenant plugin) | ✅ Works | ❌ Fails |
| User with custom hasMany relationship | ✅ Works | ❌ Fails |
| User with both tenants + hasMany | ✅ Works | ❌ Fails |

Important Finding

The bug occurs even when relationships are added directly via SQL (bypassing Payload's API entirely). This suggests the issue is in the login/password verification query, not in the update/create hooks.

-- Adding these relationships breaks login in 3.72.0:
INSERT INTO users_tenants ("_order", "_parent_id", "id", "tenant_id")
SELECT row_number() OVER (), {user_id}, gen_random_uuid()::text, id FROM tenants;

INSERT INTO users_rels ("order", parent_id, path, youtube_channels_id)
SELECT row_number() OVER (), {user_id}, 'youtubeChannels', id FROM youtube_channels;

After these SQL inserts (no Payload API involved), the same user that could log in before now fails with "incorrect password".

Environment

  • Payload Version: 3.72.0 (bug), 3.69.0 (works)
  • Database: PostgreSQL 17.6 via PgBouncer (transaction mode)
  • Node.js: 22.x
  • Next.js: 15.x
  • Plugin: @payloadcms/plugin-multi-tenant 3.72.0

Users Collection Config (relevant parts)

// Custom hasMany relationship that triggers the bug
{
  name: 'youtubeChannels',
  type: 'relationship',
  relationTo: 'youtube-channels',
  hasMany: true,
}

// Multi-tenant plugin adds 'tenants' field automatically

Workaround

Roll back to Payload 3.69.0 - login works correctly with all relationships.

Suspected Cause

The password verification query in 3.72.0 may be doing a JOIN or subquery on relationship tables that's interfering with the password hash comparison. The fact that adding relationships via raw SQL (completely bypassing Payload) still breaks login strongly suggests this is a query-level issue in the authentication flow.
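
A self-contained way to test the isolation argument in the report, as an added example that is not from the issue or from Payload. It assumes SQLite in place of PostgreSQL, a simplified constructed schema, constructed PBKDF2 parameters, and a hypothetical joined lookup (`joined_rows`); it checks that the relationship inserts leave the stored salt and hash untouched while a joined read returns one row per tenant and channel combination.

```python
import hashlib, hmac, os, sqlite3
EMAIL = "user@example.test"  # constructed sample account

def kdf(password, salt):
    # Constructed PBKDF2 parameters for the demo; not claimed to match Payload's.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def build_db(password):
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, salt BLOB, hash BLOB);
        CREATE TABLE users_tenants (_order INTEGER, _parent_id INTEGER, tenant_id INTEGER);
        CREATE TABLE users_rels ("order" INTEGER, parent_id INTEGER, path TEXT, youtube_channels_id INTEGER);
    """)
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (1, ?, ?, ?)", (EMAIL, salt, kdf(password, salt)))
    return db

def add_relationships(db, tenants=2, channels=3):
    # Same shape as the raw-SQL inserts in the report, with constructed ids.
    db.executemany("INSERT INTO users_tenants VALUES (?, 1, ?)", [(i, 100 + i) for i in range(tenants)])
    db.executemany("INSERT INTO users_rels VALUES (?, 1, 'youtubeChannels', ?)", [(i, 200 + i) for i in range(channels)])

def credentials(db):
    return db.execute("SELECT salt, hash FROM users WHERE email = ?", (EMAIL,)).fetchone()

def verify_direct(db, password):
    salt, stored = credentials(db)
    return hmac.compare_digest(kdf(password, salt), stored)

def joined_rows(db):
    # Hypothetical joined lookup for illustration; not Payload's actual query.
    return db.execute("""
        SELECT u.id, u.hash FROM users u
        LEFT JOIN users_tenants t ON t._parent_id = u.id
        LEFT JOIN users_rels r ON r.parent_id = u.id
        WHERE u.email = ?""", (EMAIL,)).fetchall()

def diagnose(password="correct horse battery"):
    db = build_db(password)
    before, rows_before = credentials(db), len(joined_rows(db))
    add_relationships(db)
    rows = joined_rows(db)
    return {"credentials_unchanged": credentials(db) == before,
            "direct_verify_ok": verify_direct(db, password),
            "joined_rows_before": rows_before, "joined_rows_after": len(rows),
            "distinct_hashes_in_join": len({h for _, h in rows})}

if __name__ == "__main__":
    print(diagnose())
```

If the same checks hold against the real database, the stored credentials are intact and attention belongs on the query the login path issues and on how its result rows are consumed.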
