From 57fe652dfaeadded0e7bf7740ea946e17b7c13f3 Mon Sep 17 00:00:00 2001
From: Martin Porwoll <martin.porwoll@complexcaresolutions.de>
Date: Tue, 9 Dec 2025 08:46:45 +0000
Subject: [PATCH] fix: support Payload Admin Panel multipart/form-data login
 format
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Payload Admin Panel sends login credentials as a _payload JSON field
within multipart/form-data, not as separate email/password fields.
This fix adds support for parsing the _payload field while maintaining
backwards compatibility with direct FormData fields and JSON body.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 src/app/(payload)/api/users/login/route.ts | 38 ++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)

diff --git a/src/app/(payload)/api/users/login/route.ts b/src/app/(payload)/api/users/login/route.ts
index 5515092..b79648c 100644
--- a/src/app/(payload)/api/users/login/route.ts
+++ b/src/app/(payload)/api/users/login/route.ts
@@ -84,8 +84,42 @@ export async function POST(req: NextRequest): Promise<NextResponse> {
   const payload = await getPayload({ config: configPromise })
 
   try {
-    const body = await req.json()
-    const { email, password } = body
+    // Parse body - unterstütze JSON und FormData (Admin Panel sendet FormData)
+    let email: string | undefined
+    let password: string | undefined
+
+    const contentType = req.headers.get('content-type') || ''
+
+    if (contentType.includes('multipart/form-data')) {
+      const formData = await req.formData()
+
+      // Payload Admin Panel sendet Daten als _payload JSON-Feld
+      const payloadField = formData.get('_payload')
+      if (payloadField) {
+        try {
+          const payloadData = JSON.parse(payloadField.toString())
+          email = payloadData.email
+          password = payloadData.password
+        } catch {
+          // Falls _payload kein gültiges JSON ist, ignorieren
+        }
+      }
+
+      // Fallback: Direkte FormData-Felder (für curl/Tests)
+      if (!email || !password) {
+        email = formData.get('email')?.toString()
+        password = formData.get('password')?.toString()
+      }
+    } else if (contentType.includes('application/x-www-form-urlencoded')) {
+      const formData = await req.formData()
+      email = formData.get('email')?.toString()
+      password = formData.get('password')?.toString()
+    } else {
+      // Default: JSON
+      const body = await req.json()
+      email = body.email
+      password = body.password
+    }
 
     // Validierung
     if (!email || !password) {