Cross-site navigation (e.g. email links) logs out authenticated users in 3.79.1

[avee87]

Describe the Bug

Since 3.79.1, clicking a link to a Payload-authenticated route from an external source (such as email client or another site) causes login state to be lost on the first load.

This was likely introduced in #15751 and issue doesn't reproduce in 3.79.0 and earlier.

This probably happens because code doesn't handle secFetchSite === 'navigate' here: https://github.com/payloadcms/payload/blob/main/packages/payload/src/auth/extractJWT.ts#L46-L49

Suggested fix:

if (                                                                                                                                
  secFetchSite === 'same-origin' ||                                                                                               
  secFetchSite === 'same-site' ||
  secFetchSite === 'none' ||                                                                                                        
  secFetchMode === 'navigate'
) {                                                                                                                                 
  return cookieToken;                                                                                                             
}

Link to the code that reproduces this issue

https://github.com/avee87/payload-cross-site-navigation-issue

Reproduction Steps

With setup from https://github.com/avee87/payload-cross-site-navigation-issue:

• Go to http://localhost:3000/admin and log into account
• Verify that http://localhost:3000/logged-in opens correctly
• Email yourself a link to http://localhost:3000/logged-in and open with an email client (i.e., Gmail) in the same browser
• Observe that clicking the link lands on http://localhost/login

Which area(s) are affected?

area: core

Environment Info

Binaries:
  Node: 24.14.0
  npm: 11.9.0
  Yarn: N/A
  pnpm: 10.32.1
Relevant Packages:
  payload: 3.80.0
  next: 16.2.0
  @payloadcms/db-sqlite: 3.80.0
  @payloadcms/drizzle: 3.80.0
  @payloadcms/graphql: 3.80.0
  @payloadcms/next/utilities: 3.80.0
  @payloadcms/richtext-lexical: 3.80.0
  @payloadcms/translations: 3.80.0
  @payloadcms/ui/shared: 3.80.0
  react: 19.2.4
  react-dom: 19.2.4
Operating System:
  Platform: darwin
  Arch: arm64
  Version: Darwin Kernel Version 24.6.0: Wed Nov  5 21:32:56 PST 2025; root:xnu-11417.140.69.705.2~1/RELEASE_ARM64_T8103
  Available memory (MB): 16384
  Available CPU cores: 8

[grahamorrell]

I am also running into this issue when users are logging in via Microsoft OAuth login. Slightly different scenario, but it looks like the Microsoft login callback has these headers :

• origin: null
• secFetchSite: 'cross-site'
• referer: 'https://login.microsoftonline.com/'

which fails the new checks. I've had to rollback to a pre 3.79.1 version in the meantime.

[amroweh2]

have a similar issue as well... if i add this to my /etc/hosts:

127.0.0.1   payload.local

and update my payload config with the correct CORS/serverUrl...etc.
it passes the login (can see 'Authentication Passed' and a token sent back)
but never goes to the admin page, instead, goes back to the login page

Also had to go back to 3.79.0

[grahamorrell]

I resolved my issue (with the OAuth callbacks) by setting the redirectURL not to my authenticated page, but to an unauthenticated route handler. This unauthenticated page then does a client side redirect to my authenticated page. The Payload auth check then fires but now sees it as a "same site" request rather than a "cross site" request and it passes.

[n-a-t-j-b]

Same issue when using lan pc to test a dev site published on an http://ip/ - 3.79.0 resolves.