# Getting a 403 forbidden on the admin page even though I’m authed


civic folioBOT
urban crater
#

Here is my access function:

```ts
import { Access } from 'payload';

// Access control for the admins collection: allow only when the
// authenticated user comes from the 'admins' auth collection.
export const adminOnly: Access = ({ req }) => {
  const user = req.user;
  if (user?.collection === 'admins') {
    return true;
  }

  return false;
};
```

#

I can say the problem probably stems from this:

```ts
// auth cookie settings of the admin collection:
// scoped to the API subdomain in production, localhost in development
cookies: {
  domain: process.env.NODE_ENV === 'production' ? 'api.domain.com' : 'localhost',
},
```

I’m setting the domain of the cookie for my admin collection to be a subdomain of the domain I’m using

#

So I can throw my front end on www and then have a clean looking mono repo, but this all works. I can access the token from my frontend, I can log in to and navigate my admin panel, but I cannot do anything on the admin panel like create something or delete something. It just doesn’t work.

#

I’ve logged my user in the access and it’s null of course. So what I think is happening is that for some reason, even though the request contains the payload-token, the access finds the user to be null and throws a 403 Forbidden.

urban crater
#

So I've discovered that it had to do with my csrf config.

Since I had not put my api.domain.com in, just domain.com. I guess Payload didn't recognize that the req.user was defined? I don't really know why, but adjusting my csrf config worked.
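A simplified model of the check this thread runs into, added here as an illustration (it is not Payload's own code): with cookie-based auth, the token carried in the `payload-token` cookie is only honoured when the request's `Origin` is on the `csrf` allowlist, so a mutating request from the admin panel served on api.domain.com is treated as anonymous until that origin is added. The origins come from the thread; the function names, the cookie value and the rule for requests without an `Origin` header are assumptions of this model.

```typescript
// Simplified, hypothetical model of how a CSRF origin allowlist gates cookie auth.
// Not Payload's implementation; it reproduces the 403 described in the thread.

type Headers = { origin?: string; cookie?: string };

// Parse a Cookie request header into a name -> value map.
function parseCookies(header: string | undefined): Record<string, string> {
  const out: Record<string, string> = {};
  for (const part of (header ?? '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Return the token the server will trust, or null if the request is anonymous.
// Model rule: a cookie-borne token counts only when Origin is on the csrf allowlist
// (or when no Origin header is present, e.g. a plain same-site navigation).
function tokenFromRequest(headers: Headers, csrf: string[]): string | null {
  const cookieToken = parseCookies(headers.cookie)['payload-token'] ?? null;
  if (!cookieToken) return null;
  if (headers.origin === undefined) return cookieToken;
  return csrf.includes(headers.origin) ? cookieToken : null;
}

// The admin panel is served from api.domain.com, so its create/delete requests
// carry that Origin together with the cookie scoped to api.domain.com.
const adminRequest: Headers = {
  origin: 'https://api.domain.com',
  cookie: 'payload-token=eyJ.constructed.token', // constructed sample value
};

// Allowlist as described before the fix: only the apex domain.
const csrfBefore = ['https://domain.com'];
// After the fix: the API subdomain the admin panel runs on is included.
const csrfAfter = [...csrfBefore, 'https://api.domain.com'];

// Compare the two configurations for the same admin-panel request.
function demo(): { before: string | null; after: string | null } {
  return {
    before: tokenFromRequest(adminRequest, csrfBefore), // null: req.user null, 403
    after: tokenFromRequest(adminRequest, csrfAfter),   // token: req.user populated
  };
}
```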