fix(client): skip basic auth for payload paths so SDK works server-side

#345 widened the middleware matcher to include /admin and /v1 (needed so
the admin panel and Payload REST receive the x-current-path header that
gates the authjs strategy and breaks the /admin unauthorized loop).
Side effect: the basic-auth gate that previously only fronted the app
shell now also fronts /v1, so any server-to-self SDK call goes through
the gate and gets 401 — login (authorize -> sdk.login) and verify-email
(server action -> sdk.verifyEmail) both broke on envs with basic auth.

Skip the basic-auth check for Payload paths inside middleware. The
matcher stays inclusive so x-current-path is still forwarded and the
loop fix is preserved; only the gate is bypassed for /admin and /v1.

Also reverts the verify-email server action to the SDK now that the
underlying middleware regression is fixed — keeps a consistent
SDK-everywhere pattern instead of mixing Local API in one spot.

Author: mbarrenechea

client/src/app/(frontend)/[locale]/(app)/auth/verify-email/actions.ts

@@ -1,8 +1,6 @@
 "use server";
 
-import { getPayload } from "payload";
-
-import config from "@/payload.config";
+import { sdk } from "@/services/sdk";
 
 export type VerifyEmailResult =
   | { success: true }
@@ -14,13 +12,14 @@ export async function verifyEmailAction(token: string): Promise<VerifyEmailResul
   }
 
   try {
-    const payload = await getPayload({ config });
-    await payload.verifyEmail({ collection: "users", token });
+    await sdk.verifyEmail({
+      collection: "users",
+      token,
+    });
     return { success: true };
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
-    const status = (error as { status?: number } | null)?.status;
-    const isInvalid = status === 403 || /invalid/i.test(message);
+    const isInvalid = /invalid/i.test(message) || /403/.test(message);
 
     console.error("[verify-email] verification failed", {
       reason: isInvalid ? "invalid" : "unknown",

client/src/middleware.ts

@@ -21,15 +21,19 @@ export default async function middleware(req: NextRequest) {
     return NextResponse.next();
   }
 
-  if (!isAuthenticated(req)) {
+  const pathname = req.nextUrl.pathname;
+
+  // Skip basic auth for Payload paths (/admin, /v1) so server-to-self REST
+  // calls from NextAuth / server actions aren't blocked by the gate. The
+  // matcher still includes these paths so x-current-path is forwarded
+  // downstream, which the authjs strategy needs for the /admin loop fix.
+  if (!isPayloadPath(pathname) && !isAuthenticated(req)) {
     return new NextResponse("Authentication required", {
       status: 401,
       headers: { "WWW-Authenticate": "Basic" },
     });
   }
 
-  const pathname = req.nextUrl.pathname;
-
   // Forward the pathname so downstream auth strategies can detect admin-context
   // requests (Payload admin + REST). Without this, the Users authjs strategy would
   // authenticate non-admin users on /admin and trigger Payload's Unauthorized loop.