From be66b16a08254889b40275764b3debad4dff020d Mon Sep 17 00:00:00 2001
From: Alan Grainger
Date: Sun, 3 Nov 2024 20:28:37 +0100
Subject: [PATCH] Expire asset decryption tokens
---
 .github/workflows/ci.yaml | 3 +--
 Dockerfile | 3 ++-
 app/src/immich.ts | 4 +++-
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index ebd62e7..1b3700c 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -4,7 +4,7 @@ on:
 workflow_dispatch:
 push:
 tags:
- - 'v*' # Only on version tags like v1.0, v2.0, etc.
+ - 'v*'
 env:
 IMAGE_NAME: ${{ github.repository }}
@@ -12,7 +12,6 @@ env:
 jobs:
 build-and-push-image:
 runs-on: ubuntu-latest
- # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
 permissions:
 contents: read
 packages: write
diff --git a/Dockerfile b/Dockerfile
index c2e7062..7ab5a07 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,7 +17,8 @@ ENV APP_VERSION=${PACKAGE_VERSION}
 ENV NODE_ENV=production
 # Build without type checking, as we have removed the Typescript
-# dev-dependencies above to save space in the final build
+# dev-dependencies above to save space in the final build.
+# Type checking is done in the repo before building the image.
 RUN npx tsc --noCheck
 HEALTHCHECK --interval=30s --start-period=10s --timeout=5s CMD node /app/healthcheck.js || exit 1
diff --git a/app/src/immich.ts b/app/src/immich.ts
index ab0fa94..cb7972c 100644
--- a/app/src/immich.ts
+++ b/app/src/immich.ts
@@ -219,7 +219,9 @@ class Immich {
 /**
 * When loading assets from a password-protected link, make the decryption key valid for a
 * short time. If the visitor loads the share link again, it will renew that expiry time.
- * This prevents people from sharing the image links and bypassing password protection.
+ * Even though the recipient already knows the password, this is just in case - for example
+ * to protect against the password-protected link being revoked, but the asset links still
+ * being valid.
 */
 encryptPassword (password: string) {
 return encrypt(JSON.stringify({
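Review bot: The rewritten doc comment on `encryptPassword` still promises only "a short time" without naming the lifetime or the place where expiry is checked, and per the diffstat these comment lines are the only change to `immich.ts`, so nothing in this commit visibly implements the subject "Expire asset decryption tokens". I would replace the "just in case" wording with the concrete guarantee, for example `* The token carries an expiry that is checked when the asset is requested, so a leaked asset URL or a revoked share link stops working once it lapses.`, adjusted to what the body really does, since `encryptPassword` continues past the end of this hunk and the payload fields are not visible here. If the payload includes the share password itself, which the method name and the `JSON.stringify` call suggest but do not prove, the comment should also say that the token is a secret and must stay out of logs and error messages.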