Expire asset decryption tokens

.github/workflows/ci.yaml

@@ -4,7 +4,7 @@ on:
   workflow_dispatch:
   push:
     tags:
-      - 'v*' # Only on version tags like v1.0, v2.0, etc.
+      - 'v*'
 
 env:
   IMAGE_NAME: ${{ github.repository }}
@@ -12,7 +12,6 @@ env:
 jobs:
   build-and-push-image:
     runs-on: ubuntu-latest
-    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
     permissions:
       contents: read
       packages: write

Dockerfile

@@ -17,7 +17,8 @@ ENV APP_VERSION=${PACKAGE_VERSION}
 ENV NODE_ENV=production
 
 # Build without type checking, as we have removed the Typescript
-# dev-dependencies above to save space in the final build
+# dev-dependencies above to save space in the final build.
+# Type checking is done in the repo before building the image.
 RUN npx tsc --noCheck
 
 HEALTHCHECK --interval=30s --start-period=10s --timeout=5s CMD node /app/healthcheck.js || exit 1

app/src/immich.ts

@@ -219,7 +219,9 @@ class Immich {
   /**
    * When loading assets from a password-protected link, make the decryption key valid for a
    * short time. If the visitor loads the share link again, it will renew that expiry time.
-   * This prevents people from sharing the image links and bypassing password protection.
+   * Even though the recipient already knows the password, this is just in case - for example
+   * to protect against the password-protected link being revoked, but the asset links still
+   * being valid.
    */
   encryptPassword (password: string) {
     return encrypt(JSON.stringify({