1
0
Fork 0
mirror of https://github.com/immich-app/immich.git synced 2024-12-29 15:11:58 +00:00

feat(server): move authentication to tokens stored in the database (#1381)

* chore: add typeorm commands to npm and set default database config values

* feat: move to server side authentication tokens

* fix: websocket should emit error and disconnect on error thrown by the server

* refactor: rename cookie-auth-strategy to user-auth-strategy

* feat: user tokens and API keys now use SHA256 hash for performance improvements

* test: album e2e test remove unneeded module import

* infra: truncate api key table as old keys will no longer work with new hash algorithm

* fix(server): e2e tests (#1435)

* fix: root module paths

* chore: linting

* chore: rename user-auth to strategy.ts and make validate return AuthUserDto

* fix: we should always send HttpOnly for our auth cookies

* chore: remove now unused crypto functions and jwt dependencies

* fix: return the extra fields for AuthUserDto in auth service validate

---------

Co-authored-by: Jason Rasmussen <jrasm91@gmail.com>
This commit is contained in:
Zack Pollard 2023-01-27 20:50:07 +00:00 committed by GitHub
parent 9be71f603e
commit 3f2513a717
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
61 changed files with 373 additions and 517 deletions

View file

@ -10,9 +10,6 @@ REDIS_HOSTNAME=immich-redis-test
# Upload File Config # Upload File Config
UPLOAD_LOCATION=./upload UPLOAD_LOCATION=./upload
# JWT SECRET
JWT_SECRET=randomstringthatissolongandpowerfulthatnoonecanguess
# MAPBOX # MAPBOX
## ENABLE_MAPBOX is either true of false -> if true, you have to provide MAPBOX_KEY ## ENABLE_MAPBOX is either true of false -> if true, you have to provide MAPBOX_KEY
ENABLE_MAPBOX=false ENABLE_MAPBOX=false

View file

@ -30,16 +30,6 @@ REDIS_HOSTNAME=immich_redis
UPLOAD_LOCATION=absolute_location_on_your_machine_where_you_want_to_store_the_backup UPLOAD_LOCATION=absolute_location_on_your_machine_where_you_want_to_store_the_backup
###################################################################################
# JWT SECRET
#
# This JWT_SECRET is used to sign the authentication keys for user login
# You should set it to a long randomly generated value
# You can use this command to generate one: openssl rand -base64 128
###################################################################################
JWT_SECRET=
################################################################################### ###################################################################################
# Reverse Geocoding # Reverse Geocoding
# #

View file

@ -24,7 +24,7 @@ All the services are packaged to run as with single Docker Compose command.
1. Clone the project repo. 1. Clone the project repo.
2. Run `cp docker/example.env docker/.env`. 2. Run `cp docker/example.env docker/.env`.
3. Edit `docker/.env` to provide values for the required variables `UPLOAD_LOCATION` and `JWT_SECRET`. 3. Edit `docker/.env` to provide values for the required variable `UPLOAD_LOCATION`.
4. From the root directory, run: 4. From the root directory, run:
```bash title="Start development server" ```bash title="Start development server"

View file

@ -63,15 +63,6 @@ UPLOAD_LOCATION=absolute_location_on_your_machine_where_you_want_to_store_the_ba
LOG_LEVEL=simple LOG_LEVEL=simple
###################################################################################
# JWT SECRET
###################################################################################
# This JWT_SECRET is used to sign the authentication keys for user login
# You should set it to a long randomly generated value
# You can use this command to generate one: openssl rand -base64 128
JWT_SECRET=
################################################################################### ###################################################################################
# Reverse Geocoding # Reverse Geocoding
#################################################################################### ####################################################################################
@ -102,11 +93,6 @@ PUBLIC_LOGIN_PAGE_MESSAGE="My Family Photos and Videos Backup Server"
- Populate custom database information if necessary. - Populate custom database information if necessary.
- Populate `UPLOAD_LOCATION` with your preferred location for storing backup assets. - Populate `UPLOAD_LOCATION` with your preferred location for storing backup assets.
- Populate a secret value for `JWT_SECRET`. You can use the command below to generate a secure key:
```bash title="Command to generate secure JWT_SECRET key"
openssl rand -base64 128
```
### Step 3 - Start the containers ### Step 3 - Start the containers

View file

@ -40,11 +40,6 @@ Install Immich using Portainer's Stack feature.
* Populate custom database information if necessary. * Populate custom database information if necessary.
* Populate `UPLOAD_LOCATION` with your preferred location for storing backup assets. * Populate `UPLOAD_LOCATION` with your preferred location for storing backup assets.
* Populate a secret value for `JWT_SECRET`. You can use the command below to generate a secure key:
```bash title="Generate secure JWT_SECRET key"
openssl rand -base64 128
```
11. Click on "**Deploy the stack**". 11. Click on "**Deploy the stack**".

View file

@ -55,7 +55,6 @@ alt="Select Plugins > Compose.Manager > Add New Stack > Label it Immich"
6. Select the cog ⚙️ next to Immich, click "**Edit Stack**", then click "**Env File**" 6. Select the cog ⚙️ next to Immich, click "**Edit Stack**", then click "**Env File**"
7. Past the entire contents of the [Immich example.env](https://raw.githubusercontent.com/immich-app/immich/main/docker/example.env) file into the Unraid editor, then **before saving** edit the following: 7. Past the entire contents of the [Immich example.env](https://raw.githubusercontent.com/immich-app/immich/main/docker/example.env) file into the Unraid editor, then **before saving** edit the following:
- `JWT_SECRET`: Generate a unique secret and paste the value here > Can be generated by either typing `openssl rand -base64 128` in your terminal or copying from [uuidgenerator](https://www.uuidgenerator.net/version1)
- `UPLOAD_LOCATION`: Create a folder in your Images Unraid share and place the **absolute** location here > For example my _"images"_ share has a folder within it called _"immich"_. If I browse to this directory in the terminal and type `pwd` the output is `/mnt/user/images/immich`. This is the exact value I need to enter as my `UPLOAD_LOCATION` - `UPLOAD_LOCATION`: Create a folder in your Images Unraid share and place the **absolute** location here > For example my _"images"_ share has a folder within it called _"immich"_. If I browse to this directory in the terminal and type `pwd` the output is `/mnt/user/images/immich`. This is the exact value I need to enter as my `UPLOAD_LOCATION`
<img <img

View file

@ -45,12 +45,6 @@ populate_upload_location() {
replace_env_value "UPLOAD_LOCATION" $upload_location replace_env_value "UPLOAD_LOCATION" $upload_location
} }
generate_jwt_secret() {
echo "Generating JWT_SECRET value..."
jwt_secret=$(openssl rand -base64 128)
replace_env_value "JWT_SECRET" $jwt_secret
}
start_docker_compose() { start_docker_compose() {
echo "Starting Immich's docker containers" echo "Starting Immich's docker containers"
@ -92,5 +86,4 @@ create_immich_directory
download_docker_compose_file download_docker_compose_file
download_dot_env_file download_dot_env_file
populate_upload_location populate_upload_location
generate_jwt_secret
start_docker_compose start_docker_compose

View file

@ -19,8 +19,7 @@ export class CommunicationGateway implements OnGatewayConnection, OnGatewayDisco
async handleConnection(client: Socket) { async handleConnection(client: Socket) {
try { try {
this.logger.log(`New websocket connection: ${client.id}`); this.logger.log(`New websocket connection: ${client.id}`);
const user = await this.authService.validate(client.request.headers);
const user = await this.authService.validateSocket(client);
if (user) { if (user) {
client.join(user.id); client.join(user.id);
} else { } else {
@ -28,7 +27,8 @@ export class CommunicationGateway implements OnGatewayConnection, OnGatewayDisco
client.disconnect(); client.disconnect();
} }
} catch (e) { } catch (e) {
// Logger.error(`Error establish websocket conneciton ${e}`, 'HandleWebscoketConnection'); client.emit('error', 'unauthorized');
client.disconnect();
} }
} }
} }

View file

@ -1,7 +1,6 @@
import { immichAppConfig } from '@app/common/config'; import { immichAppConfig } from '@app/common/config';
import { MiddlewareConsumer, Module, NestModule } from '@nestjs/common'; import { MiddlewareConsumer, Module, NestModule } from '@nestjs/common';
import { AssetModule } from './api-v1/asset/asset.module'; import { AssetModule } from './api-v1/asset/asset.module';
import { ImmichJwtModule } from './modules/immich-jwt/immich-jwt.module';
import { DeviceInfoModule } from './api-v1/device-info/device-info.module'; import { DeviceInfoModule } from './api-v1/device-info/device-info.module';
import { ConfigModule } from '@nestjs/config'; import { ConfigModule } from '@nestjs/config';
import { ServerInfoModule } from './api-v1/server-info/server-info.module'; import { ServerInfoModule } from './api-v1/server-info/server-info.module';
@ -23,6 +22,9 @@ import {
SystemConfigController, SystemConfigController,
UserController, UserController,
} from './controllers'; } from './controllers';
import { PublicShareStrategy } from './modules/immich-auth/strategies/public-share.strategy';
import { APIKeyStrategy } from './modules/immich-auth/strategies/api-key.strategy';
import { UserAuthStrategy } from './modules/immich-auth/strategies/user-auth.strategy';
@Module({ @Module({
imports: [ imports: [
@ -34,8 +36,6 @@ import {
AssetModule, AssetModule,
ImmichJwtModule,
DeviceInfoModule, DeviceInfoModule,
ServerInfoModule, ServerInfoModule,
@ -64,7 +64,7 @@ import {
SystemConfigController, SystemConfigController,
UserController, UserController,
], ],
providers: [], providers: [UserAuthStrategy, APIKeyStrategy, PublicShareStrategy],
}) })
export class AppModule implements NestModule { export class AppModule implements NestModule {
// TODO: check if consumer is needed or remove // TODO: check if consumer is needed or remove

View file

@ -1,7 +1,7 @@
import { UseGuards } from '@nestjs/common'; import { UseGuards } from '@nestjs/common';
import { AdminRolesGuard } from '../middlewares/admin-role-guard.middleware'; import { AdminRolesGuard } from '../middlewares/admin-role-guard.middleware';
import { RouteNotSharedGuard } from '../middlewares/route-not-shared-guard.middleware'; import { RouteNotSharedGuard } from '../middlewares/route-not-shared-guard.middleware';
import { AuthGuard } from '../modules/immich-jwt/guards/auth.guard'; import { AuthGuard } from '../modules/immich-auth/guards/auth.guard';
interface AuthenticatedOptions { interface AuthenticatedOptions {
admin?: boolean; admin?: boolean;

View file

@ -4,5 +4,8 @@ declare global {
namespace Express { namespace Express {
// eslint-disable-next-line @typescript-eslint/no-empty-interface // eslint-disable-next-line @typescript-eslint/no-empty-interface
interface User extends AuthUserDto {} interface User extends AuthUserDto {}
export interface Request {
user: AuthUserDto;
}
} }
} }

View file

@ -40,9 +40,6 @@ async function bootstrap() {
.addBearerAuth({ .addBearerAuth({
type: 'http', type: 'http',
scheme: 'Bearer', scheme: 'Bearer',
bearerFormat: 'JWT',
name: 'JWT',
description: 'Enter JWT token',
in: 'header', in: 'header',
}) })
.addServer('/api') .addServer('/api')

View file

@ -1,8 +1,8 @@
import { Injectable } from '@nestjs/common'; import { Injectable } from '@nestjs/common';
import { AuthGuard as PassportAuthGuard } from '@nestjs/passport'; import { AuthGuard as PassportAuthGuard } from '@nestjs/passport';
import { API_KEY_STRATEGY } from '../strategies/api-key.strategy'; import { API_KEY_STRATEGY } from '../strategies/api-key.strategy';
import { JWT_STRATEGY } from '../strategies/jwt.strategy'; import { AUTH_COOKIE_STRATEGY } from '../strategies/user-auth.strategy';
import { PUBLIC_SHARE_STRATEGY } from '../strategies/public-share.strategy'; import { PUBLIC_SHARE_STRATEGY } from '../strategies/public-share.strategy';
@Injectable() @Injectable()
export class AuthGuard extends PassportAuthGuard([PUBLIC_SHARE_STRATEGY, JWT_STRATEGY, API_KEY_STRATEGY]) {} export class AuthGuard extends PassportAuthGuard([PUBLIC_SHARE_STRATEGY, AUTH_COOKIE_STRATEGY, API_KEY_STRATEGY]) {}

View file

@ -0,0 +1,24 @@
import { Injectable, UnauthorizedException } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { AuthService, AuthUserDto, UserService } from '@app/domain';
import { Strategy } from 'passport-custom';
import { Request } from 'express';
export const AUTH_COOKIE_STRATEGY = 'auth-cookie';
@Injectable()
export class UserAuthStrategy extends PassportStrategy(Strategy, AUTH_COOKIE_STRATEGY) {
constructor(private userService: UserService, private authService: AuthService) {
super();
}
async validate(request: Request): Promise<AuthUserDto> {
const authUser = await this.authService.validate(request.headers);
if (!authUser) {
throw new UnauthorizedException('Incorrect token provided');
}
return authUser;
}
}

View file

@ -1,9 +0,0 @@
import { Module } from '@nestjs/common';
import { APIKeyStrategy } from './strategies/api-key.strategy';
import { JwtStrategy } from './strategies/jwt.strategy';
import { PublicShareStrategy } from './strategies/public-share.strategy';
@Module({
providers: [JwtStrategy, APIKeyStrategy, PublicShareStrategy],
})
export class ImmichJwtModule {}

View file

@ -1,24 +0,0 @@
import { AuthService, AuthUserDto, JwtPayloadDto, jwtSecret } from '@app/domain';
import { Injectable } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { ExtractJwt, Strategy, StrategyOptions } from 'passport-jwt';
export const JWT_STRATEGY = 'jwt';
@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy, JWT_STRATEGY) {
constructor(private authService: AuthService) {
super({
jwtFromRequest: ExtractJwt.fromExtractors([
(req) => authService.extractJwtFromCookie(req.cookies),
(req) => authService.extractJwtFromHeader(req.headers),
]),
ignoreExpiration: false,
secretOrKey: jwtSecret,
} as StrategyOptions);
}
async validate(payload: JwtPayloadDto): Promise<AuthUserDto> {
return this.authService.validatePayload(payload);
}
}

View file

@ -5,10 +5,10 @@ import { clearDb, getAuthUser, authCustom } from './test-utils';
import { InfraModule } from '@app/infra'; import { InfraModule } from '@app/infra';
import { AlbumModule } from '../src/api-v1/album/album.module'; import { AlbumModule } from '../src/api-v1/album/album.module';
import { CreateAlbumDto } from '../src/api-v1/album/dto/create-album.dto'; import { CreateAlbumDto } from '../src/api-v1/album/dto/create-album.dto';
import { ImmichJwtModule } from '../src/modules/immich-jwt/immich-jwt.module';
import { AuthUserDto } from '../src/decorators/auth-user.decorator'; import { AuthUserDto } from '../src/decorators/auth-user.decorator';
import { AuthService, DomainModule, UserService } from '@app/domain'; import { AuthService, DomainModule, UserService } from '@app/domain';
import { DataSource } from 'typeorm'; import { DataSource } from 'typeorm';
import { AppModule } from '../src/app.module';
function _createAlbum(app: INestApplication, data: CreateAlbumDto) { function _createAlbum(app: INestApplication, data: CreateAlbumDto) {
return request(app.getHttpServer()).post('/album').send(data); return request(app.getHttpServer()).post('/album').send(data);
@ -21,7 +21,7 @@ describe('Album', () => {
describe('without auth', () => { describe('without auth', () => {
beforeAll(async () => { beforeAll(async () => {
const moduleFixture: TestingModule = await Test.createTestingModule({ const moduleFixture: TestingModule = await Test.createTestingModule({
imports: [DomainModule.register({ imports: [InfraModule] }), AlbumModule, ImmichJwtModule], imports: [DomainModule.register({ imports: [InfraModule] }), AppModule],
}).compile(); }).compile();
app = moduleFixture.createNestApplication(); app = moduleFixture.createNestApplication();

View file

@ -1,5 +1,6 @@
{ {
"moduleFileExtensions": ["js", "json", "ts"], "moduleFileExtensions": ["js", "json", "ts"],
"modulePaths": ["<rootDir>", "<rootDir>../../../"],
"rootDir": ".", "rootDir": ".",
"testEnvironment": "node", "testEnvironment": "node",
"testRegex": ".e2e-spec.ts$", "testRegex": ".e2e-spec.ts$",

View file

@ -2,7 +2,7 @@ import { CanActivate, ExecutionContext } from '@nestjs/common';
import { TestingModuleBuilder } from '@nestjs/testing'; import { TestingModuleBuilder } from '@nestjs/testing';
import { DataSource } from 'typeorm'; import { DataSource } from 'typeorm';
import { AuthUserDto } from '../src/decorators/auth-user.decorator'; import { AuthUserDto } from '../src/decorators/auth-user.decorator';
import { AuthGuard } from '../src/modules/immich-jwt/guards/auth.guard'; import { AuthGuard } from '../src/modules/immich-auth/guards/auth.guard';
type CustomAuthCallback = () => AuthUserDto; type CustomAuthCallback = () => AuthUserDto;

View file

@ -3,11 +3,11 @@ import { INestApplication } from '@nestjs/common';
import request from 'supertest'; import request from 'supertest';
import { clearDb, authCustom } from './test-utils'; import { clearDb, authCustom } from './test-utils';
import { InfraModule } from '@app/infra'; import { InfraModule } from '@app/infra';
import { ImmichJwtModule } from '../src/modules/immich-jwt/immich-jwt.module';
import { DomainModule, CreateUserDto, UserService, AuthUserDto } from '@app/domain'; import { DomainModule, CreateUserDto, UserService, AuthUserDto } from '@app/domain';
import { DataSource } from 'typeorm'; import { DataSource } from 'typeorm';
import { UserController } from '../src/controllers'; import { UserController } from '../src/controllers';
import { AuthService } from '@app/domain'; import { AuthService } from '@app/domain';
import { AppModule } from '../src/app.module';
function _createUser(userService: UserService, data: CreateUserDto) { function _createUser(userService: UserService, data: CreateUserDto) {
return userService.createUser(data); return userService.createUser(data);
@ -25,7 +25,7 @@ describe('User', () => {
describe('without auth', () => { describe('without auth', () => {
beforeAll(async () => { beforeAll(async () => {
const moduleFixture: TestingModule = await Test.createTestingModule({ const moduleFixture: TestingModule = await Test.createTestingModule({
imports: [DomainModule.register({ imports: [InfraModule] }), ImmichJwtModule], imports: [DomainModule.register({ imports: [InfraModule] }), AppModule],
controllers: [UserController], controllers: [UserController],
}).compile(); }).compile();

View file

@ -2722,8 +2722,6 @@
"scheme": "Bearer", "scheme": "Bearer",
"bearerFormat": "JWT", "bearerFormat": "JWT",
"type": "http", "type": "http",
"name": "JWT",
"description": "Enter JWT token",
"in": "header" "in": "header"
} }
}, },

View file

@ -1,20 +1,5 @@
import { Logger } from '@nestjs/common';
import { ConfigModuleOptions } from '@nestjs/config'; import { ConfigModuleOptions } from '@nestjs/config';
import Joi from 'joi'; import Joi from 'joi';
import { createSecretKey, generateKeySync } from 'node:crypto';
const jwtSecretValidator: Joi.CustomValidator<string> = (value) => {
const key = createSecretKey(value, 'base64');
const keySizeBits = (key.symmetricKeySize ?? 0) * 8;
if (keySizeBits < 128) {
const newKey = generateKeySync('hmac', { length: 256 }).export().toString('base64');
Logger.warn('The current JWT_SECRET key is insecure. It should be at least 128 bits long!');
Logger.warn(`Here is a new, securely generated key that you can use instead: ${newKey}`);
}
return value;
};
const WHEN_DB_URL_SET = Joi.when('DB_URL', { const WHEN_DB_URL_SET = Joi.when('DB_URL', {
is: Joi.exist(), is: Joi.exist(),
@ -31,7 +16,6 @@ export const immichAppConfig: ConfigModuleOptions = {
DB_PASSWORD: WHEN_DB_URL_SET, DB_PASSWORD: WHEN_DB_URL_SET,
DB_DATABASE_NAME: WHEN_DB_URL_SET, DB_DATABASE_NAME: WHEN_DB_URL_SET,
DB_URL: Joi.string().optional(), DB_URL: Joi.string().optional(),
JWT_SECRET: Joi.string().required().custom(jwtSecretValidator),
DISABLE_REVERSE_GEOCODING: Joi.boolean().optional().valid(true, false).default(false), DISABLE_REVERSE_GEOCODING: Joi.boolean().optional().valid(true, false).default(false),
REVERSE_GEOCODING_PRECISION: Joi.number().optional().valid(0, 1, 2, 3).default(3), REVERSE_GEOCODING_PRECISION: Joi.number().optional().valid(0, 1, 2, 3).default(3),
LOG_LEVEL: Joi.string().optional().valid('simple', 'verbose', 'debug', 'log', 'warn', 'error').default('log'), LOG_LEVEL: Joi.string().optional().valid('simple', 'verbose', 'debug', 'log', 'warn', 'error').default('log'),

View file

@ -10,7 +10,7 @@ export interface IKeyRepository {
* Includes the hashed `key` for verification * Includes the hashed `key` for verification
* @param id * @param id
*/ */
getKey(id: number): Promise<APIKeyEntity | null>; getKey(hashedToken: string): Promise<APIKeyEntity | null>;
getById(userId: string, id: number): Promise<APIKeyEntity | null>; getById(userId: string, id: number): Promise<APIKeyEntity | null>;
getByUserId(userId: string): Promise<APIKeyEntity[]>; getByUserId(userId: string): Promise<APIKeyEntity[]>;
} }

View file

@ -1,6 +1,6 @@
import { APIKeyEntity } from '@app/infra/db/entities'; import { APIKeyEntity } from '@app/infra/db/entities';
import { BadRequestException, UnauthorizedException } from '@nestjs/common'; import { BadRequestException, UnauthorizedException } from '@nestjs/common';
import { authStub, entityStub, newCryptoRepositoryMock, newKeyRepositoryMock } from '../../test'; import { authStub, userEntityStub, newCryptoRepositoryMock, newKeyRepositoryMock } from '../../test';
import { ICryptoRepository } from '../auth'; import { ICryptoRepository } from '../auth';
import { IKeyRepository } from './api-key.repository'; import { IKeyRepository } from './api-key.repository';
import { APIKeyService } from './api-key.service'; import { APIKeyService } from './api-key.service';
@ -10,10 +10,10 @@ const adminKey = Object.freeze({
name: 'My Key', name: 'My Key',
key: 'my-api-key (hashed)', key: 'my-api-key (hashed)',
userId: authStub.admin.id, userId: authStub.admin.id,
user: entityStub.admin, user: userEntityStub.admin,
} as APIKeyEntity); } as APIKeyEntity);
const token = Buffer.from('1:my-api-key', 'utf8').toString('base64'); const token = Buffer.from('my-api-key', 'utf8').toString('base64');
describe(APIKeyService.name, () => { describe(APIKeyService.name, () => {
let sut: APIKeyService; let sut: APIKeyService;
@ -38,7 +38,7 @@ describe(APIKeyService.name, () => {
userId: authStub.admin.id, userId: authStub.admin.id,
}); });
expect(cryptoMock.randomBytes).toHaveBeenCalled(); expect(cryptoMock.randomBytes).toHaveBeenCalled();
expect(cryptoMock.hash).toHaveBeenCalled(); expect(cryptoMock.hashSha256).toHaveBeenCalled();
}); });
it('should not require a name', async () => { it('should not require a name', async () => {
@ -52,7 +52,7 @@ describe(APIKeyService.name, () => {
userId: authStub.admin.id, userId: authStub.admin.id,
}); });
expect(cryptoMock.randomBytes).toHaveBeenCalled(); expect(cryptoMock.randomBytes).toHaveBeenCalled();
expect(cryptoMock.hash).toHaveBeenCalled(); expect(cryptoMock.hashSha256).toHaveBeenCalled();
}); });
}); });
@ -126,8 +126,7 @@ describe(APIKeyService.name, () => {
await expect(sut.validate(token)).rejects.toBeInstanceOf(UnauthorizedException); await expect(sut.validate(token)).rejects.toBeInstanceOf(UnauthorizedException);
expect(keyMock.getKey).toHaveBeenCalledWith(1); expect(keyMock.getKey).toHaveBeenCalledWith('bXktYXBpLWtleQ== (hashed)');
expect(cryptoMock.compareSync).not.toHaveBeenCalled();
}); });
it('should validate the token', async () => { it('should validate the token', async () => {
@ -135,8 +134,7 @@ describe(APIKeyService.name, () => {
await expect(sut.validate(token)).resolves.toEqual(authStub.admin); await expect(sut.validate(token)).resolves.toEqual(authStub.admin);
expect(keyMock.getKey).toHaveBeenCalledWith(1); expect(keyMock.getKey).toHaveBeenCalledWith('bXktYXBpLWtleQ== (hashed)');
expect(cryptoMock.compareSync).toHaveBeenCalledWith('my-api-key', 'my-api-key (hashed)');
}); });
}); });
}); });

View file

@ -1,4 +1,3 @@
import { UserEntity } from '@app/infra/db/entities';
import { BadRequestException, Inject, Injectable, UnauthorizedException } from '@nestjs/common'; import { BadRequestException, Inject, Injectable, UnauthorizedException } from '@nestjs/common';
import { AuthUserDto, ICryptoRepository } from '../auth'; import { AuthUserDto, ICryptoRepository } from '../auth';
import { IKeyRepository } from './api-key.repository'; import { IKeyRepository } from './api-key.repository';
@ -14,15 +13,13 @@ export class APIKeyService {
) {} ) {}
async create(authUser: AuthUserDto, dto: APIKeyCreateDto): Promise<APIKeyCreateResponseDto> { async create(authUser: AuthUserDto, dto: APIKeyCreateDto): Promise<APIKeyCreateResponseDto> {
const key = this.crypto.randomBytes(24).toString('base64').replace(/\W/g, ''); const secret = this.crypto.randomBytes(32).toString('base64').replace(/\W/g, '');
const entity = await this.repository.create({ const entity = await this.repository.create({
key: await this.crypto.hash(key, 10), key: this.crypto.hashSha256(secret),
name: dto.name || 'API Key', name: dto.name || 'API Key',
userId: authUser.id, userId: authUser.id,
}); });
const secret = Buffer.from(`${entity.id}:${key}`, 'utf8').toString('base64');
return { secret, apiKey: mapKey(entity) }; return { secret, apiKey: mapKey(entity) };
} }
@ -60,13 +57,10 @@ export class APIKeyService {
} }
async validate(token: string): Promise<AuthUserDto> { async validate(token: string): Promise<AuthUserDto> {
const [_id, key] = Buffer.from(token, 'base64').toString('utf8').split(':'); const hashedToken = this.crypto.hashSha256(token);
const id = Number(_id); const keyEntity = await this.repository.getKey(hashedToken);
if (keyEntity?.user) {
if (id && key) { const user = keyEntity.user;
const entity = await this.repository.getKey(id);
if (entity?.user && entity?.key && this.crypto.compareSync(key, entity.key)) {
const user = entity.user as UserEntity;
return { return {
id: user.id, id: user.id,
@ -76,7 +70,6 @@ export class APIKeyService {
isAllowUpload: true, isAllowUpload: true,
}; };
} }
}
throw new UnauthorizedException('Invalid API Key'); throw new UnauthorizedException('Invalid API Key');
} }

View file

@ -1,7 +0,0 @@
import { JwtModuleOptions } from '@nestjs/jwt';
import { jwtSecret } from './auth.constant';
export const jwtConfig: JwtModuleOptions = {
secret: jwtSecret,
signOptions: { expiresIn: '30d' },
};

View file

@ -1,4 +1,3 @@
export const jwtSecret = process.env.JWT_SECRET;
export const IMMICH_ACCESS_COOKIE = 'immich_access_token'; export const IMMICH_ACCESS_COOKIE = 'immich_access_token';
export const IMMICH_AUTH_TYPE_COOKIE = 'immich_auth_type'; export const IMMICH_AUTH_TYPE_COOKIE = 'immich_auth_type';
export enum AuthType { export enum AuthType {

View file

@ -4,8 +4,9 @@ import { ISystemConfigRepository } from '../system-config';
import { SystemConfigCore } from '../system-config/system-config.core'; import { SystemConfigCore } from '../system-config/system-config.core';
import { AuthType, IMMICH_ACCESS_COOKIE, IMMICH_AUTH_TYPE_COOKIE } from './auth.constant'; import { AuthType, IMMICH_ACCESS_COOKIE, IMMICH_AUTH_TYPE_COOKIE } from './auth.constant';
import { ICryptoRepository } from './crypto.repository'; import { ICryptoRepository } from './crypto.repository';
import { JwtPayloadDto } from './dto/jwt-payload.dto';
import { LoginResponseDto, mapLoginResponse } from './response-dto'; import { LoginResponseDto, mapLoginResponse } from './response-dto';
import { IUserTokenRepository, UserTokenCore } from '@app/domain';
import cookieParser from 'cookie';
export type JwtValidationResult = { export type JwtValidationResult = {
status: boolean; status: boolean;
@ -13,11 +14,14 @@ export type JwtValidationResult = {
}; };
export class AuthCore { export class AuthCore {
private userTokenCore: UserTokenCore;
constructor( constructor(
private cryptoRepository: ICryptoRepository, private cryptoRepository: ICryptoRepository,
configRepository: ISystemConfigRepository, configRepository: ISystemConfigRepository,
userTokenRepository: IUserTokenRepository,
private config: SystemConfig, private config: SystemConfig,
) { ) {
this.userTokenCore = new UserTokenCore(cryptoRepository, userTokenRepository);
const configCore = new SystemConfigCore(configRepository); const configCore = new SystemConfigCore(configRepository);
configCore.config$.subscribe((config) => (this.config = config)); configCore.config$.subscribe((config) => (this.config = config));
} }
@ -33,8 +37,8 @@ export class AuthCore {
let accessTokenCookie = ''; let accessTokenCookie = '';
if (isSecure) { if (isSecure) {
accessTokenCookie = `${IMMICH_ACCESS_COOKIE}=${loginResponse.accessToken}; Secure; Path=/; Max-Age=${maxAge}; SameSite=Strict;`; accessTokenCookie = `${IMMICH_ACCESS_COOKIE}=${loginResponse.accessToken}; HttpOnly; Secure; Path=/; Max-Age=${maxAge}; SameSite=Strict;`;
authTypeCookie = `${IMMICH_AUTH_TYPE_COOKIE}=${authType}; Secure; Path=/; Max-Age=${maxAge}; SameSite=Strict;`; authTypeCookie = `${IMMICH_AUTH_TYPE_COOKIE}=${authType}; HttpOnly; Secure; Path=/; Max-Age=${maxAge}; SameSite=Strict;`;
} else { } else {
accessTokenCookie = `${IMMICH_ACCESS_COOKIE}=${loginResponse.accessToken}; HttpOnly; Path=/; Max-Age=${maxAge}; SameSite=Strict;`; accessTokenCookie = `${IMMICH_ACCESS_COOKIE}=${loginResponse.accessToken}; HttpOnly; Path=/; Max-Age=${maxAge}; SameSite=Strict;`;
authTypeCookie = `${IMMICH_AUTH_TYPE_COOKIE}=${authType}; HttpOnly; Path=/; Max-Age=${maxAge}; SameSite=Strict;`; authTypeCookie = `${IMMICH_AUTH_TYPE_COOKIE}=${authType}; HttpOnly; Path=/; Max-Age=${maxAge}; SameSite=Strict;`;
@ -42,9 +46,8 @@ export class AuthCore {
return [accessTokenCookie, authTypeCookie]; return [accessTokenCookie, authTypeCookie];
} }
public createLoginResponse(user: UserEntity, authType: AuthType, isSecure: boolean) { public async createLoginResponse(user: UserEntity, authType: AuthType, isSecure: boolean) {
const payload: JwtPayloadDto = { userId: user.id, email: user.email }; const accessToken = await this.userTokenCore.createToken(user);
const accessToken = this.generateToken(payload);
const response = mapLoginResponse(user, accessToken); const response = mapLoginResponse(user, accessToken);
const cookie = this.getCookies(response, authType, isSecure); const cookie = this.getCookies(response, authType, isSecure);
return { response, cookie }; return { response, cookie };
@ -54,12 +57,12 @@ export class AuthCore {
if (!user || !user.password) { if (!user || !user.password) {
return false; return false;
} }
return this.cryptoRepository.compareSync(inputPassword, user.password); return this.cryptoRepository.compareBcrypt(inputPassword, user.password);
} }
extractJwtFromHeader(headers: IncomingHttpHeaders) { extractTokenFromHeader(headers: IncomingHttpHeaders) {
if (!headers.authorization) { if (!headers.authorization) {
return null; return this.extractTokenFromCookie(cookieParser.parse(headers.cookie || ''));
} }
const [type, accessToken] = headers.authorization.split(' '); const [type, accessToken] = headers.authorization.split(' ');
@ -70,11 +73,7 @@ export class AuthCore {
return accessToken; return accessToken;
} }
extractJwtFromCookie(cookies: Record<string, string>) { extractTokenFromCookie(cookies: Record<string, string>) {
return cookies?.[IMMICH_ACCESS_COOKIE] || null; return cookies?.[IMMICH_ACCESS_COOKIE] || null;
} }
private generateToken(payload: JwtPayloadDto) {
return this.cryptoRepository.signJwt({ ...payload });
}
} }

View file

@ -3,13 +3,13 @@ import { BadRequestException, UnauthorizedException } from '@nestjs/common';
import { generators, Issuer } from 'openid-client'; import { generators, Issuer } from 'openid-client';
import { Socket } from 'socket.io'; import { Socket } from 'socket.io';
import { import {
authStub, userEntityStub,
entityStub,
loginResponseStub, loginResponseStub,
newCryptoRepositoryMock, newCryptoRepositoryMock,
newSystemConfigRepositoryMock, newSystemConfigRepositoryMock,
newUserRepositoryMock, newUserRepositoryMock,
systemConfigStub, systemConfigStub,
userTokenEntityStub,
} from '../../test'; } from '../../test';
import { ISystemConfigRepository } from '../system-config'; import { ISystemConfigRepository } from '../system-config';
import { IUserRepository } from '../user'; import { IUserRepository } from '../user';
@ -17,6 +17,9 @@ import { AuthType, IMMICH_ACCESS_COOKIE, IMMICH_AUTH_TYPE_COOKIE } from './auth.
import { AuthService } from './auth.service'; import { AuthService } from './auth.service';
import { ICryptoRepository } from './crypto.repository'; import { ICryptoRepository } from './crypto.repository';
import { SignUpDto } from './dto'; import { SignUpDto } from './dto';
import { IUserTokenRepository } from '@app/domain';
import { newUserTokenRepositoryMock } from '../../test/user-token.repository.mock';
import { IncomingHttpHeaders } from 'http';
const email = 'test@immich.com'; const email = 'test@immich.com';
const sub = 'my-auth-user-sub'; const sub = 'my-auth-user-sub';
@ -47,6 +50,7 @@ describe('AuthService', () => {
let cryptoMock: jest.Mocked<ICryptoRepository>; let cryptoMock: jest.Mocked<ICryptoRepository>;
let userMock: jest.Mocked<IUserRepository>; let userMock: jest.Mocked<IUserRepository>;
let configMock: jest.Mocked<ISystemConfigRepository>; let configMock: jest.Mocked<ISystemConfigRepository>;
let userTokenMock: jest.Mocked<IUserTokenRepository>;
let callbackMock: jest.Mock; let callbackMock: jest.Mock;
let create: (config: SystemConfig) => AuthService; let create: (config: SystemConfig) => AuthService;
@ -76,8 +80,9 @@ describe('AuthService', () => {
cryptoMock = newCryptoRepositoryMock(); cryptoMock = newCryptoRepositoryMock();
userMock = newUserRepositoryMock(); userMock = newUserRepositoryMock();
configMock = newSystemConfigRepositoryMock(); configMock = newSystemConfigRepositoryMock();
userTokenMock = newUserTokenRepositoryMock();
create = (config) => new AuthService(cryptoMock, configMock, userMock, config); create = (config) => new AuthService(cryptoMock, configMock, userMock, userTokenMock, config);
sut = create(systemConfigStub.enabled); sut = create(systemConfigStub.enabled);
}); });
@ -106,13 +111,15 @@ describe('AuthService', () => {
}); });
it('should successfully log the user in', async () => { it('should successfully log the user in', async () => {
userMock.getByEmail.mockResolvedValue(entityStub.user1); userMock.getByEmail.mockResolvedValue(userEntityStub.user1);
userTokenMock.create.mockResolvedValue(userTokenEntityStub.userToken);
await expect(sut.login(fixtures.login, CLIENT_IP, true)).resolves.toEqual(loginResponseStub.user1password); await expect(sut.login(fixtures.login, CLIENT_IP, true)).resolves.toEqual(loginResponseStub.user1password);
expect(userMock.getByEmail).toHaveBeenCalledTimes(1); expect(userMock.getByEmail).toHaveBeenCalledTimes(1);
}); });
it('should generate the cookie headers (insecure)', async () => { it('should generate the cookie headers (insecure)', async () => {
userMock.getByEmail.mockResolvedValue(entityStub.user1); userMock.getByEmail.mockResolvedValue(userEntityStub.user1);
userTokenMock.create.mockResolvedValue(userTokenEntityStub.userToken);
await expect(sut.login(fixtures.login, CLIENT_IP, false)).resolves.toEqual(loginResponseStub.user1insecure); await expect(sut.login(fixtures.login, CLIENT_IP, false)).resolves.toEqual(loginResponseStub.user1insecure);
expect(userMock.getByEmail).toHaveBeenCalledTimes(1); expect(userMock.getByEmail).toHaveBeenCalledTimes(1);
}); });
@ -131,7 +138,7 @@ describe('AuthService', () => {
await sut.changePassword(authUser, dto); await sut.changePassword(authUser, dto);
expect(userMock.getByEmail).toHaveBeenCalledWith(authUser.email, true); expect(userMock.getByEmail).toHaveBeenCalledWith(authUser.email, true);
expect(cryptoMock.compareSync).toHaveBeenCalledWith('old-password', 'hash-password'); expect(cryptoMock.compareBcrypt).toHaveBeenCalledWith('old-password', 'hash-password');
}); });
it('should throw when auth user email is not found', async () => { it('should throw when auth user email is not found', async () => {
@ -147,7 +154,7 @@ describe('AuthService', () => {
const authUser = { email: 'test@imimch.com' } as UserEntity; const authUser = { email: 'test@imimch.com' } as UserEntity;
const dto = { password: 'old-password', newPassword: 'new-password' }; const dto = { password: 'old-password', newPassword: 'new-password' };
cryptoMock.compareSync.mockReturnValue(false); cryptoMock.compareBcrypt.mockReturnValue(false);
userMock.getByEmail.mockResolvedValue({ userMock.getByEmail.mockResolvedValue({
email: 'test@immich.com', email: 'test@immich.com',
@ -161,8 +168,6 @@ describe('AuthService', () => {
const authUser = { email: 'test@imimch.com' } as UserEntity; const authUser = { email: 'test@imimch.com' } as UserEntity;
const dto = { password: 'old-password', newPassword: 'new-password' }; const dto = { password: 'old-password', newPassword: 'new-password' };
cryptoMock.compareSync.mockReturnValue(false);
userMock.getByEmail.mockResolvedValue({ userMock.getByEmail.mockResolvedValue({
email: 'test@immich.com', email: 'test@immich.com',
password: '', password: '',
@ -212,52 +217,64 @@ describe('AuthService', () => {
}); });
}); });
describe('validateSocket', () => { describe('validate - socket connections', () => {
it('should validate using authorization header', async () => { it('should validate using authorization header', async () => {
userMock.get.mockResolvedValue(entityStub.user1); userMock.get.mockResolvedValue(userEntityStub.user1);
const client = { handshake: { headers: { authorization: 'Bearer jwt-token' } } }; userTokenMock.get.mockResolvedValue(userTokenEntityStub.userToken);
await expect(sut.validateSocket(client as Socket)).resolves.toEqual(entityStub.user1); const client = { request: { headers: { authorization: 'Bearer auth_token' } } };
await expect(sut.validate((client as Socket).request.headers)).resolves.toEqual(userEntityStub.user1);
}); });
}); });
describe('validatePayload', () => { describe('validate - api request', () => {
it('should throw if no user is found', async () => { it('should throw if no user is found', async () => {
userMock.get.mockResolvedValue(null); userMock.get.mockResolvedValue(null);
await expect(sut.validatePayload({ email: 'a', userId: 'test' })).rejects.toBeInstanceOf(UnauthorizedException); await expect(sut.validate({ email: 'a', userId: 'test' })).rejects.toBeInstanceOf(UnauthorizedException);
}); });
it('should return an auth dto', async () => { it('should return an auth dto', async () => {
userMock.get.mockResolvedValue(entityStub.admin); userMock.get.mockResolvedValue(userEntityStub.user1);
await expect(sut.validatePayload({ email: 'a', userId: 'test' })).resolves.toEqual(authStub.admin); userTokenMock.get.mockResolvedValue(userTokenEntityStub.userToken);
await expect(
sut.validate({ cookie: 'immich_access_token=auth_token', email: 'a', userId: 'test' }),
).resolves.toEqual(userEntityStub.user1);
}); });
}); });
describe('extractJwtFromCookie', () => { describe('extractTokenFromHeader - Cookie', () => {
it('should extract the access token', () => { it('should extract the access token', () => {
const cookie = { [IMMICH_ACCESS_COOKIE]: 'signed-jwt', [IMMICH_AUTH_TYPE_COOKIE]: 'password' }; const cookie: IncomingHttpHeaders = {
expect(sut.extractJwtFromCookie(cookie)).toEqual('signed-jwt'); cookie: `${IMMICH_ACCESS_COOKIE}=signed-jwt;${IMMICH_AUTH_TYPE_COOKIE}=password`,
};
expect(sut.extractTokenFromHeader(cookie)).toEqual('signed-jwt');
}); });
it('should work with no cookies', () => { it('should work with no cookies', () => {
expect(sut.extractJwtFromCookie(undefined as any)).toBeNull(); const cookie: IncomingHttpHeaders = {
cookie: undefined,
};
expect(sut.extractTokenFromHeader(cookie)).toBeNull();
}); });
it('should work on empty cookies', () => { it('should work on empty cookies', () => {
expect(sut.extractJwtFromCookie({})).toBeNull(); const cookie: IncomingHttpHeaders = {
cookie: '',
};
expect(sut.extractTokenFromHeader(cookie)).toBeNull();
}); });
}); });
describe('extractJwtFromHeader', () => { describe('extractTokenFromHeader - Bearer Auth', () => {
it('should extract the access token', () => { it('should extract the access token', () => {
expect(sut.extractJwtFromHeader({ authorization: `Bearer signed-jwt` })).toEqual('signed-jwt'); expect(sut.extractTokenFromHeader({ authorization: `Bearer signed-jwt` })).toEqual('signed-jwt');
}); });
it('should work without the auth header', () => { it('should work without the auth header', () => {
expect(sut.extractJwtFromHeader({})).toBeNull(); expect(sut.extractTokenFromHeader({})).toBeNull();
}); });
it('should ignore basic auth', () => { it('should ignore basic auth', () => {
expect(sut.extractJwtFromHeader({ authorization: `Basic stuff` })).toBeNull(); expect(sut.extractTokenFromHeader({ authorization: `Basic stuff` })).toBeNull();
}); });
}); });
}); });

View file

@ -7,20 +7,20 @@ import {
Logger, Logger,
UnauthorizedException, UnauthorizedException,
} from '@nestjs/common'; } from '@nestjs/common';
import * as cookieParser from 'cookie';
import { IncomingHttpHeaders } from 'http'; import { IncomingHttpHeaders } from 'http';
import { Socket } from 'socket.io';
import { OAuthCore } from '../oauth/oauth.core'; import { OAuthCore } from '../oauth/oauth.core';
import { INITIAL_SYSTEM_CONFIG, ISystemConfigRepository } from '../system-config'; import { INITIAL_SYSTEM_CONFIG, ISystemConfigRepository } from '../system-config';
import { IUserRepository, UserCore, UserResponseDto } from '../user'; import { IUserRepository, UserCore } from '../user';
import { AuthType, jwtSecret } from './auth.constant'; import { AuthType } from './auth.constant';
import { AuthCore } from './auth.core'; import { AuthCore } from './auth.core';
import { ICryptoRepository } from './crypto.repository'; import { ICryptoRepository } from './crypto.repository';
import { AuthUserDto, ChangePasswordDto, JwtPayloadDto, LoginCredentialDto, SignUpDto } from './dto'; import { AuthUserDto, ChangePasswordDto, LoginCredentialDto, SignUpDto } from './dto';
import { AdminSignupResponseDto, LoginResponseDto, LogoutResponseDto, mapAdminSignupResponse } from './response-dto'; import { AdminSignupResponseDto, LoginResponseDto, LogoutResponseDto, mapAdminSignupResponse } from './response-dto';
import { IUserTokenRepository, UserTokenCore } from '@app/domain/user-token';
@Injectable() @Injectable()
export class AuthService { export class AuthService {
private userTokenCore: UserTokenCore;
private authCore: AuthCore; private authCore: AuthCore;
private oauthCore: OAuthCore; private oauthCore: OAuthCore;
private userCore: UserCore; private userCore: UserCore;
@ -31,11 +31,14 @@ export class AuthService {
@Inject(ICryptoRepository) private cryptoRepository: ICryptoRepository, @Inject(ICryptoRepository) private cryptoRepository: ICryptoRepository,
@Inject(ISystemConfigRepository) configRepository: ISystemConfigRepository, @Inject(ISystemConfigRepository) configRepository: ISystemConfigRepository,
@Inject(IUserRepository) userRepository: IUserRepository, @Inject(IUserRepository) userRepository: IUserRepository,
@Inject(INITIAL_SYSTEM_CONFIG) initialConfig: SystemConfig, @Inject(IUserTokenRepository) userTokenRepository: IUserTokenRepository,
@Inject(INITIAL_SYSTEM_CONFIG)
initialConfig: SystemConfig,
) { ) {
this.authCore = new AuthCore(cryptoRepository, configRepository, initialConfig); this.userTokenCore = new UserTokenCore(cryptoRepository, userTokenRepository);
this.authCore = new AuthCore(cryptoRepository, configRepository, userTokenRepository, initialConfig);
this.oauthCore = new OAuthCore(configRepository, initialConfig); this.oauthCore = new OAuthCore(configRepository, initialConfig);
this.userCore = new UserCore(userRepository); this.userCore = new UserCore(userRepository, cryptoRepository);
} }
public async login( public async login(
@ -49,7 +52,7 @@ export class AuthService {
let user = await this.userCore.getByEmail(loginCredential.email, true); let user = await this.userCore.getByEmail(loginCredential.email, true);
if (user) { if (user) {
const isAuthenticated = await this.authCore.validatePassword(loginCredential.password, user); const isAuthenticated = this.authCore.validatePassword(loginCredential.password, user);
if (!isAuthenticated) { if (!isAuthenticated) {
user = null; user = null;
} }
@ -81,7 +84,7 @@ export class AuthService {
throw new UnauthorizedException(); throw new UnauthorizedException();
} }
const valid = await this.authCore.validatePassword(password, user); const valid = this.authCore.validatePassword(password, user);
if (!valid) { if (!valid) {
throw new BadRequestException('Wrong password'); throw new BadRequestException('Wrong password');
} }
@ -112,49 +115,28 @@ export class AuthService {
} }
} }
async validateSocket(client: Socket): Promise<UserResponseDto | null> { public async validate(headers: IncomingHttpHeaders): Promise<AuthUserDto> {
try { const tokenValue = this.extractTokenFromHeader(headers);
const headers = client.handshake.headers; if (!tokenValue) {
const accessToken = throw new UnauthorizedException('No access token provided in request');
this.extractJwtFromCookie(cookieParser.parse(headers.cookie || '')) || this.extractJwtFromHeader(headers); }
if (accessToken) { const hashedToken = this.cryptoRepository.hashSha256(tokenValue);
const payload = await this.cryptoRepository.verifyJwtAsync<JwtPayloadDto>(accessToken, { secret: jwtSecret }); const user = await this.userTokenCore.getUserByToken(hashedToken);
if (payload?.userId && payload?.email) {
const user = await this.userCore.get(payload.userId);
if (user) { if (user) {
return user; return {
} ...user,
} isPublicUser: false,
} isAllowUpload: true,
} catch (e) { isAllowDownload: true,
return null; isShowExif: true,
} };
return null;
} }
async validatePayload(payload: JwtPayloadDto) { throw new UnauthorizedException('Invalid access token provided');
const { userId } = payload;
const user = await this.userCore.get(userId);
if (!user) {
throw new UnauthorizedException('Failure to validate JWT payload');
} }
const authUser = new AuthUserDto(); extractTokenFromHeader(headers: IncomingHttpHeaders) {
authUser.id = user.id; return this.authCore.extractTokenFromHeader(headers);
authUser.email = user.email;
authUser.isAdmin = user.isAdmin;
authUser.isPublicUser = false;
authUser.isAllowUpload = true;
return authUser;
}
extractJwtFromCookie(cookies: Record<string, string>) {
return this.authCore.extractJwtFromCookie(cookies);
}
extractJwtFromHeader(headers: IncomingHttpHeaders) {
return this.authCore.extractJwtFromHeader(headers);
} }
} }

View file

@ -1,11 +1,8 @@
import { JwtSignOptions, JwtVerifyOptions } from '@nestjs/jwt';
export const ICryptoRepository = 'ICryptoRepository'; export const ICryptoRepository = 'ICryptoRepository';
export interface ICryptoRepository { export interface ICryptoRepository {
randomBytes(size: number): Buffer; randomBytes(size: number): Buffer;
hash(data: string | Buffer, saltOrRounds: string | number): Promise<string>; hashSha256(data: string): string;
compareSync(data: Buffer | string, encrypted: string): boolean; hashBcrypt(data: string | Buffer, saltOrRounds: string | number): Promise<string>;
signJwt(payload: string | Buffer | object, options?: JwtSignOptions): string; compareBcrypt(data: string | Buffer, encrypted: string): boolean;
verifyJwtAsync<T extends object = any>(token: string, options?: JwtVerifyOptions): Promise<T>;
} }

View file

@ -1,4 +1,3 @@
export * from './auth.config';
export * from './auth.constant'; export * from './auth.constant';
export * from './auth.service'; export * from './auth.service';
export * from './crypto.repository'; export * from './crypto.repository';

View file

@ -13,7 +13,6 @@ const providers: Provider[] = [
SystemConfigService, SystemConfigService,
UserService, UserService,
ShareService, ShareService,
{ {
provide: INITIAL_SYSTEM_CONFIG, provide: INITIAL_SYSTEM_CONFIG,
inject: [SystemConfigService], inject: [SystemConfigService],

View file

@ -9,3 +9,4 @@ export * from './share';
export * from './system-config'; export * from './system-config';
export * from './tag'; export * from './tag';
export * from './user'; export * from './user';
export * from './user-token';

View file

@ -3,17 +3,20 @@ import { BadRequestException } from '@nestjs/common';
import { generators, Issuer } from 'openid-client'; import { generators, Issuer } from 'openid-client';
import { import {
authStub, authStub,
entityStub, userEntityStub,
loginResponseStub, loginResponseStub,
newCryptoRepositoryMock, newCryptoRepositoryMock,
newSystemConfigRepositoryMock, newSystemConfigRepositoryMock,
newUserRepositoryMock, newUserRepositoryMock,
systemConfigStub, systemConfigStub,
userTokenEntityStub,
} from '../../test'; } from '../../test';
import { ICryptoRepository } from '../auth'; import { ICryptoRepository } from '../auth';
import { OAuthService } from '../oauth'; import { OAuthService } from '../oauth';
import { ISystemConfigRepository } from '../system-config'; import { ISystemConfigRepository } from '../system-config';
import { IUserRepository } from '../user'; import { IUserRepository } from '../user';
import { IUserTokenRepository } from '@app/domain';
import { newUserTokenRepositoryMock } from '../../test/user-token.repository.mock';
const email = 'user@immich.com'; const email = 'user@immich.com';
const sub = 'my-auth-user-sub'; const sub = 'my-auth-user-sub';
@ -35,6 +38,7 @@ describe('OAuthService', () => {
let userMock: jest.Mocked<IUserRepository>; let userMock: jest.Mocked<IUserRepository>;
let cryptoMock: jest.Mocked<ICryptoRepository>; let cryptoMock: jest.Mocked<ICryptoRepository>;
let configMock: jest.Mocked<ISystemConfigRepository>; let configMock: jest.Mocked<ISystemConfigRepository>;
let userTokenMock: jest.Mocked<IUserTokenRepository>;
let callbackMock: jest.Mock; let callbackMock: jest.Mock;
let create: (config: SystemConfig) => OAuthService; let create: (config: SystemConfig) => OAuthService;
@ -60,8 +64,9 @@ describe('OAuthService', () => {
cryptoMock = newCryptoRepositoryMock(); cryptoMock = newCryptoRepositoryMock();
configMock = newSystemConfigRepositoryMock(); configMock = newSystemConfigRepositoryMock();
userMock = newUserRepositoryMock(); userMock = newUserRepositoryMock();
userTokenMock = newUserTokenRepositoryMock();
create = (config) => new OAuthService(cryptoMock, configMock, userMock, config); create = (config) => new OAuthService(cryptoMock, configMock, userMock, userTokenMock, config);
sut = create(systemConfigStub.disabled); sut = create(systemConfigStub.disabled);
}); });
@ -106,23 +111,25 @@ describe('OAuthService', () => {
it('should link an existing user', async () => { it('should link an existing user', async () => {
sut = create(systemConfigStub.noAutoRegister); sut = create(systemConfigStub.noAutoRegister);
userMock.getByEmail.mockResolvedValue(entityStub.user1); userMock.getByEmail.mockResolvedValue(userEntityStub.user1);
userMock.update.mockResolvedValue(entityStub.user1); userMock.update.mockResolvedValue(userEntityStub.user1);
userTokenMock.create.mockResolvedValue(userTokenEntityStub.userToken);
await expect(sut.login({ url: 'http://immich/auth/login?code=abc123' }, true)).resolves.toEqual( await expect(sut.login({ url: 'http://immich/auth/login?code=abc123' }, true)).resolves.toEqual(
loginResponseStub.user1oauth, loginResponseStub.user1oauth,
); );
expect(userMock.getByEmail).toHaveBeenCalledTimes(1); expect(userMock.getByEmail).toHaveBeenCalledTimes(1);
expect(userMock.update).toHaveBeenCalledWith(entityStub.user1.id, { oauthId: sub }); expect(userMock.update).toHaveBeenCalledWith(userEntityStub.user1.id, { oauthId: sub });
}); });
it('should allow auto registering by default', async () => { it('should allow auto registering by default', async () => {
sut = create(systemConfigStub.enabled); sut = create(systemConfigStub.enabled);
userMock.getByEmail.mockResolvedValue(null); userMock.getByEmail.mockResolvedValue(null);
userMock.getAdmin.mockResolvedValue(entityStub.user1); userMock.getAdmin.mockResolvedValue(userEntityStub.user1);
userMock.create.mockResolvedValue(entityStub.user1); userMock.create.mockResolvedValue(userEntityStub.user1);
userTokenMock.create.mockResolvedValue(userTokenEntityStub.userToken);
await expect(sut.login({ url: 'http://immich/auth/login?code=abc123' }, true)).resolves.toEqual( await expect(sut.login({ url: 'http://immich/auth/login?code=abc123' }, true)).resolves.toEqual(
loginResponseStub.user1oauth, loginResponseStub.user1oauth,
@ -135,7 +142,8 @@ describe('OAuthService', () => {
it('should use the mobile redirect override', async () => { it('should use the mobile redirect override', async () => {
sut = create(systemConfigStub.override); sut = create(systemConfigStub.override);
userMock.getByOAuthId.mockResolvedValue(entityStub.user1); userMock.getByOAuthId.mockResolvedValue(userEntityStub.user1);
userTokenMock.create.mockResolvedValue(userTokenEntityStub.userToken);
await sut.login({ url: `app.immich:/?code=abc123` }, true); await sut.login({ url: `app.immich:/?code=abc123` }, true);
@ -147,7 +155,7 @@ describe('OAuthService', () => {
it('should link an account', async () => { it('should link an account', async () => {
sut = create(systemConfigStub.enabled); sut = create(systemConfigStub.enabled);
userMock.update.mockResolvedValue(entityStub.user1); userMock.update.mockResolvedValue(userEntityStub.user1);
await sut.link(authStub.user1, { url: 'http://immich/user-settings?code=abc123' }); await sut.link(authStub.user1, { url: 'http://immich/user-settings?code=abc123' });
@ -171,7 +179,7 @@ describe('OAuthService', () => {
it('should unlink an account', async () => { it('should unlink an account', async () => {
sut = create(systemConfigStub.enabled); sut = create(systemConfigStub.enabled);
userMock.update.mockResolvedValue(entityStub.user1); userMock.update.mockResolvedValue(userEntityStub.user1);
await sut.unlink(authStub.user1); await sut.unlink(authStub.user1);

View file

@ -7,6 +7,7 @@ import { IUserRepository, UserCore, UserResponseDto } from '../user';
import { OAuthCallbackDto, OAuthConfigDto } from './dto'; import { OAuthCallbackDto, OAuthConfigDto } from './dto';
import { OAuthCore } from './oauth.core'; import { OAuthCore } from './oauth.core';
import { OAuthConfigResponseDto } from './response-dto'; import { OAuthConfigResponseDto } from './response-dto';
import { IUserTokenRepository } from '@app/domain/user-token';
@Injectable() @Injectable()
export class OAuthService { export class OAuthService {
@ -20,10 +21,11 @@ export class OAuthService {
@Inject(ICryptoRepository) cryptoRepository: ICryptoRepository, @Inject(ICryptoRepository) cryptoRepository: ICryptoRepository,
@Inject(ISystemConfigRepository) configRepository: ISystemConfigRepository, @Inject(ISystemConfigRepository) configRepository: ISystemConfigRepository,
@Inject(IUserRepository) userRepository: IUserRepository, @Inject(IUserRepository) userRepository: IUserRepository,
@Inject(IUserTokenRepository) userTokenRepository: IUserTokenRepository,
@Inject(INITIAL_SYSTEM_CONFIG) initialConfig: SystemConfig, @Inject(INITIAL_SYSTEM_CONFIG) initialConfig: SystemConfig,
) { ) {
this.authCore = new AuthCore(cryptoRepository, configRepository, initialConfig); this.authCore = new AuthCore(cryptoRepository, configRepository, userTokenRepository, initialConfig);
this.userCore = new UserCore(userRepository); this.userCore = new UserCore(userRepository, cryptoRepository);
this.oauthCore = new OAuthCore(configRepository, initialConfig); this.oauthCore = new OAuthCore(configRepository, initialConfig);
} }

View file

@ -1,7 +1,7 @@
import { BadRequestException, ForbiddenException, UnauthorizedException } from '@nestjs/common'; import { BadRequestException, ForbiddenException, UnauthorizedException } from '@nestjs/common';
import { import {
authStub, authStub,
entityStub, userEntityStub,
newCryptoRepositoryMock, newCryptoRepositoryMock,
newSharedLinkRepositoryMock, newSharedLinkRepositoryMock,
newUserRepositoryMock, newUserRepositoryMock,
@ -50,7 +50,7 @@ describe(ShareService.name, () => {
it('should accept a valid key', async () => { it('should accept a valid key', async () => {
shareMock.getByKey.mockResolvedValue(sharedLinkStub.valid); shareMock.getByKey.mockResolvedValue(sharedLinkStub.valid);
userMock.get.mockResolvedValue(entityStub.admin); userMock.get.mockResolvedValue(userEntityStub.admin);
await expect(sut.validate('key')).resolves.toEqual(authStub.adminSharedLink); await expect(sut.validate('key')).resolves.toEqual(authStub.adminSharedLink);
}); });
}); });

View file

@ -25,7 +25,7 @@ export class ShareService {
@Inject(IUserRepository) userRepository: IUserRepository, @Inject(IUserRepository) userRepository: IUserRepository,
) { ) {
this.shareCore = new ShareCore(sharedLinkRepository, cryptoRepository); this.shareCore = new ShareCore(sharedLinkRepository, cryptoRepository);
this.userCore = new UserCore(userRepository); this.userCore = new UserCore(userRepository, cryptoRepository);
} }
async validate(key: string): Promise<AuthUserDto> { async validate(key: string): Promise<AuthUserDto> {

View file

@ -0,0 +1,2 @@
export * from './user-token.repository';
export * from './user-token.core';

View file

@ -0,0 +1,28 @@
import { UserEntity } from '@app/infra/db/entities';
import { Injectable } from '@nestjs/common';
import { ICryptoRepository } from '../auth';
import { IUserTokenRepository } from './user-token.repository';
@Injectable()
export class UserTokenCore {
constructor(private crypto: ICryptoRepository, private repository: IUserTokenRepository) {}
public async getUserByToken(tokenValue: string): Promise<UserEntity | null> {
const token = await this.repository.get(tokenValue);
if (token?.user) {
return token.user;
}
return null;
}
public async createToken(user: UserEntity): Promise<string> {
const key = this.crypto.randomBytes(32).toString('base64').replace(/\W/g, '');
const token = this.crypto.hashSha256(key);
await this.repository.create({
token,
user,
});
return key;
}
}

View file

@ -0,0 +1,9 @@
import { UserTokenEntity } from '@app/infra/db/entities';
export const IUserTokenRepository = 'IUserTokenRepository';
export interface IUserTokenRepository {
create(dto: Partial<UserTokenEntity>): Promise<UserTokenEntity>;
delete(userToken: string): Promise<void>;
get(userToken: string): Promise<UserTokenEntity | null>;
}

View file

@ -10,14 +10,14 @@ import {
import { hash } from 'bcrypt'; import { hash } from 'bcrypt';
import { constants, createReadStream, ReadStream } from 'fs'; import { constants, createReadStream, ReadStream } from 'fs';
import fs from 'fs/promises'; import fs from 'fs/promises';
import { AuthUserDto } from '../auth'; import { AuthUserDto, ICryptoRepository } from '../auth';
import { CreateAdminDto, CreateUserDto, CreateUserOAuthDto } from './dto/create-user.dto'; import { CreateAdminDto, CreateUserDto, CreateUserOAuthDto } from './dto/create-user.dto';
import { IUserRepository, UserListFilter } from './user.repository'; import { IUserRepository, UserListFilter } from './user.repository';
const SALT_ROUNDS = 10; const SALT_ROUNDS = 10;
export class UserCore { export class UserCore {
constructor(private userRepository: IUserRepository) {} constructor(private userRepository: IUserRepository, private cryptoRepository: ICryptoRepository) {}
async updateUser(authUser: AuthUserDto, id: string, dto: Partial<UserEntity>): Promise<UserEntity> { async updateUser(authUser: AuthUserDto, id: string, dto: Partial<UserEntity>): Promise<UserEntity> {
if (!(authUser.isAdmin || authUser.id === id)) { if (!(authUser.isAdmin || authUser.id === id)) {
@ -37,7 +37,7 @@ export class UserCore {
try { try {
if (dto.password) { if (dto.password) {
dto.password = await hash(dto.password, SALT_ROUNDS); dto.password = await this.cryptoRepository.hashBcrypt(dto.password, SALT_ROUNDS);
} }
return this.userRepository.update(id, dto); return this.userRepository.update(id, dto);

View file

@ -2,8 +2,8 @@ import { IUserRepository } from './user.repository';
import { UserEntity } from '@app/infra/db/entities'; import { UserEntity } from '@app/infra/db/entities';
import { BadRequestException, ForbiddenException, NotFoundException } from '@nestjs/common'; import { BadRequestException, ForbiddenException, NotFoundException } from '@nestjs/common';
import { when } from 'jest-when'; import { when } from 'jest-when';
import { newUserRepositoryMock } from '../../test'; import { newCryptoRepositoryMock, newUserRepositoryMock } from '../../test';
import { AuthUserDto } from '../auth'; import { AuthUserDto, ICryptoRepository } from '../auth';
import { UpdateUserDto } from './dto/update-user.dto'; import { UpdateUserDto } from './dto/update-user.dto';
import { UserService } from './user.service'; import { UserService } from './user.service';
@ -77,10 +77,12 @@ const adminUserResponse = Object.freeze({
describe(UserService.name, () => { describe(UserService.name, () => {
let sut: UserService; let sut: UserService;
let userRepositoryMock: jest.Mocked<IUserRepository>; let userRepositoryMock: jest.Mocked<IUserRepository>;
let cryptoRepositoryMock: jest.Mocked<ICryptoRepository>;
beforeEach(async () => { beforeEach(async () => {
userRepositoryMock = newUserRepositoryMock(); userRepositoryMock = newUserRepositoryMock();
sut = new UserService(userRepositoryMock); cryptoRepositoryMock = newCryptoRepositoryMock();
sut = new UserService(userRepositoryMock, cryptoRepositoryMock);
when(userRepositoryMock.get).calledWith(adminUser.id).mockResolvedValue(adminUser); when(userRepositoryMock.get).calledWith(adminUser.id).mockResolvedValue(adminUser);
when(userRepositoryMock.get).calledWith(adminUser.id, undefined).mockResolvedValue(adminUser); when(userRepositoryMock.get).calledWith(adminUser.id, undefined).mockResolvedValue(adminUser);

View file

@ -1,7 +1,7 @@
import { BadRequestException, Inject, Injectable, NotFoundException } from '@nestjs/common'; import { BadRequestException, Inject, Injectable, NotFoundException } from '@nestjs/common';
import { randomBytes } from 'crypto'; import { randomBytes } from 'crypto';
import { ReadStream } from 'fs'; import { ReadStream } from 'fs';
import { AuthUserDto } from '../auth'; import { AuthUserDto, ICryptoRepository } from '../auth';
import { IUserRepository } from '../user'; import { IUserRepository } from '../user';
import { CreateUserDto } from './dto/create-user.dto'; import { CreateUserDto } from './dto/create-user.dto';
import { UpdateUserDto } from './dto/update-user.dto'; import { UpdateUserDto } from './dto/update-user.dto';
@ -17,8 +17,11 @@ import { UserCore } from './user.core';
@Injectable() @Injectable()
export class UserService { export class UserService {
private userCore: UserCore; private userCore: UserCore;
constructor(@Inject(IUserRepository) userRepository: IUserRepository) { constructor(
this.userCore = new UserCore(userRepository); @Inject(IUserRepository) userRepository: IUserRepository,
@Inject(ICryptoRepository) cryptoRepository: ICryptoRepository,
) {
this.userCore = new UserCore(userRepository, cryptoRepository);
} }
async getAllUsers(authUser: AuthUserDto, isAll: boolean): Promise<UserResponseDto[]> { async getAllUsers(authUser: AuthUserDto, isAll: boolean): Promise<UserResponseDto[]> {

View file

@ -3,9 +3,8 @@ import { ICryptoRepository } from '../src';
export const newCryptoRepositoryMock = (): jest.Mocked<ICryptoRepository> => { export const newCryptoRepositoryMock = (): jest.Mocked<ICryptoRepository> => {
return { return {
randomBytes: jest.fn().mockReturnValue(Buffer.from('random-bytes', 'utf8')), randomBytes: jest.fn().mockReturnValue(Buffer.from('random-bytes', 'utf8')),
compareSync: jest.fn().mockReturnValue(true), compareBcrypt: jest.fn().mockReturnValue(true),
hash: jest.fn().mockImplementation((input) => Promise.resolve(`${input} (hashed)`)), hashBcrypt: jest.fn().mockImplementation((input) => Promise.resolve(`${input} (hashed)`)),
signJwt: jest.fn().mockReturnValue('signed-jwt'), hashSha256: jest.fn().mockImplementation((input) => `${input} (hashed)`),
verifyJwtAsync: jest.fn().mockResolvedValue({ userId: 'test', email: 'test' }),
}; };
}; };

View file

@ -1,4 +1,11 @@
import { AssetType, SharedLinkEntity, SharedLinkType, SystemConfig, UserEntity } from '@app/infra/db/entities'; import {
AssetType,
SharedLinkEntity,
SharedLinkType,
SystemConfig,
UserEntity,
UserTokenEntity,
} from '@app/infra/db/entities';
import { AlbumResponseDto, AssetResponseDto, AuthUserDto, ExifResponseDto, SharedLinkResponseDto } from '../src'; import { AlbumResponseDto, AssetResponseDto, AuthUserDto, ExifResponseDto, SharedLinkResponseDto } from '../src';
const today = new Date(); const today = new Date();
@ -81,6 +88,8 @@ export const authStub = {
isAdmin: false, isAdmin: false,
isPublicUser: false, isPublicUser: false,
isAllowUpload: true, isAllowUpload: true,
isAllowDownload: true,
isShowExif: true,
}), }),
adminSharedLink: Object.freeze<AuthUserDto>({ adminSharedLink: Object.freeze<AuthUserDto>({
id: 'admin_id', id: 'admin_id',
@ -104,7 +113,7 @@ export const authStub = {
}), }),
}; };
export const entityStub = { export const userEntityStub = {
admin: Object.freeze<UserEntity>({ admin: Object.freeze<UserEntity>({
...authStub.admin, ...authStub.admin,
password: 'admin_password', password: 'admin_password',
@ -129,6 +138,16 @@ export const entityStub = {
}), }),
}; };
export const userTokenEntityStub = {
userToken: Object.freeze<UserTokenEntity>({
id: 'token-id',
token: 'auth_token',
user: userEntityStub.user1,
createdAt: '2021-01-01',
updatedAt: '2021-01-01',
}),
};
export const systemConfigStub = { export const systemConfigStub = {
defaults: Object.freeze({ defaults: Object.freeze({
ffmpeg: { ffmpeg: {
@ -204,7 +223,7 @@ export const systemConfigStub = {
export const loginResponseStub = { export const loginResponseStub = {
user1oauth: { user1oauth: {
response: { response: {
accessToken: 'signed-jwt', accessToken: 'cmFuZG9tLWJ5dGVz',
userId: 'immich_id', userId: 'immich_id',
userEmail: 'immich@test.com', userEmail: 'immich@test.com',
firstName: 'immich_first_name', firstName: 'immich_first_name',
@ -214,13 +233,13 @@ export const loginResponseStub = {
shouldChangePassword: false, shouldChangePassword: false,
}, },
cookie: [ cookie: [
'immich_access_token=signed-jwt; Secure; Path=/; Max-Age=604800; SameSite=Strict;', 'immich_access_token=cmFuZG9tLWJ5dGVz; HttpOnly; Secure; Path=/; Max-Age=604800; SameSite=Strict;',
'immich_auth_type=oauth; Secure; Path=/; Max-Age=604800; SameSite=Strict;', 'immich_auth_type=oauth; HttpOnly; Secure; Path=/; Max-Age=604800; SameSite=Strict;',
], ],
}, },
user1password: { user1password: {
response: { response: {
accessToken: 'signed-jwt', accessToken: 'cmFuZG9tLWJ5dGVz',
userId: 'immich_id', userId: 'immich_id',
userEmail: 'immich@test.com', userEmail: 'immich@test.com',
firstName: 'immich_first_name', firstName: 'immich_first_name',
@ -230,13 +249,13 @@ export const loginResponseStub = {
shouldChangePassword: false, shouldChangePassword: false,
}, },
cookie: [ cookie: [
'immich_access_token=signed-jwt; Secure; Path=/; Max-Age=604800; SameSite=Strict;', 'immich_access_token=cmFuZG9tLWJ5dGVz; HttpOnly; Secure; Path=/; Max-Age=604800; SameSite=Strict;',
'immich_auth_type=password; Secure; Path=/; Max-Age=604800; SameSite=Strict;', 'immich_auth_type=password; HttpOnly; Secure; Path=/; Max-Age=604800; SameSite=Strict;',
], ],
}, },
user1insecure: { user1insecure: {
response: { response: {
accessToken: 'signed-jwt', accessToken: 'cmFuZG9tLWJ5dGVz',
userId: 'immich_id', userId: 'immich_id',
userEmail: 'immich@test.com', userEmail: 'immich@test.com',
firstName: 'immich_first_name', firstName: 'immich_first_name',
@ -246,7 +265,7 @@ export const loginResponseStub = {
shouldChangePassword: false, shouldChangePassword: false,
}, },
cookie: [ cookie: [
'immich_access_token=signed-jwt; HttpOnly; Path=/; Max-Age=604800; SameSite=Strict;', 'immich_access_token=cmFuZG9tLWJ5dGVz; HttpOnly; Path=/; Max-Age=604800; SameSite=Strict;',
'immich_auth_type=password; HttpOnly; Path=/; Max-Age=604800; SameSite=Strict;', 'immich_auth_type=password; HttpOnly; Path=/; Max-Age=604800; SameSite=Strict;',
], ],
}, },

View file

@ -0,0 +1,9 @@
import { IUserTokenRepository } from '../src';
export const newUserTokenRepositoryMock = (): jest.Mocked<IUserTokenRepository> => {
return {
create: jest.fn(),
delete: jest.fn(),
get: jest.fn(),
};
};

View file

@ -1,22 +1,16 @@
import { ICryptoRepository } from '@app/domain'; import { ICryptoRepository } from '@app/domain';
import { Injectable } from '@nestjs/common'; import { Injectable } from '@nestjs/common';
import { JwtService, JwtVerifyOptions } from '@nestjs/jwt';
import { compareSync, hash } from 'bcrypt'; import { compareSync, hash } from 'bcrypt';
import { randomBytes } from 'crypto'; import { randomBytes, createHash } from 'crypto';
@Injectable() @Injectable()
export class CryptoRepository implements ICryptoRepository { export class CryptoRepository implements ICryptoRepository {
constructor(private jwtService: JwtService) {}
randomBytes = randomBytes; randomBytes = randomBytes;
hash = hash;
compareSync = compareSync;
signJwt(payload: string | Buffer | object) { hashBcrypt = hash;
return this.jwtService.sign(payload); compareBcrypt = compareSync;
}
verifyJwtAsync<T extends object = any>(token: string, options?: JwtVerifyOptions): Promise<T> { hashSha256(value: string) {
return this.jwtService.verifyAsync(token, options); return createHash('sha256').update(value).digest('base64');
} }
} }

View file

@ -5,11 +5,11 @@ const url = process.env.DB_URL;
const urlOrParts = url const urlOrParts = url
? { url } ? { url }
: { : {
host: process.env.DB_HOSTNAME || 'immich_postgres', host: process.env.DB_HOSTNAME || 'localhost',
port: parseInt(process.env.DB_PORT || '5432'), port: parseInt(process.env.DB_PORT || '5432'),
username: process.env.DB_USERNAME, username: process.env.DB_USERNAME || 'postgres',
password: process.env.DB_PASSWORD, password: process.env.DB_PASSWORD || 'postgres',
database: process.env.DB_DATABASE_NAME, database: process.env.DB_DATABASE_NAME || 'immich',
}; };
export const databaseConfig: PostgresConnectionOptions = { export const databaseConfig: PostgresConnectionOptions = {

View file

@ -9,4 +9,5 @@ export * from './system-config.entity';
export * from './tag.entity'; export * from './tag.entity';
export * from './user-album.entity'; export * from './user-album.entity';
export * from './user.entity'; export * from './user.entity';
export * from './user-token.entity';
export * from './shared-link.entity'; export * from './shared-link.entity';

View file

@ -0,0 +1,20 @@
import { Column, CreateDateColumn, Entity, ManyToOne, PrimaryGeneratedColumn, UpdateDateColumn } from 'typeorm';
import { UserEntity } from './user.entity';
@Entity('user_token')
export class UserTokenEntity {
@PrimaryGeneratedColumn('uuid')
id!: string;
@Column({ select: false })
token!: string;
@ManyToOne(() => UserEntity)
user!: UserEntity;
@CreateDateColumn({ type: 'timestamptz' })
createdAt!: string;
@UpdateDateColumn({ type: 'timestamptz' })
updatedAt!: string;
}

View file

@ -0,0 +1,16 @@
import { MigrationInterface, QueryRunner } from "typeorm";
export class CreateUserTokenEntity1674342044239 implements MigrationInterface {
name = 'CreateUserTokenEntity1674342044239'
public async up(queryRunner: QueryRunner): Promise<void> {
await queryRunner.query(`CREATE TABLE "user_token" ("id" uuid NOT NULL DEFAULT uuid_generate_v4(), "token" character varying NOT NULL, "createdAt" TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT now(), "updatedAt" TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT now(), "userId" uuid, CONSTRAINT "PK_48cb6b5c20faa63157b3c1baf7f" PRIMARY KEY ("id"))`);
await queryRunner.query(`ALTER TABLE "user_token" ADD CONSTRAINT "FK_d37db50eecdf9b8ce4eedd2f918" FOREIGN KEY ("userId") REFERENCES "users"("id") ON DELETE NO ACTION ON UPDATE NO ACTION`);
}
public async down(queryRunner: QueryRunner): Promise<void> {
await queryRunner.query(`ALTER TABLE "user_token" DROP CONSTRAINT "FK_d37db50eecdf9b8ce4eedd2f918"`);
await queryRunner.query(`DROP TABLE "user_token"`);
}
}

View file

@ -0,0 +1,14 @@
import { MigrationInterface, QueryRunner } from "typeorm"
export class TruncateAPIKeys1674774248319 implements MigrationInterface {
name = 'TruncateAPIKeys1674774248319'
public async up(queryRunner: QueryRunner): Promise<void> {
await queryRunner.query(`TRUNCATE TABLE "api_keys"`);
}
public async down(): Promise<void> {
//noop
}
}

View file

@ -21,14 +21,14 @@ export class APIKeyRepository implements IKeyRepository {
await this.repository.delete({ userId, id }); await this.repository.delete({ userId, id });
} }
getKey(id: number): Promise<APIKeyEntity | null> { getKey(hashedToken: string): Promise<APIKeyEntity | null> {
return this.repository.findOne({ return this.repository.findOne({
select: { select: {
id: true, id: true,
key: true, key: true,
userId: true, userId: true,
}, },
where: { id }, where: { key: hashedToken },
relations: { relations: {
user: true, user: true,
}, },

View file

@ -1,3 +1,4 @@
export * from './api-key.repository'; export * from './api-key.repository';
export * from './shared-link.repository'; export * from './shared-link.repository';
export * from './user.repository'; export * from './user.repository';
export * from './user-token.repository';

View file

@ -0,0 +1,25 @@
import { Injectable } from '@nestjs/common';
import { InjectRepository } from '@nestjs/typeorm';
import { Repository } from 'typeorm';
import { UserTokenEntity } from '@app/infra/db/entities/user-token.entity';
import { IUserTokenRepository } from '@app/domain/user-token';
@Injectable()
export class UserTokenRepository implements IUserTokenRepository {
constructor(
@InjectRepository(UserTokenEntity)
private userTokenRepository: Repository<UserTokenEntity>,
) {}
async get(userToken: string): Promise<UserTokenEntity | null> {
return this.userTokenRepository.findOne({ where: { token: userToken }, relations: { user: true } });
}
async create(userToken: Partial<UserTokenEntity>): Promise<UserTokenEntity> {
return this.userTokenRepository.save(userToken);
}
async delete(userToken: string): Promise<void> {
await this.userTokenRepository.delete(userToken);
}
}

View file

@ -7,17 +7,17 @@ import {
IUserRepository, IUserRepository,
QueueName, QueueName,
} from '@app/domain'; } from '@app/domain';
import { databaseConfig, UserEntity } from './db'; import { databaseConfig, UserEntity, UserTokenEntity } from './db';
import { BullModule } from '@nestjs/bull'; import { BullModule } from '@nestjs/bull';
import { Global, Module, Provider } from '@nestjs/common'; import { Global, Module, Provider } from '@nestjs/common';
import { JwtModule } from '@nestjs/jwt';
import { TypeOrmModule } from '@nestjs/typeorm'; import { TypeOrmModule } from '@nestjs/typeorm';
import { APIKeyEntity, SharedLinkEntity, SystemConfigEntity, UserRepository } from './db'; import { APIKeyEntity, SharedLinkEntity, SystemConfigEntity, UserRepository } from './db';
import { APIKeyRepository, SharedLinkRepository } from './db/repository'; import { APIKeyRepository, SharedLinkRepository } from './db/repository';
import { jwtConfig } from '@app/domain';
import { CryptoRepository } from './auth/crypto.repository'; import { CryptoRepository } from './auth/crypto.repository';
import { SystemConfigRepository } from './db/repository/system-config.repository'; import { SystemConfigRepository } from './db/repository/system-config.repository';
import { JobRepository } from './job'; import { JobRepository } from './job';
import { IUserTokenRepository } from '@app/domain/user-token';
import { UserTokenRepository } from '@app/infra/db/repository/user-token.repository';
const providers: Provider[] = [ const providers: Provider[] = [
{ provide: ICryptoRepository, useClass: CryptoRepository }, { provide: ICryptoRepository, useClass: CryptoRepository },
@ -26,14 +26,14 @@ const providers: Provider[] = [
{ provide: ISharedLinkRepository, useClass: SharedLinkRepository }, { provide: ISharedLinkRepository, useClass: SharedLinkRepository },
{ provide: ISystemConfigRepository, useClass: SystemConfigRepository }, { provide: ISystemConfigRepository, useClass: SystemConfigRepository },
{ provide: IUserRepository, useClass: UserRepository }, { provide: IUserRepository, useClass: UserRepository },
{ provide: IUserTokenRepository, useClass: UserTokenRepository },
]; ];
@Global() @Global()
@Module({ @Module({
imports: [ imports: [
JwtModule.register(jwtConfig),
TypeOrmModule.forRoot(databaseConfig), TypeOrmModule.forRoot(databaseConfig),
TypeOrmModule.forFeature([APIKeyEntity, UserEntity, SharedLinkEntity, SystemConfigEntity]), TypeOrmModule.forFeature([APIKeyEntity, UserEntity, SharedLinkEntity, SystemConfigEntity, UserTokenEntity]),
BullModule.forRootAsync({ BullModule.forRootAsync({
useFactory: async () => ({ useFactory: async () => ({
prefix: 'immich_bull', prefix: 'immich_bull',
@ -64,6 +64,6 @@ const providers: Provider[] = [
), ),
], ],
providers: [...providers], providers: [...providers],
exports: [...providers, BullModule, JwtModule], exports: [...providers, BullModule],
}) })
export class InfraModule {} export class InfraModule {}

208
server/package-lock.json generated
View file

@ -13,7 +13,6 @@
"@nestjs/common": "^9.2.1", "@nestjs/common": "^9.2.1",
"@nestjs/config": "^2.2.0", "@nestjs/config": "^2.2.0",
"@nestjs/core": "^9.2.1", "@nestjs/core": "^9.2.1",
"@nestjs/jwt": "^10.0.1",
"@nestjs/mapped-types": "1.2.0", "@nestjs/mapped-types": "1.2.0",
"@nestjs/passport": "^9.0.0", "@nestjs/passport": "^9.0.0",
"@nestjs/platform-express": "^9.2.1", "@nestjs/platform-express": "^9.2.1",
@ -50,7 +49,6 @@
"passport": "^0.6.0", "passport": "^0.6.0",
"passport-custom": "^1.1.1", "passport-custom": "^1.1.1",
"passport-http-header-strategy": "^1.1.0", "passport-http-header-strategy": "^1.1.0",
"passport-jwt": "^4.0.0",
"pg": "^8.8.0", "pg": "^8.8.0",
"redis": "^4.5.1", "redis": "^4.5.1",
"reflect-metadata": "^0.1.13", "reflect-metadata": "^0.1.13",
@ -83,7 +81,6 @@
"@types/multer": "^1.4.7", "@types/multer": "^1.4.7",
"@types/mv": "^2.1.2", "@types/mv": "^2.1.2",
"@types/node": "^16.0.0", "@types/node": "^16.0.0",
"@types/passport-jwt": "^3.0.6",
"@types/sharp": "^0.30.2", "@types/sharp": "^0.30.2",
"@types/supertest": "^2.0.11", "@types/supertest": "^2.0.11",
"@typescript-eslint/eslint-plugin": "^5.48.1", "@typescript-eslint/eslint-plugin": "^5.48.1",
@ -1521,18 +1518,6 @@
"uuid": "dist/bin/uuid" "uuid": "dist/bin/uuid"
} }
}, },
"node_modules/@nestjs/jwt": {
"version": "10.0.1",
"resolved": "https://registry.npmjs.org/@nestjs/jwt/-/jwt-10.0.1.tgz",
"integrity": "sha512-LwXBKVYHnFeX6GH/Wt0WDjsWCmNDC6tEdLlwNMAvJgYp+TkiCpEmQLkgRpifdUE29mvYSbjSnVs2kW2ob935NA==",
"dependencies": {
"@types/jsonwebtoken": "8.5.9",
"jsonwebtoken": "9.0.0"
},
"peerDependencies": {
"@nestjs/common": "^8.0.0 || ^9.0.0"
}
},
"node_modules/@nestjs/mapped-types": { "node_modules/@nestjs/mapped-types": {
"version": "1.2.0", "version": "1.2.0",
"resolved": "https://registry.npmjs.org/@nestjs/mapped-types/-/mapped-types-1.2.0.tgz", "resolved": "https://registry.npmjs.org/@nestjs/mapped-types/-/mapped-types-1.2.0.tgz",
@ -2714,14 +2699,6 @@
"integrity": "sha1-7ihweulOEdK4J7y+UnC86n8+ce4=", "integrity": "sha1-7ihweulOEdK4J7y+UnC86n8+ce4=",
"dev": true "dev": true
}, },
"node_modules/@types/jsonwebtoken": {
"version": "8.5.9",
"resolved": "https://registry.npmjs.org/@types/jsonwebtoken/-/jsonwebtoken-8.5.9.tgz",
"integrity": "sha512-272FMnFGzAVMGtu9tkr29hRL6bZj4Zs1KZNeHLnKqAvp06tAIcarTMwOh8/8bz4FmKRcMxZhZNeUAQsNLoiPhg==",
"dependencies": {
"@types/node": "*"
}
},
"node_modules/@types/lodash": { "node_modules/@types/lodash": {
"version": "4.14.178", "version": "4.14.178",
"resolved": "https://registry.npmjs.org/@types/lodash/-/lodash-4.14.178.tgz", "resolved": "https://registry.npmjs.org/@types/lodash/-/lodash-4.14.178.tgz",
@ -2770,36 +2747,6 @@
"resolved": "https://registry.npmjs.org/@types/parse-json/-/parse-json-4.0.0.tgz", "resolved": "https://registry.npmjs.org/@types/parse-json/-/parse-json-4.0.0.tgz",
"integrity": "sha512-//oorEZjL6sbPcKUaCdIGlIUeH26mgzimjBB77G6XRgnDl/L5wOnpyBGRe/Mmf5CVW3PwEBE1NjiMZ/ssFh4wA==" "integrity": "sha512-//oorEZjL6sbPcKUaCdIGlIUeH26mgzimjBB77G6XRgnDl/L5wOnpyBGRe/Mmf5CVW3PwEBE1NjiMZ/ssFh4wA=="
}, },
"node_modules/@types/passport": {
"version": "1.0.7",
"resolved": "https://registry.npmjs.org/@types/passport/-/passport-1.0.7.tgz",
"integrity": "sha512-JtswU8N3kxBYgo+n9of7C97YQBT+AYPP2aBfNGTzABqPAZnK/WOAaKfh3XesUYMZRrXFuoPc2Hv0/G/nQFveHw==",
"dev": true,
"dependencies": {
"@types/express": "*"
}
},
"node_modules/@types/passport-jwt": {
"version": "3.0.6",
"resolved": "https://registry.npmjs.org/@types/passport-jwt/-/passport-jwt-3.0.6.tgz",
"integrity": "sha512-cmAAMIRTaEwpqxlrZyiEY9kdibk94gP5KTF8AT1Ra4rWNZYHNMreqhKUEeC5WJtuN5SJZjPQmV+XO2P5PlnvNQ==",
"dev": true,
"dependencies": {
"@types/express": "*",
"@types/jsonwebtoken": "*",
"@types/passport-strategy": "*"
}
},
"node_modules/@types/passport-strategy": {
"version": "0.2.35",
"resolved": "https://registry.npmjs.org/@types/passport-strategy/-/passport-strategy-0.2.35.tgz",
"integrity": "sha512-o5D19Jy2XPFoX2rKApykY15et3Apgax00RRLf0RUotPDUsYrQa7x4howLYr9El2mlUApHmCMv5CZ1IXqKFQ2+g==",
"dev": true,
"dependencies": {
"@types/express": "*",
"@types/passport": "*"
}
},
"node_modules/@types/prettier": { "node_modules/@types/prettier": {
"version": "2.4.3", "version": "2.4.3",
"resolved": "https://registry.npmjs.org/@types/prettier/-/prettier-2.4.3.tgz", "resolved": "https://registry.npmjs.org/@types/prettier/-/prettier-2.4.3.tgz",
@ -3973,11 +3920,6 @@
"node": "*" "node": "*"
} }
}, },
"node_modules/buffer-equal-constant-time": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/buffer-equal-constant-time/-/buffer-equal-constant-time-1.0.1.tgz",
"integrity": "sha1-+OcRMvf/5uAaXJaXpMbz5I1cyBk="
},
"node_modules/buffer-from": { "node_modules/buffer-from": {
"version": "1.1.2", "version": "1.1.2",
"resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.2.tgz", "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.2.tgz",
@ -5019,14 +4961,6 @@
"safer-buffer": "^2.1.0" "safer-buffer": "^2.1.0"
} }
}, },
"node_modules/ecdsa-sig-formatter": {
"version": "1.0.11",
"resolved": "https://registry.npmjs.org/ecdsa-sig-formatter/-/ecdsa-sig-formatter-1.0.11.tgz",
"integrity": "sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ==",
"dependencies": {
"safe-buffer": "^5.0.1"
}
},
"node_modules/ee-first": { "node_modules/ee-first": {
"version": "1.1.1", "version": "1.1.1",
"resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz", "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
@ -7895,21 +7829,6 @@
"graceful-fs": "^4.1.6" "graceful-fs": "^4.1.6"
} }
}, },
"node_modules/jsonwebtoken": {
"version": "9.0.0",
"resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-9.0.0.tgz",
"integrity": "sha512-tuGfYXxkQGDPnLJ7SibiQgVgeDgfbPq2k2ICcbgqW8WxWLBAxKQM/ZCu/IT8SOSwmaYl4dpTFCW5xZv7YbbWUw==",
"dependencies": {
"jws": "^3.2.2",
"lodash": "^4.17.21",
"ms": "^2.1.1",
"semver": "^7.3.8"
},
"engines": {
"node": ">=12",
"npm": ">=6"
}
},
"node_modules/jsprim": { "node_modules/jsprim": {
"version": "1.4.2", "version": "1.4.2",
"resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz", "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz",
@ -7924,25 +7843,6 @@
"node": ">=0.6.0" "node": ">=0.6.0"
} }
}, },
"node_modules/jwa": {
"version": "1.4.1",
"resolved": "https://registry.npmjs.org/jwa/-/jwa-1.4.1.tgz",
"integrity": "sha512-qiLX/xhEEFKUAJ6FiBMbes3w9ATzyk5W7Hvzpa/SLYdxNtng+gcurvrI7TbACjIXlsJyr05/S1oUhZrc63evQA==",
"dependencies": {
"buffer-equal-constant-time": "1.0.1",
"ecdsa-sig-formatter": "1.0.11",
"safe-buffer": "^5.0.1"
}
},
"node_modules/jws": {
"version": "3.2.2",
"resolved": "https://registry.npmjs.org/jws/-/jws-3.2.2.tgz",
"integrity": "sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA==",
"dependencies": {
"jwa": "^1.4.1",
"safe-buffer": "^5.0.1"
}
},
"node_modules/kdt": { "node_modules/kdt": {
"version": "0.1.0", "version": "0.1.0",
"resolved": "https://registry.npmjs.org/kdt/-/kdt-0.1.0.tgz", "resolved": "https://registry.npmjs.org/kdt/-/kdt-0.1.0.tgz",
@ -9005,15 +8905,6 @@
"passport-strategy": "^1.0.0" "passport-strategy": "^1.0.0"
} }
}, },
"node_modules/passport-jwt": {
"version": "4.0.1",
"resolved": "https://registry.npmjs.org/passport-jwt/-/passport-jwt-4.0.1.tgz",
"integrity": "sha512-UCKMDYhNuGOBE9/9Ycuoyh7vP6jpeTp/+sfMJl7nLff/t6dps+iaeE0hhNkKN8/HZHcJ7lCdOyDxHdDoxoSvdQ==",
"dependencies": {
"jsonwebtoken": "^9.0.0",
"passport-strategy": "^1.0.0"
}
},
"node_modules/passport-strategy": { "node_modules/passport-strategy": {
"version": "1.0.0", "version": "1.0.0",
"resolved": "https://registry.npmjs.org/passport-strategy/-/passport-strategy-1.0.0.tgz", "resolved": "https://registry.npmjs.org/passport-strategy/-/passport-strategy-1.0.0.tgz",
@ -12769,15 +12660,6 @@
} }
} }
}, },
"@nestjs/jwt": {
"version": "10.0.1",
"resolved": "https://registry.npmjs.org/@nestjs/jwt/-/jwt-10.0.1.tgz",
"integrity": "sha512-LwXBKVYHnFeX6GH/Wt0WDjsWCmNDC6tEdLlwNMAvJgYp+TkiCpEmQLkgRpifdUE29mvYSbjSnVs2kW2ob935NA==",
"requires": {
"@types/jsonwebtoken": "8.5.9",
"jsonwebtoken": "9.0.0"
}
},
"@nestjs/mapped-types": { "@nestjs/mapped-types": {
"version": "1.2.0", "version": "1.2.0",
"resolved": "https://registry.npmjs.org/@nestjs/mapped-types/-/mapped-types-1.2.0.tgz", "resolved": "https://registry.npmjs.org/@nestjs/mapped-types/-/mapped-types-1.2.0.tgz",
@ -13715,14 +13597,6 @@
"integrity": "sha1-7ihweulOEdK4J7y+UnC86n8+ce4=", "integrity": "sha1-7ihweulOEdK4J7y+UnC86n8+ce4=",
"dev": true "dev": true
}, },
"@types/jsonwebtoken": {
"version": "8.5.9",
"resolved": "https://registry.npmjs.org/@types/jsonwebtoken/-/jsonwebtoken-8.5.9.tgz",
"integrity": "sha512-272FMnFGzAVMGtu9tkr29hRL6bZj4Zs1KZNeHLnKqAvp06tAIcarTMwOh8/8bz4FmKRcMxZhZNeUAQsNLoiPhg==",
"requires": {
"@types/node": "*"
}
},
"@types/lodash": { "@types/lodash": {
"version": "4.14.178", "version": "4.14.178",
"resolved": "https://registry.npmjs.org/@types/lodash/-/lodash-4.14.178.tgz", "resolved": "https://registry.npmjs.org/@types/lodash/-/lodash-4.14.178.tgz",
@ -13771,36 +13645,6 @@
"resolved": "https://registry.npmjs.org/@types/parse-json/-/parse-json-4.0.0.tgz", "resolved": "https://registry.npmjs.org/@types/parse-json/-/parse-json-4.0.0.tgz",
"integrity": "sha512-//oorEZjL6sbPcKUaCdIGlIUeH26mgzimjBB77G6XRgnDl/L5wOnpyBGRe/Mmf5CVW3PwEBE1NjiMZ/ssFh4wA==" "integrity": "sha512-//oorEZjL6sbPcKUaCdIGlIUeH26mgzimjBB77G6XRgnDl/L5wOnpyBGRe/Mmf5CVW3PwEBE1NjiMZ/ssFh4wA=="
}, },
"@types/passport": {
"version": "1.0.7",
"resolved": "https://registry.npmjs.org/@types/passport/-/passport-1.0.7.tgz",
"integrity": "sha512-JtswU8N3kxBYgo+n9of7C97YQBT+AYPP2aBfNGTzABqPAZnK/WOAaKfh3XesUYMZRrXFuoPc2Hv0/G/nQFveHw==",
"dev": true,
"requires": {
"@types/express": "*"
}
},
"@types/passport-jwt": {
"version": "3.0.6",
"resolved": "https://registry.npmjs.org/@types/passport-jwt/-/passport-jwt-3.0.6.tgz",
"integrity": "sha512-cmAAMIRTaEwpqxlrZyiEY9kdibk94gP5KTF8AT1Ra4rWNZYHNMreqhKUEeC5WJtuN5SJZjPQmV+XO2P5PlnvNQ==",
"dev": true,
"requires": {
"@types/express": "*",
"@types/jsonwebtoken": "*",
"@types/passport-strategy": "*"
}
},
"@types/passport-strategy": {
"version": "0.2.35",
"resolved": "https://registry.npmjs.org/@types/passport-strategy/-/passport-strategy-0.2.35.tgz",
"integrity": "sha512-o5D19Jy2XPFoX2rKApykY15et3Apgax00RRLf0RUotPDUsYrQa7x4howLYr9El2mlUApHmCMv5CZ1IXqKFQ2+g==",
"dev": true,
"requires": {
"@types/express": "*",
"@types/passport": "*"
}
},
"@types/prettier": { "@types/prettier": {
"version": "2.4.3", "version": "2.4.3",
"resolved": "https://registry.npmjs.org/@types/prettier/-/prettier-2.4.3.tgz", "resolved": "https://registry.npmjs.org/@types/prettier/-/prettier-2.4.3.tgz",
@ -14727,11 +14571,6 @@
"resolved": "https://registry.npmjs.org/buffer-crc32/-/buffer-crc32-0.2.13.tgz", "resolved": "https://registry.npmjs.org/buffer-crc32/-/buffer-crc32-0.2.13.tgz",
"integrity": "sha512-VO9Ht/+p3SN7SKWqcrgEzjGbRSJYTx+Q1pTQC0wrWqHx0vpJraQ6GtHx8tvcg1rlK1byhU5gccxgOgj7B0TDkQ==" "integrity": "sha512-VO9Ht/+p3SN7SKWqcrgEzjGbRSJYTx+Q1pTQC0wrWqHx0vpJraQ6GtHx8tvcg1rlK1byhU5gccxgOgj7B0TDkQ=="
}, },
"buffer-equal-constant-time": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/buffer-equal-constant-time/-/buffer-equal-constant-time-1.0.1.tgz",
"integrity": "sha1-+OcRMvf/5uAaXJaXpMbz5I1cyBk="
},
"buffer-from": { "buffer-from": {
"version": "1.1.2", "version": "1.1.2",
"resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.2.tgz", "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.2.tgz",
@ -15545,14 +15384,6 @@
"safer-buffer": "^2.1.0" "safer-buffer": "^2.1.0"
} }
}, },
"ecdsa-sig-formatter": {
"version": "1.0.11",
"resolved": "https://registry.npmjs.org/ecdsa-sig-formatter/-/ecdsa-sig-formatter-1.0.11.tgz",
"integrity": "sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ==",
"requires": {
"safe-buffer": "^5.0.1"
}
},
"ee-first": { "ee-first": {
"version": "1.1.1", "version": "1.1.1",
"resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz", "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
@ -17690,17 +17521,6 @@
"universalify": "^2.0.0" "universalify": "^2.0.0"
} }
}, },
"jsonwebtoken": {
"version": "9.0.0",
"resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-9.0.0.tgz",
"integrity": "sha512-tuGfYXxkQGDPnLJ7SibiQgVgeDgfbPq2k2ICcbgqW8WxWLBAxKQM/ZCu/IT8SOSwmaYl4dpTFCW5xZv7YbbWUw==",
"requires": {
"jws": "^3.2.2",
"lodash": "^4.17.21",
"ms": "^2.1.1",
"semver": "^7.3.8"
}
},
"jsprim": { "jsprim": {
"version": "1.4.2", "version": "1.4.2",
"resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz", "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz",
@ -17712,25 +17532,6 @@
"verror": "1.10.0" "verror": "1.10.0"
} }
}, },
"jwa": {
"version": "1.4.1",
"resolved": "https://registry.npmjs.org/jwa/-/jwa-1.4.1.tgz",
"integrity": "sha512-qiLX/xhEEFKUAJ6FiBMbes3w9ATzyk5W7Hvzpa/SLYdxNtng+gcurvrI7TbACjIXlsJyr05/S1oUhZrc63evQA==",
"requires": {
"buffer-equal-constant-time": "1.0.1",
"ecdsa-sig-formatter": "1.0.11",
"safe-buffer": "^5.0.1"
}
},
"jws": {
"version": "3.2.2",
"resolved": "https://registry.npmjs.org/jws/-/jws-3.2.2.tgz",
"integrity": "sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA==",
"requires": {
"jwa": "^1.4.1",
"safe-buffer": "^5.0.1"
}
},
"kdt": { "kdt": {
"version": "0.1.0", "version": "0.1.0",
"resolved": "https://registry.npmjs.org/kdt/-/kdt-0.1.0.tgz", "resolved": "https://registry.npmjs.org/kdt/-/kdt-0.1.0.tgz",
@ -18555,15 +18356,6 @@
"passport-strategy": "^1.0.0" "passport-strategy": "^1.0.0"
} }
}, },
"passport-jwt": {
"version": "4.0.1",
"resolved": "https://registry.npmjs.org/passport-jwt/-/passport-jwt-4.0.1.tgz",
"integrity": "sha512-UCKMDYhNuGOBE9/9Ycuoyh7vP6jpeTp/+sfMJl7nLff/t6dps+iaeE0hhNkKN8/HZHcJ7lCdOyDxHdDoxoSvdQ==",
"requires": {
"jsonwebtoken": "^9.0.0",
"passport-strategy": "^1.0.0"
}
},
"passport-strategy": { "passport-strategy": {
"version": "1.0.0", "version": "1.0.0",
"resolved": "https://registry.npmjs.org/passport-strategy/-/passport-strategy-1.0.0.tgz", "resolved": "https://registry.npmjs.org/passport-strategy/-/passport-strategy-1.0.0.tgz",

View file

@ -29,6 +29,10 @@
"test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand", "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
"test:e2e": "jest --config ./apps/immich/test/jest-e2e.json --runInBand", "test:e2e": "jest --config ./apps/immich/test/jest-e2e.json --runInBand",
"typeorm": "node --require ts-node/register ./node_modules/typeorm/cli.js", "typeorm": "node --require ts-node/register ./node_modules/typeorm/cli.js",
"typeorm:migrations:generate": "node --require ts-node/register ./node_modules/typeorm/cli.js migration:generate -d ./libs/infra/src/db/config/database.config.ts",
"typeorm:migrations:run": "node --require ts-node/register ./node_modules/typeorm/cli.js migration:run -d ./libs/infra/src/db/config/database.config.ts",
"typeorm:migrations:revert": "node --require ts-node/register ./node_modules/typeorm/cli.js migration:revert -d ./libs/infra/src/db/config/database.config.ts",
"typeorm:schema:drop": "node --require ts-node/register ./node_modules/typeorm/cli.js schema:drop -d ./libs/infra/src/db/config/database.config.ts",
"api:typescript": "bash ./bin/generate-open-api.sh web", "api:typescript": "bash ./bin/generate-open-api.sh web",
"api:dart": "bash ./bin/generate-open-api.sh mobile", "api:dart": "bash ./bin/generate-open-api.sh mobile",
"api:generate": "bash ./bin/generate-open-api.sh" "api:generate": "bash ./bin/generate-open-api.sh"
@ -38,7 +42,6 @@
"@nestjs/common": "^9.2.1", "@nestjs/common": "^9.2.1",
"@nestjs/config": "^2.2.0", "@nestjs/config": "^2.2.0",
"@nestjs/core": "^9.2.1", "@nestjs/core": "^9.2.1",
"@nestjs/jwt": "^10.0.1",
"@nestjs/mapped-types": "1.2.0", "@nestjs/mapped-types": "1.2.0",
"@nestjs/passport": "^9.0.0", "@nestjs/passport": "^9.0.0",
"@nestjs/platform-express": "^9.2.1", "@nestjs/platform-express": "^9.2.1",
@ -75,7 +78,6 @@
"passport": "^0.6.0", "passport": "^0.6.0",
"passport-custom": "^1.1.1", "passport-custom": "^1.1.1",
"passport-http-header-strategy": "^1.1.0", "passport-http-header-strategy": "^1.1.0",
"passport-jwt": "^4.0.0",
"pg": "^8.8.0", "pg": "^8.8.0",
"redis": "^4.5.1", "redis": "^4.5.1",
"reflect-metadata": "^0.1.13", "reflect-metadata": "^0.1.13",
@ -105,7 +107,6 @@
"@types/multer": "^1.4.7", "@types/multer": "^1.4.7",
"@types/mv": "^2.1.2", "@types/mv": "^2.1.2",
"@types/node": "^16.0.0", "@types/node": "^16.0.0",
"@types/passport-jwt": "^3.0.6",
"@types/sharp": "^0.30.2", "@types/sharp": "^0.30.2",
"@types/supertest": "^2.0.11", "@types/supertest": "^2.0.11",
"@typescript-eslint/eslint-plugin": "^5.48.1", "@typescript-eslint/eslint-plugin": "^5.48.1",