mirror of
https://github.com/immich-app/immich
synced 2025-06-07 05:48:27 +00:00
b7a0cf2470
* fix: ensure oauth state param matches before finishing oauth flow Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * chore: upgrade openid-client to v6 Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * feat: use PKCE for oauth2 on supported clients Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * feat: use state and PKCE in mobile app Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: remove obsolete oauth repository init Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: rewrite callback url if mobile redirect url is enabled Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: propagate oidc client error cause when oauth callback fails Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: adapt auth service tests to required state and PKCE params Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: update sdk types Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: adapt oauth e2e test to work with PKCE Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: allow insecure (http) oauth clients Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> --------- Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> Co-authored-by: Jason Rasmussen <jason@rasm.me>
117 lines
2.3 KiB
TypeScript
117 lines
2.3 KiB
TypeScript
import { ApiProperty } from '@nestjs/swagger';
|
|
import { Transform } from 'class-transformer';
|
|
import { IsEmail, IsNotEmpty, IsString, MinLength } from 'class-validator';
|
|
import { AuthApiKey, AuthSession, AuthSharedLink, AuthUser, UserAdmin } from 'src/database';
|
|
import { ImmichCookie } from 'src/enum';
|
|
import { Optional, toEmail } from 'src/validation';
|
|
|
|
export type CookieResponse = {
|
|
isSecure: boolean;
|
|
values: Array<{ key: ImmichCookie; value: string | null }>;
|
|
};
|
|
|
|
export class AuthDto {
|
|
user!: AuthUser;
|
|
|
|
apiKey?: AuthApiKey;
|
|
sharedLink?: AuthSharedLink;
|
|
session?: AuthSession;
|
|
}
|
|
|
|
export class LoginCredentialDto {
|
|
@IsEmail({ require_tld: false })
|
|
@Transform(toEmail)
|
|
@IsNotEmpty()
|
|
@ApiProperty({ example: 'testuser@email.com' })
|
|
email!: string;
|
|
|
|
@IsString()
|
|
@IsNotEmpty()
|
|
@ApiProperty({ example: 'password' })
|
|
password!: string;
|
|
}
|
|
|
|
export class LoginResponseDto {
|
|
accessToken!: string;
|
|
userId!: string;
|
|
userEmail!: string;
|
|
name!: string;
|
|
profileImagePath!: string;
|
|
isAdmin!: boolean;
|
|
shouldChangePassword!: boolean;
|
|
}
|
|
|
|
export function mapLoginResponse(entity: UserAdmin, accessToken: string): LoginResponseDto {
|
|
return {
|
|
accessToken,
|
|
userId: entity.id,
|
|
userEmail: entity.email,
|
|
name: entity.name,
|
|
isAdmin: entity.isAdmin,
|
|
profileImagePath: entity.profileImagePath,
|
|
shouldChangePassword: entity.shouldChangePassword,
|
|
};
|
|
}
|
|
|
|
export class LogoutResponseDto {
|
|
successful!: boolean;
|
|
redirectUri!: string;
|
|
}
|
|
|
|
export class SignUpDto extends LoginCredentialDto {
|
|
@IsString()
|
|
@IsNotEmpty()
|
|
@ApiProperty({ example: 'Admin' })
|
|
name!: string;
|
|
}
|
|
|
|
export class ChangePasswordDto {
|
|
@IsString()
|
|
@IsNotEmpty()
|
|
@ApiProperty({ example: 'password' })
|
|
password!: string;
|
|
|
|
@IsString()
|
|
@IsNotEmpty()
|
|
@MinLength(8)
|
|
@ApiProperty({ example: 'password' })
|
|
newPassword!: string;
|
|
}
|
|
|
|
export class ValidateAccessTokenResponseDto {
|
|
authStatus!: boolean;
|
|
}
|
|
|
|
export class OAuthCallbackDto {
|
|
@IsNotEmpty()
|
|
@IsString()
|
|
@ApiProperty()
|
|
url!: string;
|
|
|
|
@Optional()
|
|
@IsString()
|
|
state?: string;
|
|
|
|
@Optional()
|
|
@IsString()
|
|
codeVerifier?: string;
|
|
}
|
|
|
|
export class OAuthConfigDto {
|
|
@IsNotEmpty()
|
|
@IsString()
|
|
redirectUri!: string;
|
|
|
|
@Optional()
|
|
@IsString()
|
|
state?: string;
|
|
|
|
@Optional()
|
|
@IsString()
|
|
codeChallenge?: string;
|
|
}
|
|
|
|
export class OAuthAuthorizeResponseDto {
|
|
url!: string;
|
|
}
|