* fix: ensure oauth state param matches before finishing oauth flow Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * chore: upgrade openid-client to v6 Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * feat: use PKCE for oauth2 on supported clients Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * feat: use state and PKCE in mobile app Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: remove obsolete oauth repository init Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: rewrite callback url if mobile redirect url is enabled Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: propagate oidc client error cause when oauth callback fails Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: adapt auth service tests to required state and PKCE params Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: update sdk types Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: adapt oauth e2e test to work with PKCE Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: allow insecure (http) oauth clients Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> --------- Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> Co-authored-by: Jason Rasmussen <jason@rasm.me>
import { CookieOptions, Response } from 'express';
import { Duration } from 'luxon';
import { CookieResponse } from 'src/dtos/auth.dto';
import { ImmichCookie } from 'src/enum';
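/**
 * Sets every cookie listed in `values` on `res` and hands `body` back unchanged, so a controller
 * can `return respondWithCookie(res, dto, cookies)` in one expression.
 *
 * All cookies share one baseline: path `/`, `SameSite=Lax`, `HttpOnly`, and `Secure` taken from
 * `isSecure` (decided by the caller; when it is false the cookies are sent over plain HTTP, so it
 * should only be false for deliberately insecure deployments). Per-cookie deviations:
 * - IS_AUTHENTICATED drops `HttpOnly` so the web client can read whether it is logged in; it is
 *   presumably a flag rather than a secret — verify against the code that sets it.
 * - SHARED_LINK_TOKEN lives one day instead of 400.
 * - OAUTH_STATE and OAUTH_CODE_VERIFIER are single-use secrets that only need to survive one
 *   authorization round trip (redirect to the IdP, login, redirect back). They are capped to a
 *   short lifetime rather than inheriting the 400-day default, so a stale state / PKCE verifier
 *   pair does not linger in the browser after the flow completes or is abandoned.
 *
 * @param res     Express response to attach the `Set-Cookie` headers to.
 * @param body    Value returned untouched (typically the response DTO).
 * @param cookies `isSecure` flag plus the `{ key, value }` pairs to set; `key` selects the options.
 * @returns `body`, unchanged.
 */
export const respondWithCookie = <T>(res: Response, body: T, { isSecure, values }: CookieResponse) => {
  const defaults: CookieOptions = {
    path: '/',
    sameSite: 'lax',
    httpOnly: true,
    secure: isSecure,
    maxAge: Duration.fromObject({ days: 400 }).toMillis(),
  };

  // Lifetime for the transient OAuth cookies: long enough to cover the IdP login (including MFA)
  // and the redirect back, short enough that an unused state/verifier does not persist for months.
  const oauthTransient: CookieOptions = {
    ...defaults,
    maxAge: Duration.fromObject({ minutes: 10 }).toMillis(),
  };

  // Record<ImmichCookie, …> forces every enum member to be listed, so `cookieOptions[key]`
  // below can never be undefined for a valid key.
  const cookieOptions: Record<ImmichCookie, CookieOptions> = {
    [ImmichCookie.AUTH_TYPE]: defaults,
    [ImmichCookie.ACCESS_TOKEN]: defaults,
    [ImmichCookie.OAUTH_STATE]: oauthTransient,
    [ImmichCookie.OAUTH_CODE_VERIFIER]: oauthTransient,
    // no httpOnly so that the client can know the auth state
    [ImmichCookie.IS_AUTHENTICATED]: { ...defaults, httpOnly: false },
    [ImmichCookie.SHARED_LINK_TOKEN]: { ...defaults, maxAge: Duration.fromObject({ days: 1 }).toMillis() },
  };

  for (const { key, value } of values) {
    res.cookie(key, value, cookieOptions[key]);
  }

  return body;
};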
/**
 * Expires each named cookie on `res` and returns `body` untouched, mirroring respondWithCookie
 * so a controller can return the result directly.
 *
 * `clearCookie` is called without options, so it relies on Express's default path (`/`), which
 * matches the path respondWithCookie sets; a browser only drops a cookie whose name and path
 * match the clearing header.
 *
 * @param res     Express response that receives the expiring `Set-Cookie` headers.
 * @param body    Value handed back unchanged.
 * @param cookies Names of the cookies to clear; an empty list clears nothing.
 * @returns `body`, unchanged.
 */
export const respondWithoutCookie = <T>(res: Response, body: T, cookies: ImmichCookie[]) => {
  cookies.forEach((name) => res.clearCookie(name));
  return body;
};