feat(server): move authentication to tokens stored in the database (#1381)

* chore: add typeorm commands to npm and set default database config values

* feat: move to server side authentication tokens

* fix: websocket should emit error and disconnect on error thrown by the server

* refactor: rename cookie-auth-strategy to user-auth-strategy

* feat: user tokens and API keys now use SHA256 hash for performance improvements

* test: album e2e test remove unneeded module import

* infra: truncate api key table as old keys will no longer work with new hash algorithm

* fix(server): e2e tests (#1435)

* fix: root module paths

* chore: linting

* chore: rename user-auth to strategy.ts and make validate return AuthUserDto

* fix: we should always send HttpOnly for our auth cookies

* chore: remove now unused crypto functions and jwt dependencies

* fix: return the extra fields for AuthUserDto in auth service validate

---------

Co-authored-by: Jason Rasmussen <jrasm91@gmail.com>

server/apps/immich/src/api-v1/communication/communication.gateway.ts

@@ -19,8 +19,7 @@ export class CommunicationGateway implements OnGatewayConnection, OnGatewayDisco
   async handleConnection(client: Socket) {
     try {
       this.logger.log(`New websocket connection: ${client.id}`);
-
-      const user = await this.authService.validateSocket(client);
+      const user = await this.authService.validate(client.request.headers);
       if (user) {
         client.join(user.id);
       } else {
@@ -28,7 +27,8 @@ export class CommunicationGateway implements OnGatewayConnection, OnGatewayDisco
         client.disconnect();
       }
     } catch (e) {
-      // Logger.error(`Error establish websocket conneciton ${e}`, 'HandleWebscoketConnection');
+      client.emit('error', 'unauthorized');
+      client.disconnect();
     }
   }
 }

server/apps/immich/src/app.module.ts

@@ -1,7 +1,6 @@
 import { immichAppConfig } from '@app/common/config';
 import { MiddlewareConsumer, Module, NestModule } from '@nestjs/common';
 import { AssetModule } from './api-v1/asset/asset.module';
-import { ImmichJwtModule } from './modules/immich-jwt/immich-jwt.module';
 import { DeviceInfoModule } from './api-v1/device-info/device-info.module';
 import { ConfigModule } from '@nestjs/config';
 import { ServerInfoModule } from './api-v1/server-info/server-info.module';
@@ -23,6 +22,9 @@ import {
   SystemConfigController,
   UserController,
 } from './controllers';
+import { PublicShareStrategy } from './modules/immich-auth/strategies/public-share.strategy';
+import { APIKeyStrategy } from './modules/immich-auth/strategies/api-key.strategy';
+import { UserAuthStrategy } from './modules/immich-auth/strategies/user-auth.strategy';
 
 @Module({
   imports: [
@@ -34,8 +36,6 @@ import {
 
     AssetModule,
 
-    ImmichJwtModule,
-
     DeviceInfoModule,
 
     ServerInfoModule,
@@ -64,7 +64,7 @@ import {
     SystemConfigController,
     UserController,
   ],
-  providers: [],
+  providers: [UserAuthStrategy, APIKeyStrategy, PublicShareStrategy],
 })
 export class AppModule implements NestModule {
   // TODO: check if consumer is needed or remove

server/apps/immich/src/decorators/authenticated.decorator.ts

@@ -1,7 +1,7 @@
 import { UseGuards } from '@nestjs/common';
 import { AdminRolesGuard } from '../middlewares/admin-role-guard.middleware';
 import { RouteNotSharedGuard } from '../middlewares/route-not-shared-guard.middleware';
-import { AuthGuard } from '../modules/immich-jwt/guards/auth.guard';
+import { AuthGuard } from '../modules/immich-auth/guards/auth.guard';
 
 interface AuthenticatedOptions {
   admin?: boolean;

server/apps/immich/src/global.d.ts

@@ -4,5 +4,8 @@ declare global {
   namespace Express {
     // eslint-disable-next-line @typescript-eslint/no-empty-interface
     interface User extends AuthUserDto {}
+    export interface Request {
+      user: AuthUserDto;
+    }
   }
 }

server/apps/immich/src/main.ts

@@ -40,9 +40,6 @@ async function bootstrap() {
     .addBearerAuth({
       type: 'http',
       scheme: 'Bearer',
-      bearerFormat: 'JWT',
-      name: 'JWT',
-      description: 'Enter JWT token',
       in: 'header',
     })
     .addServer('/api')

server/apps/immich/src/modules/immich-auth/guards/auth.guard.ts

@@ -1,8 +1,8 @@
 import { Injectable } from '@nestjs/common';
 import { AuthGuard as PassportAuthGuard } from '@nestjs/passport';
 import { API_KEY_STRATEGY } from '../strategies/api-key.strategy';
-import { JWT_STRATEGY } from '../strategies/jwt.strategy';
+import { AUTH_COOKIE_STRATEGY } from '../strategies/user-auth.strategy';
 import { PUBLIC_SHARE_STRATEGY } from '../strategies/public-share.strategy';
 
 @Injectable()
-export class AuthGuard extends PassportAuthGuard([PUBLIC_SHARE_STRATEGY, JWT_STRATEGY, API_KEY_STRATEGY]) {}
+export class AuthGuard extends PassportAuthGuard([PUBLIC_SHARE_STRATEGY, AUTH_COOKIE_STRATEGY, API_KEY_STRATEGY]) {}

server/apps/immich/src/modules/immich-auth/strategies/user-auth.strategy.ts

@@ -0,0 +1,24 @@
+import { Injectable, UnauthorizedException } from '@nestjs/common';
+import { PassportStrategy } from '@nestjs/passport';
+import { AuthService, AuthUserDto, UserService } from '@app/domain';
+import { Strategy } from 'passport-custom';
+import { Request } from 'express';
+
+export const AUTH_COOKIE_STRATEGY = 'auth-cookie';
+
+@Injectable()
+export class UserAuthStrategy extends PassportStrategy(Strategy, AUTH_COOKIE_STRATEGY) {
+  constructor(private userService: UserService, private authService: AuthService) {
+    super();
+  }
+
+  async validate(request: Request): Promise<AuthUserDto> {
+    const authUser = await this.authService.validate(request.headers);
+
+    if (!authUser) {
+      throw new UnauthorizedException('Incorrect token provided');
+    }
+
+    return authUser;
+  }
+}

server/apps/immich/src/modules/immich-jwt/immich-jwt.module.ts

@@ -1,9 +0,0 @@
-import { Module } from '@nestjs/common';
-import { APIKeyStrategy } from './strategies/api-key.strategy';
-import { JwtStrategy } from './strategies/jwt.strategy';
-import { PublicShareStrategy } from './strategies/public-share.strategy';
-
-@Module({
-  providers: [JwtStrategy, APIKeyStrategy, PublicShareStrategy],
-})
-export class ImmichJwtModule {}

server/apps/immich/src/modules/immich-jwt/strategies/jwt.strategy.ts

@@ -1,24 +0,0 @@
-import { AuthService, AuthUserDto, JwtPayloadDto, jwtSecret } from '@app/domain';
-import { Injectable } from '@nestjs/common';
-import { PassportStrategy } from '@nestjs/passport';
-import { ExtractJwt, Strategy, StrategyOptions } from 'passport-jwt';
-
-export const JWT_STRATEGY = 'jwt';
-
-@Injectable()
-export class JwtStrategy extends PassportStrategy(Strategy, JWT_STRATEGY) {
-  constructor(private authService: AuthService) {
-    super({
-      jwtFromRequest: ExtractJwt.fromExtractors([
-        (req) => authService.extractJwtFromCookie(req.cookies),
-        (req) => authService.extractJwtFromHeader(req.headers),
-      ]),
-      ignoreExpiration: false,
-      secretOrKey: jwtSecret,
-    } as StrategyOptions);
-  }
-
-  async validate(payload: JwtPayloadDto): Promise<AuthUserDto> {
-    return this.authService.validatePayload(payload);
-  }
-}

server/apps/immich/test/album.e2e-spec.ts

@@ -5,10 +5,10 @@ import { clearDb, getAuthUser, authCustom } from './test-utils';
 import { InfraModule } from '@app/infra';
 import { AlbumModule } from '../src/api-v1/album/album.module';
 import { CreateAlbumDto } from '../src/api-v1/album/dto/create-album.dto';
-import { ImmichJwtModule } from '../src/modules/immich-jwt/immich-jwt.module';
 import { AuthUserDto } from '../src/decorators/auth-user.decorator';
 import { AuthService, DomainModule, UserService } from '@app/domain';
 import { DataSource } from 'typeorm';
+import { AppModule } from '../src/app.module';
 
 function _createAlbum(app: INestApplication, data: CreateAlbumDto) {
   return request(app.getHttpServer()).post('/album').send(data);
@@ -21,7 +21,7 @@ describe('Album', () => {
   describe('without auth', () => {
     beforeAll(async () => {
       const moduleFixture: TestingModule = await Test.createTestingModule({
-        imports: [DomainModule.register({ imports: [InfraModule] }), AlbumModule, ImmichJwtModule],
+        imports: [DomainModule.register({ imports: [InfraModule] }), AppModule],
       }).compile();
 
       app = moduleFixture.createNestApplication();

server/apps/immich/test/jest-e2e.json

@@ -1,5 +1,6 @@
 {
   "moduleFileExtensions": ["js", "json", "ts"],
+  "modulePaths": ["<rootDir>", "<rootDir>../../../"],
   "rootDir": ".",
   "testEnvironment": "node",
   "testRegex": ".e2e-spec.ts$",

server/apps/immich/test/test-utils.ts

@@ -2,7 +2,7 @@ import { CanActivate, ExecutionContext } from '@nestjs/common';
 import { TestingModuleBuilder } from '@nestjs/testing';
 import { DataSource } from 'typeorm';
 import { AuthUserDto } from '../src/decorators/auth-user.decorator';
-import { AuthGuard } from '../src/modules/immich-jwt/guards/auth.guard';
+import { AuthGuard } from '../src/modules/immich-auth/guards/auth.guard';
 
 type CustomAuthCallback = () => AuthUserDto;
 

server/apps/immich/test/user.e2e-spec.ts

@@ -3,11 +3,11 @@ import { INestApplication } from '@nestjs/common';
 import request from 'supertest';
 import { clearDb, authCustom } from './test-utils';
 import { InfraModule } from '@app/infra';
-import { ImmichJwtModule } from '../src/modules/immich-jwt/immich-jwt.module';
 import { DomainModule, CreateUserDto, UserService, AuthUserDto } from '@app/domain';
 import { DataSource } from 'typeorm';
 import { UserController } from '../src/controllers';
 import { AuthService } from '@app/domain';
+import { AppModule } from '../src/app.module';
 
 function _createUser(userService: UserService, data: CreateUserDto) {
   return userService.createUser(data);
@@ -25,7 +25,7 @@ describe('User', () => {
   describe('without auth', () => {
     beforeAll(async () => {
       const moduleFixture: TestingModule = await Test.createTestingModule({
-        imports: [DomainModule.register({ imports: [InfraModule] }), ImmichJwtModule],
+        imports: [DomainModule.register({ imports: [InfraModule] }), AppModule],
         controllers: [UserController],
       }).compile();