feat(server): move authentication to tokens stored in the database (#1381)

* chore: add typeorm commands to npm and set default database config values * feat: move to server side authentication tokens * fix: websocket should emit error and disconnect on error thrown by the server * refactor: rename cookie-auth-strategy to user-auth-strategy * feat: user tokens and API keys now use SHA256 hash for performance improvements * test: album e2e test remove unneeded module import * infra: truncate api key table as old keys will no longer work with new hash algorithm * fix(server): e2e tests (#1435) * fix: root module paths * chore: linting * chore: rename user-auth to strategy.ts and make validate return AuthUserDto * fix: we should always send HttpOnly for our auth cookies * chore: remove now unused crypto functions and jwt dependencies * fix: return the extra fields for AuthUserDto in auth service validate --------- Co-authored-by: Jason Rasmussen <jrasm91@gmail.com>
2025-10-29 17:40:28 +00:00 · 2023-01-27 20:50:07 +00:00
parent 9be71f603e
commit 3f2513a717
61 changed files with 373 additions and 517 deletions
--- a/server/libs/infra/src/auth/crypto.repository.ts
+++ b/server/libs/infra/src/auth/crypto.repository.ts
@@ -1,22 +1,16 @@
 import { ICryptoRepository } from '@app/domain';
 import { Injectable } from '@nestjs/common';
-import { JwtService, JwtVerifyOptions } from '@nestjs/jwt';
 import { compareSync, hash } from 'bcrypt';
-import { randomBytes } from 'crypto';
+import { randomBytes, createHash } from 'crypto';

@Injectable()
 export class CryptoRepository implements ICryptoRepository {
-  constructor(private jwtService: JwtService) {}
-
  randomBytes = randomBytes;
-  hash = hash;
-  compareSync = compareSync;

-  signJwt(payload: string | Buffer | object) {
-    return this.jwtService.sign(payload);
-  }
+  hashBcrypt = hash;
+  compareBcrypt = compareSync;

-  verifyJwtAsync<T extends object = any>(token: string, options?: JwtVerifyOptions): Promise<T> {
-    return this.jwtService.verifyAsync(token, options);
+  hashSha256(value: string) {
+    return createHash('sha256').update(value).digest('base64');
  }
 }
--- a/server/libs/infra/src/db/config/database.config.ts
+++ b/server/libs/infra/src/db/config/database.config.ts
@@ -5,11 +5,11 @@ const url = process.env.DB_URL;
 const urlOrParts = url
  ? { url }
  : {
-      host: process.env.DB_HOSTNAME || 'immich_postgres',
+      host: process.env.DB_HOSTNAME || 'localhost',
      port: parseInt(process.env.DB_PORT || '5432'),
-      username: process.env.DB_USERNAME,
-      password: process.env.DB_PASSWORD,
-      database: process.env.DB_DATABASE_NAME,
+      username: process.env.DB_USERNAME || 'postgres',
+      password: process.env.DB_PASSWORD || 'postgres',
+      database: process.env.DB_DATABASE_NAME || 'immich',
    };

 export const databaseConfig: PostgresConnectionOptions = {
--- a/server/libs/infra/src/db/entities/index.ts
+++ b/server/libs/infra/src/db/entities/index.ts
@@ -9,4 +9,5 @@ export * from './system-config.entity';
 export * from './tag.entity';
 export * from './user-album.entity';
 export * from './user.entity';
+export * from './user-token.entity';
 export * from './shared-link.entity';
--- a/server/libs/infra/src/db/entities/user-token.entity.ts
+++ b/server/libs/infra/src/db/entities/user-token.entity.ts
@@ -0,0 +1,20 @@
+import { Column, CreateDateColumn, Entity, ManyToOne, PrimaryGeneratedColumn, UpdateDateColumn } from 'typeorm';
+import { UserEntity } from './user.entity';
+
+@Entity('user_token')
+export class UserTokenEntity {
+  @PrimaryGeneratedColumn('uuid')
+  id!: string;
+
+  @Column({ select: false })
+  token!: string;
+
+  @ManyToOne(() => UserEntity)
+  user!: UserEntity;
+
+  @CreateDateColumn({ type: 'timestamptz' })
+  createdAt!: string;
+
+  @UpdateDateColumn({ type: 'timestamptz' })
+  updatedAt!: string;
+}
--- a/server/libs/infra/src/db/migrations/1674342044239-CreateUserTokenEntity.ts
+++ b/server/libs/infra/src/db/migrations/1674342044239-CreateUserTokenEntity.ts
@@ -0,0 +1,16 @@
+import { MigrationInterface, QueryRunner } from "typeorm";
+
+export class CreateUserTokenEntity1674342044239 implements MigrationInterface {
+    name = 'CreateUserTokenEntity1674342044239'
+
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(`CREATE TABLE "user_token" ("id" uuid NOT NULL DEFAULT uuid_generate_v4(), "token" character varying NOT NULL, "createdAt" TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT now(), "updatedAt" TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT now(), "userId" uuid, CONSTRAINT "PK_48cb6b5c20faa63157b3c1baf7f" PRIMARY KEY ("id"))`);
+        await queryRunner.query(`ALTER TABLE "user_token" ADD CONSTRAINT "FK_d37db50eecdf9b8ce4eedd2f918" FOREIGN KEY ("userId") REFERENCES "users"("id") ON DELETE NO ACTION ON UPDATE NO ACTION`);
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(`ALTER TABLE "user_token" DROP CONSTRAINT "FK_d37db50eecdf9b8ce4eedd2f918"`);
+        await queryRunner.query(`DROP TABLE "user_token"`);
+    }
+
+}
--- a/server/libs/infra/src/db/migrations/1674774248319-TruncateAPIKeys.ts
+++ b/server/libs/infra/src/db/migrations/1674774248319-TruncateAPIKeys.ts
@@ -0,0 +1,14 @@
+import { MigrationInterface, QueryRunner } from "typeorm"
+
+export class TruncateAPIKeys1674774248319 implements MigrationInterface {
+    name = 'TruncateAPIKeys1674774248319'
+
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(`TRUNCATE TABLE "api_keys"`);
+    }
+
+    public async down(): Promise<void> {
+        //noop
+    }
+
+}
--- a/server/libs/infra/src/db/repository/api-key.repository.ts
+++ b/server/libs/infra/src/db/repository/api-key.repository.ts
@@ -21,14 +21,14 @@ export class APIKeyRepository implements IKeyRepository {
    await this.repository.delete({ userId, id });
  }

-  getKey(id: number): Promise<APIKeyEntity | null> {
+  getKey(hashedToken: string): Promise<APIKeyEntity | null> {
    return this.repository.findOne({
      select: {
        id: true,
        key: true,
        userId: true,
      },
-      where: { id },
+      where: { key: hashedToken },
      relations: {
        user: true,
      },
--- a/server/libs/infra/src/db/repository/index.ts
+++ b/server/libs/infra/src/db/repository/index.ts
@@ -1,3 +1,4 @@
 export * from './api-key.repository';
 export * from './shared-link.repository';
 export * from './user.repository';
+export * from './user-token.repository';
--- a/server/libs/infra/src/db/repository/user-token.repository.ts
+++ b/server/libs/infra/src/db/repository/user-token.repository.ts
@@ -0,0 +1,25 @@
+import { Injectable } from '@nestjs/common';
+import { InjectRepository } from '@nestjs/typeorm';
+import { Repository } from 'typeorm';
+import { UserTokenEntity } from '@app/infra/db/entities/user-token.entity';
+import { IUserTokenRepository } from '@app/domain/user-token';
+
+@Injectable()
+export class UserTokenRepository implements IUserTokenRepository {
+  constructor(
+    @InjectRepository(UserTokenEntity)
+    private userTokenRepository: Repository<UserTokenEntity>,
+  ) {}
+
+  async get(userToken: string): Promise<UserTokenEntity | null> {
+    return this.userTokenRepository.findOne({ where: { token: userToken }, relations: { user: true } });
+  }
+
+  async create(userToken: Partial<UserTokenEntity>): Promise<UserTokenEntity> {
+    return this.userTokenRepository.save(userToken);
+  }
+
+  async delete(userToken: string): Promise<void> {
+    await this.userTokenRepository.delete(userToken);
+  }
+}
--- a/server/libs/infra/src/infra.module.ts
+++ b/server/libs/infra/src/infra.module.ts
@@ -7,17 +7,17 @@ import {
  IUserRepository,
  QueueName,
 } from '@app/domain';
-import { databaseConfig, UserEntity } from './db';
+import { databaseConfig, UserEntity, UserTokenEntity } from './db';
 import { BullModule } from '@nestjs/bull';
 import { Global, Module, Provider } from '@nestjs/common';
-import { JwtModule } from '@nestjs/jwt';
 import { TypeOrmModule } from '@nestjs/typeorm';
 import { APIKeyEntity, SharedLinkEntity, SystemConfigEntity, UserRepository } from './db';
 import { APIKeyRepository, SharedLinkRepository } from './db/repository';
-import { jwtConfig } from '@app/domain';
 import { CryptoRepository } from './auth/crypto.repository';
 import { SystemConfigRepository } from './db/repository/system-config.repository';
 import { JobRepository } from './job';
+import { IUserTokenRepository } from '@app/domain/user-token';
+import { UserTokenRepository } from '@app/infra/db/repository/user-token.repository';

 const providers: Provider[] = [
  { provide: ICryptoRepository, useClass: CryptoRepository },
@@ -26,14 +26,14 @@ const providers: Provider[] = [
  { provide: ISharedLinkRepository, useClass: SharedLinkRepository },
  { provide: ISystemConfigRepository, useClass: SystemConfigRepository },
  { provide: IUserRepository, useClass: UserRepository },
+  { provide: IUserTokenRepository, useClass: UserTokenRepository },
 ];

@Global()
@Module({
  imports: [
-    JwtModule.register(jwtConfig),
    TypeOrmModule.forRoot(databaseConfig),
-    TypeOrmModule.forFeature([APIKeyEntity, UserEntity, SharedLinkEntity, SystemConfigEntity]),
+    TypeOrmModule.forFeature([APIKeyEntity, UserEntity, SharedLinkEntity, SystemConfigEntity, UserTokenEntity]),
    BullModule.forRootAsync({
      useFactory: async () => ({
        prefix: 'immich_bull',
@@ -64,6 +64,6 @@ const providers: Provider[] = [
    ),
  ],
  providers: [...providers],
-  exports: [...providers, BullModule, JwtModule],
+  exports: [...providers, BullModule],
 })
 export class InfraModule {}