feat(web,server): api keys (#1244)

* feat(server): api keys

* chore: open-api

* feat(web): api keys

* fix: remove keys when deleting a user

server/apps/immich/src/api-v1/api-key/api-key.controller.ts

@@ -0,0 +1,48 @@
+import { Body, Controller, Delete, Get, Param, ParseIntPipe, Post, Put, ValidationPipe } from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
+import { AuthUserDto, GetAuthUser } from '../../decorators/auth-user.decorator';
+import { Authenticated } from '../../decorators/authenticated.decorator';
+import { APIKeyService } from './api-key.service';
+import { APIKeyCreateDto } from './dto/api-key-create.dto';
+import { APIKeyUpdateDto } from './dto/api-key-update.dto';
+import { APIKeyCreateResponseDto } from './repsonse-dto/api-key-create-response.dto';
+import { APIKeyResponseDto } from './repsonse-dto/api-key-response.dto';
+
+@ApiTags('API Key')
+@Controller('api-key')
+@Authenticated()
+export class APIKeyController {
+  constructor(private service: APIKeyService) {}
+
+  @Post()
+  createKey(
+    @GetAuthUser() authUser: AuthUserDto,
+    @Body(ValidationPipe) dto: APIKeyCreateDto,
+  ): Promise<APIKeyCreateResponseDto> {
+    return this.service.create(authUser, dto);
+  }
+
+  @Get()
+  getKeys(@GetAuthUser() authUser: AuthUserDto): Promise<APIKeyResponseDto[]> {
+    return this.service.getAll(authUser);
+  }
+
+  @Get(':id')
+  getKey(@GetAuthUser() authUser: AuthUserDto, @Param('id', ParseIntPipe) id: number): Promise<APIKeyResponseDto> {
+    return this.service.getById(authUser, id);
+  }
+
+  @Put(':id')
+  updateKey(
+    @GetAuthUser() authUser: AuthUserDto,
+    @Param('id', ParseIntPipe) id: number,
+    @Body(ValidationPipe) dto: APIKeyUpdateDto,
+  ): Promise<APIKeyResponseDto> {
+    return this.service.update(authUser, id, dto);
+  }
+
+  @Delete(':id')
+  deleteKey(@GetAuthUser() authUser: AuthUserDto, @Param('id', ParseIntPipe) id: number): Promise<void> {
+    return this.service.delete(authUser, id);
+  }
+}

server/apps/immich/src/api-v1/api-key/api-key.module.ts

@@ -0,0 +1,16 @@
+import { APIKeyEntity } from '@app/database';
+import { Module } from '@nestjs/common';
+import { TypeOrmModule } from '@nestjs/typeorm';
+import { APIKeyController } from './api-key.controller';
+import { APIKeyRepository, IKeyRepository } from './api-key.repository';
+import { APIKeyService } from './api-key.service';
+
+const KEY_REPOSITORY = { provide: IKeyRepository, useClass: APIKeyRepository };
+
+@Module({
+  imports: [TypeOrmModule.forFeature([APIKeyEntity])],
+  controllers: [APIKeyController],
+  providers: [APIKeyService, KEY_REPOSITORY],
+  exports: [APIKeyService, KEY_REPOSITORY],
+})
+export class APIKeyModule {}

server/apps/immich/src/api-v1/api-key/api-key.repository.ts

@@ -0,0 +1,59 @@
+import { APIKeyEntity } from '@app/database';
+import { Injectable } from '@nestjs/common';
+import { InjectRepository } from '@nestjs/typeorm';
+import { Repository } from 'typeorm';
+
+export const IKeyRepository = 'IKeyRepository';
+
+export interface IKeyRepository {
+  create(dto: Partial<APIKeyEntity>): Promise<APIKeyEntity>;
+  update(userId: string, id: number, dto: Partial<APIKeyEntity>): Promise<APIKeyEntity>;
+  delete(userId: string, id: number): Promise<void>;
+  /**
+   * Includes the hashed `key` for verification
+   * @param id
+   */
+  getKey(id: number): Promise<APIKeyEntity | null>;
+  getById(userId: string, id: number): Promise<APIKeyEntity | null>;
+  getByUserId(userId: string): Promise<APIKeyEntity[]>;
+}
+
+@Injectable()
+export class APIKeyRepository implements IKeyRepository {
+  constructor(@InjectRepository(APIKeyEntity) private repository: Repository<APIKeyEntity>) {}
+
+  async create(dto: Partial<APIKeyEntity>): Promise<APIKeyEntity> {
+    return this.repository.save(dto);
+  }
+
+  async update(userId: string, id: number, dto: Partial<APIKeyEntity>): Promise<APIKeyEntity> {
+    await this.repository.update({ userId, id }, dto);
+    return this.repository.findOneOrFail({ where: { id: dto.id } });
+  }
+
+  async delete(userId: string, id: number): Promise<void> {
+    await this.repository.delete({ userId, id });
+  }
+
+  getKey(id: number): Promise<APIKeyEntity | null> {
+    return this.repository.findOne({
+      select: {
+        id: true,
+        key: true,
+        userId: true,
+      },
+      where: { id },
+      relations: {
+        user: true,
+      },
+    });
+  }
+
+  getById(userId: string, id: number): Promise<APIKeyEntity | null> {
+    return this.repository.findOne({ where: { userId, id } });
+  }
+
+  getByUserId(userId: string): Promise<APIKeyEntity[]> {
+    return this.repository.find({ where: { userId }, order: { createdAt: 'DESC' } });
+  }
+}

server/apps/immich/src/api-v1/api-key/api-key.service.ts

@@ -0,0 +1,74 @@
+import { UserEntity } from '@app/database';
+import { BadRequestException, Inject, Injectable, UnauthorizedException } from '@nestjs/common';
+import { compareSync, hash } from 'bcrypt';
+import { randomBytes } from 'node:crypto';
+import { AuthUserDto } from '../../decorators/auth-user.decorator';
+import { IKeyRepository } from './api-key.repository';
+import { APIKeyCreateDto } from './dto/api-key-create.dto';
+import { APIKeyCreateResponseDto } from './repsonse-dto/api-key-create-response.dto';
+import { APIKeyResponseDto, mapKey } from './repsonse-dto/api-key-response.dto';
+
+@Injectable()
+export class APIKeyService {
+  constructor(@Inject(IKeyRepository) private repository: IKeyRepository) {}
+
+  async create(authUser: AuthUserDto, dto: APIKeyCreateDto): Promise<APIKeyCreateResponseDto> {
+    const key = randomBytes(24).toString('base64').replace(/\W/g, '');
+    const entity = await this.repository.create({
+      key: await hash(key, 10),
+      name: dto.name || 'API Key',
+      userId: authUser.id,
+    });
+
+    const secret = Buffer.from(`${entity.id}:${key}`, 'utf8').toString('base64');
+
+    return { secret, apiKey: mapKey(entity) };
+  }
+
+  async update(authUser: AuthUserDto, id: number, dto: APIKeyCreateDto): Promise<APIKeyResponseDto> {
+    const exists = await this.repository.getById(authUser.id, id);
+    if (!exists) {
+      throw new BadRequestException('API Key not found');
+    }
+
+    return this.repository.update(authUser.id, id, {
+      name: dto.name,
+    });
+  }
+
+  async delete(authUser: AuthUserDto, id: number): Promise<void> {
+    const exists = await this.repository.getById(authUser.id, id);
+    if (!exists) {
+      throw new BadRequestException('API Key not found');
+    }
+
+    await this.repository.delete(authUser.id, id);
+  }
+
+  async getById(authUser: AuthUserDto, id: number): Promise<APIKeyResponseDto> {
+    const key = await this.repository.getById(authUser.id, id);
+    if (!key) {
+      throw new BadRequestException('API Key not found');
+    }
+    return mapKey(key);
+  }
+
+  async getAll(authUser: AuthUserDto): Promise<APIKeyResponseDto[]> {
+    const keys = await this.repository.getByUserId(authUser.id);
+    return keys.map(mapKey);
+  }
+
+  async validate(token: string): Promise<UserEntity> {
+    const [_id, key] = Buffer.from(token, 'base64').toString('utf8').split(':');
+    const id = Number(_id);
+
+    if (id && key) {
+      const entity = await this.repository.getKey(id);
+      if (entity?.user && entity?.key && compareSync(key, entity.key)) {
+        return entity.user as UserEntity;
+      }
+    }
+
+    throw new UnauthorizedException('Invalid API Key');
+  }
+}

server/apps/immich/src/api-v1/api-key/dto/api-key-create.dto.ts

@@ -0,0 +1,8 @@
+import { IsNotEmpty, IsOptional, IsString } from 'class-validator';
+
+export class APIKeyCreateDto {
+  @IsString()
+  @IsNotEmpty()
+  @IsOptional()
+  name?: string;
+}

server/apps/immich/src/api-v1/api-key/dto/api-key-update.dto.ts

@@ -0,0 +1,7 @@
+import { IsNotEmpty, IsString } from 'class-validator';
+
+export class APIKeyUpdateDto {
+  @IsString()
+  @IsNotEmpty()
+  name!: string;
+}

server/apps/immich/src/api-v1/api-key/repsonse-dto/api-key-create-response.dto.ts

@@ -0,0 +1,6 @@
+import { APIKeyResponseDto } from './api-key-response.dto';
+
+export class APIKeyCreateResponseDto {
+  secret!: string;
+  apiKey!: APIKeyResponseDto;
+}

server/apps/immich/src/api-v1/api-key/repsonse-dto/api-key-response.dto.ts

@@ -0,0 +1,17 @@
+import { APIKeyEntity } from '@app/database';
+
+export class APIKeyResponseDto {
+  id!: number;
+  name!: string;
+  createdAt!: string;
+  updatedAt!: string;
+}
+
+export function mapKey(entity: APIKeyEntity): APIKeyResponseDto {
+  return {
+    id: entity.id,
+    name: entity.name,
+    createdAt: entity.createdAt,
+    updatedAt: entity.updatedAt,
+  };
+}

server/apps/immich/src/app.module.ts

@@ -19,6 +19,7 @@ import { JobModule } from './api-v1/job/job.module';
 import { SystemConfigModule } from './api-v1/system-config/system-config.module';
 import { OAuthModule } from './api-v1/oauth/oauth.module';
 import { TagModule } from './api-v1/tag/tag.module';
+import { APIKeyModule } from './api-v1/api-key/api-key.module';
 
 @Module({
   imports: [
@@ -27,6 +28,8 @@ import { TagModule } from './api-v1/tag/tag.module';
     DatabaseModule,
     UserModule,
 
+    APIKeyModule,
+
     AssetModule,
 
     AuthModule,

server/apps/immich/src/decorators/authenticated.decorator.ts

@@ -1,13 +1,13 @@
 import { UseGuards } from '@nestjs/common';
 import { AdminRolesGuard } from '../middlewares/admin-role-guard.middleware';
-import { JwtAuthGuard } from '../modules/immich-jwt/guards/jwt-auth.guard';
+import { AuthGuard } from '../modules/immich-jwt/guards/auth.guard';
 
 interface AuthenticatedOptions {
   admin?: boolean;
 }
 
 export const Authenticated = (options?: AuthenticatedOptions) => {
-  const guards: Parameters<typeof UseGuards> = [JwtAuthGuard];
+  const guards: Parameters<typeof UseGuards> = [AuthGuard];
   options = options || {};
   if (options.admin) {
     guards.push(AdminRolesGuard);

server/apps/immich/src/middlewares/admin-role-guard.middleware.ts

@@ -1,12 +1,17 @@
 import { CanActivate, ExecutionContext, Injectable, Logger } from '@nestjs/common';
 import { Request } from 'express';
+import { UserResponseDto } from '../api-v1/user/response-dto/user-response.dto';
+
+interface UserRequest extends Request {
+  user: UserResponseDto;
+}
 
 @Injectable()
 export class AdminRolesGuard implements CanActivate {
   logger = new Logger(AdminRolesGuard.name);
 
   async canActivate(context: ExecutionContext): Promise<boolean> {
-    const request = context.switchToHttp().getRequest<Request>();
+    const request = context.switchToHttp().getRequest<UserRequest>();
     const isAdmin = request.user?.isAdmin || false;
     if (!isAdmin) {
       this.logger.log(`Denied access to admin only route: ${request.path}`);

server/apps/immich/src/modules/immich-jwt/guards/auth.guard.ts

@@ -0,0 +1,7 @@
+import { Injectable } from '@nestjs/common';
+import { AuthGuard as PassportAuthGuard } from '@nestjs/passport';
+import { API_KEY_STRATEGY } from '../strategies/api-key.strategy';
+import { JWT_STRATEGY } from '../strategies/jwt.strategy';
+
+@Injectable()
+export class AuthGuard extends PassportAuthGuard([JWT_STRATEGY, API_KEY_STRATEGY]) {}

server/apps/immich/src/modules/immich-jwt/guards/jwt-auth.guard.ts

@@ -1,5 +0,0 @@
-import { Injectable } from '@nestjs/common';
-import { AuthGuard } from '@nestjs/passport';
-
-@Injectable()
-export class JwtAuthGuard extends AuthGuard('jwt') {}

server/apps/immich/src/modules/immich-jwt/immich-jwt.module.ts

@@ -5,10 +5,12 @@ import { jwtConfig } from '../../config/jwt.config';
 import { JwtStrategy } from './strategies/jwt.strategy';
 import { TypeOrmModule } from '@nestjs/typeorm';
 import { UserEntity } from '@app/database';
+import { APIKeyModule } from '../../api-v1/api-key/api-key.module';
+import { APIKeyStrategy } from './strategies/api-key.strategy';
 
 @Module({
-  imports: [JwtModule.register(jwtConfig), TypeOrmModule.forFeature([UserEntity])],
-  providers: [ImmichJwtService, JwtStrategy],
+  imports: [JwtModule.register(jwtConfig), TypeOrmModule.forFeature([UserEntity]), APIKeyModule],
+  providers: [ImmichJwtService, JwtStrategy, APIKeyStrategy],
   exports: [ImmichJwtService],
 })
 export class ImmichJwtModule {}

server/apps/immich/src/modules/immich-jwt/strategies/api-key.strategy.ts

@@ -0,0 +1,21 @@
+import { Injectable } from '@nestjs/common';
+import { PassportStrategy } from '@nestjs/passport';
+import { IStrategyOptions, Strategy } from 'passport-http-header-strategy';
+import { APIKeyService } from '../../../api-v1/api-key/api-key.service';
+
+export const API_KEY_STRATEGY = 'api-key';
+
+const options: IStrategyOptions = {
+  header: 'x-api-key',
+};
+
+@Injectable()
+export class APIKeyStrategy extends PassportStrategy(Strategy, API_KEY_STRATEGY) {
+  constructor(private apiKeyService: APIKeyService) {
+    super(options);
+  }
+
+  async validate(token: string) {
+    return this.apiKeyService.validate(token);
+  }
+}

server/apps/immich/src/modules/immich-jwt/strategies/jwt.strategy.ts

@@ -1,15 +1,17 @@
 import { Injectable, UnauthorizedException } from '@nestjs/common';
 import { PassportStrategy } from '@nestjs/passport';
 import { InjectRepository } from '@nestjs/typeorm';
-import { ExtractJwt, Strategy } from 'passport-jwt';
+import { ExtractJwt, Strategy, StrategyOptions } from 'passport-jwt';
 import { Repository } from 'typeorm';
 import { JwtPayloadDto } from '../../../api-v1/auth/dto/jwt-payload.dto';
 import { UserEntity } from '@app/database';
 import { jwtSecret } from '../../../constants/jwt.constant';
 import { ImmichJwtService } from '../immich-jwt.service';
 
+export const JWT_STRATEGY = 'jwt';
+
 @Injectable()
-export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
+export class JwtStrategy extends PassportStrategy(Strategy, JWT_STRATEGY) {
   constructor(
     @InjectRepository(UserEntity)
     private usersRepository: Repository<UserEntity>,
@@ -22,7 +24,7 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
       ]),
       ignoreExpiration: false,
       secretOrKey: jwtSecret,
-    });
+    } as StrategyOptions);
   }
 
   async validate(payload: JwtPayloadDto) {

server/apps/immich/test/test-utils.ts

@@ -3,7 +3,7 @@ import { TestingModuleBuilder } from '@nestjs/testing';
 import { DataSource } from 'typeorm';
 import { IUserRepository } from '../src/api-v1/user/user-repository';
 import { AuthUserDto } from '../src/decorators/auth-user.decorator';
-import { JwtAuthGuard } from '../src/modules/immich-jwt/guards/jwt-auth.guard';
+import { AuthGuard } from '../src/modules/immich-jwt/guards/auth.guard';
 
 type CustomAuthCallback = () => AuthUserDto;
 
@@ -49,5 +49,5 @@ export function authCustom(builder: TestingModuleBuilder, callback: CustomAuthCa
       return true;
     },
   };
-  return builder.overrideGuard(JwtAuthGuard).useValue(canActivate);
+  return builder.overrideGuard(AuthGuard).useValue(canActivate);
 }