KevinMidboe/immich
1
0
Fork 0
mirror of https://github.com/KevinMidboe/immich.git synced 2025-10-29 17:40:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(web,server): disable password login (#1223)

Browse Source 
* feat(web,server): disable password login

* chore: unit tests

* chore: fix import

* chore: linting

* feat(cli): server command for enable/disable password login

* chore: update docs

* feat(web): confirm dialogue

* chore: linting

* chore: linting

* chore: linting

* chore: linting

* chore: linting

* chore: fix web test

* chore: server unit tests
This commit is contained in:
Jason Rasmussen
2023-01-09 16:32:58 -05:00
committed by GitHub
parent 5999af6c78
commit bd838a71d1
66 changed files with 861 additions and 167 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
docs/docs/features/img/password-login-settings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
docs/docs/features/img/user-management-update.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

25
docs/docs/features/oauth.md
View File

@@ -59,16 +59,17 @@ Before enabling OAuth in Immich, a new client application needs to be configured
Once you have a new OAuth client application configured, Immich can be configured using the Administration Settings page, available on the web (Administration -> Settings).
| Setting | Type | Default | Description |
| ---------------------------- | ------- | -------------------- | ------------------------------------------------------------------------- |
| Enabled | boolean | false | Enable/disable OAuth |
| Issuer URL | URL | (required) | Required. Self-discovery URL for client (from previous step) |
| Client ID | string | (required) | Required. Client ID (from previous step) |
| Client secret | string | (required) | Required. Client Secret (previous step) |
| Scope | string | openid email profile | Full list of scopes to send with the request (space delimited) |
| Button text | string | Login with OAuth | Text for the OAuth button on the web |
| Auto register | boolean | true | When true, will automatically register a user the first time they sign in |
| Mobile Redirect URI Override | URL | (empty) | Http(s) alternative mobile redirect URI |
| Setting | Type | Default | Description |
| ---------------------------------------------------- | ------- | -------------------- | ----------------------------------------------------------------------------------- |
| Enabled | boolean | false | Enable/disable OAuth |
| Issuer URL | URL | (required) | Required. Self-discovery URL for client (from previous step) |
| Client ID | string | (required) | Required. Client ID (from previous step) |
| Client Secret | string | (required) | Required. Client Secret (previous step) |
| Scope | string | openid email profile | Full list of scopes to send with the request (space delimited) |
| Button Text | string | Login with OAuth | Text for the OAuth button on the web |
| Auto Register | boolean | true | When true, will automatically register a user the first time they sign in |
| [Auto Launch](#auto-launch) | boolean | false | When true, will skip the login page and automatically start the OAuth login process |
| [Mobile Redirect URI Override](#mobile-redirect-uri) | URL | (empty) | Http(s) alternative mobile redirect URI |
:::info
The Issuer URL should look something like the following, and return a valid json document.
@@ -79,6 +80,10 @@ The Issuer URL should look something like the following, and return a valid json
The `.well-known/openid-configuration` part of the url is optional and will be automatically added during discovery.
:::
## Auto Launch
When Auto Launch is enabled, the login page will automatically redirect the user to the OAuth authorization url, to login with OAuth. To access the login screen again, use the browser's back button, or navigate directly to `/auth/login?autoLaunch=0`.
## Mobile Redirect URI
The redirect URI for the mobile app is `app.immich:/`, which is a [Custom Scheme](https://developer.apple.com/documentation/xcode/defining-a-custom-url-scheme-for-your-app). If this custom scheme is an invalid redirect URI for your OAuth Provider, you can work around this by doing the following:

32
docs/docs/features/password-login.md Normal file
View File

@@ -0,0 +1,32 @@
# Password Login
An overview of password login and related settings for Immich.
## Enable/Disable
Immich supports password login, which is enabled by default. The preferred way to disable it is via the [Administration Page](#administration-page), although it can also be changed via a [Server Command](#server-command) as well.
### Administration Page
To toggle the password login setting via the web, navigate to the "Administration", expand "Password Authentication", toggle the "Enabled" switch, and press "Save".
![Password Login Settings](./img/password-login-settings.png)
### Server Command
There are two [Server Commands](/docs/features/server-commands.md) for password login:
1. `enable-password-login`
2. `disable-password-login`
See [Server Commands](/docs/features/server-commands.md) for more details about how to run them.
## Password Reset
### Admin
To reset the administrator password, use the `reset-admin-password` [Server Command](/docs/features/server-commands.md).
### User
Immich does not currently support self-service password reset. However, the administration can reset passwords for other users. See [User Management: Password Reset](/docs/features/user-management.mdx#password-reset) for more information about how to do this.

34
docs/docs/features/server-commands.md
View File

@@ -1,21 +1,39 @@
# Server Commands
The `immich-server` docker image comes preinstalled with an administrative CLI that supports the following commands:
The `immich-server` docker image comes preinstalled with an administrative CLI (`immich`) that supports the following commands:
| Command | Description |
| ----------------------------- | ------------------------------------- |
| `immich help` | Display help |
| `immich reset-admin-password` | Reset the password for the admin user |
| Command | Description |
| ------------------------ | ------------------------------------- |
| `help` | Display help |
| `reset-admin-password` | Reset the password for the admin user |
| `disable-password-login` | Disable password login |
| `enable-password-login` | Enable password login |
## How to run a command
To run a command, connect to the container and then execute it. For example:
To run a command, connect to the container and then execute it by running `immich <command>`.
```bash
docker exec -it immich-server_1 sh
## Examples
```bash title="Reset Admin Password"
docker exec -it immich_server sh
/usr/src/app$ immich reset-admin-password
? Please choose a new password (optional) immich-is-awesome-unlike-this-password
New password:
immich-is-awesome-unlike-this-password
```
```bash title="Disable Password Login"
docker exec -it immich_server sh
/usr/src/app$ immich disable-password-login
Password login has been disabled.
```
```bash title="Enable Password Login"
docker exec -it immich_server sh
/usr/src/app$ immich enable-password-login
Password login has been enabled.
```

6
docs/docs/features/user-management.mdx
View File

@@ -16,3 +16,9 @@ Immich supports multiple users, each with their own library.
## Delete a User
If you need to remove a user from Immich, head to "Administration", where users can be scheduled for deletion. The user account will immediately become disabled and their library and all associated data will be removed after 7 days.
## Password Reset
To reset a user's password, click the pencil icon to edit a user, then click "Reset Password". The user's password will be reset to "password" and they have to change it next time the sign in.
![Reset Password](./img/user-management-update.png)