fix(server,web): correctly remove metadata from shared links (#4464)

* wip: strip metadata * fix: authenticate time buckets * hide detail panel * fix tests * fix lint * add e2e tests * chore: open api * fix web compilation error * feat: test with asset with gps position * fix: only import fs.promises.cp * fix: cleanup mapasset * fix: format --------- Co-authored-by: Alex Tran <alex.tran1502@gmail.com>
2025-10-29 17:40:28 +00:00 · 2023-10-14 03:46:30 +02:00
parent 4a9f58bf9b
commit dadcf49eca
39 changed files with 332 additions and 150 deletions
--- a/server/test/api/shared-link-api.ts
+++ b/server/test/api/shared-link-api.ts
@@ -10,4 +10,11 @@ export const sharedLinkApi = {
    expect(status).toBe(201);
    return body as SharedLinkResponseDto;
  },
+
+  getMySharedLink: async (server: any, key: string) => {
+    const { status, body } = await request(server).get('/shared-link/me').query({ key });
+
+    expect(status).toBe(200);
+    return body as SharedLinkResponseDto;
+  },
 };
--- a/server/test/assets
+++ b/server/test/assets
--- a/server/test/e2e/shared-link.e2e-spec.ts
+++ b/server/test/e2e/shared-link.e2e-spec.ts
@@ -1,11 +1,17 @@
 import { AlbumResponseDto, LoginResponseDto, SharedLinkResponseDto } from '@app/domain';
 import { PartnerController } from '@app/immich';
-import { SharedLinkType } from '@app/infra/entities';
+import { LibraryType, SharedLinkType } from '@app/infra/entities';
 import { INestApplication } from '@nestjs/common';
 import { api } from '@test/api';
 import { db } from '@test/db';
 import { errorStub, uuidStub } from '@test/fixtures';
-import { createTestApp } from '@test/test-utils';
+import {
+  IMMICH_TEST_ASSET_PATH,
+  IMMICH_TEST_ASSET_TEMP_PATH,
+  createTestApp,
+  restoreTempFolder,
+} from '@test/test-utils';
+import { cp } from 'fs/promises';
 import request from 'supertest';

 const user1Dto = {
@@ -18,24 +24,22 @@ const user1Dto = {
 describe(`${PartnerController.name} (e2e)`, () => {
  let app: INestApplication;
  let server: any;
-  let loginResponse: LoginResponseDto;
-  let accessToken: string;
+  let admin: LoginResponseDto;
  let user1: LoginResponseDto;
  let album: AlbumResponseDto;
  let sharedLink: SharedLinkResponseDto;

  beforeAll(async () => {
-    app = await createTestApp();
+    app = await createTestApp(true);
    server = app.getHttpServer();
  });

  beforeEach(async () => {
    await db.reset();
    await api.authApi.adminSignUp(server);
-    loginResponse = await api.authApi.adminLogin(server);
-    accessToken = loginResponse.accessToken;
+    admin = await api.authApi.adminLogin(server);

-    await api.userApi.create(server, accessToken, user1Dto);
+    await api.userApi.create(server, admin.accessToken, user1Dto);
    user1 = await api.authApi.login(server, { email: user1Dto.email, password: user1Dto.password });

    album = await api.albumApi.create(server, user1.accessToken, { albumName: 'shared with link' });
@@ -48,6 +52,7 @@ describe(`${PartnerController.name} (e2e)`, () => {
  afterAll(async () => {
    await db.disconnect();
    await app.close();
+    await restoreTempFolder();
  });

  describe('GET /shared-link', () => {
@@ -68,7 +73,9 @@ describe(`${PartnerController.name} (e2e)`, () => {
    });

    it('should not get shared links created by other users', async () => {
-      const { status, body } = await request(server).get('/shared-link').set('Authorization', `Bearer ${accessToken}`);
+      const { status, body } = await request(server)
+        .get('/shared-link')
+        .set('Authorization', `Bearer ${admin.accessToken}`);

      expect(status).toBe(200);
      expect(body).toEqual([]);
@@ -77,7 +84,9 @@ describe(`${PartnerController.name} (e2e)`, () => {

  describe('GET /shared-link/me', () => {
    it('should not require admin authentication', async () => {
-      const { status } = await request(server).get('/shared-link/me').set('Authorization', `Bearer ${accessToken}`);
+      const { status } = await request(server)
+        .get('/shared-link/me')
+        .set('Authorization', `Bearer ${admin.accessToken}`);

      expect(status).toBe(403);
    });
@@ -104,7 +113,7 @@ describe(`${PartnerController.name} (e2e)`, () => {
        type: SharedLinkType.ALBUM,
        albumId: softDeletedAlbum.id,
      });
-      await api.userApi.delete(server, accessToken, user1.userId);
+      await api.userApi.delete(server, admin.accessToken, user1.userId);

      const { status, body } = await request(server).get('/shared-link/me').query({ key: softDeletedAlbumLink.key });

@@ -133,7 +142,7 @@ describe(`${PartnerController.name} (e2e)`, () => {
    it('should not get shared link by id if user has not created the link or it does not exist', async () => {
      const { status, body } = await request(server)
        .get(`/shared-link/${sharedLink.id}`)
-        .set('Authorization', `Bearer ${accessToken}`);
+        .set('Authorization', `Bearer ${admin.accessToken}`);

      expect(status).toBe(400);
      expect(body).toEqual(expect.objectContaining({ message: 'Shared link not found' }));
@@ -248,4 +257,81 @@ describe(`${PartnerController.name} (e2e)`, () => {
      expect(status).toBe(200);
    });
  });
+
+  describe('Shared link metadata', () => {
+    beforeEach(async () => {
+      await restoreTempFolder();
+
+      await cp(
+        `${IMMICH_TEST_ASSET_PATH}/metadata/gps-position/thompson-springs.jpg`,
+        `${IMMICH_TEST_ASSET_TEMP_PATH}/thompson-springs.jpg`,
+      );
+
+      await api.userApi.setExternalPath(server, admin.accessToken, admin.userId, '/');
+
+      const library = await api.libraryApi.create(server, admin.accessToken, {
+        type: LibraryType.EXTERNAL,
+        importPaths: [`${IMMICH_TEST_ASSET_TEMP_PATH}`],
+      });
+
+      await api.libraryApi.scanLibrary(server, admin.accessToken, library.id);
+
+      const assets = await api.assetApi.getAllAssets(server, admin.accessToken);
+
+      expect(assets).toHaveLength(1);
+
+      album = await api.albumApi.create(server, admin.accessToken, { albumName: 'New album' });
+      await api.albumApi.addAssets(server, admin.accessToken, album.id, { ids: [assets[0].id] });
+    });
+
+    it('should return metadata for album shared link', async () => {
+      const sharedLink = await api.sharedLinkApi.create(server, admin.accessToken, {
+        type: SharedLinkType.ALBUM,
+        albumId: album.id,
+      });
+
+      const returnedLink = await api.sharedLinkApi.getMySharedLink(server, sharedLink.key);
+
+      expect(returnedLink.assets).toHaveLength(1);
+      expect(returnedLink.album).toBeDefined();
+
+      const returnedAsset = returnedLink.assets[0];
+      expect(returnedAsset).toEqual(
+        expect.objectContaining({
+          originalFileName: 'thompson-springs',
+          resized: true,
+          localDateTime: '2022-01-10T15:15:44.310Z',
+          fileCreatedAt: '2022-01-10T19:15:44.310Z',
+          exifInfo: expect.objectContaining({
+            longitude: -108.400968333333,
+            latitude: 39.115,
+            orientation: '1',
+            dateTimeOriginal: '2022-01-10T19:15:44.310Z',
+            timeZone: 'UTC-4',
+            state: 'Mesa County, Colorado',
+            country: 'United States of America',
+          }),
+        }),
+      );
+    });
+
+    it('should not return metadata for album shared link without metadata', async () => {
+      const sharedLink = await api.sharedLinkApi.create(server, admin.accessToken, {
+        type: SharedLinkType.ALBUM,
+        albumId: album.id,
+        showMetadata: false,
+      });
+
+      const returnedLink = await api.sharedLinkApi.getMySharedLink(server, sharedLink.key);
+
+      expect(returnedLink.assets).toHaveLength(1);
+      expect(returnedLink.album).toBeDefined();
+
+      const returnedAsset = returnedLink.assets[0];
+      expect(returnedAsset).not.toHaveProperty('exifInfo');
+      expect(returnedAsset).not.toHaveProperty('fileCreatedAt');
+      expect(returnedAsset).not.toHaveProperty('originalFilename');
+      expect(returnedAsset).not.toHaveProperty('originalPath');
+    });
+  });
 });
--- a/server/test/fixtures/auth.stub.ts
+++ b/server/test/fixtures/auth.stub.ts
@@ -48,7 +48,7 @@ export const authStub = {
    isPublicUser: false,
    isAllowUpload: true,
    isAllowDownload: true,
-    isShowExif: true,
+    isShowMetadata: true,
    accessTokenId: 'token-id',
    externalPath: null,
  }),
@@ -59,7 +59,7 @@ export const authStub = {
    isPublicUser: false,
    isAllowUpload: true,
    isAllowDownload: true,
-    isShowExif: true,
+    isShowMetadata: true,
    accessTokenId: 'token-id',
    externalPath: null,
  }),
@@ -70,7 +70,7 @@ export const authStub = {
    isPublicUser: false,
    isAllowUpload: true,
    isAllowDownload: true,
-    isShowExif: true,
+    isShowMetadata: true,
    accessTokenId: 'token-id',
    externalPath: '/data/user1',
  }),
@@ -81,7 +81,7 @@ export const authStub = {
    isAllowUpload: true,
    isAllowDownload: true,
    isPublicUser: true,
-    isShowExif: true,
+    isShowMetadata: true,
    sharedLinkId: '123',
  }),
  adminSharedLinkNoExif: Object.freeze<AuthUserDto>({
@@ -91,7 +91,7 @@ export const authStub = {
    isAllowUpload: true,
    isAllowDownload: true,
    isPublicUser: true,
-    isShowExif: false,
+    isShowMetadata: false,
    sharedLinkId: '123',
  }),
  readonlySharedLink: Object.freeze<AuthUserDto>({
@@ -101,7 +101,7 @@ export const authStub = {
    isAllowUpload: false,
    isAllowDownload: false,
    isPublicUser: true,
-    isShowExif: true,
+    isShowMetadata: true,
    sharedLinkId: '123',
    accessTokenId: 'token-id',
  }),
--- a/server/test/fixtures/shared-link.stub.ts
+++ b/server/test/fixtures/shared-link.stub.ts
@@ -71,8 +71,20 @@ const assetResponse: AssetResponseDto = {
  checksum: 'ZmlsZSBoYXNo',
  isTrashed: false,
  libraryId: 'library-id',
+  hasMetadata: true,
 };

+const assetResponseWithoutMetadata = {
+  id: 'id_1',
+  type: AssetType.VIDEO,
+  resized: false,
+  thumbhash: null,
+  localDateTime: today,
+  duration: '0:00:00.00000',
+  livePhotoVideoId: null,
+  hasMetadata: false,
+} as AssetResponseDto;
+
 const albumResponse: AlbumResponseDto = {
  albumName: 'Test Album',
  description: '',
@@ -253,7 +265,7 @@ export const sharedLinkResponseStub = {
    expiresAt: tomorrow,
    id: '123',
    key: sharedLinkBytes.toString('base64url'),
-    showExif: true,
+    showMetadata: true,
    type: SharedLinkType.ALBUM,
    userId: 'admin_id',
  }),
@@ -267,7 +279,7 @@ export const sharedLinkResponseStub = {
    expiresAt: yesterday,
    id: '123',
    key: sharedLinkBytes.toString('base64url'),
-    showExif: true,
+    showMetadata: true,
    type: SharedLinkType.ALBUM,
    userId: 'admin_id',
  }),
@@ -281,11 +293,11 @@ export const sharedLinkResponseStub = {
    description: null,
    allowUpload: false,
    allowDownload: false,
-    showExif: true,
+    showMetadata: true,
    album: albumResponse,
    assets: [assetResponse],
  }),
-  readonlyNoExif: Object.freeze<SharedLinkResponseDto>({
+  readonlyNoMetadata: Object.freeze<SharedLinkResponseDto>({
    id: '123',
    userId: 'admin_id',
    key: sharedLinkBytes.toString('base64url'),
@@ -295,8 +307,8 @@ export const sharedLinkResponseStub = {
    description: null,
    allowUpload: false,
    allowDownload: false,
-    showExif: false,
+    showMetadata: false,
    album: { ...albumResponse, startDate: assetResponse.fileCreatedAt, endDate: assetResponse.fileCreatedAt },
-    assets: [{ ...assetResponse, exifInfo: undefined }],
+    assets: [{ ...assetResponseWithoutMetadata, exifInfo: undefined }],
  }),
 };