immich/server/src/dtos/auth.dto.ts

import { ApiProperty } from '@nestjs/swagger';
import { Transform } from 'class-transformer';
import { IsEmail, IsNotEmpty, IsString, MinLength } from 'class-validator';
import { AuthApiKey, AuthSession, AuthSharedLink, AuthUser } from 'src/database';
import { ImmichCookie, Permission } from 'src/enum';
import { Optional, PinCode, toEmail, ValidateEnum } from 'src/validation';

export type CookieResponse = {
  isSecure: boolean;
  values: Array<{ key: ImmichCookie; value: string | null }>;
};

export class AuthDto {
  user!: AuthUser;

  apiKey?: AuthApiKey;
  sharedLink?: AuthSharedLink;
  session?: AuthSession;
}

export class LoginCredentialDto {
  @IsEmail({ require_tld: false })
  @Transform(toEmail)
  @IsNotEmpty()
  @ApiProperty({ example: 'testuser@email.com' })
  email!: string;

  @IsString()
  @IsNotEmpty()
  @ApiProperty({ example: 'password' })
  password!: string;
}

export class LoginResponseDto {
  accessToken!: string;
  userId!: string;
  userEmail!: string;
  name!: string;
  profileImagePath!: string;
  isAdmin!: boolean;
  shouldChangePassword!: boolean;
  isOnboarded!: boolean;
  @ValidateEnum({ enum: Permission, name: 'Permission', each: true })
  permissions!: Permission[];
}

export class LogoutResponseDto {
  successful!: boolean;
  redirectUri!: string;
}

export class SignUpDto extends LoginCredentialDto {
  @IsString()
  @IsNotEmpty()
  @ApiProperty({ example: 'Admin' })
  name!: string;
}

export class ChangePasswordDto {
  @IsString()
  @IsNotEmpty()
  @ApiProperty({ example: 'password' })
  password!: string;

  @IsString()
  @IsNotEmpty()
  @MinLength(8)
  @ApiProperty({ example: 'password' })
  newPassword!: string;
}

export class PinCodeSetupDto {
  @PinCode()
  pinCode!: string;
}

export class PinCodeResetDto {
  @PinCode({ optional: true })
  pinCode?: string;

  @Optional()
  @IsString()
  @IsNotEmpty()
  password?: string;
}

export class SessionUnlockDto extends PinCodeResetDto {}

export class PinCodeChangeDto extends PinCodeResetDto {
  @PinCode()
  newPinCode!: string;
}

export class ValidateAccessTokenResponseDto {
  authStatus!: boolean;
}

export class OAuthCallbackDto {
  @IsNotEmpty()
  @IsString()
  @ApiProperty()
  url!: string;

  @Optional()
  @IsString()
  state?: string;

  @Optional()
  @IsString()
  codeVerifier?: string;
}

export class OAuthConfigDto {
  @IsNotEmpty()
  @IsString()
  redirectUri!: string;

  @Optional()
  @IsString()
  state?: string;

  @Optional()
  @IsString()
  codeChallenge?: string;
}

export class OAuthAuthorizeResponseDto {
  url!: string;
}

export class AuthStatusResponseDto {
  pinCode!: boolean;
  password!: boolean;
  isElevated!: boolean;
  expiresAt?: string;
  pinExpiresAt?: string;
}
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`import { ApiProperty } from '@nestjs/swagger';`
			`import { Transform } from 'class-transformer';`
			`import { IsEmail, IsNotEmpty, IsString, MinLength } from 'class-validator';`
feat: session permissions 2025-10-07 14:25:18 -04:00			`import { AuthApiKey, AuthSession, AuthSharedLink, AuthUser } from 'src/database';`
			`import { ImmichCookie, Permission } from 'src/enum';`
			`import { Optional, PinCode, toEmail, ValidateEnum } from 'src/validation';`
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00
refactor(server): cookies (#8920) 2024-04-19 11:19:23 -04:00			`export type CookieResponse = {`
			`isSecure: boolean;`
feat: add oauth2 code verifier * fix: ensure oauth state param matches before finishing oauth flow Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * chore: upgrade openid-client to v6 Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * feat: use PKCE for oauth2 on supported clients Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * feat: use state and PKCE in mobile app Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: remove obsolete oauth repository init Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: rewrite callback url if mobile redirect url is enabled Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: propagate oidc client error cause when oauth callback fails Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: adapt auth service tests to required state and PKCE params Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: update sdk types Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: adapt oauth e2e test to work with PKCE Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: allow insecure (http) oauth clients Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> --------- Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> Co-authored-by: Jason Rasmussen <jason@rasm.me> 2025-04-23 16:05:00 +02:00			`values: Array<{ key: ImmichCookie; value: string \| null }>;`
refactor(server): cookies (#8920) 2024-04-19 11:19:23 -04:00			`};`

refactor(server): auth dto (#5593) * refactor: AuthUserDto => AuthDto * refactor: reorganize auth-dto * refactor: AuthUser() => Auth() 2023-12-09 23:34:12 -05:00			`export class AuthDto {`
refactor(server): narrow auth types (#16066) 2025-02-12 15:23:08 -05:00			`user!: AuthUser;`
refactor(server): auth dto (#5593) * refactor: AuthUserDto => AuthDto * refactor: reorganize auth-dto * refactor: AuthUser() => Auth() 2023-12-09 23:34:12 -05:00
feat: migration api keys to use kysely (#15206) 2025-01-10 14:02:12 -05:00			`apiKey?: AuthApiKey;`
refactor(server): narrow auth types (#16066) 2025-02-12 15:23:08 -05:00			`sharedLink?: AuthSharedLink;`
			`session?: AuthSession;`
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`}`

			`export class LoginCredentialDto {`
			`@IsEmail({ require_tld: false })`
fix(server): avoid server error for invalid email data type (#10978) * fix(server): avoid server error for invalid email data type * add e2e test * fix e2e 2024-07-10 13:58:06 +02:00			`@Transform(toEmail)`
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`@IsNotEmpty()`
			`@ApiProperty({ example: 'testuser@email.com' })`
			`email!: string;`

			`@IsString()`
			`@IsNotEmpty()`
			`@ApiProperty({ example: 'password' })`
			`password!: string;`
			`}`

			`export class LoginResponseDto {`
			`accessToken!: string;`
			`userId!: string;`
			`userEmail!: string;`
fix: replace first and last name with single field (#4915) 2023-11-11 20:03:32 -05:00			`name!: string;`
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`profileImagePath!: string;`
			`isAdmin!: boolean;`
			`shouldChangePassword!: boolean;`
feat(web): improved user onboarding (#18782) * wip * added user metadata key * wip * restructure onboarding system and add initial locale * update language card and fix translation updating * remove prints * new card formattings * fix cursed unmount effect * add OAuth route onboarding * remove required admin auth for onboarding * delete the hotwire button * update open-api files * delete import * fix failing oauth onboarding fields * fix e2e test * fix web e2e test * add onboarding to user registration e2e test * remove todo this was a holdover during dev and didn't get deleted * fix server small tests * use onDestroy to save settings rather than a bind:this * change to false for isOnboarded * fix other auth small test * provide type annotation in user factory metadata field * remove onboardingCompelted from UserDto * move translations to onboarding steps array and mark as derived so they update * break language selector out into its own component as per @danieldietzler suggestion * remove hello header on card * fix flixkering on server privacy card * label/id fixes * openapi --------- Co-authored-by: Alex Tran <alex.tran1502@gmail.com> 2025-06-02 16:09:13 -05:00			`isOnboarded!: boolean;`
feat: session permissions 2025-10-07 14:25:18 -04:00			`@ValidateEnum({ enum: Permission, name: 'Permission', each: true })`
			`permissions!: Permission[];`
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`}`

			`export class LogoutResponseDto {`
			`successful!: boolean;`
			`redirectUri!: string;`
			`}`

			`export class SignUpDto extends LoginCredentialDto {`
			`@IsString()`
			`@IsNotEmpty()`
			`@ApiProperty({ example: 'Admin' })`
fix: replace first and last name with single field (#4915) 2023-11-11 20:03:32 -05:00			`name!: string;`
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`}`

			`export class ChangePasswordDto {`
			`@IsString()`
			`@IsNotEmpty()`
			`@ApiProperty({ example: 'password' })`
			`password!: string;`

			`@IsString()`
			`@IsNotEmpty()`
			`@MinLength(8)`
			`@ApiProperty({ example: 'password' })`
			`newPassword!: string;`
			`}`

feat: user pin-code (#18138) * feat: user pincode * pr feedback * chore: cleanup --------- Co-authored-by: Jason Rasmussen <jason@rasm.me> 2025-05-09 16:00:58 -05:00			`export class PinCodeSetupDto {`
			`@PinCode()`
			`pinCode!: string;`
			`}`

			`export class PinCodeResetDto {`
			`@PinCode({ optional: true })`
			`pinCode?: string;`

			`@Optional()`
			`@IsString()`
			`@IsNotEmpty()`
			`password?: string;`
			`}`

feat: lock auth session (#18322) 2025-05-15 18:08:31 -04:00			`export class SessionUnlockDto extends PinCodeResetDto {}`

feat: user pin-code (#18138) * feat: user pincode * pr feedback * chore: cleanup --------- Co-authored-by: Jason Rasmussen <jason@rasm.me> 2025-05-09 16:00:58 -05:00			`export class PinCodeChangeDto extends PinCodeResetDto {`
			`@PinCode()`
			`newPinCode!: string;`
			`}`

refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`export class ValidateAccessTokenResponseDto {`
			`authStatus!: boolean;`
			`}`

			`export class OAuthCallbackDto {`
			`@IsNotEmpty()`
			`@IsString()`
			`@ApiProperty()`
			`url!: string;`
feat: add oauth2 code verifier * fix: ensure oauth state param matches before finishing oauth flow Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * chore: upgrade openid-client to v6 Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * feat: use PKCE for oauth2 on supported clients Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * feat: use state and PKCE in mobile app Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: remove obsolete oauth repository init Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: rewrite callback url if mobile redirect url is enabled Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: propagate oidc client error cause when oauth callback fails Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: adapt auth service tests to required state and PKCE params Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: update sdk types Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: adapt oauth e2e test to work with PKCE Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: allow insecure (http) oauth clients Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> --------- Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> Co-authored-by: Jason Rasmussen <jason@rasm.me> 2025-04-23 16:05:00 +02:00
			`@Optional()`
			`@IsString()`
			`state?: string;`

			`@Optional()`
			`@IsString()`
			`codeVerifier?: string;`
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`}`

			`export class OAuthConfigDto {`
			`@IsNotEmpty()`
			`@IsString()`
			`redirectUri!: string;`
feat: add oauth2 code verifier * fix: ensure oauth state param matches before finishing oauth flow Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * chore: upgrade openid-client to v6 Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * feat: use PKCE for oauth2 on supported clients Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * feat: use state and PKCE in mobile app Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: remove obsolete oauth repository init Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: rewrite callback url if mobile redirect url is enabled Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: propagate oidc client error cause when oauth callback fails Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: adapt auth service tests to required state and PKCE params Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: update sdk types Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: adapt oauth e2e test to work with PKCE Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: allow insecure (http) oauth clients Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> --------- Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> Co-authored-by: Jason Rasmussen <jason@rasm.me> 2025-04-23 16:05:00 +02:00
			`@Optional()`
			`@IsString()`
			`state?: string;`

			`@Optional()`
			`@IsString()`
			`codeChallenge?: string;`
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`}`

			`export class OAuthAuthorizeResponseDto {`
			`url!: string;`
			`}`
feat: user pin-code (#18138) * feat: user pincode * pr feedback * chore: cleanup --------- Co-authored-by: Jason Rasmussen <jason@rasm.me> 2025-05-09 16:00:58 -05:00
			`export class AuthStatusResponseDto {`
			`pinCode!: boolean;`
			`password!: boolean;`
feat: locked/private view (#18268) * feat: locked/private view * feat: locked/private view * pr feedback * fix: redirect loop * pr feedback 2025-05-15 09:35:21 -06:00			`isElevated!: boolean;`
feat: lock auth session (#18322) 2025-05-15 18:08:31 -04:00			`expiresAt?: string;`
			`pinExpiresAt?: string;`
feat: user pin-code (#18138) * feat: user pincode * pr feedback * chore: cleanup --------- Co-authored-by: Jason Rasmussen <jason@rasm.me> 2025-05-09 16:00:58 -05:00			`}`