immich/server/libs/domain/src/oauth/oauth.service.ts

import { SystemConfig } from '@app/infra/db/entities';
import { BadRequestException, Inject, Injectable, Logger } from '@nestjs/common';
import { AuthType, AuthUserDto, ICryptoRepository, LoginResponseDto } from '../auth';
import { AuthCore } from '../auth/auth.core';
import { INITIAL_SYSTEM_CONFIG, ISystemConfigRepository } from '../system-config';
import { IUserRepository, UserCore, UserResponseDto } from '../user';
import { OAuthCallbackDto, OAuthConfigDto } from './dto';
import { OAuthCore } from './oauth.core';
import { OAuthConfigResponseDto } from './response-dto';
import { IUserTokenRepository } from '@app/domain/user-token';

@Injectable()
export class OAuthService {
  private authCore: AuthCore;
  private oauthCore: OAuthCore;
  private userCore: UserCore;

  private readonly logger = new Logger(OAuthService.name);

  constructor(
    @Inject(ICryptoRepository) cryptoRepository: ICryptoRepository,
    @Inject(ISystemConfigRepository) configRepository: ISystemConfigRepository,
    @Inject(IUserRepository) userRepository: IUserRepository,
    @Inject(IUserTokenRepository) userTokenRepository: IUserTokenRepository,
    @Inject(INITIAL_SYSTEM_CONFIG) initialConfig: SystemConfig,
  ) {
    this.authCore = new AuthCore(cryptoRepository, configRepository, userTokenRepository, initialConfig);
    this.userCore = new UserCore(userRepository, cryptoRepository);
    this.oauthCore = new OAuthCore(configRepository, initialConfig);
  }

  generateConfig(dto: OAuthConfigDto): Promise<OAuthConfigResponseDto> {
    return this.oauthCore.generateConfig(dto);
  }

  async login(dto: OAuthCallbackDto, isSecure: boolean): Promise<{ response: LoginResponseDto; cookie: string[] }> {
    const profile = await this.oauthCore.callback(dto.url);

    this.logger.debug(`Logging in with OAuth: ${JSON.stringify(profile)}`);
    let user = await this.userCore.getByOAuthId(profile.sub);

    // link existing user
    if (!user) {
      const emailUser = await this.userCore.getByEmail(profile.email);
      if (emailUser) {
        user = await this.userCore.updateUser(emailUser, emailUser.id, { oauthId: profile.sub });
      }
    }

    // register new user
    if (!user) {
      if (!this.oauthCore.isAutoRegisterEnabled()) {
        this.logger.warn(
          `Unable to register ${profile.email}. To enable set OAuth Auto Register to true in admin settings.`,
        );
        throw new BadRequestException(`User does not exist and auto registering is disabled.`);
      }

      this.logger.log(`Registering new user: ${profile.email}/${profile.sub}`);
      user = await this.userCore.createUser(this.oauthCore.asUser(profile));
    }

    return this.authCore.createLoginResponse(user, AuthType.OAUTH, isSecure);
  }

  public async link(user: AuthUserDto, dto: OAuthCallbackDto): Promise<UserResponseDto> {
    const { sub: oauthId } = await this.oauthCore.callback(dto.url);
    const duplicate = await this.userCore.getByOAuthId(oauthId);
    if (duplicate && duplicate.id !== user.id) {
      this.logger.warn(`OAuth link account failed: sub is already linked to another user (${duplicate.email}).`);
      throw new BadRequestException('This OAuth account has already been linked to another user.');
    }
    return this.userCore.updateUser(user, user.id, { oauthId });
  }

  public async unlink(user: AuthUserDto): Promise<UserResponseDto> {
    return this.userCore.updateUser(user, user.id, { oauthId: '' });
  }

  public async getLogoutEndpoint(): Promise<string | null> {
    return this.oauthCore.getLogoutEndpoint();
  }
}
refactor(server): auth service (#1383) * refactor: auth * chore: tests * Remove await on non-async method * refactor: constants * chore: remove extra async Co-authored-by: Alex Tran <alex.tran1502@gmail.com> 2023-01-23 23:13:42 -05:00			`import { SystemConfig } from '@app/infra/db/entities';`
			`import { BadRequestException, Inject, Injectable, Logger } from '@nestjs/common';`
			`import { AuthType, AuthUserDto, ICryptoRepository, LoginResponseDto } from '../auth';`
			`import { AuthCore } from '../auth/auth.core';`
			`import { INITIAL_SYSTEM_CONFIG, ISystemConfigRepository } from '../system-config';`
			`import { IUserRepository, UserCore, UserResponseDto } from '../user';`
			`import { OAuthCallbackDto, OAuthConfigDto } from './dto';`
			`import { OAuthCore } from './oauth.core';`
			`import { OAuthConfigResponseDto } from './response-dto';`
feat(server): move authentication to tokens stored in the database (#1381) * chore: add typeorm commands to npm and set default database config values * feat: move to server side authentication tokens * fix: websocket should emit error and disconnect on error thrown by the server * refactor: rename cookie-auth-strategy to user-auth-strategy * feat: user tokens and API keys now use SHA256 hash for performance improvements * test: album e2e test remove unneeded module import * infra: truncate api key table as old keys will no longer work with new hash algorithm * fix(server): e2e tests (#1435) * fix: root module paths * chore: linting * chore: rename user-auth to strategy.ts and make validate return AuthUserDto * fix: we should always send HttpOnly for our auth cookies * chore: remove now unused crypto functions and jwt dependencies * fix: return the extra fields for AuthUserDto in auth service validate --------- Co-authored-by: Jason Rasmussen <jrasm91@gmail.com> 2023-01-27 20:50:07 +00:00			`import { IUserTokenRepository } from '@app/domain/user-token';`
refactor(server): auth service (#1383) * refactor: auth * chore: tests * Remove await on non-async method * refactor: constants * chore: remove extra async Co-authored-by: Alex Tran <alex.tran1502@gmail.com> 2023-01-23 23:13:42 -05:00
			`@Injectable()`
			`export class OAuthService {`
			`private authCore: AuthCore;`
			`private oauthCore: OAuthCore;`
			`private userCore: UserCore;`

			`private readonly logger = new Logger(OAuthService.name);`

			`constructor(`
			`@Inject(ICryptoRepository) cryptoRepository: ICryptoRepository,`
			`@Inject(ISystemConfigRepository) configRepository: ISystemConfigRepository,`
			`@Inject(IUserRepository) userRepository: IUserRepository,`
feat(server): move authentication to tokens stored in the database (#1381) * chore: add typeorm commands to npm and set default database config values * feat: move to server side authentication tokens * fix: websocket should emit error and disconnect on error thrown by the server * refactor: rename cookie-auth-strategy to user-auth-strategy * feat: user tokens and API keys now use SHA256 hash for performance improvements * test: album e2e test remove unneeded module import * infra: truncate api key table as old keys will no longer work with new hash algorithm * fix(server): e2e tests (#1435) * fix: root module paths * chore: linting * chore: rename user-auth to strategy.ts and make validate return AuthUserDto * fix: we should always send HttpOnly for our auth cookies * chore: remove now unused crypto functions and jwt dependencies * fix: return the extra fields for AuthUserDto in auth service validate --------- Co-authored-by: Jason Rasmussen <jrasm91@gmail.com> 2023-01-27 20:50:07 +00:00			`@Inject(IUserTokenRepository) userTokenRepository: IUserTokenRepository,`
refactor(server): auth service (#1383) * refactor: auth * chore: tests * Remove await on non-async method * refactor: constants * chore: remove extra async Co-authored-by: Alex Tran <alex.tran1502@gmail.com> 2023-01-23 23:13:42 -05:00			`@Inject(INITIAL_SYSTEM_CONFIG) initialConfig: SystemConfig,`
			`) {`
feat(server): move authentication to tokens stored in the database (#1381) * chore: add typeorm commands to npm and set default database config values * feat: move to server side authentication tokens * fix: websocket should emit error and disconnect on error thrown by the server * refactor: rename cookie-auth-strategy to user-auth-strategy * feat: user tokens and API keys now use SHA256 hash for performance improvements * test: album e2e test remove unneeded module import * infra: truncate api key table as old keys will no longer work with new hash algorithm * fix(server): e2e tests (#1435) * fix: root module paths * chore: linting * chore: rename user-auth to strategy.ts and make validate return AuthUserDto * fix: we should always send HttpOnly for our auth cookies * chore: remove now unused crypto functions and jwt dependencies * fix: return the extra fields for AuthUserDto in auth service validate --------- Co-authored-by: Jason Rasmussen <jrasm91@gmail.com> 2023-01-27 20:50:07 +00:00			`this.authCore = new AuthCore(cryptoRepository, configRepository, userTokenRepository, initialConfig);`
			`this.userCore = new UserCore(userRepository, cryptoRepository);`
refactor(server): auth service (#1383) * refactor: auth * chore: tests * Remove await on non-async method * refactor: constants * chore: remove extra async Co-authored-by: Alex Tran <alex.tran1502@gmail.com> 2023-01-23 23:13:42 -05:00			`this.oauthCore = new OAuthCore(configRepository, initialConfig);`
			`}`

			`generateConfig(dto: OAuthConfigDto): Promise<OAuthConfigResponseDto> {`
			`return this.oauthCore.generateConfig(dto);`
			`}`

			`async login(dto: OAuthCallbackDto, isSecure: boolean): Promise<{ response: LoginResponseDto; cookie: string[] }> {`
			`const profile = await this.oauthCore.callback(dto.url);`

			this.logger.debug(`Logging in with OAuth: ${JSON.stringify(profile)}`);
			`let user = await this.userCore.getByOAuthId(profile.sub);`

			`// link existing user`
			`if (!user) {`
			`const emailUser = await this.userCore.getByEmail(profile.email);`
			`if (emailUser) {`
			`user = await this.userCore.updateUser(emailUser, emailUser.id, { oauthId: profile.sub });`
			`}`
			`}`

			`// register new user`
			`if (!user) {`
			`if (!this.oauthCore.isAutoRegisterEnabled()) {`
			`this.logger.warn(`
			`Unable to register ${profile.email}. To enable set OAuth Auto Register to true in admin settings.`,
			`);`
			throw new BadRequestException(`User does not exist and auto registering is disabled.`);
			`}`

			this.logger.log(`Registering new user: ${profile.email}/${profile.sub}`);
			`user = await this.userCore.createUser(this.oauthCore.asUser(profile));`
			`}`

			`return this.authCore.createLoginResponse(user, AuthType.OAUTH, isSecure);`
			`}`

			`public async link(user: AuthUserDto, dto: OAuthCallbackDto): Promise<UserResponseDto> {`
			`const { sub: oauthId } = await this.oauthCore.callback(dto.url);`
			`const duplicate = await this.userCore.getByOAuthId(oauthId);`
			`if (duplicate && duplicate.id !== user.id) {`
			this.logger.warn(`OAuth link account failed: sub is already linked to another user (${duplicate.email}).`);
			`throw new BadRequestException('This OAuth account has already been linked to another user.');`
			`}`
			`return this.userCore.updateUser(user, user.id, { oauthId });`
			`}`

			`public async unlink(user: AuthUserDto): Promise<UserResponseDto> {`
			`return this.userCore.updateUser(user, user.id, { oauthId: '' });`
			`}`

			`public async getLogoutEndpoint(): Promise<string \| null> {`
			`return this.oauthCore.getLogoutEndpoint();`
			`}`
			`}`