immich/server/src/dtos/auth.dto.ts

import { ApiProperty } from '@nestjs/swagger';
import { Transform } from 'class-transformer';
import { IsEmail, IsNotEmpty, IsString, MinLength } from 'class-validator';
import { AuthApiKey, AuthSession, AuthSharedLink, AuthUser, UserAdmin } from 'src/database';
import { ImmichCookie } from 'src/enum';
import { Optional, PinCode, toEmail } from 'src/validation';

export type CookieResponse = {
  isSecure: boolean;
  values: Array<{ key: ImmichCookie; value: string | null }>;
};

export class AuthDto {
  user!: AuthUser;

  apiKey?: AuthApiKey;
  sharedLink?: AuthSharedLink;
  session?: AuthSession;
}

export class LoginCredentialDto {
  @IsEmail({ require_tld: false })
  @Transform(toEmail)
  @IsNotEmpty()
  @ApiProperty({ example: 'testuser@email.com' })
  email!: string;

  @IsString()
  @IsNotEmpty()
  @ApiProperty({ example: 'password' })
  password!: string;
}

export class LoginResponseDto {
  accessToken!: string;
  userId!: string;
  userEmail!: string;
  name!: string;
  profileImagePath!: string;
  isAdmin!: boolean;
  shouldChangePassword!: boolean;
}

export function mapLoginResponse(entity: UserAdmin, accessToken: string): LoginResponseDto {
  return {
    accessToken,
    userId: entity.id,
    userEmail: entity.email,
    name: entity.name,
    isAdmin: entity.isAdmin,
    profileImagePath: entity.profileImagePath,
    shouldChangePassword: entity.shouldChangePassword,
  };
}

export class LogoutResponseDto {
  successful!: boolean;
  redirectUri!: string;
}

export class SignUpDto extends LoginCredentialDto {
  @IsString()
  @IsNotEmpty()
  @ApiProperty({ example: 'Admin' })
  name!: string;
}

export class ChangePasswordDto {
  @IsString()
  @IsNotEmpty()
  @ApiProperty({ example: 'password' })
  password!: string;

  @IsString()
  @IsNotEmpty()
  @MinLength(8)
  @ApiProperty({ example: 'password' })
  newPassword!: string;
}

export class PinCodeSetupDto {
  @PinCode()
  pinCode!: string;
}

export class PinCodeResetDto {
  @PinCode({ optional: true })
  pinCode?: string;

  @Optional()
  @IsString()
  @IsNotEmpty()
  password?: string;
}

export class PinCodeChangeDto extends PinCodeResetDto {
  @PinCode()
  newPinCode!: string;
}

export class ValidateAccessTokenResponseDto {
  authStatus!: boolean;
}

export class OAuthCallbackDto {
  @IsNotEmpty()
  @IsString()
  @ApiProperty()
  url!: string;

  @Optional()
  @IsString()
  state?: string;

  @Optional()
  @IsString()
  codeVerifier?: string;
}

export class OAuthConfigDto {
  @IsNotEmpty()
  @IsString()
  redirectUri!: string;

  @Optional()
  @IsString()
  state?: string;

  @Optional()
  @IsString()
  codeChallenge?: string;
}

export class OAuthAuthorizeResponseDto {
  url!: string;
}

export class AuthStatusResponseDto {
  pinCode!: boolean;
  password!: boolean;
  isElevated!: boolean;
}
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`import { ApiProperty } from '@nestjs/swagger';`
			`import { Transform } from 'class-transformer';`
			`import { IsEmail, IsNotEmpty, IsString, MinLength } from 'class-validator';`
refactor: remove user entity (#17498) 2025-04-10 15:53:21 +01:00			`import { AuthApiKey, AuthSession, AuthSharedLink, AuthUser, UserAdmin } from 'src/database';`
refactor(server): auth enums (#13552) 2024-10-17 13:17:32 -04:00			`import { ImmichCookie } from 'src/enum';`
feat: user pin-code (#18138) * feat: user pincode * pr feedback * chore: cleanup --------- Co-authored-by: Jason Rasmussen <jason@rasm.me> 2025-05-09 16:00:58 -05:00			`import { Optional, PinCode, toEmail } from 'src/validation';`
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00
refactor(server): cookies (#8920) 2024-04-19 11:19:23 -04:00			`export type CookieResponse = {`
			`isSecure: boolean;`
feat: add oauth2 code verifier * fix: ensure oauth state param matches before finishing oauth flow Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * chore: upgrade openid-client to v6 Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * feat: use PKCE for oauth2 on supported clients Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * feat: use state and PKCE in mobile app Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: remove obsolete oauth repository init Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: rewrite callback url if mobile redirect url is enabled Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: propagate oidc client error cause when oauth callback fails Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: adapt auth service tests to required state and PKCE params Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: update sdk types Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: adapt oauth e2e test to work with PKCE Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: allow insecure (http) oauth clients Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> --------- Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> Co-authored-by: Jason Rasmussen <jason@rasm.me> 2025-04-23 16:05:00 +02:00			`values: Array<{ key: ImmichCookie; value: string \| null }>;`
refactor(server): cookies (#8920) 2024-04-19 11:19:23 -04:00			`};`

refactor(server): auth dto (#5593) * refactor: AuthUserDto => AuthDto * refactor: reorganize auth-dto * refactor: AuthUser() => Auth() 2023-12-09 23:34:12 -05:00			`export class AuthDto {`
refactor(server): narrow auth types (#16066) 2025-02-12 15:23:08 -05:00			`user!: AuthUser;`
refactor(server): auth dto (#5593) * refactor: AuthUserDto => AuthDto * refactor: reorganize auth-dto * refactor: AuthUser() => Auth() 2023-12-09 23:34:12 -05:00
feat: migration api keys to use kysely (#15206) 2025-01-10 14:02:12 -05:00			`apiKey?: AuthApiKey;`
refactor(server): narrow auth types (#16066) 2025-02-12 15:23:08 -05:00			`sharedLink?: AuthSharedLink;`
			`session?: AuthSession;`
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`}`

			`export class LoginCredentialDto {`
			`@IsEmail({ require_tld: false })`
fix(server): avoid server error for invalid email data type (#10978) * fix(server): avoid server error for invalid email data type * add e2e test * fix e2e 2024-07-10 13:58:06 +02:00			`@Transform(toEmail)`
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`@IsNotEmpty()`
			`@ApiProperty({ example: 'testuser@email.com' })`
			`email!: string;`

			`@IsString()`
			`@IsNotEmpty()`
			`@ApiProperty({ example: 'password' })`
			`password!: string;`
			`}`

			`export class LoginResponseDto {`
			`accessToken!: string;`
			`userId!: string;`
			`userEmail!: string;`
fix: replace first and last name with single field (#4915) 2023-11-11 20:03:32 -05:00			`name!: string;`
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`profileImagePath!: string;`
			`isAdmin!: boolean;`
			`shouldChangePassword!: boolean;`
			`}`

refactor: remove user entity (#17498) 2025-04-10 15:53:21 +01:00			`export function mapLoginResponse(entity: UserAdmin, accessToken: string): LoginResponseDto {`
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`return {`
refactor(server): cookies (#8920) 2024-04-19 11:19:23 -04:00			`accessToken,`
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`userId: entity.id,`
			`userEmail: entity.email,`
fix: replace first and last name with single field (#4915) 2023-11-11 20:03:32 -05:00			`name: entity.name,`
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`isAdmin: entity.isAdmin,`
			`profileImagePath: entity.profileImagePath,`
			`shouldChangePassword: entity.shouldChangePassword,`
			`};`
			`}`

			`export class LogoutResponseDto {`
			`successful!: boolean;`
			`redirectUri!: string;`
			`}`

			`export class SignUpDto extends LoginCredentialDto {`
			`@IsString()`
			`@IsNotEmpty()`
			`@ApiProperty({ example: 'Admin' })`
fix: replace first and last name with single field (#4915) 2023-11-11 20:03:32 -05:00			`name!: string;`
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`}`

			`export class ChangePasswordDto {`
			`@IsString()`
			`@IsNotEmpty()`
			`@ApiProperty({ example: 'password' })`
			`password!: string;`

			`@IsString()`
			`@IsNotEmpty()`
			`@MinLength(8)`
			`@ApiProperty({ example: 'password' })`
			`newPassword!: string;`
			`}`

feat: user pin-code (#18138) * feat: user pincode * pr feedback * chore: cleanup --------- Co-authored-by: Jason Rasmussen <jason@rasm.me> 2025-05-09 16:00:58 -05:00			`export class PinCodeSetupDto {`
			`@PinCode()`
			`pinCode!: string;`
			`}`

			`export class PinCodeResetDto {`
			`@PinCode({ optional: true })`
			`pinCode?: string;`

			`@Optional()`
			`@IsString()`
			`@IsNotEmpty()`
			`password?: string;`
			`}`

			`export class PinCodeChangeDto extends PinCodeResetDto {`
			`@PinCode()`
			`newPinCode!: string;`
			`}`

refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`export class ValidateAccessTokenResponseDto {`
			`authStatus!: boolean;`
			`}`

			`export class OAuthCallbackDto {`
			`@IsNotEmpty()`
			`@IsString()`
			`@ApiProperty()`
			`url!: string;`
feat: add oauth2 code verifier * fix: ensure oauth state param matches before finishing oauth flow Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * chore: upgrade openid-client to v6 Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * feat: use PKCE for oauth2 on supported clients Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * feat: use state and PKCE in mobile app Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: remove obsolete oauth repository init Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: rewrite callback url if mobile redirect url is enabled Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: propagate oidc client error cause when oauth callback fails Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: adapt auth service tests to required state and PKCE params Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: update sdk types Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: adapt oauth e2e test to work with PKCE Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: allow insecure (http) oauth clients Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> --------- Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> Co-authored-by: Jason Rasmussen <jason@rasm.me> 2025-04-23 16:05:00 +02:00
			`@Optional()`
			`@IsString()`
			`state?: string;`

			`@Optional()`
			`@IsString()`
			`codeVerifier?: string;`
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`}`

			`export class OAuthConfigDto {`
			`@IsNotEmpty()`
			`@IsString()`
			`redirectUri!: string;`
feat: add oauth2 code verifier * fix: ensure oauth state param matches before finishing oauth flow Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * chore: upgrade openid-client to v6 Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * feat: use PKCE for oauth2 on supported clients Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * feat: use state and PKCE in mobile app Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: remove obsolete oauth repository init Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: rewrite callback url if mobile redirect url is enabled Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: propagate oidc client error cause when oauth callback fails Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: adapt auth service tests to required state and PKCE params Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: update sdk types Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: adapt oauth e2e test to work with PKCE Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> * fix: allow insecure (http) oauth clients Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> --------- Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com> Co-authored-by: Jason Rasmussen <jason@rasm.me> 2025-04-23 16:05:00 +02:00
			`@Optional()`
			`@IsString()`
			`state?: string;`

			`@Optional()`
			`@IsString()`
			`codeChallenge?: string;`
refactor(server): auth dtos (#4881) * refactor: auth dtos * chore: open api 2023-11-09 10:14:15 -05:00			`}`

			`export class OAuthAuthorizeResponseDto {`
			`url!: string;`
			`}`
feat: user pin-code (#18138) * feat: user pincode * pr feedback * chore: cleanup --------- Co-authored-by: Jason Rasmussen <jason@rasm.me> 2025-05-09 16:00:58 -05:00
			`export class AuthStatusResponseDto {`
			`pinCode!: boolean;`
			`password!: boolean;`
feat: locked/private view (#18268) * feat: locked/private view * feat: locked/private view * pr feedback * fix: redirect loop * pr feedback 2025-05-15 09:35:21 -06:00			`isElevated!: boolean;`
feat: user pin-code (#18138) * feat: user pincode * pr feedback * chore: cleanup --------- Co-authored-by: Jason Rasmussen <jason@rasm.me> 2025-05-09 16:00:58 -05:00			`}`