refactor(server): auth route metadata (#9344)

server/src/middleware/auth.guard.ts

@@ -10,7 +10,7 @@ import {
 import { Reflector } from '@nestjs/core';
 import { ApiBearerAuth, ApiCookieAuth, ApiOkResponse, ApiQuery, ApiSecurity } from '@nestjs/swagger';
 import { Request } from 'express';
-import { AuthDto } from 'src/dtos/auth.dto';
+import { AuthDto, ImmichQuery } from 'src/dtos/auth.dto';
 import { ILoggerRepository } from 'src/interfaces/logger.interface';
 import { AuthService, LoginDetails } from 'src/services/auth.service';
 import { UAParser } from 'ua-parser-js';
@@ -19,42 +19,30 @@ export enum Metadata {
   AUTH_ROUTE = 'auth_route',
   ADMIN_ROUTE = 'admin_route',
   SHARED_ROUTE = 'shared_route',
-  PUBLIC_SECURITY = 'public_security',
   API_KEY_SECURITY = 'api_key',
 }
 
-export interface AuthenticatedOptions {
-  admin?: true;
-  isShared?: true;
-}
+type AdminRoute = { admin?: true };
+type SharedLinkRoute = { sharedLink?: true };
+type AuthenticatedOptions = AdminRoute | SharedLinkRoute;
 
-export const Authenticated = (options: AuthenticatedOptions = {}) => {
+export const Authenticated = (options?: AuthenticatedOptions): MethodDecorator => {
   const decorators: MethodDecorator[] = [
     ApiBearerAuth(),
     ApiCookieAuth(),
     ApiSecurity(Metadata.API_KEY_SECURITY),
-    SetMetadata(Metadata.AUTH_ROUTE, true),
+    SetMetadata(Metadata.AUTH_ROUTE, options || {}),
   ];
 
-  if (options.admin) {
-    decorators.push(AdminRoute());
-  }
-
-  if (options.isShared) {
-    decorators.push(SharedLinkRoute());
+  if ((options as SharedLinkRoute)?.sharedLink) {
+    decorators.push(ApiQuery({ name: ImmichQuery.SHARED_LINK_KEY, type: String, required: false }));
   }
 
   return applyDecorators(...decorators);
 };
 
-export const PublicRoute = () =>
-  applyDecorators(SetMetadata(Metadata.AUTH_ROUTE, false), ApiSecurity(Metadata.PUBLIC_SECURITY));
-export const SharedLinkRoute = () =>
-  applyDecorators(SetMetadata(Metadata.SHARED_ROUTE, true), ApiQuery({ name: 'key', type: String, required: false }));
-export const AdminRoute = (value = true) => SetMetadata(Metadata.ADMIN_ROUTE, value);
-
 export const Auth = createParamDecorator((data, context: ExecutionContext): AuthDto => {
-  return context.switchToHttp().getRequest<{ user: AuthDto }>().user;
+  return context.switchToHttp().getRequest<AuthenticatedRequest>().user;
 });
 
 export const FileResponse = () =>
@@ -93,25 +81,22 @@ export class AuthGuard implements CanActivate {
   }
 
   async canActivate(context: ExecutionContext): Promise<boolean> {
-    const targets = [context.getHandler(), context.getClass()];
+    const targets = [context.getHandler()];
 
-    const isAuthRoute = this.reflector.getAllAndOverride(Metadata.AUTH_ROUTE, targets);
-    const isAdminRoute = this.reflector.getAllAndOverride(Metadata.ADMIN_ROUTE, targets);
-    const isSharedRoute = this.reflector.getAllAndOverride(Metadata.SHARED_ROUTE, targets);
-
-    if (!isAuthRoute) {
+    const options = this.reflector.getAllAndOverride<AuthenticatedOptions | undefined>(Metadata.AUTH_ROUTE, targets);
+    if (!options) {
       return true;
     }
 
     const request = context.switchToHttp().getRequest<AuthRequest>();
 
     const authDto = await this.authService.validate(request.headers, request.query as Record<string, string>);
-    if (authDto.sharedLink && !isSharedRoute) {
+    if (authDto.sharedLink && !(options as SharedLinkRoute).sharedLink) {
       this.logger.warn(`Denied access to non-shared route: ${request.path}`);
       return false;
     }
 
-    if (isAdminRoute && !authDto.user.isAdmin) {
+    if (!authDto.user.isAdmin && (options as AdminRoute).admin) {
       this.logger.warn(`Denied access to admin only route: ${request.path}`);
       return false;
     }