refactor: authentication on public routes (#6765)

* refactor: authentication on public routes * fix: remove public user * pr feedback * pr feedback * pr feedback * pr feedback * remove unused method * fix: tests * fix: useless methods * fix: tests * pr feedback * pr feedback * chore: cleanup --------- Co-authored-by: Jason Rasmussen <jrasm91@gmail.com>
2025-11-14 17:36:12 +00:00 · 2024-02-13 02:47:26 +01:00 · 2024-02-13 02:47:26 +01:00 · f1e4fdf175
commit f1e4fdf175
parent 45ea0bb689
16 changed files with 92 additions and 75 deletions
--- a/server/src/domain/auth/auth.constant.ts
+++ b/server/src/domain/auth/auth.constant.ts
@ -1,6 +1,7 @@
 export const MOBILE_REDIRECT = 'app.immich:/';
 export const LOGIN_URL = '/auth/login?autoLaunch=0';
 export const IMMICH_ACCESS_COOKIE = 'immich_access_token';
+export const IMMICH_IS_AUTHENTICATED = 'immich_is_authenticated';
 export const IMMICH_AUTH_TYPE_COOKIE = 'immich_auth_type';
 export const IMMICH_API_KEY_NAME = 'api_key';
 export const IMMICH_API_KEY_HEADER = 'x-api-key';
--- a/server/src/domain/auth/auth.service.ts
+++ b/server/src/domain/auth/auth.service.ts
@ -29,6 +29,7 @@ import {
  IMMICH_ACCESS_COOKIE,
  IMMICH_API_KEY_HEADER,
  IMMICH_AUTH_TYPE_COOKIE,
+  IMMICH_IS_AUTHENTICATED,
  LOGIN_URL,
  MOBILE_REDIRECT,
 } from './auth.constant';
@ -429,14 +430,17 @@ export class AuthService {

    let authTypeCookie = '';
    let accessTokenCookie = '';
+    let isAuthenticatedCookie = '';

    if (isSecure) {
      accessTokenCookie = `${IMMICH_ACCESS_COOKIE}=${loginResponse.accessToken}; HttpOnly; Secure; Path=/; Max-Age=${maxAge}; SameSite=Lax;`;
      authTypeCookie = `${IMMICH_AUTH_TYPE_COOKIE}=${authType}; HttpOnly; Secure; Path=/; Max-Age=${maxAge}; SameSite=Lax;`;
+      isAuthenticatedCookie = `${IMMICH_IS_AUTHENTICATED}=true; Secure; Path=/; Max-Age=${maxAge}; SameSite=Lax;`;
    } else {
      accessTokenCookie = `${IMMICH_ACCESS_COOKIE}=${loginResponse.accessToken}; HttpOnly; Path=/; Max-Age=${maxAge}; SameSite=Lax;`;
      authTypeCookie = `${IMMICH_AUTH_TYPE_COOKIE}=${authType}; HttpOnly; Path=/; Max-Age=${maxAge}; SameSite=Lax;`;
+      isAuthenticatedCookie = `${IMMICH_IS_AUTHENTICATED}=true; Path=/; Max-Age=${maxAge}; SameSite=Lax;`;
    }
-    return [accessTokenCookie, authTypeCookie];
+    return [accessTokenCookie, authTypeCookie, isAuthenticatedCookie];
  }
 }
--- a/server/src/immich/controllers/auth.controller.ts
+++ b/server/src/immich/controllers/auth.controller.ts
@ -5,6 +5,7 @@ import {
  ChangePasswordDto,
  IMMICH_ACCESS_COOKIE,
  IMMICH_AUTH_TYPE_COOKIE,
+  IMMICH_IS_AUTHENTICATED,
  LoginCredentialDto,
  LoginDetails,
  LoginResponseDto,
@ -84,6 +85,7 @@ export class AuthController {
  ): Promise<LogoutResponseDto> {
    res.clearCookie(IMMICH_ACCESS_COOKIE);
    res.clearCookie(IMMICH_AUTH_TYPE_COOKIE);
+    res.clearCookie(IMMICH_IS_AUTHENTICATED);

    return this.service.logout(auth, (request.cookies || {})[IMMICH_AUTH_TYPE_COOKIE]);
  }