server/src/middleware/auth.guard.ts

import {
  CanActivate,
  ExecutionContext,
  Injectable,
  SetMetadata,
  applyDecorators,
  createParamDecorator,
} from '@nestjs/common';
import { Reflector } from '@nestjs/core';
import { ApiBearerAuth, ApiCookieAuth, ApiExtension, ApiOkResponse, ApiQuery, ApiSecurity } from '@nestjs/swagger';
import { Request } from 'express';
import { AuthDto } from 'src/dtos/auth.dto';
import { ApiCustomExtension, ImmichQuery, MetadataKey, Permission } from 'src/enum';
import { LoggingRepository } from 'src/repositories/logging.repository';
import { AuthService, LoginDetails } from 'src/services/auth.service';
import { UAParser } from 'ua-parser-js';

type AdminRoute = { admin?: true };
type SharedLinkRoute = { sharedLink?: true };
type AuthenticatedOptions = { permission?: Permission } & (AdminRoute | SharedLinkRoute);

export const Authenticated = (options: AuthenticatedOptions = {}): MethodDecorator => {
  const decorators: MethodDecorator[] = [
    ApiBearerAuth(),
    ApiCookieAuth(),
    ApiSecurity(MetadataKey.ApiKeySecurity),
    SetMetadata(MetadataKey.AuthRoute, options),
  ];

  if ((options as AdminRoute).admin) {
    decorators.push(ApiExtension(ApiCustomExtension.AdminOnly, true));
  }

  if (options?.permission) {
    decorators.push(ApiExtension(ApiCustomExtension.Permission, options.permission ?? Permission.All));
  }

  if ((options as SharedLinkRoute)?.sharedLink) {
    decorators.push(
      ApiQuery({ name: ImmichQuery.SharedLinkKey, type: String, required: false }),
      ApiQuery({ name: ImmichQuery.SharedLinkSlug, type: String, required: false }),
    );
  }

  return applyDecorators(...decorators);
};

export const Auth = createParamDecorator((data, context: ExecutionContext): AuthDto => {
  return context.switchToHttp().getRequest<AuthenticatedRequest>().user;
});

export const FileResponse = () =>
  ApiOkResponse({
    content: { 'application/octet-stream': { schema: { type: 'string', format: 'binary' } } },
  });

export const GetLoginDetails = createParamDecorator((data, context: ExecutionContext): LoginDetails => {
  const request = context.switchToHttp().getRequest<Request>();
  const userAgent = UAParser(request.headers['user-agent']);

  return {
    clientIp: request.ip ?? '',
    isSecure: request.secure,
    deviceType: userAgent.browser.name || userAgent.device.type || (request.headers.devicemodel as string) || '',
    deviceOS: userAgent.os.name || (request.headers.devicetype as string) || '',
  };
});

export interface AuthRequest extends Request {
  user?: AuthDto;
}

export interface AuthenticatedRequest extends Request {
  user: AuthDto;
}

@Injectable()
export class AuthGuard implements CanActivate {
  constructor(
    private logger: LoggingRepository,
    private reflector: Reflector,
    private authService: AuthService,
  ) {
    this.logger.setContext(AuthGuard.name);
  }

  async canActivate(context: ExecutionContext): Promise<boolean> {
    const targets = [context.getHandler()];

    const options = this.reflector.getAllAndOverride<AuthenticatedOptions | undefined>(MetadataKey.AuthRoute, targets);
    if (!options) {
      return true;
    }

    const {
      admin: adminRoute,
      sharedLink: sharedLinkRoute,
      permission,
    } = { sharedLink: false, admin: false, ...options };
    const request = context.switchToHttp().getRequest<AuthRequest>();

    request.user = await this.authService.authenticate({
      headers: request.headers,
      queryParams: request.query as Record<string, string>,
      metadata: { adminRoute, sharedLinkRoute, permission, uri: request.path },
    });

    return true;
  }
}
refactor(server): guards, decorators, and utils (#3060) 2023-07-01 14:27:34 -04:00			`import {`
			`CanActivate,`
			`ExecutionContext,`
			`Injectable,`
			`SetMetadata,`
fix(server): lint import order (#3974) * fix: use prettier extension * chore: format fix 2023-09-04 15:45:59 -04:00			`applyDecorators,`
			`createParamDecorator,`
refactor(server): guards, decorators, and utils (#3060) 2023-07-01 14:27:34 -04:00			`} from '@nestjs/common';`
			`import { Reflector } from '@nestjs/core';`
chore: add permission metadata to open-api document (#20373) 2025-07-28 18:40:34 -04:00			`import { ApiBearerAuth, ApiCookieAuth, ApiExtension, ApiOkResponse, ApiQuery, ApiSecurity } from '@nestjs/swagger';`
refactor(server): guards, decorators, and utils (#3060) 2023-07-01 14:27:34 -04:00			`import { Request } from 'express';`
refactor(server): auth enums (#13552) 2024-10-17 13:17:32 -04:00			`import { AuthDto } from 'src/dtos/auth.dto';`
feat: better endpoint descriptions (#20439) 2025-07-30 12:29:36 -04:00			`import { ApiCustomExtension, ImmichQuery, MetadataKey, Permission } from 'src/enum';`
refactor: logging repository (#15540) 2025-01-23 08:31:30 -05:00			`import { LoggingRepository } from 'src/repositories/logging.repository';`
chore(server): move services (#8133) move services 2024-03-21 00:07:30 +01:00			`import { AuthService, LoginDetails } from 'src/services/auth.service';`
refactor(server): guards, decorators, and utils (#3060) 2023-07-01 14:27:34 -04:00			`import { UAParser } from 'ua-parser-js';`

refactor(server): auth route metadata (#9344) 2024-05-09 13:58:44 -04:00			`type AdminRoute = { admin?: true };`
			`type SharedLinkRoute = { sharedLink?: true };`
feat(server): granular permissions for api keys (#11824) feat(server): api auth permissions 2024-08-16 09:48:43 -04:00			`type AuthenticatedOptions = { permission?: Permission } & (AdminRoute \| SharedLinkRoute);`
refactor(server): guards, decorators, and utils (#3060) 2023-07-01 14:27:34 -04:00
feat: better endpoint descriptions (#20439) 2025-07-30 12:29:36 -04:00			`export const Authenticated = (options: AuthenticatedOptions = {}): MethodDecorator => {`
refactor(server): guards, decorators, and utils (#3060) 2023-07-01 14:27:34 -04:00			`const decorators: MethodDecorator[] = [`
			`ApiBearerAuth(),`
			`ApiCookieAuth(),`
refactor: enum casing (#19946) 2025-07-15 14:50:13 -04:00			`ApiSecurity(MetadataKey.ApiKeySecurity),`
feat: better endpoint descriptions (#20439) 2025-07-30 12:29:36 -04:00			`SetMetadata(MetadataKey.AuthRoute, options),`
refactor(server): guards, decorators, and utils (#3060) 2023-07-01 14:27:34 -04:00			`];`

feat: better endpoint descriptions (#20439) 2025-07-30 12:29:36 -04:00			`if ((options as AdminRoute).admin) {`
			`decorators.push(ApiExtension(ApiCustomExtension.AdminOnly, true));`
			`}`

chore: add permission metadata to open-api document (#20373) 2025-07-28 18:40:34 -04:00			`if (options?.permission) {`
feat: better endpoint descriptions (#20439) 2025-07-30 12:29:36 -04:00			`decorators.push(ApiExtension(ApiCustomExtension.Permission, options.permission ?? Permission.All));`
chore: add permission metadata to open-api document (#20373) 2025-07-28 18:40:34 -04:00			`}`

refactor(server): auth route metadata (#9344) 2024-05-09 13:58:44 -04:00			`if ((options as SharedLinkRoute)?.sharedLink) {`
feat: shared links custom URL (#19999) * feat: custom url for shared links * feat: use a separate route and query param --------- Co-authored-by: Jason Rasmussen <jason@rasm.me> 2025-07-28 14:16:55 -04:00			`decorators.push(`
			`ApiQuery({ name: ImmichQuery.SharedLinkKey, type: String, required: false }),`
			`ApiQuery({ name: ImmichQuery.SharedLinkSlug, type: String, required: false }),`
			`);`
refactor(server): guards, decorators, and utils (#3060) 2023-07-01 14:27:34 -04:00			`}`

			`return applyDecorators(...decorators);`
			`};`

chore(server,cli,web): housekeeping and stricter code style (#6751) * add unicorn to eslint * fix lint errors for cli * fix merge * fix album name extraction * Update cli/src/commands/upload.command.ts Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com> * es2k23 * use lowercase os * return undefined album name * fix bug in asset response dto * auto fix issues * fix server code style * es2022 and formatting * fix compilation error * fix test * fix config load * fix last lint errors * set string type * bump ts * start work on web * web formatting * Fix UUIDParamDto as UUIDParamDto * fix library service lint * fix web errors * fix errors * formatting * wip * lints fixed * web can now start * alphabetical package json * rename error * chore: clean up --------- Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com> Co-authored-by: Jason Rasmussen <jrasm91@gmail.com> 2024-02-02 04:18:00 +01:00			`export const Auth = createParamDecorator((data, context: ExecutionContext): AuthDto => {`
refactor(server): auth route metadata (#9344) 2024-05-09 13:58:44 -04:00			`return context.switchToHttp().getRequest<AuthenticatedRequest>().user;`
refactor(server): guards, decorators, and utils (#3060) 2023-07-01 14:27:34 -04:00			`});`

refactor(server): immich file responses (#5641) * refactor(server): immich file response * chore: open api * chore: tests * chore: fix logger import --------- Co-authored-by: Alex Tran <alex.tran1502@gmail.com> 2023-12-12 09:58:25 -05:00			`export const FileResponse = () =>`
			`ApiOkResponse({`
			`content: { 'application/octet-stream': { schema: { type: 'string', format: 'binary' } } },`
			`});`

chore(server,cli,web): housekeeping and stricter code style (#6751) * add unicorn to eslint * fix lint errors for cli * fix merge * fix album name extraction * Update cli/src/commands/upload.command.ts Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com> * es2k23 * use lowercase os * return undefined album name * fix bug in asset response dto * auto fix issues * fix server code style * es2022 and formatting * fix compilation error * fix test * fix config load * fix last lint errors * set string type * bump ts * start work on web * web formatting * Fix UUIDParamDto as UUIDParamDto * fix library service lint * fix web errors * fix errors * formatting * wip * lints fixed * web can now start * alphabetical package json * rename error * chore: clean up --------- Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com> Co-authored-by: Jason Rasmussen <jrasm91@gmail.com> 2024-02-02 04:18:00 +01:00			`export const GetLoginDetails = createParamDecorator((data, context: ExecutionContext): LoginDetails => {`
			`const request = context.switchToHttp().getRequest<Request>();`
			`const userAgent = UAParser(request.headers['user-agent']);`
refactor(server): guards, decorators, and utils (#3060) 2023-07-01 14:27:34 -04:00
			`return {`
chore: update deps (#14755) 2024-12-18 15:19:48 +01:00			`clientIp: request.ip ?? '',`
chore(server,cli,web): housekeeping and stricter code style (#6751) * add unicorn to eslint * fix lint errors for cli * fix merge * fix album name extraction * Update cli/src/commands/upload.command.ts Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com> * es2k23 * use lowercase os * return undefined album name * fix bug in asset response dto * auto fix issues * fix server code style * es2022 and formatting * fix compilation error * fix test * fix config load * fix last lint errors * set string type * bump ts * start work on web * web formatting * Fix UUIDParamDto as UUIDParamDto * fix library service lint * fix web errors * fix errors * formatting * wip * lints fixed * web can now start * alphabetical package json * rename error * chore: clean up --------- Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com> Co-authored-by: Jason Rasmussen <jrasm91@gmail.com> 2024-02-02 04:18:00 +01:00			`isSecure: request.secure,`
			`deviceType: userAgent.browser.name \|\| userAgent.device.type \|\| (request.headers.devicemodel as string) \|\| '',`
			`deviceOS: userAgent.os.name \|\| (request.headers.devicetype as string) \|\| '',`
refactor(server): guards, decorators, and utils (#3060) 2023-07-01 14:27:34 -04:00			`};`
			`});`

			`export interface AuthRequest extends Request {`
refactor(server): auth dto (#5593) * refactor: AuthUserDto => AuthDto * refactor: reorganize auth-dto * refactor: AuthUser() => Auth() 2023-12-09 23:34:12 -05:00			`user?: AuthDto;`
refactor(server): guards, decorators, and utils (#3060) 2023-07-01 14:27:34 -04:00			`}`

feat(server): immich checksum header (#9229) * feat: dedupe by checksum header * chore: open api 2024-05-02 15:42:26 -04:00			`export interface AuthenticatedRequest extends Request {`
			`user: AuthDto;`
			`}`

refactor(server): guards, decorators, and utils (#3060) 2023-07-01 14:27:34 -04:00			`@Injectable()`
chore: move controllers and middleware (#8119) 2024-03-20 15:15:01 -05:00			`export class AuthGuard implements CanActivate {`
chore(server): bump server dependencies (#3899) * chore(server): bump server dependencies * fix: test 2023-08-28 14:41:57 -05:00			`constructor(`
refactor: logging repository (#15540) 2025-01-23 08:31:30 -05:00			`private logger: LoggingRepository,`
chore(server): bump server dependencies (#3899) * chore(server): bump server dependencies * fix: test 2023-08-28 14:41:57 -05:00			`private reflector: Reflector,`
			`private authService: AuthService,`
feat(server): correlation id via injected logger (#8823) * feat(server): correlation id via injected logger * feat: cid response header 2024-04-15 19:39:06 -04:00			`) {`
			`this.logger.setContext(AuthGuard.name);`
			`}`
refactor(server): guards, decorators, and utils (#3060) 2023-07-01 14:27:34 -04:00
			`async canActivate(context: ExecutionContext): Promise<boolean> {`
refactor(server): auth route metadata (#9344) 2024-05-09 13:58:44 -04:00			`const targets = [context.getHandler()];`
refactor(server): guards, decorators, and utils (#3060) 2023-07-01 14:27:34 -04:00
refactor: enum casing (#19946) 2025-07-15 14:50:13 -04:00			`const options = this.reflector.getAllAndOverride<AuthenticatedOptions \| undefined>(MetadataKey.AuthRoute, targets);`
refactor(server): auth route metadata (#9344) 2024-05-09 13:58:44 -04:00			`if (!options) {`
refactor(server): guards, decorators, and utils (#3060) 2023-07-01 14:27:34 -04:00			`return true;`
			`}`

feat(server): granular permissions for api keys (#11824) feat(server): api auth permissions 2024-08-16 09:48:43 -04:00			`const {`
			`admin: adminRoute,`
			`sharedLink: sharedLinkRoute,`
			`permission,`
			`} = { sharedLink: false, admin: false, ...options };`
chore(server,cli,web): housekeeping and stricter code style (#6751) * add unicorn to eslint * fix lint errors for cli * fix merge * fix album name extraction * Update cli/src/commands/upload.command.ts Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com> * es2k23 * use lowercase os * return undefined album name * fix bug in asset response dto * auto fix issues * fix server code style * es2022 and formatting * fix compilation error * fix test * fix config load * fix last lint errors * set string type * bump ts * start work on web * web formatting * Fix UUIDParamDto as UUIDParamDto * fix library service lint * fix web errors * fix errors * formatting * wip * lints fixed * web can now start * alphabetical package json * rename error * chore: clean up --------- Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com> Co-authored-by: Jason Rasmussen <jrasm91@gmail.com> 2024-02-02 04:18:00 +01:00			`const request = context.switchToHttp().getRequest<AuthRequest>();`
refactor(server): guards, decorators, and utils (#3060) 2023-07-01 14:27:34 -04:00
refactor: auth service (#11811) 2024-08-15 09:14:23 -04:00			`request.user = await this.authService.authenticate({`
			`headers: request.headers,`
			`queryParams: request.query as Record<string, string>,`
feat(server): granular permissions for api keys (#11824) feat(server): api auth permissions 2024-08-16 09:48:43 -04:00			`metadata: { adminRoute, sharedLinkRoute, permission, uri: request.path },`
refactor: auth service (#11811) 2024-08-15 09:14:23 -04:00			`});`
refactor(server): guards, decorators, and utils (#3060) 2023-07-01 14:27:34 -04:00
			`return true;`
			`}`
			`}`