mobile/lib/services/oauth.service.dart

import 'dart:convert';
import 'dart:math';

import 'package:crypto/crypto.dart';
import 'package:flutter_web_auth_2/flutter_web_auth_2.dart';
import 'package:immich_mobile/models/auth/oauth_login_data.model.dart';
import 'package:immich_mobile/services/api.service.dart';
import 'package:immich_mobile/utils/url_helper.dart';
import 'package:logging/logging.dart';
import 'package:openapi/api.dart';

// Redirect URL = app.immich:///oauth-callback

class OAuthService {
  final ApiService _apiService;
  final callbackUrlScheme = 'app.immich';
  final log = Logger('OAuthService');
  OAuthService(this._apiService);

  String _generateRandomString(int length) {
    const chars = 'AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz1234567890';
    final random = Random.secure();
    return String.fromCharCodes(Iterable.generate(length, (_) => chars.codeUnitAt(random.nextInt(chars.length))));
  }

  List<int> _randomBytes(int length) {
    final random = Random.secure();
    return List<int>.generate(length, (i) => random.nextInt(256));
  }

  /// Per specification, the code verifier must be 43-128 characters long
  /// and consist of characters [A-Z, a-z, 0-9, "-", ".", "_", "~"]
  /// https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
  String _randomCodeVerifier() {
    return base64Url.encode(_randomBytes(42));
  }

  String _generatePKCECodeChallenge(String codeVerifier) {
    final bytes = utf8.encode(codeVerifier);
    final digest = sha256.convert(bytes);
    return base64Url.encode(digest.bytes).replaceAll('=', '');
  }

  /// Initiates OAuth login flow.
  /// Returns the OAuth server URL to redirect to, along with PKCE parameters.
  Future<OAuthLoginData?> getOAuthLoginData(String serverUrl) async {
    final state = _generateRandomString(32);
    final codeVerifier = _randomCodeVerifier();
    final codeChallenge = _generatePKCECodeChallenge(codeVerifier);

    final oAuthServerUrl = await getOAuthServerUrl(sanitizeUrl(serverUrl), state, codeChallenge);

    if (oAuthServerUrl == null) {
      return null;
    }

    return OAuthLoginData(serverUrl: oAuthServerUrl, state: state, codeVerifier: codeVerifier);
  }

  Future<LoginResponseDto?> completeOAuthLogin(OAuthLoginData oAuthData) {
    return oAuthLogin(oAuthData.serverUrl, oAuthData.state, oAuthData.codeVerifier);
  }

  Future<String?> getOAuthServerUrl(String serverUrl, String state, String codeChallenge) async {
    // Resolve API server endpoint from user provided serverUrl
    await _apiService.resolveAndSetEndpoint(serverUrl);
    final redirectUri = '$callbackUrlScheme:///oauth-callback';
    log.info("Starting OAuth flow with redirect URI: $redirectUri");

    final dto = await _apiService.oAuthApi.startOAuth(
      OAuthConfigDto(redirectUri: redirectUri, state: state, codeChallenge: codeChallenge),
    );

    final authUrl = dto?.url;
    log.info('Received Authorization URL: $authUrl');

    return authUrl;
  }

  Future<LoginResponseDto?> oAuthLogin(String oauthUrl, String state, String codeVerifier) async {
    String result = await FlutterWebAuth2.authenticate(url: oauthUrl, callbackUrlScheme: callbackUrlScheme);

    log.info('Received OAuth callback: $result');

    if (result.startsWith('app.immich:/oauth-callback')) {
      result = result.replaceAll('app.immich:/oauth-callback', 'app.immich:///oauth-callback');
    }

    return await _apiService.oAuthApi.finishOAuth(
      OAuthCallbackDto(url: result, state: state, codeVerifier: codeVerifier),
    );
  }
}
refactor: login form 2025-12-02 13:10:35 -06:00			`import 'dart:convert';`
			`import 'dart:math';`

			`import 'package:crypto/crypto.dart';`
chore(mobile): upgrade flutter_web_auth_2 (#16741) * chore(mobile): upgrade flutter_web_auth_2 * pod file 2025-03-09 20:26:37 -05:00			`import 'package:flutter_web_auth_2/flutter_web_auth_2.dart';`
refactor: login form 2025-12-02 13:10:35 -06:00			`import 'package:immich_mobile/models/auth/oauth_login_data.model.dart';`
refactor(mobile): services and providers (#9232) * refactor(mobile): services and provider * providers 2024-05-02 15:59:14 -05:00			`import 'package:immich_mobile/services/api.service.dart';`
refactor: login form 2025-12-02 13:10:35 -06:00			`import 'package:immich_mobile/utils/url_helper.dart';`
chore(mobile): Add more error log (#2949) Co-authored-by: alex <alex@pop-os.localdomain> 2023-06-25 18:59:35 -05:00			`import 'package:logging/logging.dart';`
feat(mobile) Add OAuth Login On Mobile (#990) * Added return type for oauth/callback * Remove console.log * Redirect app * Wording * Added loading state change * Added OAuth login on mobile * Return correct status for correct redirection * Auto discovery OAuth Login 2022-11-20 11:43:10 -06:00			`import 'package:openapi/api.dart';`

fix(mobile): use a valid OAuth callback URL (#10832) * add root resource path '/' to mobile oauth scheme * chore: add oauth-callback path * add root resource path '/' to mobile oauth scheme * chore: add oauth-callback path * fix: make sure there are three forward slash in callback URL --------- Co-authored-by: Jason Rasmussen <jason@rasm.me> Co-authored-by: Alex <alex.tran1502@gmail.com> 2024-08-28 12:30:06 -04:00			`// Redirect URL = app.immich:///oauth-callback`
feat(mobile) Add OAuth Login On Mobile (#990) * Added return type for oauth/callback * Remove console.log * Redirect app * Wording * Added loading state change * Added OAuth login on mobile * Return correct status for correct redirection * Auto discovery OAuth Login 2022-11-20 11:43:10 -06:00
			`class OAuthService {`
			`final ApiService _apiService;`
			`final callbackUrlScheme = 'app.immich';`
chore(mobile): Add more error log (#2949) Co-authored-by: alex <alex@pop-os.localdomain> 2023-06-25 18:59:35 -05:00			`final log = Logger('OAuthService');`
feat(mobile) Add OAuth Login On Mobile (#990) * Added return type for oauth/callback * Remove console.log * Redirect app * Wording * Added loading state change * Added OAuth login on mobile * Return correct status for correct redirection * Auto discovery OAuth Login 2022-11-20 11:43:10 -06:00			`OAuthService(this._apiService);`

refactor: login form 2025-12-02 13:10:35 -06:00			`String _generateRandomString(int length) {`
			`const chars = 'AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz1234567890';`
			`final random = Random.secure();`
			`return String.fromCharCodes(Iterable.generate(length, (_) => chars.codeUnitAt(random.nextInt(chars.length))));`
			`}`

			`List<int> _randomBytes(int length) {`
			`final random = Random.secure();`
			`return List<int>.generate(length, (i) => random.nextInt(256));`
			`}`

			`/// Per specification, the code verifier must be 43-128 characters long`
			`/// and consist of characters [A-Z, a-z, 0-9, "-", ".", "_", "~"]`
			`/// https://datatracker.ietf.org/doc/html/rfc7636#section-4.1`
			`String _randomCodeVerifier() {`
			`return base64Url.encode(_randomBytes(42));`
			`}`

			`String _generatePKCECodeChallenge(String codeVerifier) {`
			`final bytes = utf8.encode(codeVerifier);`
			`final digest = sha256.convert(bytes);`
			`return base64Url.encode(digest.bytes).replaceAll('=', '');`
			`}`

			`/// Initiates OAuth login flow.`
			`/// Returns the OAuth server URL to redirect to, along with PKCE parameters.`
			`Future<OAuthLoginData?> getOAuthLoginData(String serverUrl) async {`
			`final state = _generateRandomString(32);`
			`final codeVerifier = _randomCodeVerifier();`
			`final codeChallenge = _generatePKCECodeChallenge(codeVerifier);`

			`final oAuthServerUrl = await getOAuthServerUrl(sanitizeUrl(serverUrl), state, codeChallenge);`

			`if (oAuthServerUrl == null) {`
			`return null;`
			`}`

			`return OAuthLoginData(serverUrl: oAuthServerUrl, state: state, codeVerifier: codeVerifier);`
			`}`

			`Future<LoginResponseDto?> completeOAuthLogin(OAuthLoginData oAuthData) {`
			`return oAuthLogin(oAuthData.serverUrl, oAuthData.state, oAuthData.codeVerifier);`
			`}`

chore: bump dart sdk to 3.8 (#20355) * chore: bump dart sdk to 3.8 * chore: make build * make pigeon * chore: format files --------- Co-authored-by: shenlong-tanwen <139912620+shalong-tanwen@users.noreply.github.com> 2025-07-29 00:34:03 +05:30			`Future<String?> getOAuthServerUrl(String serverUrl, String state, String codeChallenge) async {`
feat(.well-known): add .well-known/immich to reference API endpoint (#1308) * feat(.well-known): add .well-known/immich to reference API endpoint * feat(.well-known): make schema optional (defaults to https) * adjust method comment to be a little less confusing * fix casting issue with resovled url * include when checking Well-known, update server hint * add validation for login form's server url * consolidate common process into resolveAndSetEndpoint * fix missed prettier formatting * revert translation changes * update environment variable description, hopefully a bit clearer * rename environment variable to IMMICH_API_URL_EXTERNAL * comment out optional env variables * fix(web): browser-side api client to include authorization token * Revert "fix(web): browser-side api client to include authorization token" This reverts commit 60e338938f25792adb233d35bcecbd789bdb3240. * remove multi-domain related changes 2023-01-19 07:45:37 -08:00			`// Resolve API server endpoint from user provided serverUrl`
			`await _apiService.resolveAndSetEndpoint(serverUrl);`
fix(mobile): use a valid OAuth callback URL (#10832) * add root resource path '/' to mobile oauth scheme * chore: add oauth-callback path * add root resource path '/' to mobile oauth scheme * chore: add oauth-callback path * fix: make sure there are three forward slash in callback URL --------- Co-authored-by: Jason Rasmussen <jason@rasm.me> Co-authored-by: Alex <alex.tran1502@gmail.com> 2024-08-28 12:30:06 -04:00			`final redirectUri = '$callbackUrlScheme:///oauth-callback';`
chore: bump dart sdk to 3.8 (#20355) * chore: bump dart sdk to 3.8 * chore: make build * make pigeon * chore: format files --------- Co-authored-by: shenlong-tanwen <139912620+shalong-tanwen@users.noreply.github.com> 2025-07-29 00:34:03 +05:30			`log.info("Starting OAuth flow with redirect URI: $redirectUri");`
feat(mobile) Add OAuth Login On Mobile (#990) * Added return type for oauth/callback * Remove console.log * Redirect app * Wording * Added loading state change * Added OAuth login on mobile * Return correct status for correct redirection * Auto discovery OAuth Login 2022-11-20 11:43:10 -06:00
refactor(mobile): use startOAuth and server features flags (#6155) Co-authored-by: shenlong-tanwen <139912620+shalong-tanwen@users.noreply.github.com> 2024-01-04 20:44:40 +00:00			`final dto = await _apiService.oAuthApi.startOAuth(`
chore: bump dart sdk to 3.8 (#20355) * chore: bump dart sdk to 3.8 * chore: make build * make pigeon * chore: format files --------- Co-authored-by: shenlong-tanwen <139912620+shalong-tanwen@users.noreply.github.com> 2025-07-29 00:34:03 +05:30			`OAuthConfigDto(redirectUri: redirectUri, state: state, codeChallenge: codeChallenge),`
feat(mobile) Add OAuth Login On Mobile (#990) * Added return type for oauth/callback * Remove console.log * Redirect app * Wording * Added loading state change * Added OAuth login on mobile * Return correct status for correct redirection * Auto discovery OAuth Login 2022-11-20 11:43:10 -06:00			`);`
fix(mobile): use a valid OAuth callback URL (#10832) * add root resource path '/' to mobile oauth scheme * chore: add oauth-callback path * add root resource path '/' to mobile oauth scheme * chore: add oauth-callback path * fix: make sure there are three forward slash in callback URL --------- Co-authored-by: Jason Rasmussen <jason@rasm.me> Co-authored-by: Alex <alex.tran1502@gmail.com> 2024-08-28 12:30:06 -04:00
			`final authUrl = dto?.url;`
			`log.info('Received Authorization URL: $authUrl');`

			`return authUrl;`
feat(mobile) Add OAuth Login On Mobile (#990) * Added return type for oauth/callback * Remove console.log * Redirect app * Wording * Added loading state change * Added OAuth login on mobile * Return correct status for correct redirection * Auto discovery OAuth Login 2022-11-20 11:43:10 -06:00			`}`

chore: bump dart sdk to 3.8 (#20355) * chore: bump dart sdk to 3.8 * chore: make build * make pigeon * chore: format files --------- Co-authored-by: shenlong-tanwen <139912620+shalong-tanwen@users.noreply.github.com> 2025-07-29 00:34:03 +05:30			`Future<LoginResponseDto?> oAuthLogin(String oauthUrl, String state, String codeVerifier) async {`
			`String result = await FlutterWebAuth2.authenticate(url: oauthUrl, callbackUrlScheme: callbackUrlScheme);`
fix(mobile): use a valid OAuth callback URL (#10832) * add root resource path '/' to mobile oauth scheme * chore: add oauth-callback path * add root resource path '/' to mobile oauth scheme * chore: add oauth-callback path * fix: make sure there are three forward slash in callback URL --------- Co-authored-by: Jason Rasmussen <jason@rasm.me> Co-authored-by: Alex <alex.tran1502@gmail.com> 2024-08-28 12:30:06 -04:00
			`log.info('Received OAuth callback: $result');`
feat(mobile) Add OAuth Login On Mobile (#990) * Added return type for oauth/callback * Remove console.log * Redirect app * Wording * Added loading state change * Added OAuth login on mobile * Return correct status for correct redirection * Auto discovery OAuth Login 2022-11-20 11:43:10 -06:00
fix(mobile): use a valid OAuth callback URL (#10832) * add root resource path '/' to mobile oauth scheme * chore: add oauth-callback path * add root resource path '/' to mobile oauth scheme * chore: add oauth-callback path * fix: make sure there are three forward slash in callback URL --------- Co-authored-by: Jason Rasmussen <jason@rasm.me> Co-authored-by: Alex <alex.tran1502@gmail.com> 2024-08-28 12:30:06 -04:00			`if (result.startsWith('app.immich:/oauth-callback')) {`
chore: bump dart sdk to 3.8 (#20355) * chore: bump dart sdk to 3.8 * chore: make build * make pigeon * chore: format files --------- Co-authored-by: shenlong-tanwen <139912620+shalong-tanwen@users.noreply.github.com> 2025-07-29 00:34:03 +05:30			`result = result.replaceAll('app.immich:/oauth-callback', 'app.immich:///oauth-callback');`
feat(mobile) Add OAuth Login On Mobile (#990) * Added return type for oauth/callback * Remove console.log * Redirect app * Wording * Added loading state change * Added OAuth login on mobile * Return correct status for correct redirection * Auto discovery OAuth Login 2022-11-20 11:43:10 -06:00			`}`
fix(mobile): use a valid OAuth callback URL (#10832) * add root resource path '/' to mobile oauth scheme * chore: add oauth-callback path * add root resource path '/' to mobile oauth scheme * chore: add oauth-callback path * fix: make sure there are three forward slash in callback URL --------- Co-authored-by: Jason Rasmussen <jason@rasm.me> Co-authored-by: Alex <alex.tran1502@gmail.com> 2024-08-28 12:30:06 -04:00
			`return await _apiService.oAuthApi.finishOAuth(`
chore: bump dart sdk to 3.8 (#20355) * chore: bump dart sdk to 3.8 * chore: make build * make pigeon * chore: format files --------- Co-authored-by: shenlong-tanwen <139912620+shalong-tanwen@users.noreply.github.com> 2025-07-29 00:34:03 +05:30			`OAuthCallbackDto(url: result, state: state, codeVerifier: codeVerifier),`
fix(mobile): use a valid OAuth callback URL (#10832) * add root resource path '/' to mobile oauth scheme * chore: add oauth-callback path * add root resource path '/' to mobile oauth scheme * chore: add oauth-callback path * fix: make sure there are three forward slash in callback URL --------- Co-authored-by: Jason Rasmussen <jason@rasm.me> Co-authored-by: Alex <alex.tran1502@gmail.com> 2024-08-28 12:30:06 -04:00			`);`
feat(mobile) Add OAuth Login On Mobile (#990) * Added return type for oauth/callback * Remove console.log * Redirect app * Wording * Added loading state change * Added OAuth login on mobile * Return correct status for correct redirection * Auto discovery OAuth Login 2022-11-20 11:43:10 -06:00			`}`
			`}`