fix(server): don't publicly reveal user count (#4409)

* fix: don't reveal user count publicly * fix: mobile and user controller * fix: update other frontend endpoints * fix: revert openapi change * chore: open api * fix: initialize * openapi --------- Co-authored-by: Alex Tran <alex.tran1502@gmail.com>
2025-12-22 01:11:20 +03:00 · 2023-10-11 04:37:13 +02:00
parent 09bf1c9175
commit 41befc0948
20 changed files with 101 additions and 15 deletions
--- a/server/src/domain/repositories/user.repository.ts
+++ b/server/src/domain/repositories/user.repository.ts
@@ -18,6 +18,7 @@ export const IUserRepository = 'IUserRepository';
 export interface IUserRepository {
  get(id: string, withDeleted?: boolean): Promise<UserEntity | null>;
  getAdmin(): Promise<UserEntity | null>;
+  hasAdmin(): Promise<boolean>;
  getByEmail(email: string, withPassword?: boolean): Promise<UserEntity | null>;
  getByStorageLabel(storageLabel: string): Promise<UserEntity | null>;
  getByOAuthId(oauthId: string): Promise<UserEntity | null>;
--- a/server/src/domain/server-info/server-info.dto.ts
+++ b/server/src/domain/server-info/server-info.dto.ts
@@ -85,6 +85,7 @@ export class ServerConfigDto {
  mapTileUrl!: string;
  @ApiProperty({ type: 'integer' })
  trashDays!: number;
+  isInitialized!: boolean;
 }

 export class ServerFeaturesDto implements FeatureFlags {
--- a/server/src/domain/server-info/server-info.service.ts
+++ b/server/src/domain/server-info/server-info.service.ts
@@ -74,11 +74,14 @@ export class ServerInfoService {
    // TODO move to system config
    const loginPageMessage = process.env.PUBLIC_LOGIN_PAGE_MESSAGE || '';

+    const isInitialized = await this.userRepository.hasAdmin();
+
    return {
      loginPageMessage,
      mapTileUrl: config.map.tileUrl,
      trashDays: config.trash.days,
      oauthButtonText: config.oauth.buttonText,
+      isInitialized,
    };
  }

--- a/server/src/immich/controllers/user.controller.ts
+++ b/server/src/immich/controllers/user.controller.ts
@@ -26,7 +26,7 @@ import {
 } from '@nestjs/common';
 import { ApiBody, ApiConsumes, ApiTags } from '@nestjs/swagger';
 import { Response as Res } from 'express';
-import { AdminRoute, AuthUser, Authenticated, PublicRoute } from '../app.guard';
+import { AdminRoute, AuthUser, Authenticated } from '../app.guard';
 import { FileUploadInterceptor, Route } from '../app.interceptor';
 import { UseValidation } from '../app.utils';
 import { UUIDParamDto } from './dto/uuid-param.dto';
@@ -59,7 +59,7 @@ export class UserController {
    return this.service.create(createUserDto);
  }

-  @PublicRoute()
+  @AdminRoute()
  @Get('count')
  getUserCount(@Query() dto: CountDto): Promise<UserCountResponseDto> {
    return this.service.getCount(dto);
--- a/server/src/infra/repositories/user.repository.ts
+++ b/server/src/infra/repositories/user.repository.ts
@@ -16,6 +16,10 @@ export class UserRepository implements IUserRepository {
    return this.userRepository.findOne({ where: { isAdmin: true } });
  }

+  async hasAdmin(): Promise<boolean> {
+    return this.userRepository.exist({ where: { isAdmin: true } });
+  }
+
  async getByEmail(email: string, withPassword?: boolean): Promise<UserEntity | null> {
    let builder = this.userRepository.createQueryBuilder('user').where({ email });