refactor: server auth e2e (#7203)

e2e/src/api/setup.ts

@@ -0,0 +1,26 @@
+import { spawn, exec } from 'child_process';
+
+export default async () => {
+  let _resolve: () => unknown;
+  const promise = new Promise<void>((resolve, reject) => (_resolve = resolve));
+
+  const child = spawn('docker', ['compose', 'up'], { stdio: 'pipe' });
+
+  child.stdout.on('data', (data) => {
+    const input = data.toString();
+    console.log(input);
+    if (input.includes('Immich Server is listening')) {
+      _resolve();
+    }
+  });
+
+  child.stderr.on('data', (data) => console.log(data.toString()));
+
+  await promise;
+
+  return async () => {
+    await new Promise<void>((resolve) =>
+      exec('docker compose down', () => resolve())
+    );
+  };
+};

e2e/src/api/specs/auth.e2e-spec.ts

@@ -0,0 +1,291 @@
+import {
+  LoginResponseDto,
+  getAuthDevices,
+  login,
+  signUpAdmin,
+} from '@immich/sdk';
+import { loginDto, signupDto, uuidDto } from 'src/fixtures';
+import {
+  deviceDto,
+  errorDto,
+  loginResponseDto,
+  signupResponseDto,
+} from 'src/responses';
+import { app, asAuthHeader, dbUtils } from 'src/utils';
+import request from 'supertest';
+import { beforeAll, beforeEach, describe, expect, it } from 'vitest';
+
+const { name, email, password } = signupDto.admin;
+
+describe(`Registration`, () => {
+  beforeAll(() => {
+    dbUtils.setup();
+  });
+
+  beforeEach(async () => {
+    await dbUtils.reset();
+  });
+
+  describe('POST /auth/admin-sign-up', () => {
+    const invalid = [
+      {
+        should: 'require an email address',
+        data: { name, password },
+      },
+      {
+        should: 'require a password',
+        data: { name, email },
+      },
+      {
+        should: 'require a name',
+        data: { email, password },
+      },
+      {
+        should: 'require a valid email',
+        data: { name, email: 'immich', password },
+      },
+    ];
+
+    for (const { should, data } of invalid) {
+      it(`should ${should}`, async () => {
+        const { status, body } = await request(app)
+          .post('/auth/admin-sign-up')
+          .send(data);
+        expect(status).toEqual(400);
+        expect(body).toEqual(errorDto.badRequest());
+      });
+    }
+
+    it(`should sign up the admin`, async () => {
+      const { status, body } = await request(app)
+        .post('/auth/admin-sign-up')
+        .send(signupDto.admin);
+      expect(status).toBe(201);
+      expect(body).toEqual(signupResponseDto.admin);
+    });
+
+    it('should sign up the admin with a local domain', async () => {
+      const { status, body } = await request(app)
+        .post('/auth/admin-sign-up')
+        .send({ ...signupDto.admin, email: 'admin@local' });
+      expect(status).toEqual(201);
+      expect(body).toEqual({
+        ...signupResponseDto.admin,
+        email: 'admin@local',
+      });
+    });
+
+    it('should transform email to lower case', async () => {
+      const { status, body } = await request(app)
+        .post('/auth/admin-sign-up')
+        .send({ ...signupDto.admin, email: 'aDmIn@IMMICH.cloud' });
+      expect(status).toEqual(201);
+      expect(body).toEqual(signupResponseDto.admin);
+    });
+
+    it('should not allow a second admin to sign up', async () => {
+      await signUpAdmin({ signUpDto: signupDto.admin });
+
+      const { status, body } = await request(app)
+        .post('/auth/admin-sign-up')
+        .send(signupDto.admin);
+
+      expect(status).toBe(400);
+      expect(body).toEqual(errorDto.alreadyHasAdmin);
+    });
+  });
+});
+
+describe('Auth', () => {
+  let admin: LoginResponseDto;
+
+  beforeEach(async () => {
+    await dbUtils.reset();
+    await signUpAdmin({ signUpDto: signupDto.admin });
+    admin = await login({ loginCredentialDto: loginDto.admin });
+  });
+
+  describe(`POST /auth/login`, () => {
+    it('should reject an incorrect password', async () => {
+      const { status, body } = await request(app)
+        .post('/auth/login')
+        .send({ email, password: 'incorrect' });
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.incorrectLogin);
+    });
+
+    for (const key of Object.keys(loginDto.admin)) {
+      it(`should not allow null ${key}`, async () => {
+        const { status, body } = await request(app)
+          .post('/auth/login')
+          .send({ ...loginDto.admin, [key]: null });
+        expect(status).toBe(400);
+        expect(body).toEqual(errorDto.badRequest());
+      });
+    }
+
+    it('should accept a correct password', async () => {
+      const { status, body, headers } = await request(app)
+        .post('/auth/login')
+        .send({ email, password });
+      expect(status).toBe(201);
+      expect(body).toEqual(loginResponseDto.admin);
+
+      const token = body.accessToken;
+      expect(token).toBeDefined();
+
+      const cookies = headers['set-cookie'];
+      expect(cookies).toHaveLength(3);
+      expect(cookies[0]).toEqual(
+        `immich_access_token=${token}; HttpOnly; Path=/; Max-Age=34560000; SameSite=Lax;`
+      );
+      expect(cookies[1]).toEqual(
+        'immich_auth_type=password; HttpOnly; Path=/; Max-Age=34560000; SameSite=Lax;'
+      );
+      expect(cookies[2]).toEqual(
+        'immich_is_authenticated=true; Path=/; Max-Age=34560000; SameSite=Lax;'
+      );
+    });
+  });
+
+  describe('GET /auth/devices', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).get('/auth/devices');
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
+    it('should get a list of authorized devices', async () => {
+      const { status, body } = await request(app)
+        .get('/auth/devices')
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+      expect(status).toBe(200);
+      expect(body).toEqual([deviceDto.current]);
+    });
+  });
+
+  describe('DELETE /auth/devices', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).delete(`/auth/devices`);
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
+    it('should logout all devices (except the current one)', async () => {
+      for (let i = 0; i < 5; i++) {
+        await login({ loginCredentialDto: loginDto.admin });
+      }
+
+      await expect(
+        getAuthDevices({ headers: asAuthHeader(admin.accessToken) })
+      ).resolves.toHaveLength(6);
+
+      const { status } = await request(app)
+        .delete(`/auth/devices`)
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+      expect(status).toBe(204);
+
+      await expect(
+        getAuthDevices({ headers: asAuthHeader(admin.accessToken) })
+      ).resolves.toHaveLength(1);
+    });
+
+    it('should throw an error for a non-existent device id', async () => {
+      const { status, body } = await request(app)
+        .delete(`/auth/devices/${uuidDto.notFound}`)
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+      expect(status).toBe(400);
+      expect(body).toEqual(
+        errorDto.badRequest('Not found or no authDevice.delete access')
+      );
+    });
+
+    it('should logout a device', async () => {
+      const [device] = await getAuthDevices({
+        headers: asAuthHeader(admin.accessToken),
+      });
+      const { status } = await request(app)
+        .delete(`/auth/devices/${device.id}`)
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+      expect(status).toBe(204);
+
+      const response = await request(app)
+        .post('/auth/validateToken')
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+      expect(response.body).toEqual(errorDto.invalidToken);
+      expect(response.status).toBe(401);
+    });
+  });
+
+  describe('POST /auth/validateToken', () => {
+    it('should reject an invalid token', async () => {
+      const { status, body } = await request(app)
+        .post(`/auth/validateToken`)
+        .set('Authorization', 'Bearer 123');
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.invalidToken);
+    });
+
+    it('should accept a valid token', async () => {
+      const { status, body } = await request(app)
+        .post(`/auth/validateToken`)
+        .send({})
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+      expect(status).toBe(200);
+      expect(body).toEqual({ authStatus: true });
+    });
+  });
+
+  describe('POST /auth/change-password', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app)
+        .post(`/auth/change-password`)
+        .send({ password, newPassword: 'Password1234' });
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
+    it('should require the current password', async () => {
+      const { status, body } = await request(app)
+        .post(`/auth/change-password`)
+        .send({ password: 'wrong-password', newPassword: 'Password1234' })
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+      expect(status).toBe(400);
+      expect(body).toEqual(errorDto.wrongPassword);
+    });
+
+    it('should change the password', async () => {
+      const { status } = await request(app)
+        .post(`/auth/change-password`)
+        .send({ password, newPassword: 'Password1234' })
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+      expect(status).toBe(200);
+
+      await login({
+        loginCredentialDto: {
+          email: 'admin@immich.cloud',
+          password: 'Password1234',
+        },
+      });
+    });
+  });
+
+  describe('POST /auth/logout', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).post(`/auth/logout`);
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
+    it('should logout the user', async () => {
+      const { status, body } = await request(app)
+        .post(`/auth/logout`)
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+      expect(status).toBe(200);
+      expect(body).toEqual({
+        successful: true,
+        redirectUri: '/auth/login?autoLaunch=0',
+      });
+    });
+  });
+});

e2e/src/fixtures.ts

@@ -0,0 +1,19 @@
+export const uuidDto = {
+  invalid: 'invalid-uuid',
+  // valid uuid v4
+  notFound: '00000000-0000-4000-a000-000000000000',
+};
+
+const adminLoginDto = {
+  email: 'admin@immich.cloud',
+  password: 'password',
+};
+const adminSignupDto = { ...adminLoginDto, name: 'Immich Admin' };
+
+export const loginDto = {
+  admin: adminLoginDto,
+};
+
+export const signupDto = {
+  admin: adminSignupDto,
+};

e2e/src/responses.ts

@@ -0,0 +1,103 @@
+import { expect } from 'vitest';
+
+export const errorDto = {
+  unauthorized: {
+    error: 'Unauthorized',
+    statusCode: 401,
+    message: 'Authentication required',
+  },
+  forbidden: {
+    error: 'Forbidden',
+    statusCode: 403,
+    message: expect.any(String),
+  },
+  wrongPassword: {
+    error: 'Bad Request',
+    statusCode: 400,
+    message: 'Wrong password',
+  },
+  invalidToken: {
+    error: 'Unauthorized',
+    statusCode: 401,
+    message: 'Invalid user token',
+  },
+  invalidShareKey: {
+    error: 'Unauthorized',
+    statusCode: 401,
+    message: 'Invalid share key',
+  },
+  invalidSharePassword: {
+    error: 'Unauthorized',
+    statusCode: 401,
+    message: 'Invalid password',
+  },
+  badRequest: (message: any = null) => ({
+    error: 'Bad Request',
+    statusCode: 400,
+    message: message ?? expect.anything(),
+  }),
+  noPermission: {
+    error: 'Bad Request',
+    statusCode: 400,
+    message: expect.stringContaining('Not found or no'),
+  },
+  incorrectLogin: {
+    error: 'Unauthorized',
+    statusCode: 401,
+    message: 'Incorrect email or password',
+  },
+  alreadyHasAdmin: {
+    error: 'Bad Request',
+    statusCode: 400,
+    message: 'The server already has an admin',
+  },
+  noDeleteUploadLibrary: {
+    error: 'Bad Request',
+    statusCode: 400,
+    message: 'Cannot delete the last upload library',
+  },
+};
+
+export const signupResponseDto = {
+  admin: {
+    avatarColor: expect.any(String),
+    id: expect.any(String),
+    name: 'Immich Admin',
+    email: 'admin@immich.cloud',
+    storageLabel: 'admin',
+    externalPath: null,
+    profileImagePath: '',
+    // why? lol
+    shouldChangePassword: true,
+    isAdmin: true,
+    createdAt: expect.any(String),
+    updatedAt: expect.any(String),
+    deletedAt: null,
+    oauthId: '',
+    memoriesEnabled: true,
+    quotaUsageInBytes: 0,
+    quotaSizeInBytes: null,
+  },
+};
+
+export const loginResponseDto = {
+  admin: {
+    accessToken: expect.any(String),
+    name: 'Immich Admin',
+    isAdmin: true,
+    profileImagePath: '',
+    shouldChangePassword: true,
+    userEmail: 'admin@immich.cloud',
+    userId: expect.any(String),
+  },
+};
+export const deviceDto = {
+  current: {
+    id: expect.any(String),
+    createdAt: expect.any(String),
+    updatedAt: expect.any(String),
+    current: true,
+    deviceOS: '',
+    deviceType: '',
+  },
+};

e2e/src/utils.ts

@@ -0,0 +1,100 @@
+import {
+  LoginResponseDto,
+  defaults,
+  login,
+  setAdminOnboarding,
+  signUpAdmin,
+} from '@immich/sdk';
+import { BrowserContext } from '@playwright/test';
+import pg from 'pg';
+import { loginDto, signupDto } from 'src/fixtures';
+
+export const app = 'http://127.0.0.1:2283/api';
+
+defaults.baseUrl = app;
+
+const setBaseUrl = () => (defaults.baseUrl = app);
+export const asAuthHeader = (accessToken: string) => ({
+  Authorization: `Bearer ${accessToken}`,
+});
+
+let client: pg.Client | null = null;
+
+export const dbUtils = {
+  setup: () => {
+    setBaseUrl();
+  },
+  reset: async () => {
+    try {
+      if (!client) {
+        client = new pg.Client(
+          'postgres://postgres:postgres@127.0.0.1:5433/immich'
+        );
+        await client.connect();
+      }
+
+      for (const table of ['user_token', 'users', 'system_metadata']) {
+        await client.query(`DELETE FROM ${table} CASCADE;`);
+      }
+    } catch (error) {
+      console.error('Failed to reset database', error);
+      throw error;
+    }
+  },
+  teardown: async () => {
+    try {
+      if (client) {
+        await client.end();
+        client = null;
+      }
+    } catch (error) {
+      console.error('Failed to teardown database', error);
+      throw error;
+    }
+  },
+};
+
+export const apiUtils = {
+  adminSetup: async () => {
+    await signUpAdmin({ signUpDto: signupDto.admin });
+    const response = await login({ loginCredentialDto: loginDto.admin });
+    await setAdminOnboarding({ headers: asAuthHeader(response.accessToken) });
+    return response;
+  },
+};
+
+export const webUtils = {
+  setAuthCookies: async (context: BrowserContext, response: LoginResponseDto) =>
+    await context.addCookies([
+      {
+        name: 'immich_access_token',
+        value: response.accessToken,
+        domain: '127.0.0.1',
+        path: '/',
+        expires: 1742402728,
+        httpOnly: true,
+        secure: false,
+        sameSite: 'Lax',
+      },
+      {
+        name: 'immich_auth_type',
+        value: 'password',
+        domain: '127.0.0.1',
+        path: '/',
+        expires: 1742402728,
+        httpOnly: true,
+        secure: false,
+        sameSite: 'Lax',
+      },
+      {
+        name: 'immich_is_authenticated',
+        value: 'true',
+        domain: '127.0.0.1',
+        path: '/',
+        expires: 1742402728,
+        httpOnly: false,
+        secure: false,
+        sameSite: 'Lax',
+      },
+    ]),
+};

e2e/src/web/specs/auth.e2e-spec.ts

@@ -0,0 +1,82 @@
+import { test, expect } from '@playwright/test';
+import { apiUtils, dbUtils, webUtils } from 'src/utils';
+
+test.describe('Registration', () => {
+  test.beforeEach(async () => {
+    await dbUtils.reset();
+  });
+
+  test.afterAll(async () => {
+    await dbUtils.teardown();
+  });
+
+  test('admin registration', async ({ page }) => {
+    // welcome
+    await page.goto('/');
+    await page.getByRole('button', { name: 'Getting Started' }).click();
+
+    // register
+    await expect(page).toHaveTitle(/Admin Registration/);
+    await page.getByLabel('Admin Email').fill('admin@immich.app');
+    await page.getByLabel('Admin Password', { exact: true }).fill('password');
+    await page.getByLabel('Confirm Admin Password').fill('password');
+    await page.getByLabel('Name').fill('Immich Admin');
+    await page.getByRole('button', { name: 'Sign up' }).click();
+
+    // login
+    await expect(page).toHaveTitle(/Login/);
+    await page.goto('/auth/login');
+    await page.getByLabel('Email').fill('admin@immich.app');
+    await page.getByLabel('Password').fill('password');
+    await page.getByRole('button', { name: 'Login' }).click();
+
+    // onboarding
+    await expect(page).toHaveURL('/auth/onboarding');
+    await page.getByRole('button', { name: 'Theme' }).click();
+    await page.getByRole('button', { name: 'Storage Template' }).click();
+    await page.getByRole('button', { name: 'Done' }).click();
+
+    // success
+    await expect(page).toHaveURL('/photos');
+  });
+
+  test('user registration', async ({ context, page }) => {
+    const loginResponse = await apiUtils.adminSetup();
+    await webUtils.setAuthCookies(context, loginResponse);
+
+    // create user
+    await page.goto('/admin/user-management');
+    await expect(page).toHaveTitle(/User Management/);
+    await page.getByRole('button', { name: 'Create user' }).click();
+    await page.getByLabel('Email').fill('user@immich.cloud');
+    await page.getByLabel('Password', { exact: true }).fill('password');
+    await page.getByLabel('Confirm Password').fill('password');
+    await page.getByLabel('Name').fill('Immich User');
+    await page.getByRole('button', { name: 'Create', exact: true }).click();
+
+    // logout
+    await context.clearCookies();
+
+    // login
+    await page.goto('/auth/login');
+    await page.getByLabel('Email').fill('user@immich.cloud');
+    await page.getByLabel('Password').fill('password');
+    await page.getByRole('button', { name: 'Login' }).click();
+
+    // change password
+    expect(page.getByRole('heading')).toHaveText('Change Password');
+    await expect(page).toHaveURL('/auth/change-password');
+    await page.getByLabel('New Password').fill('new-password');
+    await page.getByLabel('Confirm Password').fill('new-password');
+    await page.getByRole('button', { name: 'Change password' }).click();
+
+    // login with new password
+    await expect(page).toHaveURL('/auth/login');
+    await page.getByLabel('Email').fill('user@immich.cloud');
+    await page.getByLabel('Password').fill('new-password');
+    await page.getByRole('button', { name: 'Login' }).click();
+
+    // success
+    await expect(page).toHaveURL(/\/photos/);
+  });
+});