feat: add oauth2 code verifier

* fix: ensure oauth state param matches before finishing oauth flow

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* chore: upgrade openid-client to v6

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* feat: use PKCE for oauth2 on supported clients

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* feat: use state and PKCE in mobile app

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: remove obsolete oauth repository init

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: rewrite callback url if mobile redirect url is enabled

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: propagate oidc client error cause when oauth callback fails

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: adapt auth service tests to required state and PKCE params

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: update sdk types

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: adapt oauth e2e test to work with PKCE

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

* fix: allow insecure (http) oauth clients

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>

---------

Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>
Co-authored-by: Jason Rasmussen <jason@rasm.me>
Tin Pecirep
2025-04-23 16:05:00 +02:00
committed by Zack Pollard
parent 13d6bd67b1
commit b7a0cf2470
18 changed files with 469 additions and 192 deletions


@@ -3,11 +3,11 @@ import { Transform } from 'class-transformer';
import { IsEmail, IsNotEmpty, IsString, MinLength } from 'class-validator';
import { AuthApiKey, AuthSession, AuthSharedLink, AuthUser, UserAdmin } from 'src/database';
import { ImmichCookie } from 'src/enum';
import { toEmail } from 'src/validation';
import { Optional, toEmail } from 'src/validation';
export type CookieResponse = {
isSecure: boolean;
values: Array<{ key: ImmichCookie; value: string }>;
values: Array<{ key: ImmichCookie; value: string | null }>;
};
export class AuthDto {
@@ -87,12 +87,28 @@ export class OAuthCallbackDto {
@IsString()
@ApiProperty()
url!: string;
@Optional()
@IsString()
state?: string;
@Optional()
@IsString()
codeVerifier?: string;
}
export class OAuthConfigDto {
@IsNotEmpty()
@IsString()
redirectUri!: string;
@Optional()
@IsString()
state?: string;
@Optional()
@IsString()
codeChallenge?: string;
}
export class OAuthAuthorizeResponseDto {