[BUG] External sharing uses the /api/user/me endpoint which requires Authentication #689

Closed
opened 2026-02-04 21:55:17 +03:00 by OVERLORD · 1 comment
Owner

Originally created by @AGJSpiegelenberg on GitHub (Feb 14, 2023).

The bug

I have shared several albums with external people. I noticed the page they load tries to load user data although they are not a signed in user.

Request URL: https://<URL>/api/user/me
Request Method: GET
Status Code: 401
Response:
{"statusCode":401,"message":"Authentication required","error":"Unauthorized"}

The OS that Immich Server is running on

Docker

Version of Immich Server

v1.47.2

Version of Immich Mobile App

v1.47.0 build 70

Platform with the issue

  • [ ] Server
  • [X] Web
  • [ ] Mobile

Your docker-compose.yml content

version: "3.8"

services:
  immich-server:
    container_name: immich_server
    image: altran1502/immich-server:release
    entrypoint: ["/bin/sh", "./start-server.sh"]
    user: 1043:100
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
    env_file:
      - stack.env
    environment:
      - NODE_ENV=production
    depends_on:
      - redis
      - database
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=false"

  immich-microservices:
    container_name: immich_microservices
    image: altran1502/immich-server:release
    entrypoint: ["/bin/sh", "./start-microservices.sh"]
    user: 1043:100
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /volume1/Immich/microservices:/usr/src/app/.reverse-geocoding-dump
    env_file:
      - stack.env
    environment:
      - NODE_ENV=production
    depends_on:
      - redis
      - database
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=false"

  immich-web:
    container_name: immich_web
    image: altran1502/immich-web:release
    entrypoint: ["/bin/sh", "./entrypoint.sh"]
    user: 1043:100
    env_file:
      - stack.env
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=false"

  redis:
    container_name: immich_redis
    image: redis:6.2
    user: 1043:100
    volumes:
      - /volume1/Immich/redis:/data
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=false"

  database:
    container_name: immich_postgres
    image: postgres:14
    user: 1043:100
    env_file:
      - stack.env
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      PG_DATA: /var/lib/postgresql/data
    volumes:
/var/lib/postgresql/data
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=false"

  immich-proxy:
    container_name: immich_proxy
    image: altran1502/immich-proxy:release


    ports:
      - 10.88.10.1:2283:8080
    logging:
      driver: none
    depends_on:
      - immich-server
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=false"

Your .env content

DB_HOSTNAME=immich_postgres

DB_DATABASE_NAME=immich
REDIS_HOSTNAME=immich_redis
UPLOAD_LOCATION=/volume1/Immich
LOG_LEVEL=simple
PUBLIC_LOGIN_PAGE_MESSAGE=

Reproduction steps

1. Create a shared album
2. Share the link of the shared album
3. Open the shared link when not signed in to immich

Additional information

No response

Author
Owner

@alextran1502 commented on GitHub (Feb 16, 2023):

This would further set the permission on the shared link. So it is expected.


Reference: immich-app/immich#689