fix(cli): auth file should be chmod 600 (#6925)

* wip new tests * test for auth file mode * check perms internally * chore: lint
immich-app · Feb 5, 2024 · ce6dc3b · ce6dc3b
1 parent 6ed33da
commit ce6dc3b
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 23 deletions.
diff --git a/cli/package-lock.json b/cli/package-lock.json
diff --git a/cli/src/commands/base-command.ts b/cli/src/commands/base-command.ts
@@ -8,11 +8,11 @@ export abstract class BaseCommand {
   protected user!: UserResponseDto;
   protected serverVersion!: ServerVersionResponseDto;
 
-  constructor(options: { config?: string }) {
-    if (!options.config) {
+  constructor(options: { configDirectory?: string }) {
+    if (!options.configDirectory) {
       throw new Error('Config directory is required');
     }
-    this.sessionService = new SessionService(options.config);
+    this.sessionService = new SessionService(options.configDirectory);
   }
 
   public async connect(): Promise<void> {

diff --git a/cli/src/services/session.service.ts b/cli/src/services/session.service.ts
@@ -82,7 +82,7 @@ export class SessionService {
       }
     }
 
-    await writeFile(this.authPath, yaml.stringify({ instanceUrl, apiKey }));
+    await writeFile(this.authPath, yaml.stringify({ instanceUrl, apiKey }), { mode: 0o600 });
 
     console.log('Wrote auth info to ' + this.authPath);
 

diff --git a/cli/test/cli-test-utils.ts b/cli/test/cli-test-utils.ts
@@ -7,7 +7,7 @@ export const TEST_AUTH_FILE = path.join(TEST_CONFIG_DIR, 'auth.yml');
 export const TEST_IMMICH_INSTANCE_URL = 'https://test/api';
 export const TEST_IMMICH_API_KEY = 'pNussssKSYo5WasdgalvKJ1n9kdvaasdfbluPg';
 
-export const CLI_BASE_OPTIONS = { config: TEST_CONFIG_DIR };
+export const CLI_BASE_OPTIONS = { configDirectory: TEST_CONFIG_DIR };
 
 export const setup = async () => {
   const api = new ImmichApi(process.env.IMMICH_INSTANCE_URL as string, '');

diff --git a/cli/test/e2e/login-key.e2e-spec.ts b/cli/test/e2e/login-key.e2e-spec.ts
@@ -1,6 +1,8 @@
 import { restoreTempFolder, testApp } from '@test-utils';
-import { CLI_BASE_OPTIONS, setup, spyOnConsole } from 'test/cli-test-utils';
+import { CLI_BASE_OPTIONS, TEST_AUTH_FILE, deleteAuthFile, setup, spyOnConsole } from 'test/cli-test-utils';
+import { readFile, stat } from 'node:fs/promises';
 import { LoginCommand } from '../../src/commands/login';
+import yaml from 'yaml';
 
 describe(`login-key (e2e)`, () => {
   let apiKey: string;
@@ -20,6 +22,7 @@ describe(`login-key (e2e)`, () => {
   afterAll(async () => {
     await testApp.teardown();
     await restoreTempFolder();
+    deleteAuthFile();
   });
 
   beforeEach(async () => {
@@ -28,6 +31,8 @@ describe(`login-key (e2e)`, () => {
 
     const api = await setup();
     apiKey = api.apiKey;
+
+    deleteAuthFile();
   });
 
   it('should error when providing an invalid API key', async () => {
@@ -39,4 +44,23 @@ describe(`login-key (e2e)`, () => {
   it('should log in when providing the correct API key', async () => {
     await new LoginCommand(CLI_BASE_OPTIONS).run(instanceUrl, apiKey);
   });
+
+  it('should create an auth file when logging in', async () => {
+    await new LoginCommand(CLI_BASE_OPTIONS).run(instanceUrl, apiKey);
+
+    const data: string = await readFile(TEST_AUTH_FILE, 'utf8');
+    const parsedConfig = yaml.parse(data);
+
+    expect(parsedConfig).toEqual(expect.objectContaining({ instanceUrl, apiKey }));
+  });
+
+  it('should create an auth file with chmod 600', async () => {
+    await new LoginCommand(CLI_BASE_OPTIONS).run(instanceUrl, apiKey);
+
+    const stats = await stat(TEST_AUTH_FILE);
+
+    const mode = (stats.mode & 0o777).toString(8);
+
+    expect(mode).toEqual('600');
+  });
 });