immich-app · jrasm91 · May 9, 2024 · May 8, 2024
diff --git a/open-api/immich-openapi-specs.json b/open-api/immich-openapi-specs.json
@@ -5806,15 +5806,6 @@
           }
         },
         "security": [
-          {
-            "bearer": []
-          },
-          {
-            "cookie": []
-          },
-          {
-            "api_key": []
-          },
           {
             "bearer": []
           },
@@ -5942,15 +5933,6 @@
           }
         },
         "security": [
-          {
-            "bearer": []
-          },
-          {
-            "cookie": []
-          },
-          {
-            "api_key": []
-          },
           {
             "bearer": []
           },

@@ -15,21 +15,23 @@ import { UUIDParamDto } from 'src/validation';
 
 @ApiTags('Activity')
 @Controller('activity')
-@Authenticated()
 export class ActivityController {
   constructor(private service: ActivityService) {}
 
   @Get()
+  @Authenticated()
   getActivities(@Auth() auth: AuthDto, @Query() dto: ActivitySearchDto): Promise<ActivityResponseDto[]> {
     return this.service.getAll(auth, dto);
   }
 
   @Get('statistics')
+  @Authenticated()
   getActivityStatistics(@Auth() auth: AuthDto, @Query() dto: ActivityDto): Promise<ActivityStatisticsResponseDto> {
     return this.service.getStatistics(auth, dto);
   }
 
   @Post()
+  @Authenticated()
   async createActivity(
     @Auth() auth: AuthDto,
     @Body() dto: ActivityCreateDto,
@@ -44,6 +46,7 @@ export class ActivityController {
 
   @Delete(':id')
   @HttpCode(HttpStatus.NO_CONTENT)
+  @Authenticated()
   deleteActivity(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
     return this.service.delete(auth, id);
   }

@@ -12,32 +12,34 @@ import {
 } from 'src/dtos/album.dto';
 import { BulkIdResponseDto, BulkIdsDto } from 'src/dtos/asset-ids.response.dto';
 import { AuthDto } from 'src/dtos/auth.dto';
-import { Auth, Authenticated, SharedLinkRoute } from 'src/middleware/auth.guard';
+import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { AlbumService } from 'src/services/album.service';
 import { ParseMeUUIDPipe, UUIDParamDto } from 'src/validation';
 
 @ApiTags('Album')
 @Controller('album')
-@Authenticated()
 export class AlbumController {
   constructor(private service: AlbumService) {}
 
   @Get('count')
+  @Authenticated()
   getAlbumCount(@Auth() auth: AuthDto): Promise<AlbumCountResponseDto> {
     return this.service.getCount(auth);
   }
 
   @Get()
+  @Authenticated()
   getAllAlbums(@Auth() auth: AuthDto, @Query() query: GetAlbumsDto): Promise<AlbumResponseDto[]> {
     return this.service.getAll(auth, query);
   }
 
   @Post()
+  @Authenticated()
   createAlbum(@Auth() auth: AuthDto, @Body() dto: CreateAlbumDto): Promise<AlbumResponseDto> {
     return this.service.create(auth, dto);
   }
 
-  @SharedLinkRoute()
+  @Authenticated({ sharedLink: true })
   @Get(':id')
   getAlbumInfo(
     @Auth() auth: AuthDto,
@@ -48,6 +50,7 @@ export class AlbumController {
   }
 
   @Patch(':id')
+  @Authenticated()
   updateAlbumInfo(
     @Auth() auth: AuthDto,
     @Param() { id }: UUIDParamDto,
@@ -57,12 +60,13 @@ export class AlbumController {
   }
 
   @Delete(':id')
+  @Authenticated()
   deleteAlbum(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto) {
     return this.service.delete(auth, id);
   }
 
-  @SharedLinkRoute()
   @Put(':id/assets')
+  @Authenticated({ sharedLink: true })
   addAssetsToAlbum(
     @Auth() auth: AuthDto,
     @Param() { id }: UUIDParamDto,
@@ -72,6 +76,7 @@ export class AlbumController {
   }
 
   @Delete(':id/assets')
+  @Authenticated()
   removeAssetFromAlbum(
     @Auth() auth: AuthDto,
     @Body() dto: BulkIdsDto,
@@ -81,6 +86,7 @@ export class AlbumController {
   }
 
   @Put(':id/users')
+  @Authenticated()
   addUsersToAlbum(
     @Auth() auth: AuthDto,
     @Param() { id }: UUIDParamDto,
@@ -90,6 +96,7 @@ export class AlbumController {
   }
 
   @Put(':id/user/:userId')
+  @Authenticated()
   updateAlbumUser(
     @Auth() auth: AuthDto,
     @Param() { id }: UUIDParamDto,
@@ -100,6 +107,7 @@ export class AlbumController {
   }
 
   @Delete(':id/user/:userId')
+  @Authenticated()
   removeUserFromAlbum(
     @Auth() auth: AuthDto,
     @Param() { id }: UUIDParamDto,

@@ -8,26 +8,29 @@ import { UUIDParamDto } from 'src/validation';
 
 @ApiTags('API Key')
 @Controller('api-key')
-@Authenticated()
 export class APIKeyController {
   constructor(private service: APIKeyService) {}
 
   @Post()
+  @Authenticated()
   createApiKey(@Auth() auth: AuthDto, @Body() dto: APIKeyCreateDto): Promise<APIKeyCreateResponseDto> {
     return this.service.create(auth, dto);
   }
 
   @Get()
+  @Authenticated()
   getApiKeys(@Auth() auth: AuthDto): Promise<APIKeyResponseDto[]> {
     return this.service.getAll(auth);
   }
 
   @Get(':id')
+  @Authenticated()
   getApiKey(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<APIKeyResponseDto> {
     return this.service.getById(auth, id);
   }
 
   @Put(':id')
+  @Authenticated()
   updateApiKey(
     @Auth() auth: AuthDto,
     @Param() { id }: UUIDParamDto,
@@ -37,6 +40,7 @@ export class APIKeyController {
   }
 
   @Delete(':id')
+  @Authenticated()
   deleteApiKey(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
     return this.service.delete(auth, id);
   }

@@ -1,6 +1,5 @@
 import { Controller, Get, Header } from '@nestjs/common';
 import { ApiExcludeEndpoint } from '@nestjs/swagger';
-import { PublicRoute } from 'src/middleware/auth.guard';
 import { SystemConfigService } from 'src/services/system-config.service';
 
 @Controller()
@@ -18,7 +17,6 @@ export class AppController {
   }
 
   @ApiExcludeEndpoint()
-  @PublicRoute()
   @Get('custom.css')
   @Header('Content-Type', 'text/css')
   getCustomCss() {

@@ -31,7 +31,7 @@ import {
 } from 'src/dtos/asset-v1.dto';
 import { AuthDto, ImmichHeader } from 'src/dtos/auth.dto';
 import { AssetUploadInterceptor } from 'src/middleware/asset-upload.interceptor';
-import { Auth, Authenticated, FileResponse, SharedLinkRoute } from 'src/middleware/auth.guard';
+import { Auth, Authenticated, FileResponse } from 'src/middleware/auth.guard';
 import { FileUploadInterceptor, ImmichFile, Route, mapToUploadFile } from 'src/middleware/file-upload.interceptor';
 import { AssetServiceV1 } from 'src/services/asset-v1.service';
 import { sendFile } from 'src/utils/file';
@@ -45,11 +45,9 @@ interface UploadFiles {
 
 @ApiTags('Asset')
 @Controller(Route.ASSET)
-@Authenticated()
 export class AssetControllerV1 {
   constructor(private service: AssetServiceV1) {}
 
-  @SharedLinkRoute()
   @Post('upload')
   @UseInterceptors(AssetUploadInterceptor, FileUploadInterceptor)
   @ApiConsumes('multipart/form-data')
@@ -58,10 +56,8 @@ export class AssetControllerV1 {
     description: 'sha1 checksum that can be used for duplicate detection before the file is uploaded',
     required: false,
   })
-  @ApiBody({
-    description: 'Asset Upload Information',
-    type: CreateAssetDto,
-  })
+  @ApiBody({ description: 'Asset Upload Information', type: CreateAssetDto })
+  @Authenticated({ sharedLink: true })
   async uploadFile(
     @Auth() auth: AuthDto,
     @UploadedFiles(new ParseFilePipe({ validators: [new FileNotEmptyValidator(['assetData'])] })) files: UploadFiles,
@@ -89,9 +85,9 @@ export class AssetControllerV1 {
     return responseDto;
   }
 
-  @SharedLinkRoute()
   @Get('/file/:id')
   @FileResponse()
+  @Authenticated({ sharedLink: true })
   async serveFile(
     @Res() res: Response,
     @Next() next: NextFunction,
@@ -102,9 +98,9 @@ export class AssetControllerV1 {
     await sendFile(res, next, () => this.service.serveFile(auth, id, dto));
   }
 
-  @SharedLinkRoute()
   @Get('/thumbnail/:id')
   @FileResponse()
+  @Authenticated({ sharedLink: true })
   async getAssetThumbnail(
     @Res() res: Response,
     @Next() next: NextFunction,
@@ -125,6 +121,7 @@ export class AssetControllerV1 {
     required: false,
     schema: { type: 'string' },
   })
+  @Authenticated()
   getAllAssets(@Auth() auth: AuthDto, @Query() dto: AssetSearchDto): Promise<AssetResponseDto[]> {
     return this.service.getAllAssets(auth, dto);
   }
@@ -134,6 +131,7 @@ export class AssetControllerV1 {
    */
   @Post('/exist')
   @HttpCode(HttpStatus.OK)
+  @Authenticated()
   checkExistingAssets(
     @Auth() auth: AuthDto,
     @Body() dto: CheckExistingAssetsDto,
@@ -146,6 +144,7 @@ export class AssetControllerV1 {
    */
   @Post('/bulk-upload-check')
   @HttpCode(HttpStatus.OK)
+  @Authenticated()
   checkBulkUpload(
     @Auth() auth: AuthDto,
     @Body() dto: AssetBulkUploadCheckDto,

@@ -14,28 +14,30 @@ import {
 import { AuthDto } from 'src/dtos/auth.dto';
 import { MapMarkerDto, MapMarkerResponseDto, MemoryLaneDto } from 'src/dtos/search.dto';
 import { UpdateStackParentDto } from 'src/dtos/stack.dto';
-import { Auth, Authenticated, SharedLinkRoute } from 'src/middleware/auth.guard';
+import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { Route } from 'src/middleware/file-upload.interceptor';
 import { AssetService } from 'src/services/asset.service';
 import { UUIDParamDto } from 'src/validation';
 
 @ApiTags('Asset')
 @Controller(Route.ASSET)
-@Authenticated()
 export class AssetController {
   constructor(private service: AssetService) {}
 
   @Get('map-marker')
+  @Authenticated()
   getMapMarkers(@Auth() auth: AuthDto, @Query() options: MapMarkerDto): Promise<MapMarkerResponseDto[]> {
     return this.service.getMapMarkers(auth, options);
   }
 
   @Get('memory-lane')
+  @Authenticated()
   getMemoryLane(@Auth() auth: AuthDto, @Query() dto: MemoryLaneDto): Promise<MemoryLaneResponseDto[]> {
     return this.service.getMemoryLane(auth, dto);
   }
 
   @Get('random')
+  @Authenticated()
   getRandom(@Auth() auth: AuthDto, @Query() dto: RandomAssetsDto): Promise<AssetResponseDto[]> {
     return this.service.getRandom(auth, dto.count ?? 1);
   }
@@ -44,46 +46,53 @@ export class AssetController {
    * Get all asset of a device that are in the database, ID only.
    */
   @Get('/device/:deviceId')
+  @Authenticated()
   getAllUserAssetsByDeviceId(@Auth() auth: AuthDto, @Param() { deviceId }: DeviceIdDto) {
     return this.service.getUserAssetsByDeviceId(auth, deviceId);
   }
 
   @Get('statistics')
+  @Authenticated()
   getAssetStatistics(@Auth() auth: AuthDto, @Query() dto: AssetStatsDto): Promise<AssetStatsResponseDto> {
     return this.service.getStatistics(auth, dto);
   }
 
   @Post('jobs')
   @HttpCode(HttpStatus.NO_CONTENT)
+  @Authenticated()
   runAssetJobs(@Auth() auth: AuthDto, @Body() dto: AssetJobsDto): Promise<void> {
     return this.service.run(auth, dto);
   }
 
   @Put()
   @HttpCode(HttpStatus.NO_CONTENT)
+  @Authenticated()
   updateAssets(@Auth() auth: AuthDto, @Body() dto: AssetBulkUpdateDto): Promise<void> {
     return this.service.updateAll(auth, dto);
   }
 
   @Delete()
   @HttpCode(HttpStatus.NO_CONTENT)
+  @Authenticated()
   deleteAssets(@Auth() auth: AuthDto, @Body() dto: AssetBulkDeleteDto): Promise<void> {
     return this.service.deleteAll(auth, dto);
   }
 
   @Put('stack/parent')
   @HttpCode(HttpStatus.OK)
+  @Authenticated()
   updateStackParent(@Auth() auth: AuthDto, @Body() dto: UpdateStackParentDto): Promise<void> {
     return this.service.updateStackParent(auth, dto);
   }
 
-  @SharedLinkRoute()
   @Get(':id')
+  @Authenticated({ sharedLink: true })
   getAssetInfo(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<AssetResponseDto> {
     return this.service.get(auth, id) as Promise<AssetResponseDto>;
   }
 
   @Put(':id')
+  @Authenticated()
   updateAsset(
     @Auth() auth: AuthDto,
     @Param() { id }: UUIDParamDto,

@@ -7,11 +7,11 @@ import { AuditService } from 'src/services/audit.service';
 
 @ApiTags('Audit')
 @Controller('audit')
-@Authenticated()
 export class AuditController {
   constructor(private service: AuditService) {}
 
   @Get('deletes')
+  @Authenticated()
   getAuditDeletes(@Auth() auth: AuthDto, @Query() dto: AuditDeletesDto): Promise<AuditDeletesResponseDto> {
     return this.service.getDeletes(auth, dto);
   }