feat: reset oauth ids (#20798)

2025-10-31 20:07:41 +09:00 · 2025-08-08 15:42:38 -04:00
parent 9ecaa3fa9d
commit 538d5c81ea
15 changed files with 247 additions and 6 deletions
--- a/i18n/en.json
+++ b/i18n/en.json
@@ -355,6 +355,9 @@
    "trash_number_of_days_description": "Number of days to keep the assets in trash before permanently removing them",
    "trash_settings": "Trash Settings",
    "trash_settings_description": "Manage trash settings",
    "unlink_all_oauth_accounts": "Unlink all OAuth accounts",
    "unlink_all_oauth_accounts_description": "Remember to unlink all OAuth accounts before migrating to a new provider.",
    "unlink_all_oauth_accounts_prompt": "Are you sure you want to unlink all OAuth accounts? This will reset the OAuth ID for each user and cannot be undone.",
    "user_cleanup_job": "User cleanup",
    "user_delete_delay": "<b>{user}</b>'s account and assets will be scheduled for permanent deletion in {delay, plural, one {# day} other {# days}}.",
    "user_delete_delay_settings": "Delete delay",
@@ -921,6 +924,7 @@
    "paths_validation_failed": "{paths, plural, one {# path} other {# paths}} failed validation",
    "profile_picture_transparent_pixels": "Profile pictures cannot have transparent pixels. Please zoom in and/or move the image.",
    "quota_higher_than_disk_size": "You set a quota higher than the disk size",
    "something_went_wrong": "Something went wrong",
    "unable_to_add_album_users": "Unable to add users to album",
    "unable_to_add_assets_to_shared_link": "Unable to add assets to shared link",
    "unable_to_add_comment": "Unable to add comment",
--- a/mobile/openapi/README.md
+++ b/mobile/openapi/README.md
@@ -108,6 +108,7 @@ Class | Method | HTTP request | Description
 *AssetsApi* | [**updateAssets**](doc//AssetsApi.md#updateassets) | **PUT** /assets | 
 *AssetsApi* | [**uploadAsset**](doc//AssetsApi.md#uploadasset) | **POST** /assets | 
 *AssetsApi* | [**viewAsset**](doc//AssetsApi.md#viewasset) | **GET** /assets/{id}/thumbnail | 
 *AuthAdminApi* | [**unlinkAllOAuthAccountsAdmin**](doc//AuthAdminApi.md#unlinkalloauthaccountsadmin) | **POST** /admin/auth/unlink-all | 
 *AuthenticationApi* | [**changePassword**](doc//AuthenticationApi.md#changepassword) | **POST** /auth/change-password | 
 *AuthenticationApi* | [**changePinCode**](doc//AuthenticationApi.md#changepincode) | **PUT** /auth/pin-code | 
 *AuthenticationApi* | [**getAuthStatus**](doc//AuthenticationApi.md#getauthstatus) | **GET** /auth/status | 
--- a/mobile/openapi/lib/api.dart
+++ b/mobile/openapi/lib/api.dart
@@ -34,6 +34,7 @@ part 'api/api_keys_api.dart';
 part 'api/activities_api.dart';
 part 'api/albums_api.dart';
 part 'api/assets_api.dart';
 part 'api/auth_admin_api.dart';
 part 'api/authentication_api.dart';
 part 'api/deprecated_api.dart';
 part 'api/download_api.dart';
--- a/mobile/openapi/lib/api/auth_admin_api.dart
+++ b/mobile/openapi/lib/api/auth_admin_api.dart
@@ -0,0 +1,54 @@
 //
 // AUTO-GENERATED FILE, DO NOT MODIFY!
 //
 // @dart=2.18
 // ignore_for_file: unused_element, unused_import
 // ignore_for_file: always_put_required_named_parameters_first
 // ignore_for_file: constant_identifier_names
 // ignore_for_file: lines_longer_than_80_chars
 part of openapi.api;
 class AuthAdminApi {
  AuthAdminApi([ApiClient? apiClient]) : apiClient = apiClient ?? defaultApiClient;
  final ApiClient apiClient;
  /// This endpoint is an admin-only route, and requires the `adminAuth.unlinkAll` permission.
  ///
  /// Note: This method returns the HTTP [Response].
  Future<Response> unlinkAllOAuthAccountsAdminWithHttpInfo() async {
    // ignore: prefer_const_declarations
    final apiPath = r'/admin/auth/unlink-all';
    // ignore: prefer_final_locals
    Object? postBody;
    final queryParams = <QueryParam>[];
    final headerParams = <String, String>{};
    final formParams = <String, String>{};
    const contentTypes = <String>[];
    return apiClient.invokeAPI(
      apiPath,
      'POST',
      queryParams,
      postBody,
      headerParams,
      formParams,
      contentTypes.isEmpty ? null : contentTypes.first,
    );
  }
  /// This endpoint is an admin-only route, and requires the `adminAuth.unlinkAll` permission.
  Future<void> unlinkAllOAuthAccountsAdmin() async {
    final response = await unlinkAllOAuthAccountsAdminWithHttpInfo();
    if (response.statusCode >= HttpStatus.badRequest) {
      throw ApiException(response.statusCode, await _decodeBodyBytes(response));
    }
  }
 }
--- a/mobile/openapi/lib/model/permission.dart
+++ b/mobile/openapi/lib/model/permission.dart
@@ -150,6 +150,7 @@ class Permission {
  static const adminUserPeriodRead = Permission._(r'adminUser.read');
  static const adminUserPeriodUpdate = Permission._(r'adminUser.update');
  static const adminUserPeriodDelete = Permission._(r'adminUser.delete');
  static const adminAuthPeriodUnlinkAll = Permission._(r'adminAuth.unlinkAll');
  /// List of all possible values in this [enum][Permission].
  static const values = <Permission>[
@@ -280,6 +281,7 @@ class Permission {
    adminUserPeriodRead,
    adminUserPeriodUpdate,
    adminUserPeriodDelete,
    adminAuthPeriodUnlinkAll,
  ];
  static Permission? fromJson(dynamic value) => PermissionTypeTransformer().decode(value);
@@ -445,6 +447,7 @@ class PermissionTypeTransformer {
        case r'adminUser.read': return Permission.adminUserPeriodRead;
        case r'adminUser.update': return Permission.adminUserPeriodUpdate;
        case r'adminUser.delete': return Permission.adminUserPeriodDelete;
        case r'adminAuth.unlinkAll': return Permission.adminAuthPeriodUnlinkAll;
        default:
          if (!allowNull) {
            throw ArgumentError('Unknown enum value to decode: $data');
--- a/open-api/immich-openapi-specs.json
+++ b/open-api/immich-openapi-specs.json
@@ -214,6 +214,34 @@
        "description": "This endpoint requires the `activity.delete` permission."
      }
    },
    "/admin/auth/unlink-all": {
      "post": {
        "operationId": "unlinkAllOAuthAccountsAdmin",
        "parameters": [],
        "responses": {
          "204": {
            "description": ""
          }
        },
        "security": [
          {
            "bearer": []
          },
          {
            "cookie": []
          },
          {
            "api_key": []
          }
        ],
        "tags": [
          "Auth (admin)"
        ],
        "x-immich-admin-only": true,
        "x-immich-permission": "adminAuth.unlinkAll",
        "description": "This endpoint is an admin-only route, and requires the `adminAuth.unlinkAll` permission."
      }
    },
    "/admin/notifications": {
      "post": {
        "operationId": "createNotification",
@@ -12687,7 +12715,8 @@
          "adminUser.create",
          "adminUser.read",
          "adminUser.update",
-          "adminUser.delete"
+          "adminUser.delete",
          "adminAuth.unlinkAll"
        ],
        "type": "string"
      },
--- a/open-api/typescript-sdk/src/fetch-client.ts
+++ b/open-api/typescript-sdk/src/fetch-client.ts
@@ -1646,6 +1646,15 @@ export function deleteActivity({ id }: {
        method: "DELETE"
    }));
 }
 /**
 * This endpoint is an admin-only route, and requires the `adminAuth.unlinkAll` permission.
 */
 export function unlinkAllOAuthAccountsAdmin(opts?: Oazapfts.RequestOpts) {
    return oazapfts.ok(oazapfts.fetchText("/admin/auth/unlink-all", {
        ...opts,
        method: "POST"
    }));
 }
 export function createNotification({ notificationCreateDto }: {
    notificationCreateDto: NotificationCreateDto;
 }, opts?: Oazapfts.RequestOpts) {
@@ -4669,7 +4678,8 @@ export enum Permission {
    AdminUserCreate = "adminUser.create",
    AdminUserRead = "adminUser.read",
    AdminUserUpdate = "adminUser.update",
-    AdminUserDelete = "adminUser.delete"
+    AdminUserDelete = "adminUser.delete",
    AdminAuthUnlinkAll = "adminAuth.unlinkAll"
 }
 export enum AssetMediaStatus {
    Created = "created",
--- a/server/src/controllers/auth-admin.controller.ts
+++ b/server/src/controllers/auth-admin.controller.ts
@@ -0,0 +1,18 @@
 import { Controller, HttpCode, HttpStatus, Post } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
 import { AuthDto } from 'src/dtos/auth.dto';
 import { Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { AuthAdminService } from 'src/services/auth-admin.service';
@ApiTags('Auth (admin)')
@Controller('admin/auth')
 export class AuthAdminController {
  constructor(private service: AuthAdminService) {}
  @Post('unlink-all')
  @Authenticated({ permission: Permission.AdminAuthUnlinkAll, admin: true })
  @HttpCode(HttpStatus.NO_CONTENT)
  unlinkAllOAuthAccountsAdmin(@Auth() auth: AuthDto): Promise<void> {
    return this.service.unlinkAll(auth);
  }
 }
--- a/server/src/controllers/index.ts
+++ b/server/src/controllers/index.ts
@@ -4,6 +4,7 @@ import { APIKeyController } from 'src/controllers/api-key.controller';
 import { AppController } from 'src/controllers/app.controller';
 import { AssetMediaController } from 'src/controllers/asset-media.controller';
 import { AssetController } from 'src/controllers/asset.controller';
 import { AuthAdminController } from 'src/controllers/auth-admin.controller';
 import { AuthController } from 'src/controllers/auth.controller';
 import { DownloadController } from 'src/controllers/download.controller';
 import { DuplicateController } from 'src/controllers/duplicate.controller';
@@ -40,6 +41,7 @@ export const controllers = [
  AssetController,
  AssetMediaController,
  AuthController,
  AuthAdminController,
  DownloadController,
  DuplicateController,
  FaceController,
--- a/server/src/enum.ts
+++ b/server/src/enum.ts
@@ -235,6 +235,8 @@ export enum Permission {
  AdminUserRead = 'adminUser.read',
  AdminUserUpdate = 'adminUser.update',
  AdminUserDelete = 'adminUser.delete',
  AdminAuthUnlinkAll = 'adminAuth.unlinkAll',
 }
 export enum SharedLinkType {
--- a/server/src/repositories/user.repository.ts
+++ b/server/src/repositories/user.repository.ts
@@ -194,6 +194,10 @@ export class UserRepository {
      .executeTakeFirstOrThrow();
  }
  async updateAll(dto: Updateable<UserTable>) {
    await this.db.updateTable('user').set(dto).execute();
  }
  restore(id: string) {
    return this.db
      .updateTable('user')
--- a/server/src/services/auth-admin.service.ts
+++ b/server/src/services/auth-admin.service.ts
@@ -0,0 +1,11 @@
 import { Injectable } from '@nestjs/common';
 import { AuthDto } from 'src/dtos/auth.dto';
 import { BaseService } from 'src/services/base.service';
@Injectable()
 export class AuthAdminService extends BaseService {
  async unlinkAll(_auth: AuthDto) {
    // TODO replace '' with null
    await this.userRepository.updateAll({ oauthId: '' });
  }
 }
--- a/server/src/services/index.ts
+++ b/server/src/services/index.ts
@@ -5,6 +5,7 @@ import { ApiService } from 'src/services/api.service';
 import { AssetMediaService } from 'src/services/asset-media.service';
 import { AssetService } from 'src/services/asset.service';
 import { AuditService } from 'src/services/audit.service';
 import { AuthAdminService } from 'src/services/auth-admin.service';
 import { AuthService } from 'src/services/auth.service';
 import { BackupService } from 'src/services/backup.service';
 import { CliService } from 'src/services/cli.service';
@@ -49,6 +50,7 @@ export const services = [
  AssetService,
  AuditService,
  AuthService,
  AuthAdminService,
  BackupService,
  CliService,
  DatabaseService,
--- a/server/test/medium/specs/services/auth-admin.service.spec.ts
+++ b/server/test/medium/specs/services/auth-admin.service.spec.ts
@@ -0,0 +1,66 @@
 import { Kysely } from 'kysely';
 import { LoggingRepository } from 'src/repositories/logging.repository';
 import { UserRepository } from 'src/repositories/user.repository';
 import { DB } from 'src/schema';
 import { AuthAdminService } from 'src/services/auth-admin.service';
 import { newMediumService } from 'test/medium.factory';
 import { factory } from 'test/small.factory';
 import { getKyselyDB } from 'test/utils';
 let defaultDatabase: Kysely<DB>;
 const setup = (db?: Kysely<DB>) => {
  return newMediumService(AuthAdminService, {
    database: db || defaultDatabase,
    real: [UserRepository],
    mock: [LoggingRepository],
  });
 };
 beforeAll(async () => {
  defaultDatabase = await getKyselyDB();
 });
 describe(AuthAdminService.name, () => {
  describe('unlinkAll', () => {
    it('should reset user.oauthId', async () => {
      const { sut, ctx } = setup();
      const userRepo = ctx.get(UserRepository);
      const { user } = await ctx.newUser({ oauthId: 'test-oauth-id' });
      const auth = factory.auth();
      await expect(sut.unlinkAll(auth)).resolves.toBeUndefined();
      await expect(userRepo.get(user.id, { withDeleted: true })).resolves.toEqual(
        expect.objectContaining({ oauthId: '' }),
      );
    });
    it('should reset a deleted user', async () => {
      const { sut, ctx } = setup();
      const userRepo = ctx.get(UserRepository);
      const { user } = await ctx.newUser({ oauthId: 'test-oauth-id', deletedAt: new Date() });
      const auth = factory.auth();
      await expect(sut.unlinkAll(auth)).resolves.toBeUndefined();
      await expect(userRepo.get(user.id, { withDeleted: true })).resolves.toEqual(
        expect.objectContaining({ oauthId: '' }),
      );
    });
    it('should reset multiple users', async () => {
      const { sut, ctx } = setup();
      const userRepo = ctx.get(UserRepository);
      const { user: user1 } = await ctx.newUser({ oauthId: '1' });
      const { user: user2 } = await ctx.newUser({ oauthId: '2', deletedAt: new Date() });
      const auth = factory.auth();
      await expect(sut.unlinkAll(auth)).resolves.toBeUndefined();
      await expect(userRepo.get(user1.id, { withDeleted: true })).resolves.toEqual(
        expect.objectContaining({ oauthId: '' }),
      );
      await expect(userRepo.get(user2.id, { withDeleted: true })).resolves.toEqual(
        expect.objectContaining({ oauthId: '' }),
      );
    });
  });
 });
--- a/web/src/lib/components/admin-page/settings/auth/auth-settings.svelte
+++ b/web/src/lib/components/admin-page/settings/auth/auth-settings.svelte
@@ -1,5 +1,9 @@
 <script lang="ts">
  import FormatMessage from '$lib/components/i18n/format-message.svelte';
  import {
    notificationController,
    NotificationType,
  } from '$lib/components/shared-components/notification/notification';
  import SettingAccordion from '$lib/components/shared-components/settings/setting-accordion.svelte';
  import SettingButtonsRow from '$lib/components/shared-components/settings/setting-buttons-row.svelte';
  import SettingInputField from '$lib/components/shared-components/settings/setting-input-field.svelte';
@@ -7,8 +11,10 @@
  import SettingSwitch from '$lib/components/shared-components/settings/setting-switch.svelte';
  import { SettingInputFieldType } from '$lib/constants';
  import AuthDisableLoginConfirmModal from '$lib/modals/AuthDisableLoginConfirmModal.svelte';
-  import { OAuthTokenEndpointAuthMethod, type SystemConfigDto } from '@immich/sdk';
+  import { handleError } from '$lib/utils/handle-error';
-  import { modalManager } from '@immich/ui';
+  import { OAuthTokenEndpointAuthMethod, unlinkAllOAuthAccountsAdmin, type SystemConfigDto } from '@immich/sdk';
  import { Button, modalManager, Text } from '@immich/ui';
  import { mdiRestart } from '@mdi/js';
  import { isEqual } from 'lodash-es';
  import { t } from 'svelte-i18n';
  import { fade } from 'svelte/transition';
@@ -44,6 +50,26 @@
    onSave({ passwordLogin: config.passwordLogin, oauth: config.oauth });
  };
  const handleUnlinkAllOAuthAccounts = async () => {
    const confirmed = await modalManager.showDialog({
      icon: mdiRestart,
      title: $t('admin.unlink_all_oauth_accounts'),
      prompt: $t('admin.unlink_all_oauth_accounts_prompt'),
      confirmColor: 'danger',
    });
    if (!confirmed) {
      return;
    }
    try {
      await unlinkAllOAuthAccountsAdmin({});
      notificationController.show({ message: $t('success'), type: NotificationType.Info });
    } catch (error) {
      handleError(error, $t('errors.something_went_wrong'));
    }
  };
 </script>
 <div>
@@ -56,7 +82,7 @@
          subtitle={$t('admin.oauth_settings_description')}
        >
          <div class="ms-4 mt-4 flex flex-col gap-4">
-            <p class="text-sm dark:text-immich-dark-fg">
+            <Text size="small">
              <FormatMessage key="admin.oauth_settings_more_details">
                {#snippet children({ message })}
                  <a
@@ -69,7 +95,7 @@
                  </a>
                {/snippet}
              </FormatMessage>
-            </p>
+            </Text>
            <SettingSwitch
              {disabled}
@@ -79,6 +105,14 @@
            {#if config.oauth.enabled}
              <hr />
              <div class="flex items-center gap-2 justify-between">
                <Text size="small">{$t('admin.unlink_all_oauth_accounts_description')}</Text>
                <Button size="small" onclick={handleUnlinkAllOAuthAccounts}
                  >{$t('admin.unlink_all_oauth_accounts')}</Button
                >
              </div>
              <SettingInputField
                inputType={SettingInputFieldType.TEXT}
                label="ISSUER_URL"