refactor: move e2e-auth-server to packages (#28358)

2026-06-12 19:11:52 -07:00 · 2026-05-11 15:39:59 -04:00
parent db589455f4
commit 03e042213c
8 changed files with 18 additions and 18 deletions
@@ -0,0 +1,6 @@
+FROM node:24.1.0-alpine3.20@sha256:8fe019e0d57dbdce5f5c27c0b63d2775cf34b00e3755a7dea969802d7e0c2b25
+RUN corepack enable
+ADD package.json *.ts ./
+RUN pnpm install
+EXPOSE 2286
+CMD ["pnpm", "run", "start"]
@@ -0,0 +1,182 @@
+import {
+  calculateJwkThumbprint,
+  exportJWK,
+  importPKCS8,
+  importSPKI,
+  SignJWT,
+} from 'jose';
+import Provider from 'oidc-provider';
+import { PRIVATE_KEY_PEM, PUBLIC_KEY_PEM } from './test-keys';
+
+export enum OAuthClient {
+  DEFAULT = 'client-default',
+  RS256_TOKENS = 'client-RS256-tokens',
+  RS256_PROFILE = 'client-RS256-profile',
+}
+
+export enum OAuthUser {
+  NO_EMAIL = 'no-email',
+  NO_NAME = 'no-name',
+  ID_TOKEN_CLAIMS = 'id-token-claims',
+  WITH_QUOTA = 'with-quota',
+  WITH_USERNAME = 'with-username',
+  WITH_ROLE = 'with-role',
+}
+
+const claims = [
+  { sub: OAuthUser.NO_EMAIL },
+  {
+    sub: OAuthUser.NO_NAME,
+    email: 'oauth-no-name@immich.app',
+    email_verified: true,
+  },
+  {
+    sub: OAuthUser.WITH_USERNAME,
+    email: 'oauth-with-username@immich.app',
+    email_verified: true,
+    immich_username: 'user-username',
+  },
+  {
+    sub: OAuthUser.WITH_QUOTA,
+    email: 'oauth-with-quota@immich.app',
+    email_verified: true,
+    preferred_username: 'user-quota',
+    immich_quota: 25,
+  },
+  {
+    sub: OAuthUser.WITH_ROLE,
+    email: 'oauth-with-role@immich.app',
+    email_verified: true,
+    immich_role: 'admin',
+  },
+];
+
+const privateKey = await importPKCS8(PRIVATE_KEY_PEM, 'RS256', {
+  extractable: true,
+});
+const publicKey = await importSPKI(PUBLIC_KEY_PEM, 'RS256', {
+  extractable: true,
+});
+const kid = await calculateJwkThumbprint(await exportJWK(publicKey));
+
+export async function generateLogoutToken(iss: string, sub: string) {
+  return await new SignJWT({
+    iss: iss,
+    aud: OAuthClient.DEFAULT,
+    iat: Math.floor(Date.now() / 1000),
+    jti: crypto.randomUUID(),
+    sub: sub,
+    events: {
+      'http://schemas.openid.net/event/backchannel-logout': {},
+    },
+  })
+    .setProtectedHeader({ alg: 'RS256', typ: 'logout+jwt', kid: kid })
+    .sign(privateKey);
+}
+
+const withDefaultClaims = (sub: string) => ({
+  sub,
+  email: `${sub}@immich.app`,
+  name: 'OAuth User',
+  given_name: `OAuth`,
+  family_name: 'User',
+  email_verified: true,
+});
+
+const getClaims = (sub: string, use?: string) => {
+  if (sub === OAuthUser.ID_TOKEN_CLAIMS) {
+    return {
+      sub,
+      email: `oauth-${sub}@immich.app`,
+      email_verified: true,
+      name: use === 'id_token' ? 'ID Token User' : 'Userinfo User',
+    };
+  }
+  return claims.find((user) => user.sub === sub) || withDefaultClaims(sub);
+};
+
+const setup = async () => {
+  const redirectUris = [
+    'http://127.0.0.1:2285/auth/login',
+    'https://photos.immich.app/oauth/mobile-redirect',
+  ];
+  const port = 2286;
+  const host = '0.0.0.0';
+  const oidc = new Provider(`http://${host}:${port}`, {
+    renderError: async (ctx, out, error) => {
+      console.error(out);
+      console.error(error);
+      ctx.body = 'Internal Server Error';
+    },
+    findAccount: (ctx, sub) => ({
+      accountId: sub,
+      claims: (use) => getClaims(sub, use),
+    }),
+    scopes: ['openid', 'email', 'profile'],
+    claims: {
+      openid: ['sub'],
+      email: ['email', 'email_verified'],
+      profile: [
+        'name',
+        'given_name',
+        'family_name',
+        'preferred_username',
+        'immich_quota',
+        'immich_username',
+        'immich_role',
+      ],
+    },
+    features: {
+      jwtUserinfo: {
+        enabled: true,
+      },
+    },
+    cookies: {
+      names: {
+        session: 'oidc.session',
+        interaction: 'oidc.interaction',
+        resume: 'oidc.resume',
+        state: 'oidc.state',
+      },
+    },
+    conformIdTokenClaims: false,
+    pkce: {
+      required: () => false,
+    },
+    jwks: { keys: [await exportJWK(privateKey)] },
+    clients: [
+      {
+        client_id: OAuthClient.DEFAULT,
+        client_secret: OAuthClient.DEFAULT,
+        redirect_uris: redirectUris,
+        grant_types: ['authorization_code'],
+        response_types: ['code'],
+      },
+      {
+        client_id: OAuthClient.RS256_TOKENS,
+        client_secret: OAuthClient.RS256_TOKENS,
+        redirect_uris: redirectUris,
+        grant_types: ['authorization_code'],
+        id_token_signed_response_alg: 'RS256',
+        jwks: { keys: [await exportJWK(publicKey)] },
+      },
+      {
+        client_id: OAuthClient.RS256_PROFILE,
+        client_secret: OAuthClient.RS256_PROFILE,
+        redirect_uris: redirectUris,
+        grant_types: ['authorization_code'],
+        userinfo_signed_response_alg: 'RS256',
+        jwks: { keys: [await exportJWK(publicKey)] },
+      },
+    ],
+  });
+
+  const onStart = () =>
+    console.log(
+      `[e2e-auth-server] http://${host}:${port}/.well-known/openid-configuration`,
+    );
+  const app = oidc.listen(port, host, onStart);
+  return () => app.close();
+};
+
+export default setup;
@@ -0,0 +1,17 @@
+{
+  "name": "@immich/e2e-auth-server",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "main": "auth-server.ts",
+  "scripts": {
+    "start": "tsx startup.ts"
+  },
+  "devDependencies": {
+    "jose": "^6.0.0",
+    "@types/oidc-provider": "^9.0.0",
+    "oidc-provider": "^9.0.0",
+    "tsx": "^4.20.6"
+  },
+  "packageManager": "pnpm@10.33.1"
+}
@@ -0,0 +1,8 @@
+import setup from './auth-server'
+
+const teardown = await setup()
+process.on('exit', () => {
+  teardown()
+  console.log('[e2e-auth-server] stopped')
+  process.exit(0)
+})
@@ -0,0 +1,38 @@
+export const PRIVATE_KEY_PEM = `-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCVj5C7hzN3E2HO
+TcJ+DN/e2NSTQFj4rPylz4J8xjm8Es7l0k2kK5EEGvUNVGZbw7s055c+6kwP9eqg
+B5XFE7+26Fcq1sou6Tbm310kU4dnMW5l2CgwrhaGyb1pNysao0AMLT60dFYqtUwn
+ha9ceCsa+ZU1JrknVf3rONtppBvhWoI7CO9XX1keVQ0unHPzCWUjpXTzC8OGEbmB
+2w7ZIUf8OfJkd5RZ4OtIpML71W9n13aDxT50x2/EW/pFLFtQ/oaleOKHpvlRXDRX
+W86G4moUJym3gHMXMUj2aOcFG2UJnpLruKz3i5qZwYiTRlBP6O9EIQNCVtYxchuN
+V1CCcBU1AgMBAAECggEAJLfXMu8Nx89ynPVyyUMMaFfoEpHC9iR0L5obQVpiPMYK
+VRqVVLecdftPS9s7eQ58BNBRzdC0ZVu841aRYs3HLNbsZZhPkYZQpAxU//Dg5okY
+fzj7Hv5yidt4HN9+Pd8z/3lRMnj4WapifLaBt8xJ2ujJBMBRxzJBsXDnT0+Kx7+y
+bYDeuVfyUTEikaK3QZTbuRF3D3eiuN16GG+hv8UqTF2eYbPxdiLjYpTSHa4mH88C
+qfJz2Xt4SEzmyeo3G+MO17wDFOwtEe8ojlJfULHnHJSFdUwTfYIFM1bg5/fJ9MOS
+/fO3TSG+wkQqjQa6eoGssAzP87fL2XNLzlDtGY/7uQKBgQDHuJHOtf1EjOvNYiP7
+EN+8QGs41ghzt9CQRQxWbHpusR3IW3P83KMXwYmrlG70oOUXBRGSB/ESXUofXc5W
+pu5+Y55S44aUnu/a9yOBttYW0dtHZSL0zFT+PlVASwUzFZ2zcH1KXlUkSpfL5OAD
+PyDDTnBZ2AWh45fRO9wLo6PPuQKBgQC/tI03RqU3mOjqukKbquYeIpXHfRU5Z0DM
+u9ru1THYEl6fmkMXycxo/mvW3awyFuyKy/VodqIgKnFgumEqCHZh6OAMm/LC7TfA
+l9tjFSs/MyOqQVD4kbX+z6Oq4c4GccDoXfsQ3gzECoBapegi/F+6/25y+/C8ghXb
+J/Jg1GQXXQKBgQDFgWbfzuVZZyrBfu4qGLPJDMN7/114YizknwPma3xf/tN/EcGQ
+K/k1QvWMMkvPq1UiAKcxjJ0AFjV482FcG9T6NDWbrtmmG88C8Sex3Ue2ZW2+GuwI
+vhDHJIlV/Vp0/Elp7DJa2xLDwuh+gCZvz3vs6KL+ljxrrhCyn8mp0PfsMQKBgFFZ
+KnuETOO0zVGdzFoGQTQUdP58A5+iQwsdxB+I9Ge+E80iRso3ZbhADj7VPhbbR3D2
+b6LuhImluQrUzBpsEOAnU7vGCVPSGdBuIDiBaSKebsn2gYeZPWNtdQQ0YZq2dqek
+Cb/0mfIuipzsvf7qnSza62F7q4IyqVegMegI+Jg5AoGATM3NMy7JZeKzSkm+3ohU
+3xZOwgqKV9SH+0OeYWpuBxT7D7FlrKKI4NJ3XN3hg2f/DJAF6dH11CPe7pk94yol
+HMbh+PQUQ6GYvAzxIOvagWboQ3lzeyubNMpyFjfOrIE/WOQCUBZ9tIwCHIarIuyi
+QRuNOj3+U8T/n1Ww352HBdw=
+-----END PRIVATE KEY-----`;
+
+export const PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlY+Qu4czdxNhzk3Cfgzf
+3tjUk0BY+Kz8pc+CfMY5vBLO5dJNpCuRBBr1DVRmW8O7NOeXPupMD/XqoAeVxRO/
+tuhXKtbKLuk25t9dJFOHZzFuZdgoMK4Whsm9aTcrGqNADC0+tHRWKrVMJ4WvXHgr
+GvmVNSa5J1X96zjbaaQb4VqCOwjvV19ZHlUNLpxz8wllI6V08wvDhhG5gdsO2SFH
+/DnyZHeUWeDrSKTC+9VvZ9d2g8U+dMdvxFv6RSxbUP6GpXjih6b5UVw0V1vOhuJq
+FCcpt4BzFzFI9mjnBRtlCZ6S67is94uamcGIk0ZQT+jvRCEDQlbWMXIbjVdQgnAV
+NQIDAQAB
+-----END PUBLIC KEY-----`;