Description
-----------
A while ago I asked on Discord if you people would be interested in removing incompatibilities with rootless docker. See: https://discord.com/channels/979116623879368755/1071165397228855327/1442974448776122592
The e2e tests in `e2e/src/api/specs/oauth.e2e-spec.ts` depend on a docker feature [host-gateway](https://docs.docker.com/reference/cli/dockerd/#configure-host-gateway-ip) that seemingly does not work on rootless docker.
So the suggested change is to dockerify the `auth-server` and not run it on the docker host.
I would love to receive feedback on this PR and feel free to request further improvements. Things that come to my mind:
* Compile typescript instead of using `tsx`
* Add hot-reloading of source files in `auth-server/` for development
* Add `eslint` configuration for the new folder
How Has This Been Tested?
------------------------
I'm running both default and rootless docker on my machine with [docker contexts](https://docs.docker.com/engine/manage-resources/contexts/):
```
docker context ls
NAME DESCRIPTION DOCKER ENDPOINT ERROR
default unix:///var/run/docker.sock
rootless * unix:///run/user/1000/docker.sock
```
If I follow the steps from the [documentation](https://docs.immich.app/developer/testing) then `oauth.e2e-spec.ts` will fail because the `auth-server` on my host can't be reached.
The tests pass after these steps:
1. `git switch refactor-auth-server-as-service`
2. `make e2e`
3. In another terminal `cd e2e`
4. `pnpm run test src/api/specs/oauth.e2e-spec.ts` passes
Checklist:
----------
- [x] I have performed a self-review of my own code
- [x] I have made corresponding changes to the documentation if applicable
- [x] I have no unrelated changes in the PR.
- [ ] I have confirmed that any new dependencies are strictly necessary.
- [ ] I have written tests for new code (if applicable)
- [ ] I have followed naming conventions/patterns in the surrounding code
- [ ] All code in `src/services/` uses repositories implementations for database calls, filesystem operations, etc.
- [ ] All code in `src/repositories/` is pretty basic/simple and does not have any immich specific logic (that belongs in `src/services/`)
* fix: ensure oauth state param matches before finishing oauth flow
Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>
* chore: upgrade openid-client to v6
Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>
* feat: use PKCE for oauth2 on supported clients
Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>
* feat: use state and PKCE in mobile app
Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>
* fix: remove obsolete oauth repository init
Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>
* fix: rewrite callback url if mobile redirect url is enabled
Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>
* fix: propagate oidc client error cause when oauth callback fails
Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>
* fix: adapt auth service tests to required state and PKCE params
Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>
* fix: update sdk types
Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>
* fix: adapt oauth e2e test to work with PKCE
Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>
* fix: allow insecure (http) oauth clients
Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>
---------
Signed-off-by: Tin Pecirep <tin.pecirep@gmail.com>
Co-authored-by: Jason Rasmussen <jason@rasm.me>
