Expire asset decryption tokens
This commit is contained in:
parent
f78a02bb8d
commit
be66b16a08
3
.github/workflows/ci.yaml
vendored
3
.github/workflows/ci.yaml
vendored
@ -4,7 +4,7 @@ on:
|
|||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
push:
|
push:
|
||||||
tags:
|
tags:
|
||||||
- 'v*' # Only on version tags like v1.0, v2.0, etc.
|
- 'v*'
|
||||||
|
|
||||||
env:
|
env:
|
||||||
IMAGE_NAME: ${{ github.repository }}
|
IMAGE_NAME: ${{ github.repository }}
|
||||||
@ -12,7 +12,6 @@ env:
|
|||||||
jobs:
|
jobs:
|
||||||
build-and-push-image:
|
build-and-push-image:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
# Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
|
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: read
|
||||||
packages: write
|
packages: write
|
||||||
|
@ -17,7 +17,8 @@ ENV APP_VERSION=${PACKAGE_VERSION}
|
|||||||
ENV NODE_ENV=production
|
ENV NODE_ENV=production
|
||||||
|
|
||||||
# Build without type checking, as we have removed the Typescript
|
# Build without type checking, as we have removed the Typescript
|
||||||
# dev-dependencies above to save space in the final build
|
# dev-dependencies above to save space in the final build.
|
||||||
|
# Type checking is done in the repo before building the image.
|
||||||
RUN npx tsc --noCheck
|
RUN npx tsc --noCheck
|
||||||
|
|
||||||
HEALTHCHECK --interval=30s --start-period=10s --timeout=5s CMD node /app/healthcheck.js || exit 1
|
HEALTHCHECK --interval=30s --start-period=10s --timeout=5s CMD node /app/healthcheck.js || exit 1
|
||||||
|
@ -219,7 +219,9 @@ class Immich {
|
|||||||
/**
|
/**
|
||||||
* When loading assets from a password-protected link, make the decryption key valid for a
|
* When loading assets from a password-protected link, make the decryption key valid for a
|
||||||
* short time. If the visitor loads the share link again, it will renew that expiry time.
|
* short time. If the visitor loads the share link again, it will renew that expiry time.
|
||||||
* This prevents people from sharing the image links and bypassing password protection.
|
* Even though the recipient already knows the password, this is just in case - for example
|
||||||
|
* to protect against the password-protected link being revoked, but the asset links still
|
||||||
|
* being valid.
|
||||||
*/
|
*/
|
||||||
encryptPassword (password: string) {
|
encryptPassword (password: string) {
|
||||||
return encrypt(JSON.stringify({
|
return encrypt(JSON.stringify({
|
||||||
|
Loading…
Reference in New Issue
Block a user