Expire asset decryption tokens

Alan Grainger 2024-11-03 20:28:37 +01:00
parent f78a02bb8d
commit be66b16a08
3 changed files with 6 additions and 4 deletions


@ -4,7 +4,7 @@ on:
workflow_dispatch:
push:
tags:
- 'v*' # Only on version tags like v1.0, v2.0, etc.
- 'v*'
env:
IMAGE_NAME: ${{ github.repository }}
@ -12,7 +12,6 @@ env:
jobs:
build-and-push-image:
runs-on: ubuntu-latest
# Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
permissions:
contents: read
packages: write
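Review bot: The tag filter `'v*'` matches every tag that starts with `v`, not only version tags, and with the inline comment removed the intended scope is no longer stated in this hunk. The job runs with `packages: write` and, going by its name, publishes an image on each matching tag push. Consider narrowing the pattern to the project's tag scheme, for example `- 'v[0-9]+.[0-9]+'`, or keep a short comment saying the breadth is deliberate. The second hunk also drops the line explaining the `permissions:` block; a brief `# least privilege for GITHUB_TOKEN: read the repo, push the image` would keep that intent visible. The job's steps are outside the hunk.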


@ -17,7 +17,8 @@ ENV APP_VERSION=${PACKAGE_VERSION}
ENV NODE_ENV=production
# Build without type checking, as we have removed the Typescript
# dev-dependencies above to save space in the final build
# dev-dependencies above to save space in the final build.
# Type checking is done in the repo before building the image.
RUN npx tsc --noCheck
HEALTHCHECK --interval=30s --start-period=10s --timeout=5s CMD node /app/healthcheck.js || exit 1
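Review bot: The added comment states that type checking happens in the repository before the image is built, but nothing visible in this commit enforces it: the build runs `npx tsc --noCheck`, and the workflow's steps are not shown. If no CI step runs the checker, a type error can reach the published image unnoticed. A step such as `run: npx tsc --noEmit` ahead of the image build would back the comment up, or the comment could name the job that does the check. Separately, if `typescript` itself is among the dev-dependencies removed above (not visible here), `npx tsc` would resolve a package from the registry at build time instead of the lockfile-pinned compiler, which is worth confirming.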


@ -219,7 +219,9 @@ class Immich {
/**
* When loading assets from a password-protected link, make the decryption key valid for a
* short time. If the visitor loads the share link again, it will renew that expiry time.
* This prevents people from sharing the image links and bypassing password protection.
* Even though the recipient already knows the password, this is just in case - for example
* to protect against the password-protected link being revoked, but the asset links still
* being valid.
*/
encryptPassword (password: string) {
return encrypt(JSON.stringify({
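Review bot: The rewritten doc comment on `encryptPassword` says the key is valid for "a short time" but gives neither the lifetime nor where expiry is enforced, and the changes in this section appear to be comment lines only. The method body continues outside the hunk, so it cannot be confirmed from here that the encrypted payload carries an expiry and that the decrypting side rejects a stale one. Because the expiry is renewed each time the share link is loaded, the comment should also say that asset links issued before a revocation presumably keep working until the last issued key lapses. I would add a line such as `* Keys expire after <LIFETIME>; expiry is checked in <DECRYPT_PATH> before the asset is served.` with the real values filled in.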