feat: migration api keys to use kysely (#15206)

server/src/dtos/auth.dto.ts

@@ -1,11 +1,11 @@
 import { ApiProperty } from '@nestjs/swagger';
 import { Transform } from 'class-transformer';
 import { IsEmail, IsNotEmpty, IsString, MinLength } from 'class-validator';
-import { APIKeyEntity } from 'src/entities/api-key.entity';
 import { SessionEntity } from 'src/entities/session.entity';
 import { SharedLinkEntity } from 'src/entities/shared-link.entity';
 import { UserEntity } from 'src/entities/user.entity';
 import { ImmichCookie } from 'src/enum';
+import { AuthApiKey } from 'src/types';
 import { toEmail } from 'src/validation';
 
 export type CookieResponse = {
@@ -16,7 +16,7 @@ export type CookieResponse = {
 export class AuthDto {
   user!: UserEntity;
 
-  apiKey?: APIKeyEntity;
+  apiKey?: AuthApiKey;
   sharedLink?: SharedLinkEntity;
   session?: SessionEntity;
 }

server/src/interfaces/api-key.interface.ts

@@ -1,16 +1,19 @@
+import { Insertable } from 'kysely';
+import { ApiKeys } from 'src/db';
 import { APIKeyEntity } from 'src/entities/api-key.entity';
+import { AuthApiKey } from 'src/types';
 
 export const IKeyRepository = 'IKeyRepository';
 
 export interface IKeyRepository {
-  create(dto: Partial<APIKeyEntity>): Promise<APIKeyEntity>;
+  create(dto: Insertable<ApiKeys>): Promise<APIKeyEntity>;
   update(userId: string, id: string, dto: Partial<APIKeyEntity>): Promise<APIKeyEntity>;
   delete(userId: string, id: string): Promise<void>;
   /**
    * Includes the hashed `key` for verification
    * @param id
    */
-  getKey(hashedToken: string): Promise<APIKeyEntity | null>;
+  getKey(hashedToken: string): Promise<AuthApiKey | undefined>;
   getById(userId: string, id: string): Promise<APIKeyEntity | null>;
   getByUserId(userId: string): Promise<APIKeyEntity[]>;
 }

server/src/queries/api.key.repository.sql

@@ -1,77 +1,59 @@
 -- NOTE: This file is auto generated by ./sql-generator
 
 -- ApiKeyRepository.getKey
-SELECT DISTINCT
+select
-  "distinctAlias"."APIKeyEntity_id" AS "ids_APIKeyEntity_id"
+  "api_keys"."id",
-FROM
+  "api_keys"."key",
-  (
+  "api_keys"."userId",
-    SELECT
+  "api_keys"."permissions",
-      "APIKeyEntity"."id" AS "APIKeyEntity_id",
+  to_json("user") as "user"
-      "APIKeyEntity"."key" AS "APIKeyEntity_key",
+from
-      "APIKeyEntity"."userId" AS "APIKeyEntity_userId",
+  "api_keys"
-      "APIKeyEntity"."permissions" AS "APIKeyEntity_permissions",
+  inner join lateral (
-      "APIKeyEntity__APIKeyEntity_user"."id" AS "APIKeyEntity__APIKeyEntity_user_id",
+    select
-      "APIKeyEntity__APIKeyEntity_user"."name" AS "APIKeyEntity__APIKeyEntity_user_name",
+      "users".*,
-      "APIKeyEntity__APIKeyEntity_user"."isAdmin" AS "APIKeyEntity__APIKeyEntity_user_isAdmin",
+      (
-      "APIKeyEntity__APIKeyEntity_user"."email" AS "APIKeyEntity__APIKeyEntity_user_email",
+        select
-      "APIKeyEntity__APIKeyEntity_user"."storageLabel" AS "APIKeyEntity__APIKeyEntity_user_storageLabel",
+          array_agg("user_metadata") as "metadata"
-      "APIKeyEntity__APIKeyEntity_user"."oauthId" AS "APIKeyEntity__APIKeyEntity_user_oauthId",
+        from
-      "APIKeyEntity__APIKeyEntity_user"."profileImagePath" AS "APIKeyEntity__APIKeyEntity_user_profileImagePath",
+          "user_metadata"
-      "APIKeyEntity__APIKeyEntity_user"."shouldChangePassword" AS "APIKeyEntity__APIKeyEntity_user_shouldChangePassword",
+        where
-      "APIKeyEntity__APIKeyEntity_user"."createdAt" AS "APIKeyEntity__APIKeyEntity_user_createdAt",
+          "users"."id" = "user_metadata"."userId"
-      "APIKeyEntity__APIKeyEntity_user"."deletedAt" AS "APIKeyEntity__APIKeyEntity_user_deletedAt",
+      ) as "metadata"
-      "APIKeyEntity__APIKeyEntity_user"."status" AS "APIKeyEntity__APIKeyEntity_user_status",
+    from
-      "APIKeyEntity__APIKeyEntity_user"."updatedAt" AS "APIKeyEntity__APIKeyEntity_user_updatedAt",
+      "users"
-      "APIKeyEntity__APIKeyEntity_user"."quotaSizeInBytes" AS "APIKeyEntity__APIKeyEntity_user_quotaSizeInBytes",
+    where
-      "APIKeyEntity__APIKeyEntity_user"."quotaUsageInBytes" AS "APIKeyEntity__APIKeyEntity_user_quotaUsageInBytes",
+      "users"."id" = "api_keys"."userId"
-      "APIKeyEntity__APIKeyEntity_user"."profileChangedAt" AS "APIKeyEntity__APIKeyEntity_user_profileChangedAt",
+      and "users"."deletedAt" is null
-      "7f5f7a38bf327bfbbf826778460704c9a50fe6f4"."userId" AS "7f5f7a38bf327bfbbf826778460704c9a50fe6f4_userId",
+  ) as "user" on true
-      "7f5f7a38bf327bfbbf826778460704c9a50fe6f4"."key" AS "7f5f7a38bf327bfbbf826778460704c9a50fe6f4_key",
+where
-      "7f5f7a38bf327bfbbf826778460704c9a50fe6f4"."value" AS "7f5f7a38bf327bfbbf826778460704c9a50fe6f4_value"
+  "api_keys"."key" = $1
-    FROM
-      "api_keys" "APIKeyEntity"
-      LEFT JOIN "users" "APIKeyEntity__APIKeyEntity_user" ON "APIKeyEntity__APIKeyEntity_user"."id" = "APIKeyEntity"."userId"
-      AND (
-        "APIKeyEntity__APIKeyEntity_user"."deletedAt" IS NULL
-      )
-      LEFT JOIN "user_metadata" "7f5f7a38bf327bfbbf826778460704c9a50fe6f4" ON "7f5f7a38bf327bfbbf826778460704c9a50fe6f4"."userId" = "APIKeyEntity__APIKeyEntity_user"."id"
-    WHERE
-      (("APIKeyEntity"."key" = $1))
-  ) "distinctAlias"
-ORDER BY
-  "APIKeyEntity_id" ASC
-LIMIT
-  1
 
 -- ApiKeyRepository.getById
-SELECT
+select
-  "APIKeyEntity"."id" AS "APIKeyEntity_id",
+  "id",
-  "APIKeyEntity"."name" AS "APIKeyEntity_name",
+  "name",
-  "APIKeyEntity"."userId" AS "APIKeyEntity_userId",
+  "userId",
-  "APIKeyEntity"."permissions" AS "APIKeyEntity_permissions",
+  "createdAt",
-  "APIKeyEntity"."createdAt" AS "APIKeyEntity_createdAt",
+  "updatedAt",
-  "APIKeyEntity"."updatedAt" AS "APIKeyEntity_updatedAt"
+  "permissions"
-FROM
+from
-  "api_keys" "APIKeyEntity"
+  "api_keys"
-WHERE
+where
-  (
+  "id" = $1::uuid
-    ("APIKeyEntity"."userId" = $1)
+  and "userId" = $2
-    AND ("APIKeyEntity"."id" = $2)
-  )
-LIMIT
-  1
 
 -- ApiKeyRepository.getByUserId
-SELECT
+select
-  "APIKeyEntity"."id" AS "APIKeyEntity_id",
+  "id",
-  "APIKeyEntity"."name" AS "APIKeyEntity_name",
+  "name",
-  "APIKeyEntity"."userId" AS "APIKeyEntity_userId",
+  "userId",
-  "APIKeyEntity"."permissions" AS "APIKeyEntity_permissions",
+  "createdAt",
-  "APIKeyEntity"."createdAt" AS "APIKeyEntity_createdAt",
+  "updatedAt",
-  "APIKeyEntity"."updatedAt" AS "APIKeyEntity_updatedAt"
+  "permissions"
-FROM
+from
-  "api_keys" "APIKeyEntity"
+  "api_keys"
-WHERE
+where
-  (("APIKeyEntity"."userId" = $1))
+  "userId" = $1
-ORDER BY
+order by
-  "APIKeyEntity"."createdAt" DESC
+  "createdAt" desc

server/src/repositories/api-key.repository.ts

@@ -1,52 +1,97 @@
 import { Injectable } from '@nestjs/common';
 import { InjectRepository } from '@nestjs/typeorm';
+import { Insertable, Kysely, Updateable } from 'kysely';
+import { InjectKysely } from 'nestjs-kysely';
+import { ApiKeys, DB } from 'src/db';
 import { DummyValue, GenerateSql } from 'src/decorators';
 import { APIKeyEntity } from 'src/entities/api-key.entity';
 import { IKeyRepository } from 'src/interfaces/api-key.interface';
+import { AuthApiKey } from 'src/types';
+import { asUuid } from 'src/utils/database';
 import { Repository } from 'typeorm';
 
+const columns = ['id', 'name', 'userId', 'createdAt', 'updatedAt', 'permissions'] as const;
+
 @Injectable()
 export class ApiKeyRepository implements IKeyRepository {
-  constructor(@InjectRepository(APIKeyEntity) private repository: Repository<APIKeyEntity>) {}
+  constructor(
+    @InjectRepository(APIKeyEntity) private repository: Repository<APIKeyEntity>,
+    @InjectKysely() private db: Kysely<DB>,
+  ) {}
 
-  async create(dto: Partial<APIKeyEntity>): Promise<APIKeyEntity> {
+  async create(dto: Insertable<ApiKeys>): Promise<APIKeyEntity> {
-    return this.repository.save(dto);
+    const { id, name, createdAt, updatedAt, permissions } = await this.db
+      .insertInto('api_keys')
+      .values(dto)
+      .returningAll()
+      .executeTakeFirstOrThrow();
+
+    return { id, name, createdAt, updatedAt, permissions } as APIKeyEntity;
   }
 
-  async update(userId: string, id: string, dto: Partial<APIKeyEntity>): Promise<APIKeyEntity> {
+  async update(userId: string, id: string, dto: Updateable<ApiKeys>): Promise<APIKeyEntity> {
-    await this.repository.update({ userId, id }, dto);
+    return this.db
-    return this.repository.findOneOrFail({ where: { id: dto.id } });
+      .updateTable('api_keys')
+      .set(dto)
+      .where('api_keys.userId', '=', userId)
+      .where('id', '=', asUuid(id))
+      .returningAll()
+      .executeTakeFirstOrThrow() as unknown as Promise<APIKeyEntity>;
   }
 
   async delete(userId: string, id: string): Promise<void> {
-    await this.repository.delete({ userId, id });
+    await this.db.deleteFrom('api_keys').where('userId', '=', userId).where('id', '=', asUuid(id)).execute();
   }
 
   @GenerateSql({ params: [DummyValue.STRING] })
-  getKey(hashedToken: string): Promise<APIKeyEntity | null> {
+  getKey(hashedToken: string): Promise<AuthApiKey | undefined> {
-    return this.repository.findOne({
+    return this.db
-      select: {
+      .selectFrom('api_keys')
-        id: true,
+      .innerJoinLateral(
-        key: true,
+        (eb) =>
-        userId: true,
+          eb
-        permissions: true,
+            .selectFrom('users')
-      },
+            .selectAll('users')
-      where: { key: hashedToken },
+            .select((eb) =>
-      relations: {
+              eb
-        user: {
+                .selectFrom('user_metadata')
-          metadata: true,
+                .whereRef('users.id', '=', 'user_metadata.userId')
-        },
+                .select((eb) => eb.fn('array_agg', [eb.table('user_metadata')]).as('metadata'))
-      },
+                .as('metadata'),
-    });
+            )
+            .whereRef('users.id', '=', 'api_keys.userId')
+            .where('users.deletedAt', 'is', null)
+            .as('user'),
+        (join) => join.onTrue(),
+      )
+      .select((eb) => [
+        'api_keys.id',
+        'api_keys.key',
+        'api_keys.userId',
+        'api_keys.permissions',
+        eb.fn.toJson('user').as('user'),
+      ])
+      .where('api_keys.key', '=', hashedToken)
+      .executeTakeFirst() as Promise<AuthApiKey | undefined>;
   }
 
   @GenerateSql({ params: [DummyValue.UUID, DummyValue.UUID] })
   getById(userId: string, id: string): Promise<APIKeyEntity | null> {
-    return this.repository.findOne({ where: { userId, id } });
+    return this.db
+      .selectFrom('api_keys')
+      .select(columns)
+      .where('id', '=', asUuid(id))
+      .where('userId', '=', userId)
+      .executeTakeFirst() as unknown as Promise<APIKeyEntity | null>;
   }
 
   @GenerateSql({ params: [DummyValue.UUID] })
   getByUserId(userId: string): Promise<APIKeyEntity[]> {
-    return this.repository.find({ where: { userId }, order: { createdAt: 'DESC' } });
+    return this.db
+      .selectFrom('api_keys')
+      .select(columns)
+      .where('userId', '=', userId)
+      .orderBy('createdAt', 'desc')
+      .execute() as unknown as Promise<APIKeyEntity[]>;
   }
 }

server/src/services/api-key.service.spec.ts

@@ -49,10 +49,7 @@ describe(APIKeyService.name, () => {
 
     it('should throw an error if the api key does not have sufficient permissions', async () => {
       await expect(
-        sut.create(
+        sut.create({ ...authStub.admin, apiKey: keyStub.authKey }, { permissions: [Permission.ASSET_READ] }),
-          { ...authStub.admin, apiKey: { ...keyStub.admin, permissions: [] } },
-          { permissions: [Permission.ASSET_READ] },
-        ),
       ).rejects.toBeInstanceOf(BadRequestException);
     });
   });

server/src/services/auth.service.spec.ts

@@ -405,7 +405,7 @@ describe('AuthService', () => {
 
   describe('validate - api key', () => {
     it('should throw an error if no api key is found', async () => {
-      keyMock.getKey.mockResolvedValue(null);
+      keyMock.getKey.mockResolvedValue(void 0);
       await expect(
         sut.authenticate({
           headers: { 'x-api-key': 'auth_token' },
@@ -417,7 +417,7 @@ describe('AuthService', () => {
     });
 
     it('should throw an error if api key has insufficient permissions', async () => {
-      keyMock.getKey.mockResolvedValue({ ...keyStub.admin, permissions: [] });
+      keyMock.getKey.mockResolvedValue(keyStub.authKey);
       await expect(
         sut.authenticate({
           headers: { 'x-api-key': 'auth_token' },
@@ -428,14 +428,14 @@ describe('AuthService', () => {
     });
 
     it('should return an auth dto', async () => {
-      keyMock.getKey.mockResolvedValue(keyStub.admin);
+      keyMock.getKey.mockResolvedValue(keyStub.authKey);
       await expect(
         sut.authenticate({
           headers: { 'x-api-key': 'auth_token' },
           queryParams: {},
           metadata: { adminRoute: false, sharedLinkRoute: false, uri: 'test' },
         }),
-      ).resolves.toEqual({ user: userStub.admin, apiKey: keyStub.admin });
+      ).resolves.toEqual({ user: userStub.admin, apiKey: keyStub.authKey });
       expect(keyMock.getKey).toHaveBeenCalledWith('auth_token (hashed)');
     });
   });

server/src/services/auth.service.ts

@@ -308,7 +308,7 @@ export class AuthService extends BaseService {
   private async validateApiKey(key: string): Promise<AuthDto> {
     const hashedKey = this.cryptoRepository.hashSha256(key);
     const apiKey = await this.keyRepository.getKey(hashedKey);
-    if (apiKey?.user) {
+    if (apiKey) {
       return { user: apiKey.user, apiKey };
     }
 

server/src/types.ts

@@ -0,0 +1,9 @@
+import { UserEntity } from 'src/entities/user.entity';
+import { Permission } from 'src/enum';
+
+export type AuthApiKey = {
+  id: string;
+  key: string;
+  user: UserEntity;
+  permissions: Permission[];
+};

server/test/fixtures/api-key.stub.ts

@@ -1,8 +1,16 @@
 import { APIKeyEntity } from 'src/entities/api-key.entity';
+import { AuthApiKey } from 'src/types';
 import { authStub } from 'test/fixtures/auth.stub';
 import { userStub } from 'test/fixtures/user.stub';
 
 export const keyStub = {
+  authKey: Object.freeze({
+    id: 'my-random-guid',
+    key: 'my-api-key (hashed)',
+    user: userStub.admin,
+    permissions: [],
+  } as AuthApiKey),
+
   admin: Object.freeze({
     id: 'my-random-guid',
     name: 'My Key',