refactor(server): guards, decorators, and utils (#3060)

2025-11-03 19:17:11 -05:00 · 2023-07-01 14:27:34 -04:00 · 2023-07-01 14:27:34 -04:00 · d69fa3ceae
commit d69fa3ceae
parent f55b3add80
54 changed files with 243 additions and 255 deletions
--- a/server/e2e/album.e2e-spec.ts
+++ b/server/e2e/album.e2e-spec.ts
@ -1,13 +1,13 @@
 import {
  AlbumResponseDto,
  AuthService,
+  AuthUserDto,
  CreateAlbumDto,
  SharedLinkCreateDto,
  SharedLinkResponseDto,
  UserService,
 } from '@app/domain';
 import { AppModule } from '@app/immich/app.module';
-import { AuthUserDto } from '@app/immich/decorators/auth-user.decorator';
 import { SharedLinkType } from '@app/infra/entities';
 import { INestApplication } from '@nestjs/common';
 import { Test, TestingModule } from '@nestjs/testing';
--- a/server/src/domain/album/dto/album-add-users.dto.ts
+++ b/server/src/domain/album/dto/album-add-users.dto.ts
@ -1,5 +1,5 @@
-import { ValidateUUID } from '@app/immich/decorators/validate-uuid.decorator';
 import { ArrayNotEmpty } from 'class-validator';
+import { ValidateUUID } from '../../domain.util';

 export class AddUsersDto {
  @ValidateUUID({ each: true })
--- a/server/src/domain/album/dto/album-create.dto.ts
+++ b/server/src/domain/album/dto/album-create.dto.ts
@ -1,6 +1,6 @@
-import { ValidateUUID } from '@app/immich/decorators/validate-uuid.decorator';
 import { ApiProperty } from '@nestjs/swagger';
 import { IsNotEmpty, IsString } from 'class-validator';
+import { ValidateUUID } from '../../domain.util';

 export class CreateAlbumDto {
  @IsNotEmpty()
--- a/server/src/domain/album/dto/album-update.dto.ts
+++ b/server/src/domain/album/dto/album-update.dto.ts
@ -1,6 +1,6 @@
-import { ValidateUUID } from '@app/immich/decorators/validate-uuid.decorator';
 import { ApiProperty } from '@nestjs/swagger';
 import { IsOptional } from 'class-validator';
+import { ValidateUUID } from '../../domain.util';

 export class UpdateAlbumDto {
  @IsOptional()
--- a/server/src/domain/album/dto/get-albums.dto.ts
+++ b/server/src/domain/album/dto/get-albums.dto.ts
@ -1,8 +1,7 @@
-import { ValidateUUID } from '@app/immich/decorators/validate-uuid.decorator';
-import { toBoolean } from '@app/immich/utils/transform.util';
 import { ApiProperty } from '@nestjs/swagger';
 import { Transform } from 'class-transformer';
 import { IsBoolean, IsOptional } from 'class-validator';
+import { toBoolean, ValidateUUID } from '../../domain.util';

 export class GetAlbumsDto {
  @IsOptional()
--- a/server/src/domain/asset/dto/asset-ids.dto.ts
+++ b/server/src/domain/asset/dto/asset-ids.dto.ts
@ -1,4 +1,4 @@
-import { ValidateUUID } from '@app/immich/decorators/validate-uuid.decorator';
+import { ValidateUUID } from '../../domain.util';

 export class AssetIdsDto {
  @ValidateUUID({ each: true })
--- a/server/src/domain/asset/dto/download.dto.ts
+++ b/server/src/domain/asset/dto/download.dto.ts
@ -1,6 +1,6 @@
-import { ValidateUUID } from '@app/immich/decorators/validate-uuid.decorator';
 import { ApiProperty } from '@nestjs/swagger';
 import { IsInt, IsOptional, IsPositive } from 'class-validator';
+import { ValidateUUID } from '../../domain.util';

 export class DownloadDto {
  @ValidateUUID({ each: true, optional: true })
--- a/server/src/domain/asset/dto/map-marker.dto.ts
+++ b/server/src/domain/asset/dto/map-marker.dto.ts
@ -1,7 +1,7 @@
-import { toBoolean } from '@app/immich/utils/transform.util';
 import { ApiProperty } from '@nestjs/swagger';
 import { Transform, Type } from 'class-transformer';
 import { IsBoolean, IsDate, IsOptional } from 'class-validator';
+import { toBoolean } from '../../domain.util';

 export class MapMarkerDto {
  @ApiProperty()
--- a/server/src/domain/domain.util.ts
+++ b/server/src/domain/domain.util.ts
@ -1,4 +1,39 @@
+import { applyDecorators } from '@nestjs/common';
+import { ApiProperty } from '@nestjs/swagger';
+import { IsArray, IsNotEmpty, IsOptional, IsString, IsUUID } from 'class-validator';
 import { basename, extname } from 'node:path';
+import sanitize from 'sanitize-filename';
+
+export type Options = {
+  optional?: boolean;
+  each?: boolean;
+};
+
+export function ValidateUUID({ optional, each }: Options = { optional: false, each: false }) {
+  return applyDecorators(
+    IsUUID('4', { each }),
+    ApiProperty({ format: 'uuid' }),
+    optional ? IsOptional() : IsNotEmpty(),
+    each ? IsArray() : IsString(),
+  );
+}
+
+interface IValue {
+  value?: string;
+}
+
+export const toBoolean = ({ value }: IValue) => {
+  if (value == 'true') {
+    return true;
+  } else if (value == 'false') {
+    return false;
+  }
+  return value;
+};
+
+export const toEmail = ({ value }: IValue) => value?.toLowerCase();
+
+export const toSanitized = ({ value }: IValue) => sanitize((value || '').replace(/\./g, ''));

 export function getFileNameWithoutExtension(path: string): string {
  return basename(path, extname(path));
--- a/server/src/domain/search/dto/search.dto.ts
+++ b/server/src/domain/search/dto/search.dto.ts
@ -1,7 +1,7 @@
-import { toBoolean } from '@app/immich/utils/transform.util';
 import { AssetType } from '@app/infra/entities';
 import { Transform } from 'class-transformer';
 import { IsArray, IsBoolean, IsEnum, IsNotEmpty, IsOptional, IsString } from 'class-validator';
+import { toBoolean } from '../../domain.util';

 export class SearchDto {
  @IsString()
--- a/server/src/domain/shared-link/shared-link.dto.ts
+++ b/server/src/domain/shared-link/shared-link.dto.ts
@ -2,7 +2,7 @@ import { SharedLinkType } from '@app/infra/entities';
 import { ApiProperty } from '@nestjs/swagger';
 import { Type } from 'class-transformer';
 import { IsBoolean, IsDate, IsEnum, IsOptional, IsString } from 'class-validator';
-import { ValidateUUID } from '../../immich/decorators/validate-uuid.decorator';
+import { ValidateUUID } from '../domain.util';

 export class SharedLinkCreateDto {
  @IsEnum(SharedLinkType)
--- a/server/src/domain/user/dto/create-user.dto.ts
+++ b/server/src/domain/user/dto/create-user.dto.ts
@ -1,6 +1,6 @@
-import { toEmail, toSanitized } from '@app/immich/utils/transform.util';
 import { Transform } from 'class-transformer';
 import { IsEmail, IsNotEmpty, IsOptional, IsString } from 'class-validator';
+import { toEmail, toSanitized } from '../../domain.util';

 export class CreateUserDto {
  @IsEmail({ require_tld: false })
--- a/server/src/domain/user/dto/update-user.dto.ts
+++ b/server/src/domain/user/dto/update-user.dto.ts
@ -1,7 +1,7 @@
-import { toEmail, toSanitized } from '@app/immich/utils/transform.util';
 import { ApiProperty } from '@nestjs/swagger';
 import { Transform } from 'class-transformer';
 import { IsBoolean, IsEmail, IsNotEmpty, IsOptional, IsString, IsUUID } from 'class-validator';
+import { toEmail, toSanitized } from '../../domain.util';

 export class UpdateUserDto {
  @IsOptional()
--- a/server/src/immich/api-v1/album/album.controller.ts
+++ b/server/src/immich/api-v1/album/album.controller.ts
@ -1,10 +1,9 @@
-import { AlbumResponseDto } from '@app/domain';
+import { AlbumResponseDto, AuthUserDto } from '@app/domain';
 import { Body, Controller, Delete, Get, Param, Put } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
+import { Authenticated, AuthUser, SharedLinkRoute } from '../../app.guard';
+import { UseValidation } from '../../app.utils';
 import { UUIDParamDto } from '../../controllers/dto/uuid-param.dto';
-import { AuthUser, AuthUserDto } from '../../decorators/auth-user.decorator';
-import { Authenticated, SharedLinkRoute } from '../../decorators/authenticated.decorator';
-import { UseValidation } from '../../decorators/use-validation.decorator';
 import { AlbumService } from './album.service';
 import { AddAssetsDto } from './dto/add-assets.dto';
 import { RemoveAssetsDto } from './dto/remove-assets.dto';
--- a/server/src/immich/api-v1/album/album.service.spec.ts
+++ b/server/src/immich/api-v1/album/album.service.spec.ts
@ -1,8 +1,7 @@
-import { AlbumResponseDto, mapUser } from '@app/domain';
+import { AlbumResponseDto, AuthUserDto, mapUser } from '@app/domain';
 import { AlbumEntity, UserEntity } from '@app/infra/entities';
 import { ForbiddenException, NotFoundException } from '@nestjs/common';
 import { userEntityStub } from '@test';
-import { AuthUserDto } from '../../decorators/auth-user.decorator';
 import { IAlbumRepository } from './album-repository';
 import { AlbumService } from './album.service';
 import { AddAssetsResponseDto } from './response-dto/add-assets-response.dto';
--- a/server/src/immich/api-v1/album/album.service.ts
+++ b/server/src/immich/api-v1/album/album.service.ts
@ -1,7 +1,6 @@
-import { AlbumResponseDto, mapAlbum } from '@app/domain';
+import { AlbumResponseDto, AuthUserDto, mapAlbum } from '@app/domain';
 import { AlbumEntity } from '@app/infra/entities';
 import { BadRequestException, ForbiddenException, Inject, Injectable, Logger, NotFoundException } from '@nestjs/common';
-import { AuthUserDto } from '../../decorators/auth-user.decorator';
 import { IAlbumRepository } from './album-repository';
 import { AddAssetsDto } from './dto/add-assets.dto';
 import { RemoveAssetsDto } from './dto/remove-assets.dto';
--- a/server/src/immich/api-v1/album/dto/add-assets.dto.ts
+++ b/server/src/immich/api-v1/album/dto/add-assets.dto.ts
@ -1,4 +1,4 @@
-import { ValidateUUID } from '@app/immich/decorators/validate-uuid.decorator';
+import { ValidateUUID } from '@app/domain';

 export class AddAssetsDto {
  @ValidateUUID({ each: true })
--- a/server/src/immich/api-v1/album/dto/add-users.dto.ts
+++ b/server/src/immich/api-v1/album/dto/add-users.dto.ts
@ -1,4 +1,4 @@
-import { ValidateUUID } from '@app/immich/decorators/validate-uuid.decorator';
+import { ValidateUUID } from '@app/domain';

 export class AddUsersDto {
  @ValidateUUID({ each: true })
--- a/server/src/immich/api-v1/album/dto/remove-assets.dto.ts
+++ b/server/src/immich/api-v1/album/dto/remove-assets.dto.ts
@ -1,4 +1,4 @@
-import { ValidateUUID } from '@app/immich/decorators/validate-uuid.decorator';
+import { ValidateUUID } from '@app/domain';

 export class RemoveAssetsDto {
  @ValidateUUID({ each: true })
--- a/server/src/immich/api-v1/asset/asset.controller.ts
+++ b/server/src/immich/api-v1/asset/asset.controller.ts
@ -1,4 +1,4 @@
-import { AssetResponseDto } from '@app/domain';
+import { AssetResponseDto, AuthUserDto } from '@app/domain';
 import {
  Body,
  Controller,
@ -21,10 +21,9 @@ import {
 import { FileFieldsInterceptor } from '@nestjs/platform-express';
 import { ApiBody, ApiConsumes, ApiHeader, ApiOkResponse, ApiTags } from '@nestjs/swagger';
 import { Response as Res } from 'express';
+import { Authenticated, AuthUser, SharedLinkRoute } from '../../app.guard';
 import { assetUploadOption, ImmichFile } from '../../config/asset-upload.config';
 import { UUIDParamDto } from '../../controllers/dto/uuid-param.dto';
-import { AuthUser, AuthUserDto } from '../../decorators/auth-user.decorator';
-import { Authenticated, SharedLinkRoute } from '../../decorators/authenticated.decorator';
 import FileNotEmptyValidator from '../validation/file-not-empty-validator';
 import { AssetService } from './asset.service';
 import { AssetBulkUploadCheckDto } from './dto/asset-check.dto';
--- a/server/src/immich/api-v1/asset/dto/asset-search.dto.ts
+++ b/server/src/immich/api-v1/asset/dto/asset-search.dto.ts
@ -1,7 +1,7 @@
+import { toBoolean } from '@app/domain';
 import { ApiProperty } from '@nestjs/swagger';
 import { Transform } from 'class-transformer';
 import { IsBoolean, IsNotEmpty, IsNumber, IsOptional, IsUUID } from 'class-validator';
-import { toBoolean } from '../../../utils/transform.util';

 export class AssetSearchDto {
  @IsOptional()
--- a/server/src/immich/api-v1/asset/dto/create-asset.dto.ts
+++ b/server/src/immich/api-v1/asset/dto/create-asset.dto.ts
@ -1,9 +1,9 @@
+import { toBoolean, toSanitized } from '@app/domain';
 import { AssetType } from '@app/infra/entities';
 import { ApiProperty } from '@nestjs/swagger';
 import { Transform } from 'class-transformer';
 import { IsBoolean, IsEnum, IsNotEmpty, IsOptional, IsString } from 'class-validator';
 import { ImmichFile } from '../../../config/asset-upload.config';
-import { toBoolean, toSanitized } from '../../../utils/transform.util';

 export class CreateAssetBase {
  @IsNotEmpty()
--- a/server/src/immich/api-v1/asset/dto/get-asset-by-time-bucket.dto.ts
+++ b/server/src/immich/api-v1/asset/dto/get-asset-by-time-bucket.dto.ts
@ -1,7 +1,7 @@
+import { toBoolean } from '@app/domain';
 import { ApiProperty } from '@nestjs/swagger';
 import { Transform } from 'class-transformer';
 import { IsBoolean, IsNotEmpty, IsOptional, IsUUID } from 'class-validator';
-import { toBoolean } from '../../../utils/transform.util';

 export class GetAssetByTimeBucketDto {
  @IsNotEmpty()
--- a/server/src/immich/api-v1/asset/dto/get-asset-count-by-time-bucket.dto.ts
+++ b/server/src/immich/api-v1/asset/dto/get-asset-count-by-time-bucket.dto.ts
@ -1,7 +1,7 @@
+import { toBoolean } from '@app/domain';
 import { ApiProperty } from '@nestjs/swagger';
 import { Transform } from 'class-transformer';
 import { IsBoolean, IsNotEmpty, IsOptional, IsUUID } from 'class-validator';
-import { toBoolean } from '../../../utils/transform.util';

 export enum TimeGroupEnum {
  Day = 'day',
--- a/server/src/immich/api-v1/asset/dto/serve-file.dto.ts
+++ b/server/src/immich/api-v1/asset/dto/serve-file.dto.ts
@ -1,7 +1,7 @@
+import { toBoolean } from '@app/domain';
 import { ApiProperty } from '@nestjs/swagger';
 import { Transform } from 'class-transformer';
 import { IsBoolean, IsOptional } from 'class-validator';
-import { toBoolean } from '../../../utils/transform.util';

 export class ServeFileDto {
  @IsOptional()
--- a/server/src/immich/app.guard.ts
+++ b/server/src/immich/app.guard.ts
@ -0,0 +1,118 @@
+import { AuthService, AuthUserDto, IMMICH_API_KEY_NAME, LoginDetails } from '@app/domain';
+import {
+  applyDecorators,
+  CanActivate,
+  createParamDecorator,
+  ExecutionContext,
+  Injectable,
+  Logger,
+  SetMetadata,
+} from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { ApiBearerAuth, ApiCookieAuth, ApiQuery, ApiSecurity } from '@nestjs/swagger';
+import { Request } from 'express';
+import { UAParser } from 'ua-parser-js';
+
+export enum Metadata {
+  AUTH_ROUTE = 'auth_route',
+  ADMIN_ROUTE = 'admin_route',
+  SHARED_ROUTE = 'shared_route',
+  PUBLIC_SECURITY = 'public_security',
+}
+
+const adminDecorator = SetMetadata(Metadata.ADMIN_ROUTE, true);
+
+const sharedLinkDecorators = [
+  SetMetadata(Metadata.SHARED_ROUTE, true),
+  ApiQuery({ name: 'key', type: String, required: false }),
+];
+
+export interface AuthenticatedOptions {
+  admin?: boolean;
+  isShared?: boolean;
+}
+
+export const Authenticated = (options: AuthenticatedOptions = {}) => {
+  const decorators: MethodDecorator[] = [
+    ApiBearerAuth(),
+    ApiCookieAuth(),
+    ApiSecurity(IMMICH_API_KEY_NAME),
+    SetMetadata(Metadata.AUTH_ROUTE, true),
+  ];
+
+  if (options.admin) {
+    decorators.push(adminDecorator);
+  }
+
+  if (options.isShared) {
+    decorators.push(...sharedLinkDecorators);
+  }
+
+  return applyDecorators(...decorators);
+};
+
+export const PublicRoute = () =>
+  applyDecorators(SetMetadata(Metadata.AUTH_ROUTE, false), ApiSecurity(Metadata.PUBLIC_SECURITY));
+export const SharedLinkRoute = () => applyDecorators(...sharedLinkDecorators);
+export const AdminRoute = () => adminDecorator;
+
+export const AuthUser = createParamDecorator((data, ctx: ExecutionContext): AuthUserDto => {
+  return ctx.switchToHttp().getRequest<{ user: AuthUserDto }>().user;
+});
+
+export const GetLoginDetails = createParamDecorator((data, ctx: ExecutionContext): LoginDetails => {
+  const req = ctx.switchToHttp().getRequest();
+  const userAgent = UAParser(req.headers['user-agent']);
+
+  return {
+    clientIp: req.clientIp,
+    isSecure: req.secure,
+    deviceType: userAgent.browser.name || userAgent.device.type || req.headers.devicemodel || '',
+    deviceOS: userAgent.os.name || req.headers.devicetype || '',
+  };
+});
+
+export interface AuthRequest extends Request {
+  user?: AuthUserDto;
+}
+
+@Injectable()
+export class AppGuard implements CanActivate {
+  private logger = new Logger(AppGuard.name);
+
+  constructor(private reflector: Reflector, private authService: AuthService) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const targets = [context.getHandler(), context.getClass()];
+
+    const isAuthRoute = this.reflector.getAllAndOverride(Metadata.AUTH_ROUTE, targets);
+    const isAdminRoute = this.reflector.getAllAndOverride(Metadata.ADMIN_ROUTE, targets);
+    const isSharedRoute = this.reflector.getAllAndOverride(Metadata.SHARED_ROUTE, targets);
+
+    if (!isAuthRoute) {
+      return true;
+    }
+
+    const req = context.switchToHttp().getRequest<AuthRequest>();
+
+    const authDto = await this.authService.validate(req.headers, req.query as Record<string, string>);
+    if (!authDto) {
+      this.logger.warn(`Denied access to authenticated route: ${req.path}`);
+      return false;
+    }
+
+    if (authDto.isPublicUser && !isSharedRoute) {
+      this.logger.warn(`Denied access to non-shared route: ${req.path}`);
+      return false;
+    }
+
+    if (isAdminRoute && !authDto.isAdmin) {
+      this.logger.warn(`Denied access to admin only route: ${req.path}`);
+      return false;
+    }
+
+    req.user = authDto;
+
+    return true;
+  }
+}
--- a/server/src/immich/app.module.ts
+++ b/server/src/immich/app.module.ts
@ -5,6 +5,7 @@ import { APP_GUARD } from '@nestjs/core';
 import { ScheduleModule } from '@nestjs/schedule';
 import { AlbumModule } from './api-v1/album/album.module';
 import { AssetModule } from './api-v1/asset/asset.module';
+import { AppGuard } from './app.guard';
 import { AppService } from './app.service';
 import {
  AlbumController,
@ -23,7 +24,6 @@ import {
  TagController,
  UserController,
 } from './controllers';
-import { AuthGuard } from './middlewares/auth.guard';

@Module({
  imports: [
@ -52,8 +52,8 @@ import { AuthGuard } from './middlewares/auth.guard';
  ],
  providers: [
    //
-    { provide: APP_GUARD, useExisting: AuthGuard },
-    AuthGuard,
+    { provide: APP_GUARD, useExisting: AppGuard },
+    AppGuard,
    AppService,
  ],
 })
--- a/server/src/immich/app.utils.ts
+++ b/server/src/immich/app.utils.ts
@ -15,12 +15,29 @@ import {
 } from '@nestjs/swagger';
 import { writeFileSync } from 'fs';
 import path from 'path';
-import { Metadata } from './decorators/authenticated.decorator';
+
+import { applyDecorators, UsePipes, ValidationPipe } from '@nestjs/common';
+import { Metadata } from './app.guard';
+
+export function UseValidation() {
+  return applyDecorators(
+    UsePipes(
+      new ValidationPipe({
+        transform: true,
+        whitelist: true,
+      }),
+    ),
+  );
+}

 export const asStreamableFile = ({ stream, type, length }: ImmichReadStream) => {
  return new StreamableFile(stream, { type, length });
 };

+export function patchFormData(latin1: string) {
+  return Buffer.from(latin1, 'latin1').toString('utf8');
+}
+
 function sortKeys<T extends object>(obj: T): T {
  if (!obj) {
    return obj;
--- a/server/src/immich/config/asset-upload.config.spec.ts
+++ b/server/src/immich/config/asset-upload.config.spec.ts
@ -1,6 +1,6 @@
 import { Request } from 'express';
 import * as fs from 'fs';
-import { AuthRequest } from '../decorators/auth-user.decorator';
+import { AuthRequest } from '../app.guard';
 import { multerUtils } from './asset-upload.config';

 const { fileFilter, destination, filename } = multerUtils;
--- a/server/src/immich/config/asset-upload.config.ts
+++ b/server/src/immich/config/asset-upload.config.ts
@ -1,4 +1,4 @@
-import { isSidecarFileType, isSupportedFileType } from '@app/domain';
+import { AuthUserDto, isSidecarFileType, isSupportedFileType } from '@app/domain';
 import { StorageCore, StorageFolder } from '@app/domain/storage';
 import { BadRequestException, Logger, UnauthorizedException } from '@nestjs/common';
 import { MulterOptions } from '@nestjs/platform-express/multer/interfaces/multer-options.interface';
@ -7,8 +7,8 @@ import { existsSync, mkdirSync } from 'fs';
 import { diskStorage, StorageEngine } from 'multer';
 import { extname } from 'path';
 import sanitize from 'sanitize-filename';
-import { AuthRequest, AuthUserDto } from '../decorators/auth-user.decorator';
-import { patchFormData } from '../utils/path-form-data.util';
+import { AuthRequest } from '../app.guard';
+import { patchFormData } from '../app.utils';

 export interface ImmichFile extends Express.Multer.File {
  /** sha1 hash of file */
--- a/server/src/immich/config/profile-image-upload.config.spec.ts
+++ b/server/src/immich/config/profile-image-upload.config.spec.ts
@ -1,6 +1,6 @@
 import { Request } from 'express';
 import * as fs from 'fs';
-import { AuthRequest } from '../decorators/auth-user.decorator';
+import { AuthRequest } from '../app.guard';
 import { multerUtils } from './profile-image-upload.config';

 const { fileFilter, destination, filename } = multerUtils;
--- a/server/src/immich/config/profile-image-upload.config.ts
+++ b/server/src/immich/config/profile-image-upload.config.ts
@ -1,12 +1,12 @@
-import { StorageCore, StorageFolder } from '@app/domain/storage';
+import { AuthUserDto, StorageCore, StorageFolder } from '@app/domain';
 import { BadRequestException, UnauthorizedException } from '@nestjs/common';
 import { MulterOptions } from '@nestjs/platform-express/multer/interfaces/multer-options.interface';
 import { existsSync, mkdirSync } from 'fs';
 import { diskStorage } from 'multer';
 import { extname } from 'path';
 import sanitize from 'sanitize-filename';
-import { AuthRequest, AuthUserDto } from '../decorators/auth-user.decorator';
-import { patchFormData } from '../utils/path-form-data.util';
+import { AuthRequest } from '../app.guard';
+import { patchFormData } from '../app.utils';

 export const profileImageUploadOption: MulterOptions = {
  fileFilter,
--- a/server/src/immich/controllers/album.controller.ts
+++ b/server/src/immich/controllers/album.controller.ts
@ -10,9 +10,8 @@ import { GetAlbumsDto } from '@app/domain/album/dto/get-albums.dto';
 import { Body, Controller, Delete, Get, Param, Patch, Post, Put, Query } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
 import { ParseMeUUIDPipe } from '../api-v1/validation/parse-me-uuid-pipe';
-import { AuthUser } from '../decorators/auth-user.decorator';
-import { Authenticated } from '../decorators/authenticated.decorator';
-import { UseValidation } from '../decorators/use-validation.decorator';
+import { Authenticated, AuthUser } from '../app.guard';
+import { UseValidation } from '../app.utils';
 import { UUIDParamDto } from './dto/uuid-param.dto';

@ApiTags('Album')
--- a/server/src/immich/controllers/api-key.controller.ts
+++ b/server/src/immich/controllers/api-key.controller.ts
@ -8,9 +8,8 @@ import {
 } from '@app/domain';
 import { Body, Controller, Delete, Get, Param, Post, Put } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
-import { AuthUser } from '../decorators/auth-user.decorator';
-import { Authenticated } from '../decorators/authenticated.decorator';
-import { UseValidation } from '../decorators/use-validation.decorator';
+import { Authenticated, AuthUser } from '../app.guard';
+import { UseValidation } from '../app.utils';
 import { UUIDParamDto } from './dto/uuid-param.dto';

@ApiTags('API Key')
--- a/server/src/immich/controllers/asset.controller.ts
+++ b/server/src/immich/controllers/asset.controller.ts
@ -11,10 +11,8 @@ import { MapMarkerDto } from '@app/domain/asset/dto/map-marker.dto';
 import { MemoryLaneResponseDto } from '@app/domain/asset/response-dto/memory-lane-response.dto';
 import { Body, Controller, Get, HttpCode, HttpStatus, Param, Post, Query, StreamableFile } from '@nestjs/common';
 import { ApiOkResponse, ApiTags } from '@nestjs/swagger';
-import { asStreamableFile } from '../app.utils';
-import { AuthUser } from '../decorators/auth-user.decorator';
-import { Authenticated, SharedLinkRoute } from '../decorators/authenticated.decorator';
-import { UseValidation } from '../decorators/use-validation.decorator';
+import { Authenticated, AuthUser, SharedLinkRoute } from '../app.guard';
+import { asStreamableFile, UseValidation } from '../app.utils';
 import { UUIDParamDto } from './dto/uuid-param.dto';

@ApiTags('Asset')
--- a/server/src/immich/controllers/auth.controller.ts
+++ b/server/src/immich/controllers/auth.controller.ts
@ -18,9 +18,8 @@ import {
 import { Body, Controller, Delete, Get, Param, Post, Req, Res } from '@nestjs/common';
 import { ApiBadRequestResponse, ApiTags } from '@nestjs/swagger';
 import { Request, Response } from 'express';
-import { AuthUser, GetLoginDetails } from '../decorators/auth-user.decorator';
-import { Authenticated, PublicRoute } from '../decorators/authenticated.decorator';
-import { UseValidation } from '../decorators/use-validation.decorator';
+import { Authenticated, AuthUser, GetLoginDetails, PublicRoute } from '../app.guard';
+import { UseValidation } from '../app.utils';
 import { UUIDParamDto } from './dto/uuid-param.dto';

@ApiTags('Authentication')
--- a/server/src/immich/controllers/job.controller.ts
+++ b/server/src/immich/controllers/job.controller.ts
@ -1,8 +1,8 @@
 import { AllJobStatusResponseDto, JobCommandDto, JobIdParamDto, JobService, JobStatusDto } from '@app/domain';
 import { Body, Controller, Get, Param, Put } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
-import { Authenticated } from '../decorators/authenticated.decorator';
-import { UseValidation } from '../decorators/use-validation.decorator';
+import { Authenticated } from '../app.guard';
+import { UseValidation } from '../app.utils';

@ApiTags('Job')
@Controller('jobs')
--- a/server/src/immich/controllers/oauth.controller.ts
+++ b/server/src/immich/controllers/oauth.controller.ts
@ -11,9 +11,8 @@ import {
 import { Body, Controller, Get, HttpStatus, Post, Redirect, Req, Res } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
 import { Request, Response } from 'express';
-import { AuthUser, GetLoginDetails } from '../decorators/auth-user.decorator';
-import { Authenticated, PublicRoute } from '../decorators/authenticated.decorator';
-import { UseValidation } from '../decorators/use-validation.decorator';
+import { Authenticated, AuthUser, GetLoginDetails, PublicRoute } from '../app.guard';
+import { UseValidation } from '../app.utils';

@ApiTags('OAuth')
@Controller('oauth')
--- a/server/src/immich/controllers/partner.controller.ts
+++ b/server/src/immich/controllers/partner.controller.ts
@ -1,9 +1,8 @@
-import { PartnerDirection, PartnerService, UserResponseDto } from '@app/domain';
+import { AuthUserDto, PartnerDirection, PartnerService, UserResponseDto } from '@app/domain';
 import { Controller, Delete, Get, Param, Post, Query } from '@nestjs/common';
 import { ApiQuery, ApiTags } from '@nestjs/swagger';
-import { AuthUser, AuthUserDto } from '../decorators/auth-user.decorator';
-import { Authenticated } from '../decorators/authenticated.decorator';
-import { UseValidation } from '../decorators/use-validation.decorator';
+import { Authenticated, AuthUser } from '../app.guard';
+import { UseValidation } from '../app.utils';
 import { UUIDParamDto } from './dto/uuid-param.dto';

@ApiTags('Partner')
--- a/server/src/immich/controllers/person.controller.ts
+++ b/server/src/immich/controllers/person.controller.ts
@ -8,9 +8,8 @@ import {
 } from '@app/domain';
 import { Body, Controller, Get, Param, Put, StreamableFile } from '@nestjs/common';
 import { ApiOkResponse, ApiTags } from '@nestjs/swagger';
-import { AuthUser } from '../decorators/auth-user.decorator';
-import { Authenticated } from '../decorators/authenticated.decorator';
-import { UseValidation } from '../decorators/use-validation.decorator';
+import { Authenticated, AuthUser } from '../app.guard';
+import { UseValidation } from '../app.utils';
 import { UUIDParamDto } from './dto/uuid-param.dto';

 function asStreamableFile({ stream, type, length }: ImmichReadStream) {
--- a/server/src/immich/controllers/search.controller.ts
+++ b/server/src/immich/controllers/search.controller.ts
@ -8,9 +8,8 @@ import {
 } from '@app/domain';
 import { Controller, Get, Query } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
-import { AuthUser } from '../decorators/auth-user.decorator';
-import { Authenticated } from '../decorators/authenticated.decorator';
-import { UseValidation } from '../decorators/use-validation.decorator';
+import { Authenticated, AuthUser } from '../app.guard';
+import { UseValidation } from '../app.utils';

@ApiTags('Search')
@Controller('search')
--- a/server/src/immich/controllers/server-info.controller.ts
+++ b/server/src/immich/controllers/server-info.controller.ts
@ -7,8 +7,8 @@ import {
 } from '@app/domain';
 import { Controller, Get } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
-import { AdminRoute, Authenticated, PublicRoute } from '../decorators/authenticated.decorator';
-import { UseValidation } from '../decorators/use-validation.decorator';
+import { AdminRoute, Authenticated, PublicRoute } from '../app.guard';
+import { UseValidation } from '../app.utils';

@ApiTags('Server Info')
@Controller('server-info')
--- a/server/src/immich/controllers/shared-link.controller.ts
+++ b/server/src/immich/controllers/shared-link.controller.ts
@ -9,9 +9,8 @@ import {
 } from '@app/domain';
 import { Body, Controller, Delete, Get, Param, Patch, Post, Put } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
-import { AuthUser } from '../decorators/auth-user.decorator';
-import { Authenticated, SharedLinkRoute } from '../decorators/authenticated.decorator';
-import { UseValidation } from '../decorators/use-validation.decorator';
+import { Authenticated, AuthUser, SharedLinkRoute } from '../app.guard';
+import { UseValidation } from '../app.utils';
 import { UUIDParamDto } from './dto/uuid-param.dto';

@ApiTags('Shared Link')
--- a/server/src/immich/controllers/system-config.controller.ts
+++ b/server/src/immich/controllers/system-config.controller.ts
@ -1,8 +1,8 @@
 import { SystemConfigDto, SystemConfigService, SystemConfigTemplateStorageOptionDto } from '@app/domain';
 import { Body, Controller, Get, Put } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
-import { Authenticated } from '../decorators/authenticated.decorator';
-import { UseValidation } from '../decorators/use-validation.decorator';
+import { Authenticated } from '../app.guard';
+import { UseValidation } from '../app.utils';

@ApiTags('System Config')
@Controller('system-config')
--- a/server/src/immich/controllers/tag.controller.ts
+++ b/server/src/immich/controllers/tag.controller.ts
@ -2,6 +2,7 @@ import {
  AssetIdsDto,
  AssetIdsResponseDto,
  AssetResponseDto,
+  AuthUserDto,
  CreateTagDto,
  TagResponseDto,
  TagService,
@ -9,9 +10,8 @@ import {
 } from '@app/domain';
 import { Body, Controller, Delete, Get, Param, Patch, Post, Put } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
-import { AuthUser, AuthUserDto } from '../decorators/auth-user.decorator';
-import { Authenticated } from '../decorators/authenticated.decorator';
-import { UseValidation } from '../decorators/use-validation.decorator';
+import { Authenticated, AuthUser } from '../app.guard';
+import { UseValidation } from '../app.utils';
 import { UUIDParamDto } from './dto/uuid-param.dto';

@ApiTags('Tag')
--- a/server/src/immich/controllers/user.controller.ts
+++ b/server/src/immich/controllers/user.controller.ts
@ -1,4 +1,5 @@
 import {
+  AuthUserDto,
  CreateProfileImageDto,
  CreateProfileImageResponseDto,
  CreateUserDto,
@ -27,10 +28,9 @@ import {
 import { FileInterceptor } from '@nestjs/platform-express';
 import { ApiBody, ApiConsumes, ApiTags } from '@nestjs/swagger';
 import { Response as Res } from 'express';
+import { AdminRoute, Authenticated, AuthUser, PublicRoute } from '../app.guard';
+import { UseValidation } from '../app.utils';
 import { profileImageUploadOption } from '../config/profile-image-upload.config';
-import { AuthUser, AuthUserDto } from '../decorators/auth-user.decorator';
-import { AdminRoute, Authenticated, PublicRoute } from '../decorators/authenticated.decorator';
-import { UseValidation } from '../decorators/use-validation.decorator';

@ApiTags('User')
@Controller('user')
--- a/server/src/immich/decorators/auth-user.decorator.ts
+++ b/server/src/immich/decorators/auth-user.decorator.ts
@ -1,25 +0,0 @@
-export { AuthUserDto } from '@app/domain';
-import { AuthUserDto, LoginDetails } from '@app/domain';
-import { createParamDecorator, ExecutionContext } from '@nestjs/common';
-import { Request } from 'express';
-import { UAParser } from 'ua-parser-js';
-
-export interface AuthRequest extends Request {
-  user?: AuthUserDto;
-}
-
-export const AuthUser = createParamDecorator((data, ctx: ExecutionContext): AuthUserDto => {
-  return ctx.switchToHttp().getRequest<{ user: AuthUserDto }>().user;
-});
-
-export const GetLoginDetails = createParamDecorator((data, ctx: ExecutionContext): LoginDetails => {
-  const req = ctx.switchToHttp().getRequest();
-  const userAgent = UAParser(req.headers['user-agent']);
-
-  return {
-    clientIp: req.clientIp,
-    isSecure: req.secure,
-    deviceType: userAgent.browser.name || userAgent.device.type || req.headers.devicemodel || '',
-    deviceOS: userAgent.os.name || req.headers.devicetype || '',
-  };
-});
--- a/server/src/immich/decorators/authenticated.decorator.ts
+++ b/server/src/immich/decorators/authenticated.decorator.ts
@ -1,46 +0,0 @@
-import { IMMICH_API_KEY_NAME } from '@app/domain';
-import { applyDecorators, SetMetadata } from '@nestjs/common';
-import { ApiBearerAuth, ApiCookieAuth, ApiQuery, ApiSecurity } from '@nestjs/swagger';
-
-interface AuthenticatedOptions {
-  admin?: boolean;
-  isShared?: boolean;
-}
-
-export enum Metadata {
-  AUTH_ROUTE = 'auth_route',
-  ADMIN_ROUTE = 'admin_route',
-  SHARED_ROUTE = 'shared_route',
-  PUBLIC_SECURITY = 'public_security',
-}
-
-const adminDecorator = SetMetadata(Metadata.ADMIN_ROUTE, true);
-
-const sharedLinkDecorators = [
-  SetMetadata(Metadata.SHARED_ROUTE, true),
-  ApiQuery({ name: 'key', type: String, required: false }),
-];
-
-export const Authenticated = (options: AuthenticatedOptions = {}) => {
-  const decorators: MethodDecorator[] = [
-    ApiBearerAuth(),
-    ApiCookieAuth(),
-    ApiSecurity(IMMICH_API_KEY_NAME),
-    SetMetadata(Metadata.AUTH_ROUTE, true),
-  ];
-
-  if (options.admin) {
-    decorators.push(adminDecorator);
-  }
-
-  if (options.isShared) {
-    decorators.push(...sharedLinkDecorators);
-  }
-
-  return applyDecorators(...decorators);
-};
-
-export const PublicRoute = () =>
-  applyDecorators(SetMetadata(Metadata.AUTH_ROUTE, false), ApiSecurity(Metadata.PUBLIC_SECURITY));
-export const SharedLinkRoute = () => applyDecorators(...sharedLinkDecorators);
-export const AdminRoute = () => adminDecorator;
--- a/server/src/immich/decorators/use-validation.decorator.ts
+++ b/server/src/immich/decorators/use-validation.decorator.ts
@ -1,12 +0,0 @@
-import { applyDecorators, UsePipes, ValidationPipe } from '@nestjs/common';
-
-export function UseValidation() {
-  return applyDecorators(
-    UsePipes(
-      new ValidationPipe({
-        transform: true,
-        whitelist: true,
-      }),
-    ),
-  );
-}
--- a/server/src/immich/decorators/validate-uuid.decorator.ts
+++ b/server/src/immich/decorators/validate-uuid.decorator.ts
@ -1,17 +0,0 @@
-import { applyDecorators } from '@nestjs/common';
-import { ApiProperty } from '@nestjs/swagger';
-import { IsArray, IsNotEmpty, IsOptional, IsString, IsUUID } from 'class-validator';
-
-export type Options = {
-  optional?: boolean;
-  each?: boolean;
-};
-
-export function ValidateUUID({ optional, each }: Options = { optional: false, each: false }) {
-  return applyDecorators(
-    IsUUID('4', { each }),
-    ApiProperty({ format: 'uuid' }),
-    optional ? IsOptional() : IsNotEmpty(),
-    each ? IsArray() : IsString(),
-  );
-}
--- a/server/src/immich/middlewares/auth.guard.ts
+++ b/server/src/immich/middlewares/auth.guard.ts
@ -1,46 +0,0 @@
-import { AuthService } from '@app/domain';
-import { CanActivate, ExecutionContext, Injectable, Logger } from '@nestjs/common';
-import { Reflector } from '@nestjs/core';
-import { AuthRequest } from '../decorators/auth-user.decorator';
-import { Metadata } from '../decorators/authenticated.decorator';
-
-@Injectable()
-export class AuthGuard implements CanActivate {
-  private logger = new Logger(AuthGuard.name);
-
-  constructor(private reflector: Reflector, private authService: AuthService) {}
-
-  async canActivate(context: ExecutionContext): Promise<boolean> {
-    const targets = [context.getHandler(), context.getClass()];
-
-    const isAuthRoute = this.reflector.getAllAndOverride(Metadata.AUTH_ROUTE, targets);
-    const isAdminRoute = this.reflector.getAllAndOverride(Metadata.ADMIN_ROUTE, targets);
-    const isSharedRoute = this.reflector.getAllAndOverride(Metadata.SHARED_ROUTE, targets);
-
-    if (!isAuthRoute) {
-      return true;
-    }
-
-    const req = context.switchToHttp().getRequest<AuthRequest>();
-
-    const authDto = await this.authService.validate(req.headers, req.query as Record<string, string>);
-    if (!authDto) {
-      this.logger.warn(`Denied access to authenticated route: ${req.path}`);
-      return false;
-    }
-
-    if (authDto.isPublicUser && !isSharedRoute) {
-      this.logger.warn(`Denied access to non-shared route: ${req.path}`);
-      return false;
-    }
-
-    if (isAdminRoute && !authDto.isAdmin) {
-      this.logger.warn(`Denied access to admin only route: ${req.path}`);
-      return false;
-    }
-
-    req.user = authDto;
-
-    return true;
-  }
-}
--- a/server/src/immich/utils/path-form-data.util.ts
+++ b/server/src/immich/utils/path-form-data.util.ts
@ -1,3 +0,0 @@
-export function patchFormData(latin1: string) {
-  return Buffer.from(latin1, 'latin1').toString('utf8');
-}
--- a/server/src/immich/utils/transform.util.ts
+++ b/server/src/immich/utils/transform.util.ts
@ -1,18 +0,0 @@
-import sanitize from 'sanitize-filename';
-
-interface IValue {
-  value?: string;
-}
-
-export const toBoolean = ({ value }: IValue) => {
-  if (value == 'true') {
-    return true;
-  } else if (value == 'false') {
-    return false;
-  }
-  return value;
-};
-
-export const toEmail = ({ value }: IValue) => value?.toLowerCase();
-
-export const toSanitized = ({ value }: IValue) => sanitize((value || '').replace(/\./g, ''));
--- a/server/test/test-utils.ts
+++ b/server/test/test-utils.ts
@ -1,5 +1,5 @@
-import { AuthUserDto } from '@app/immich/decorators/auth-user.decorator';
-import { AuthGuard } from '@app/immich/middlewares/auth.guard';
+import { AuthUserDto } from '@app/domain';
+import { AppGuard } from '@app/immich/app.guard';
 import { CanActivate, ExecutionContext } from '@nestjs/common';
 import { TestingModuleBuilder } from '@nestjs/testing';
 import { DataSource } from 'typeorm';
@ -34,5 +34,5 @@ export function authCustom(builder: TestingModuleBuilder, callback: CustomAuthCa
      return true;
    },
  };
-  return builder.overrideProvider(AuthGuard).useValue(canActivate);
+  return builder.overrideProvider(AppGuard).useValue(canActivate);
 }