Commit graph

21 commits

Author SHA1 Message Date
Ömer Duran
b2b1785126
Tests: Add unit tests for recent metadata, auth, and config changes #5697 2026-06-26 14:12:59 +02:00
Michael Mayer
c45ee6e54f Auth: Revoke derived sessions & gate app passwords by login state #5647
- Add scoped session revocation (RevokeSessions / RevokeDerivedSessions)
  shared by the user-update API and the CLI: a privilege-level change now
  revokes logins and app-password-derived sessions while keeping the app
  passwords themselves, so configured devices keep working.
- Identify app-password-derived sessions by auth_method "session".
- Deny app passwords on the REST API when the account cannot log in
  (DenyLogIn); WebDAV access stays governed by CanUseWebDAV.
- Reduce the WebDAV auth cache expiration to one minute.
- Add IsSystemOrInvalid; allow deleting the initial admin account and skip
  re-initializing a deactivated or deleted admin in InitAccount.
- Move session-revocation scopes to pkg/authn and extend tests.
2026-06-15 23:41:01 +00:00
Michael Mayer
cb48c209b6 Auth: Gate app passwords behind a settings feature flag #5647
Adds an AppPasswords feature flag (default on) so app passwords can be disabled, closing the bypass where an app password minted by an OIDC-provisioned user keeps working after the account expires. When off, minting (oauth/token and auth add) is rejected and existing app passwords are no longer accepted on the REST API (403) or WebDAV (401). App passwords are identified by their session auth provider (IsApplication), covering every grant type. The Apps and Devices affordance is hidden for sessions that may not change a password; operators can force it off via PHOTOPRISM_DISABLE_FEATURES.
2026-06-09 17:36:24 +00:00
Michael Mayer
cc7064b5a9 Logs: Improve log messages in API and share audit paths
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-03-08 12:53:20 +01:00
Michael Mayer
92d222a308 Config: Gate node roles by edition and align tests/lint
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-26 15:37:55 +01:00
Michael Mayer
c1467cb3f5 Cluster: Rename the "tenant" node role to "instance" for accuracy
This more accurately reflects the multi-instance architecture.

Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-23 04:27:43 +01:00
Michael Mayer
5f50802384 Cluster: Rename the "app" node role to "tenant"
Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-02-23 03:27:11 +01:00
Michael Mayer
755ebe0aee Cluster: Rename RoleInstance to RoleApp in service/cluster/roles.go #98
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-10-31 16:46:42 +01:00
Michael Mayer
42edf100ee Vision: Allow use of configured service key for API authentication #5299
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-10-30 10:02:16 +01:00
Michael Mayer
e1e673be7f API: Refactor "GET /api/v1/config" endpoint for JWT sessions #5230
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-10-29 12:29:12 +01:00
Michael Mayer
e93ceba659 Auth: Enhance JWT session creation and token IDs #5230
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-10-29 10:23:44 +01:00
Michael Mayer
a921f82a17 Pkg: Move /service/http/... to /http/... and add package /http/dns
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-10-19 21:08:48 +02:00
Michael Mayer
660c0a89db Backend: Introduce optimized test config helpers to improve performance
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-09-25 23:09:52 +02:00
Michael Mayer
bae8ceb3a7 Auth: Support asymmetric JSON Web Tokens (JWT) and Key Sets (JWKS) #5230
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-09-25 17:52:44 +02:00
Michael Mayer
887a39e7d9 Auth: Add "node" and "portal" roles, refactor session entity #98
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-09-18 13:33:18 +02:00
Michael Mayer
023fbe3a1d Pkg: Add service/cluster package & rename media/http → service/http #98
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-09-13 12:58:28 +02:00
Michael Mayer
6a89519e63 Videos: Refactor codec, content and file type specifications #4770
Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-02-05 00:30:45 +01:00
Michael Mayer
1f4f65e988 Server: Add "force" and "mode" flags for sockets #4673 #4767 #4765 #4467
These changes allow you to force the re-creation of existing Unix domain
sockets and set the permissions of sockets after they have been created.

The flag or variable value for this must be formatted as follows:
--http-host="unix:/var/run/photoprism.sock?force=true&mode=660"

Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-02-04 12:03:00 +01:00
Michael Mayer
fb186bf34d Backend: Move session package to /internal/auth/session
Signed-off-by: Michael Mayer <michael@photoprism.app>
2024-07-02 08:11:17 +02:00
Michael Mayer
a97f8d0795 API: Implement OIDC redirect endpoint #782
Requires further testing and refinement before it can be released.

Signed-off-by: Michael Mayer <michael@photoprism.app>
2024-07-01 16:50:53 +02:00
Michael Mayer
3e924b70c7 API: Move handling of HTTP auth headers to pkg/header #808 #3943 #3959
Signed-off-by: Michael Mayer <michael@photoprism.app>
2024-01-09 10:58:47 +01:00
Renamed from internal/api/api_acl_test.go (Browse further)