immich-app / immich

High performance self-hosted photo and video management solution.
https://immich.app
GNU Affero General Public License v3.0

Cannot create passwordless user, even though passwords are disabled #13274

Open Thinkscape opened 1 week ago

Thinkscape commented 1 week ago

The bug

Unable to create accounts without providing a password, even though I have password logins disabled and I'm using OAuth2 (working).

The OS that Immich Server is running on

Debian

Version of Immich Server

v1.117.0

Version of Immich Mobile App

N/A

Platform with the issue

Your docker-compose.yml content

N/A

Your .env content

N/A

Reproduction steps

Steps

  1. Go to Administration
  2. Settings
  3. Auth settings
  4. Oauth -> enabled and working
  5. Password Login -> disabled
  6. Go to Users
  7. Create user
  8. Provide Email, disable Require user to change password on first login
  9. Click Create

Expected

User gets created and can authenticate with OAuth2, assuming the user has an account with a matching email at the OAuth2 provider.

Actual

The error "Please fill in this field" appears at the password field.

Relevant log output

N/A

Additional information

No response

C-Otto commented 1 week ago

I can confirm. The "required" attribute for "PasswordField" is left at the default "true". We might want to change this if OAuth is enabled.

https://github.com/immich-app/immich/blob/a11d45458b3fef322afbdb049a95658ec7aebd96/web/src/lib/components/forms/create-user-form.svelte#L91-L94

https://github.com/immich-app/immich/blob/main/web/src/lib/components/shared-components/password-field.svelte

jedi04 commented 1 week ago

Hello @C-Otto, I looked up the code for this. Also, when we accept the body for creating a user, we are validating for an empty password there as well.

If the user switches to the normal login flow at that time, what should we do for the user created for OAuth?

Thinkscape commented 1 week ago

If the user switches to the normal login flow at that time, what should we do for the user created for OAuth?

Empty passwords would fail bcrypt hash validation, so those users would be unable to log in until an admin created a password for them.

jedi04 commented 1 week ago

I was looking into solving this issue. I tried to solve it in my local environment with the following approach:

For web: the user creation form will allow an empty password if OAuth is enabled in System Config.

For server: when creating a user there will be a check for OAuth, and only if it is enabled will we allow a request without any password and create the user.

Is this the right approach to solve this issue?

Thank you.
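The server-side half of the approach proposed above, written out as an added example (not immich's own code): a missing password is accepted only when OAuth is enabled in the system config, and a user stored without a password hash is refused on the password login path outright rather than relying on a bcrypt comparison to fail, as described earlier in the thread. All type and function names (SystemAuthConfig, CreateUserDto, validateCreateUser, canPasswordLogin) are assumed, not immich's real identifiers.

```typescript
// Assumed shapes; not immich's real config or DTO types.
interface SystemAuthConfig {
  oauthEnabled: boolean;
  passwordLoginEnabled: boolean;
}

interface CreateUserDto {
  email: string;
  password?: string; // omitted or empty for an OAuth-only account
  shouldChangePassword: boolean; // "Require user to change password on first login"
}

type Validation =
  | { ok: true; passwordless: boolean }
  | { ok: false; reason: string };

// Server-side create-user check: a password may be left out only when OAuth
// login is enabled, because otherwise the account could never sign in at all.
function validateCreateUser(dto: CreateUserDto, cfg: SystemAuthConfig): Validation {
  const hasPassword = typeof dto.password === 'string' && dto.password.length > 0;
  if (hasPassword) {
    return { ok: true, passwordless: false };
  }
  if (!cfg.oauthEnabled) {
    return { ok: false, reason: 'password is required unless OAuth is enabled' };
  }
  // A passwordless account has no password to change on first login.
  if (dto.shouldChangePassword) {
    return { ok: false, reason: 'passwordless user cannot be required to change password' };
  }
  return { ok: true, passwordless: true };
}

interface StoredUser {
  email: string;
  passwordHash: string | null; // null for accounts created without a password
}

// Password login path: an account with no stored hash is rejected before any
// bcrypt comparison, so the failure mode is explicit instead of incidental.
function canPasswordLogin(user: StoredUser, cfg: SystemAuthConfig): boolean {
  if (!cfg.passwordLoginEnabled) {
    return false;
  }
  return user.passwordHash !== null && user.passwordHash.length > 0;
}
```

Such an account only regains password login once an admin sets a password, which matches the behaviour described earlier in the thread.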