diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md new file mode 100644 index 00000000000..5cb84196722 --- /dev/null +++ b/.github/copilot-instructions.md @@ -0,0 +1,324 @@ +# InvokeAI Copilot Instructions + +## Project Overview + +InvokeAI is a leading creative engine built to empower professionals and enthusiasts alike. It's a full-featured AI-assisted image generation environment designed for creatives and enthusiasts, with an industry-leading web-based UI. The project serves as the foundation for multiple commercial products and is free to use under a commercially-friendly license. + +**Key Technologies:** +- Backend: Python 3.11-3.12, FastAPI, Socket.IO, PyTorch +- Frontend: React, TypeScript, Vite, Redux +- AI/ML: Stable Diffusion (SD1.5, SD2.0, SDXL, FLUX), Diffusers, Transformers +- Database: SQLite +- Package Management: uv (backend), pnpm (frontend) + +## Repository Structure + +``` +invokeai/ +├── app/ # Main application code +│ ├── api/ # FastAPI routes and API endpoints +│ ├── invocations/ # Node-based invocation system +│ └── services/ # Core services (model management, image storage, etc.) +├── backend/ # AI/ML core functionality +│ ├── image_util/ # Image processing utilities +│ ├── model_management/ # Model loading and management +│ └── stable_diffusion/ # SD pipeline implementations +├── frontend/web/ # React web UI +│ └── src/ +│ ├── app/ # App setup and configuration +│ ├── common/ # Shared utilities and types +│ ├── features/ # Feature-specific components and logic +│ └── services/ # API clients and services +├── configs/ # Configuration files +└── tests/ # Test suite +``` + +## Development Environment Setup + +### Prerequisites +- Python 3.11 or 3.12 (as specified in pyproject.toml: `>=3.11, <3.13`) +- Node.js v22.14.0 or compatible v22.x LTS version (see .nvmrc) +- pnpm v10.x (minimum v10 required, see package.json) +- Git LFS +- uv (Python package manager) + +### Initial Setup + +1. **Clone and configure Git LFS:** + ```bash + git clone https://github.com/invoke-ai/InvokeAI.git + cd InvokeAI + git config lfs.fetchinclude "*" + git lfs pull + ``` + +2. **Backend Setup:** + ```bash + # Install Python dependencies with dev extras (adjust --python version as needed: 3.11 or 3.12) + uv pip install -e ".[dev,test,docs,xformers]" --python 3.12 --python-preference only-managed --index=https://download.pytorch.org/whl/cu128 --reinstall + ``` + +3. **Frontend Setup:** + ```bash + cd invokeai/frontend/web + pnpm install + pnpm build # For production build + # OR + pnpm dev # For development mode (hot reload on localhost:5173) + ``` + +4. **Database:** Use an ephemeral in-memory database for development by setting `use_memory_db: true` and `scan_models_on_startup: true` in your `invokeai.yaml` file. + +### Common Development Commands + +**Backend:** +```bash +make ruff # Run ruff linter and formatter +make ruff-unsafe # Run ruff with unsafe fixes +make mypy # Run type checker +make test # Run unit tests +pytest tests/ # Run fast tests only +pytest tests/ -m slow # Run slow tests +``` + +**Frontend:** +```bash +cd invokeai/frontend/web +pnpm lint # Run all linters +pnpm lint:eslint # Check ESLint issues +pnpm lint:prettier # Check formatting +pnpm lint:tsc # Check TypeScript issues +pnpm fix # Auto-fix issues +pnpm test:no-watch # Run tests +``` + +**Documentation:** +```bash +make docs # Serve mkdocs with live reload +mkdocs serve # Alternative command +``` + +## Code Style and Conventions + +### Python (Backend) + +**Style Guidelines:** +- Use **uv tool run ruff@0.11.2 check** for linting and formatting (replaces Black, isort, flake8) +- Line length: 120 characters +- Type hints are required (mypy strict mode with Pydantic plugin) +- Use absolute imports (no relative imports allowed) +- Follow PEP 8 conventions + +**Key Conventions:** +- All invocations must inherit from `BaseInvocation` +- Use the `@invocation` decorator for invocation classes +- Invocation class names should end with "Invocation" (e.g., `ResizeImageInvocation`) +- Use `InputField()` for invocation inputs and `OutputField()` for outputs +- All invocations must have a docstring +- Services should provide an abstract base class interface + +**Import Style:** +```python +# Use absolute imports from invokeai +from invokeai.invocation_api import BaseInvocation, invocation, InputField +from invokeai.app.services.image_records.image_records_common import ImageCategory +``` + +**Example Invocation:** +```python +from invokeai.invocation_api import ( + BaseInvocation, + invocation, + InputField, + OutputField, +) + +@invocation('my_invocation', title='My Invocation', tags=['image'], category='image') +class MyInvocation(BaseInvocation): + """Does something with an image.""" + + image: ImageField = InputField(description="The input image") + width: int = InputField(default=512, description="Output width") + + def invoke(self, context: InvocationContext) -> ImageOutput: + # Implementation + pass +``` + +### TypeScript/JavaScript (Frontend) + +**Style Guidelines:** +- Use **ESLint** and **Prettier** for linting and formatting +- Prefer TypeScript over JavaScript +- Use functional components with hooks +- Use Redux Toolkit for state management +- Colocate tests with source files using `.test.ts` suffix +- If pydantic schema has changed run `cd invokeai/frontend/web && python ../../../scripts/generate_openapi_schema.py | pnpm typegen` + +**Key Conventions:** +- Tests should use Vitest +- No tests needed for trivial code (type definitions, re-exports) +- UI tests are not currently implemented +- Keep components focused and composable + +**Import Organization:** +```typescript +// External imports first +import { useCallback } from 'react'; +import { useDispatch } from 'react-redux'; + +// Internal app imports +import { setActiveTab } from 'features/ui/store/uiSlice'; +import type { AppDispatch } from 'app/store/store'; +``` + +## Architecture + +### Backend Architecture + +**Invocation System:** +- **Invocations**: Modular nodes that represent single operations with inputs and outputs +- **Sessions**: Maintain graphs of linked invocations and execution history +- **Invoker**: Manages sessions and the invocation queue +- **Services**: Provide functionality to invocations (model management, image storage, etc.) + +**Key Principles:** +- Invocations form directed acyclic graphs (no loops) +- All invocations are auto-discovered from `invokeai/app/invocations/` +- Services use abstract base classes for flexibility +- Applications interact through the invoker, not directly with core code + +### Frontend Architecture + +**State Management:** +- Redux Toolkit for global state +- Feature-based organization +- Slices for different app areas (ui, gallery, generation, etc.) + +**API Communication:** +- REST API via FastAPI +- Real-time updates via Socket.IO +- OpenAPI-generated TypeScript types + +## Testing Practices + +### Backend Testing + +**Test Organization:** +- All tests in `tests/` directory, mirroring `invokeai/` structure +- Use pytest with markers: `@pytest.mark.slow` for tests >1s +- Default: fast tests only (`-m "not slow"`) +- Coverage target: 85% + +**Test Commands:** +```bash +pytest tests/ # Fast tests +pytest tests/ -m slow # Slow tests +pytest tests/ -m "" # All tests +pytest tests/ --cov # With coverage report +``` + +**Model Testing:** +- Auto-download models if not present +- Avoid re-downloading existing models +- Reuse models across tests when possible +- Use fixtures: `model_installer`, `torch_device` + +### Frontend Testing + +**Test Guidelines:** +- Use Vitest for unit tests +- Colocate tests with source files (`.test.ts`) +- No UI/integration tests currently +- Skip tests for trivial code + +## Common Tasks + +### Adding a New Invocation + +1. Create a new file in `invokeai/app/invocations/` +2. Define class inheriting from `BaseInvocation` +3. Add `@invocation` decorator with unique ID +4. Define inputs with `InputField()` +5. Implement `invoke()` method +6. Return appropriate output type +7. Add to `__init__.py` in the invocations directory + +### Adding a New Service + +1. Create abstract base class interface in `invokeai/app/services/` +2. Implement default local implementation +3. Register service in invoker setup +4. Avoid loading heavy dependencies unless implementation is used + +### Frontend Development + +1. Make changes in `invokeai/frontend/web/src/` +2. Run linters: `pnpm lint` +3. Fix issues: `pnpm fix` +4. Test in dev mode: `pnpm dev` (localhost:5173) +5. Build for production: `pnpm build` + +### Updating OpenAPI Types + +When backend API changes: +```bash +cd invokeai/frontend/web +python ../../../scripts/generate_openapi_schema.py | pnpm typegen +``` + +## Build and Deployment + +**Backend Build:** +```bash +# Build wheel +cd scripts && ./build_wheel.sh +``` + +**Frontend Build:** +```bash +make frontend-build +# OR +cd invokeai/frontend/web && pnpm build +``` + +**Running the Application:** +```bash +invokeai-web # Starts server on localhost:9090 +``` + +## Contributing Guidelines + +1. **Before starting:** Check in with maintainers to ensure alignment with project vision +2. **Development:** + - Fork and clone the repository + - Create a feature branch + - Make changes following style guidelines + - Add/update tests as needed + - Run linters and tests +3. **Pull Requests:** + - Use the PR template + - Provide clear summary and QA instructions + - Link related issues (use "Closes #123" to auto-close) + - Check all items in the PR checklist + - Update documentation if needed + - Update migration if redux slice changes +4. **Code Review:** Be responsive to feedback and ready to iterate + +## Important Notes + +- **Database Migrations:** Redux slice changes require corresponding migrations +- **Python Linting/Formatting:** The project uses **Ruff** for new code (via `make ruff`), which replaces black, flake8, and isort. However, pre-commit hooks still reference the older tools - this is a known transition state. +- **Model Management:** Models are auto-registered on startup if configured +- **External Code:** Some directories contain external code (mediapipe_face, mlsd, normal_bae, etc.) and are excluded from linting +- **Platform Support:** Cross-platform (Linux, macOS, Windows) with GPU support (CUDA, ROCm) +- **Localization:** UI supports 20+ languages via Weblate + +## Resources + +- [Documentation](https://invoke-ai.github.io/InvokeAI/) +- [Discord Community](https://discord.gg/ZmtBAhwWhy) +- [GitHub Issues](https://github.com/invoke-ai/InvokeAI/issues) +- [Contributing Guide](https://invoke-ai.github.io/InvokeAI/contributing/) +- [Architecture Overview](docs/contributing/ARCHITECTURE.md) +- [Invocations Guide](docs/contributing/INVOCATIONS.md) diff --git a/Makefile b/Makefile index c19dd97038c..f1e81429e73 100644 --- a/Makefile +++ b/Makefile @@ -16,20 +16,20 @@ help: @echo "frontend-build Build the frontend in order to run on localhost:9090" @echo "frontend-dev Run the frontend in developer mode on localhost:5173" @echo "frontend-typegen Generate types for the frontend from the OpenAPI schema" - @echo "wheel Build the wheel for the current version" + @echo "frontend-prettier Format the frontend using lint:prettier" + @echo "wheel Build the wheel for the current version" @echo "tag-release Tag the GitHub repository with the current version (use at release time only!)" @echo "openapi Generate the OpenAPI schema for the app, outputting to stdout" @echo "docs Serve the mkdocs site with live reload" # Runs ruff, fixing any safely-fixable errors and formatting ruff: - ruff check . --fix - ruff format . + cd invokeai && uv tool run ruff@0.11.2 format # Runs ruff, fixing all errors it can fix and formatting ruff-unsafe: ruff check . --fix --unsafe-fixes - ruff format . + ruff format # Runs mypy, using the config in pyproject.toml mypy: @@ -64,6 +64,13 @@ frontend-dev: frontend-typegen: cd invokeai/frontend/web && python ../../../scripts/generate_openapi_schema.py | pnpm typegen +frontend-lint: + cd invokeai/frontend/web/src && \ + pnpm lint:tsc && \ + pnpm lint:dpdm && \ + pnpm lint:eslint --fix && \ + pnpm lint:prettier --write + # Tag the release wheel: cd scripts && ./build_wheel.sh @@ -79,4 +86,4 @@ openapi: # Serve the mkdocs site w/ live reload .PHONY: docs docs: - mkdocs serve \ No newline at end of file + mkdocs serve diff --git a/USER_ISOLATION_IMPLEMENTATION.md b/USER_ISOLATION_IMPLEMENTATION.md new file mode 100644 index 00000000000..324c40db562 --- /dev/null +++ b/USER_ISOLATION_IMPLEMENTATION.md @@ -0,0 +1,169 @@ +# User Isolation Implementation Summary + +This document describes the implementation of user isolation features in the InvokeAI session queue and processing system to address issues identified in the enhancement request. + +## Issues Addressed + +### 1. Cross-User Image/Preview Visibility +**Problem:** When two users are logged in simultaneously and one initiates a generation, the generation preview shows up in both users' browsers and the generated image gets saved to both users' image boards. + +**Solution:** Implemented socket-level event filtering based on user authentication: + +#### Backend Changes (`invokeai/app/api/sockets.py`): +- Added socket authentication middleware in `_handle_connect()` method +- Extracts JWT token from socket auth data or HTTP headers +- Verifies token using existing `verify_token()` function +- Stores `user_id` and `is_admin` in socket session for later use +- Modified `_handle_queue_event()` to filter events by user: + - For `QueueItemEventBase` events, only emit to: + - The user who owns the queue item (`user_id` matches) + - Admin users (`is_admin` is True) + - For general queue events, emit to all subscribers + +#### Event System Changes (`invokeai/app/services/events/events_common.py`): +- Added `user_id` field to `QueueItemEventBase` class +- Updated all event builders to include `user_id` from queue items: + - `InvocationStartedEvent.build()` + - `InvocationProgressEvent.build()` + - `InvocationCompleteEvent.build()` + - `InvocationErrorEvent.build()` + - `QueueItemStatusChangedEvent.build()` + +### 2. Batch Field Values Privacy +**Problem:** Users can see batch field values from generation processes launched by other users. + +**Solution:** Implemented field value sanitization at the API level: + +#### API Router Changes (`invokeai/app/api/routers/session_queue.py`): +- Created `sanitize_queue_item_for_user()` helper function + - Clears `field_values` for non-admin users viewing other users' items + - Admins and item owners can see all field values +- Updated endpoints to require authentication and sanitize responses: + - `list_all_queue_items()` - Added `CurrentUser` dependency + - `get_queue_items_by_item_ids()` - Added `CurrentUser` dependency + - `get_queue_item()` - Added `CurrentUser` dependency + +### 3. Queue Updates Across Browser Windows +**Problem:** When the job queue tab is open in multiple browsers and a generation is begun in one browser window, the queue does not update in the other window. + +**Status:** This issue is likely resolved by the socket authentication and event filtering changes. The existing socket subscription mechanism (`subscribe_queue` event) already supports multiple connections per user. Testing is required to confirm this works correctly with the new authentication flow. + +### 4. User Information Display +**Problem:** Queue table lacks user identification, making it difficult to know who launched which job. + +**Solution:** Added user information to queue items and UI: + +#### Database Layer (`invokeai/app/services/session_queue/session_queue_sqlite.py`): +- Updated SQL queries to JOIN with `users` table +- Modified methods to fetch user information: + - `get_queue_item()` - Now selects `display_name` and `email` from users table + - `dequeue()` - Includes user info + - `get_next()` - Includes user info + - `get_current()` - Includes user info + - `list_all_queue_items()` - Includes user info + +#### Data Model Changes (`invokeai/app/services/session_queue/session_queue_common.py`): +- Added optional fields to `SessionQueueItem`: + - `user_display_name: Optional[str]` - Display name from users table + - `user_email: Optional[str]` - Email from users table + - Note: `user_id` field already existed from Migration 25 + +#### Frontend UI Changes: +- **Constants** (`constants.ts`): Added `user: '8rem'` column width +- **Header** (`QueueListHeader.tsx`): Added "User" column header +- **Item Component** (`QueueItemComponent.tsx`): + - Added logic to display user information (display_name → email → user_id) + - Added user column to queue item row + - Added tooltip with full username on hover + - Added "Hidden for privacy" message when field_values are null for non-owned items +- **Localization** (`en.json`): Added translations: + - `"user": "User"` + - `"fieldValuesHidden": "Hidden for privacy"` + +## Security Considerations + +### Token Verification +- Tokens are verified using the existing `verify_token()` function from `invokeai.app.services.auth.token_service` +- Invalid or missing tokens default to "system" user with non-admin privileges +- Socket connections without valid tokens are still accepted for backward compatibility but have limited access + +### Data Privacy +- Field values are only visible to: + - The user who created the queue item + - Admin users +- Non-admin users viewing other users' queue items see "Hidden for privacy" instead of field values + +### Admin Privileges +- Admin users can see all queue events and field values across all users +- Admin status is determined from the JWT token's `is_admin` field + +## Migration Notes + +No database migration is required. The changes leverage: +- Existing `user_id` column in `session_queue` table (added in Migration 25) +- Existing `users` table (added in Migration 25) +- SQL LEFT JOINs to fetch user information (gracefully handles missing user records) + +## Testing Requirements + +### Backend Testing +1. **Socket Authentication:** + - Verify valid tokens are accepted and user context is stored + - Verify invalid tokens default to system user + - Verify expired tokens are rejected + +2. **Event Filtering:** + - User A should only receive events for their own queue items + - Admin users should receive all events + - Non-admin users should not receive events from other users + +3. **Field Value Sanitization:** + - Non-admin users should see null field_values for other users' items + - Admins should see all field values + - Users should see their own field values + +### Frontend Testing +1. **UI Display:** + - User column should display in queue list + - Display name should be shown when available + - Email should be shown as fallback when display name is missing + - User ID should be shown when both display name and email are missing + - Tooltip should show full username on hover + +2. **Field Values Display:** + - "Hidden for privacy" message should appear when viewing other users' items + - Own items should show field values normally + +3. **Multi-Browser Testing:** + - Open queue tab in two browsers with different users + - Start generation in one browser + - Verify other browser doesn't see the preview/progress + - Verify admin user can see all generations + +### Integration Testing +1. Multi-user scenarios with simultaneous generations +2. Queue updates across multiple browser windows +3. Admin vs. non-admin privilege differentiation +4. Socket reconnection handling + +## Known Limitations + +1. **TypeScript Types:** + - The OpenAPI schema needs to be regenerated to include new fields + - Run: `cd invokeai/frontend/web && python ../../../scripts/generate_openapi_schema.py | pnpm typegen` + +2. **Backward Compatibility:** + - System user ("system") entries will not have display name or email + - Existing queue items from before Migration 25 will have user_id="system" + +3. **Socket.IO Session Storage:** + - Socket.IO's in-memory session storage may not persist across server restarts + - Consider implementing persistent session storage if needed for production + +## Future Enhancements + +1. Add user filtering to queue list (show only my items vs. all items) +2. Add permission system for queue management operations (cancel, retry, delete) +3. Implement queue item ownership transfer for administrative purposes +4. Add audit logging for queue operations with user attribution +5. Consider implementing user-specific queue limits or quotas diff --git a/docs/installation/requirements.md b/docs/installation/requirements.md index 7fcdd14b52c..b120eeadbc2 100644 --- a/docs/installation/requirements.md +++ b/docs/installation/requirements.md @@ -6,7 +6,9 @@ Invoke runs on Windows 10+, macOS 14+ and Linux (Ubuntu 20.04+ is well-tested). Hardware requirements vary significantly depending on model and image output size. -The requirements below are rough guidelines for best performance. GPUs with less VRAM typically still work, if a bit slower. Follow the [Low-VRAM mode guide](./features/low-vram.md) to optimize performance. +The requirements below are rough guidelines for best performance. GPUs +with less VRAM typically still work, if a bit slower. Follow the +[Low-VRAM mode guide](../features/low-vram.md) to optimize performance. - All Apple Silicon (M1, M2, etc) Macs work, but 16GB+ memory is recommended. - AMD GPUs are supported on Linux only. The VRAM requirements are the same as Nvidia GPUs. diff --git a/docs/multiuser/admin_guide.md b/docs/multiuser/admin_guide.md new file mode 100644 index 00000000000..d0f797feab3 --- /dev/null +++ b/docs/multiuser/admin_guide.md @@ -0,0 +1,876 @@ +# InvokeAI Multi-User Administrator Guide + +## Overview + +This guide is for administrators managing a multi-user InvokeAI installation. It covers initial setup, user management, security best practices, and troubleshooting. + +## Prerequisites + +Before enabling multi-user support, ensure you have: + +- InvokeAI installed and running +- Access to the server filesystem (for initial setup) +- Understanding of your deployment environment +- Backup of your existing data (recommended) + +## Initial Setup + +### Activating Multiuser Mode + +To put InvokeAI into multiuser mode, you will need to add the option +`multiuser: true` to its configuration file. This file is located at +`INVOKEAI_ROOT/invokeai.yaml` With the InvokeAI backend halted, add +the new configuration option to the end of the file with a text editor +so that it looks like this: + +```yaml +# Internal metadata - do not edit: +schema_version: 4.0.2 + +# Enable/disable multi-user mode +multiuser: true +``` + +Then restart the InvokeAI server backend from the command line or +using the launcher. + +!!! note "Reverting to single-user mode" + If at any time you wish to revert to single-user mode, simply comment + out the `multiuser` line, or change "true" to "false". Then + restart the server. Because of the way that browsers cache pages, + users with open InvokeAI sessions may need to force-refresh their + browsers. + + +### First Administrator Account + +When InvokeAI starts for the first time in multi-user mode, you'll see the **Administrator Setup** dialog. + +**Setup Steps:** + +1. **Email Address**: Enter a valid email address (this becomes your username) + + * Example: `admin@example.com` or `admin@localhost` for testing + * Must be a valid email format + * Cannot be changed later without database access + +2. **Display Name**: Enter a friendly name + + * Example: "System Administrator" or your real name + * Can be changed later in your profile + * Visible to other users in shared contexts + +3. **Password**: Create a strong administrator password + + * **Minimum requirements:** + + * At least 8 characters long + * Contains uppercase letters (A-Z) + * Contains lowercase letters (a-z) + * Contains numbers (0-9) + + * **Recommended:** + + * Use 12+ characters + * Include special characters (!@#$%^&*) + * Use a password manager to generate and store + * Don't reuse passwords from other services + +4. **Confirm Password**: Re-enter the password + +5. Click **Create Administrator Account** + +!!! warning "Important" + Store these credentials securely! The + first administrator account can reset + the password to something new, but cannot + retrieve a lost one. + +### Configuration + +InvokeAI can run in single-user or multi-user mode, controlled by the `multiuser` configuration option in `invokeai.yaml`: + +```yaml +# Enable/disable multi-user mode +multiuser: true # Enable multi-user mode (requires authentication) +# multiuser: false # Single-user mode (no authentication required) +# If the multiuser option is absent, single-user mode is used + +# Database configuration +use_memory_db: false # Use persistent database +db_path: databases/invokeai.db # Database location + +# Session configuration (multi-user mode only) +jwt_secret_key: "your-secret-key-here" # Auto-generated if not specified +jwt_token_expiry_hours: 24 # Default session timeout +jwt_remember_me_days: 7 # "Remember me" duration +``` + +**Single-User Mode** (`multiuser: false` or option absent): +- No authentication required +- All functionality enabled by default +- All boards and images visible in unified view +- Ideal for personal use or trusted environments + +**Multi-User Mode** (`multiuser: true`): +- Authentication required for access +- User isolation for boards, images, and workflows +- Role-based permissions enforced +- Ideal for shared servers or team environments + +!!! warning "Mode Switching Behavior" + **Switching to Single-User Mode:** If boards or images were created in multi-user mode, they will all be combined into a single unified view when switching to single-user mode. + + **Switching to Multi-User Mode:** Legacy boards and images created under single-user mode will be owned by an internal user named "system." Only the Administrator will have access to these legacy assets. A utility to migrate these legacy assets to another user will be part of a future release. + +### Migration from Single-User + +When upgrading from a single-user installation or switching modes: + +1. **Automatic Migration**: The database will automatically migrate to multi-user schema when multi-user mode is first enabled +2. **Legacy Data Ownership**: Existing data (boards, images, workflows) created in single-user mode is assigned to an internal user named "system" +3. **Administrator Access**: Only administrators will have access to legacy "system"-owned assets when in multi-user mode +4. **No Data Loss**: All existing content is preserved + +**Migration Process:** + +```bash +# Backup your database first +cp databases/invokeai.db databases/invokeai.db.backup + +# Enable multi-user mode in invokeai.yaml +# multiuser: true + +# Start InvokeAI (migration happens automatically) +invokeai-web + +# Complete the administrator setup dialog +# Legacy data will be owned by "system" user +``` + +!!! note "Legacy Asset Migration" + A utility to migrate legacy "system"-owned assets to specific user accounts will be available in a future release. Until then, administrators can access and manage all legacy content. + +## User Management + +### Creating Users + +**Via Web Interface (Coming Soon):** + +!!! info "Web UI for User Management" + A web-based user interface that allows administrators to manage users is coming in a future release. Until then, use the command-line scripts described below. + +**Via Command Line Scripts:** + +InvokeAI provides several command-line scripts in the `scripts/` directory for user management: + +**useradd.py** - Add a new user: + +```bash +# Interactive mode (prompts for details) +python scripts/useradd.py + +# Create a regular user +python scripts/useradd.py \ + --email user@example.com \ + --password TempPass123 \ + --name "User Name" + +# Create an administrator +python scripts/useradd.py \ + --email admin@example.com \ + --password AdminPass123 \ + --name "Admin Name" \ + --admin +``` + +**userlist.py** - List all users: + +```bash +# List all users +python scripts/userlist.py + +# Show detailed information +python scripts/userlist.py --verbose +``` + +**usermod.py** - Modify an existing user: + +```bash +# Change display name +python scripts/usermod.py --email user@example.com --name "New Name" + +# Promote to administrator +python scripts/usermod.py --email user@example.com --admin + +# Demote from administrator +python scripts/usermod.py --email user@example.com --no-admin + +# Deactivate account +python scripts/usermod.py --email user@example.com --deactivate + +# Reactivate account +python scripts/usermod.py --email user@example.com --activate + +# Change password +python scripts/usermod.py --email user@example.com --password NewPassword123 +``` + +**userdel.py** - Delete a user: + +```bash +# Delete a user (prompts for confirmation) +python scripts/userdel.py --email user@example.com + +# Delete without confirmation +python scripts/userdel.py --email user@example.com --force +``` + +!!! tip "Script Usage" + Run any script with `--help` to see all available options: + ```bash + python scripts/useradd.py --help + ``` + +!!! warning "Command Line Management" + - These scripts directly modify the database + - Always backup your database before making changes + - Changes take effect immediately (users may need to log in again) + - Deleting a user permanently removes all their content + +### Editing Users + +**Via Command Line:** + +Use `usermod.py` as described above to modify user properties. + +!!! warning "Last Administrator" + You cannot remove admin privileges from the last remaining administrator account. + +### Resetting User Passwords + +**Via Web Interface (Coming Soon):** + +Web-based password reset functionality for administrators is coming in a future release. + +**Via Command Line:** + +```bash +# Reset a user's password +python scripts/usermod.py --email user@example.com --password NewTempPassword123 +``` + +**Security Note:** Never send passwords via email or unsecured channels. Use secure communication methods. + +### Deactivating Users + +**Via Command Line:** + +```bash +# Deactivate a user account +python scripts/usermod.py --email user@example.com --deactivate + +# Reactivate a user account +python scripts/usermod.py --email user@example.com --activate +``` + +**Effects:** + +- User cannot log in when deactivated +- Existing sessions are immediately invalidated +- User's data is preserved +- Can be reactivated at any time + +### Deleting Users + +**Via Command Line:** + +```bash +# Delete a user (prompts for confirmation) +python scripts/userdel.py --email user@example.com + +# Delete without confirmation prompt +python scripts/userdel.py --email user@example.com --force +``` + +**Important:** + +- ⚠️ This action is **permanent** +- User's boards, images, and workflows are deleted +- Cannot be undone +- Consider deactivating instead of deleting + +!!! warning "Data Loss" + Deleting a user permanently removes all their content. Back up the database first if recovery might be needed. + +### Viewing User Activity + +**Queue Management:** + +1. Navigate to **Admin** → **Queue Overview** +2. View all users' active and pending generations +3. Filter by user +4. Cancel stuck or problematic tasks + +**User Statistics:** + +- Number of boards created +- Number of images generated +- Storage usage (if enabled) +- Last login time + +## Model Management + +As an administrator, you have full access to model management. + +### Adding Models + +**Via Model Manager UI:** + +1. Go to **Models** tab +2. Click **Add Model** +3. Choose installation method: + - **From URL**: Provide HuggingFace repo or download URL + - **From Local Path**: Scan local directories + - **Import**: Import model from filesystem + +**Supported Model Types:** + +- Main models (Stable Diffusion, SDXL, FLUX) +- LoRA models +- ControlNet models +- VAE models +- Textual Inversions +- IP-Adapters + +### Configuring Models + +**Model Settings:** + +- Display name +- Description +- Default generation settings (CFG, steps, scheduler) +- Variant selection (fp16/fp32) +- Model thumbnail image + +**Default Settings:** + +Set default parameters that users will start with: + +1. Select a model +2. Go to **Default Settings** tab +3. Configure: + - CFG Scale + - Steps + - Scheduler + - VAE selection +4. Save settings + +### Removing Models + +1. Go to **Models** tab +2. Select model(s) to remove +3. Click **Delete** +4. Confirm deletion + +!!! warning "Impact" + Removing a model affects all users who may be using it in workflows or saved settings. + +## Shared Boards + +Shared boards enable collaboration between users while maintaining control. + +!!! note "Future Feature" + Board sharing will be implemented in a future release. + +### Creating Shared Boards + +1. Log in as administrator +2. Create a new board (or use existing board) +3. Right-click the board → **Share Board** +4. Add users and set permissions +5. Click **Save Sharing Settings** + +### Permission Levels + +| Level | View | Add Images | Edit/Delete | Manage Sharing | +|-------|------|------------|-------------|----------------| +| **Read** | ✅ | ❌ | ❌ | ❌ | +| **Write** | ✅ | ✅ | ✅ | ❌ | +| **Admin** | ✅ | ✅ | ✅ | ✅ | + +**Permission Recommendations:** + +- **Read**: For viewers who should see but not modify content +- **Write**: For active collaborators who add and organize images +- **Admin**: For trusted users who help manage the shared board + +### Managing Shared Boards + +**Add Users to Shared Board:** + +1. Right-click shared board → **Manage Sharing** +2. Click **Add User** +3. Select user from dropdown +4. Choose permission level +5. Save changes + +**Remove Users from Shared Board:** + +1. Right-click shared board → **Manage Sharing** +2. Find user in list +3. Click **Remove** +4. Confirm removal + +**Change User Permissions:** + +1. Right-click shared board → **Manage Sharing** +2. Find user in list +3. Change permission dropdown +4. Save changes + +### Shared Board Best Practices + +- Give meaningful names to shared boards +- Document the board's purpose in the description +- Assign minimum necessary permissions +- Regularly audit access lists +- Remove users who no longer need access + +## Security + +### Password Policies + +**Enforced Requirements:** + +- Minimum 8 characters +- Must contain uppercase letters +- Must contain lowercase letters +- Must contain numbers + +**Recommended Policies:** + +- Require 12+ character passwords +- Include special characters +- Implement password rotation every 90 days +- Prevent password reuse +- Use multi-factor authentication (when available) + +### Session Management + +**Session Security and Token Management:** + +This system uses stateless JWT tokens with HMAC signatures to +identify users after they provide their initial credentials. The +tokens will persist for 24 hours by default, or for 7 days if the user +clicks the "Remember me" checkbox at login. Expired tokens are +automatically rejected and the user will have to log in again. + +At the client side, tokens are stored in browser localStorage. Logging +out clears them. No server-side session storage is required. + +The tokens include the user's ID, email, and admin status, along with +an HMAC signature. + +### Secret Key Management + +**Important:** The JWT secret key must be kept confidential. + +To generate tokens, each InvokeAI instance has a distinct secret JWT key that must be +kept confidential. The key is stored in the `app_settings` table of +the InvokeAI database with in a field value named `jwt_secret`. + +The secret key is automatically generated during database creation or +migration. If you wish to change the key, you may generate a +replacement using either of these commands: + + +```bash +# Python +python -c "import secrets; print(secrets.token_urlsafe(32))" + +# OpenSSL +openssl rand -base64 32 +``` + +Then cut and paste the printed secret into this Sqlite3 command: + +```bash +sqlite3 INVOKE_ROOT/databases/invokeai.db 'update app_settings set value="THE_SECRET" where key="jwt_secret"' +``` + +(replace INVOKE_ROOT with your InvokeAI root directory and THE_SECRET +with the new secret). + +After this, restart the server. All logged in users will be logged out +and will need to provide their usernames and passwords again. + +### Hosting a Shared InvokeAI Instance + +The multiuser feature allows you to run an InvokeAI backend that can +be accessed by your friends and family across your home network. It is +also possible to host a backend that is accessible over the Internet. + +By default, InvokeAI runs on `localhost`, IP address `127.0.0.1`, +which is only accessible to browsers running on the same machine as +the backend. To make the backend accessible to any machine on your +home or work LAN, add the line `host: 0.0.0.0` to the InvokeAI +configuration file, usually stored at `INVOKE_ROOT/invokeai.yaml`. + +Here is a minimal example. + +```yaml +# Internal metadata - do not edit: +schema_version: 4.0.2 + +# Put user settings here - see https://invoke-ai.github.io/InvokeAI/configuration/: +multiuser: true +host: 0.0.0.0 +``` + +After relaunching the backend you will be able to reach the server +from other machines on the LAN using the server machine's IP address +or hostname and port 9090. + +#### Connecting to the Internet + +!!! warning "Use at your own risk" + The InvokeAI team has done its best to make the software free of + exploitable bugs, but the software has not undergone a rigorous security + audit or intrusion testing. Use at your own risk + +It is also possible to create a (semi) public server accessible from +the Internet. The details of how to do this depend very much on your +home or corporate router/firewall system and are beyond the scope of +this document. + +If you expose InvokeAI to the Internet, there are a number of +precautions to take. Here is a brief list of recommended network +security practices. + +**HTTPS Configuration:** + +For internet deployments, always use HTTPS: + +```yaml +# Use a reverse proxy like nginx or Traefik +# Example nginx configuration: + +server { + listen 443 ssl http2; + server_name invoke.example.com; + + ssl_certificate /path/to/cert.pem; + ssl_certificate_key /path/to/key.pem; + + location / { + proxy_pass http://localhost:9090; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # WebSocket support + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } +} +``` + +**Firewall Rules:** + +It is best to restrict access to trusted networks and remote IP +addresses, or use a VPN to connect to your home network. Rate limit +connections to InvokeAI's authentication endpoint +`http://your.host:9090/login`. + +**Backup and Recovery:** + +It is a good idea to periodically backup your InvokeAI database, +images, and possibly models in the event of unauthorized use of a +publicly-accessible server. + +**Manual Backup:** + +```bash +# Stop InvokeAI +# Copy database file +cd INVOKE_ROOT +cp databases/invokeai.db databases/invokeai.db.$(date +%Y%m%d) + +# Or create compressed backup +tar -czf invokeai_backup_$(date +%Y%m%d).tar.gz databases/ +``` + +**Automated Backup Script:** + +```bash +#!/bin/bash +# backup_invokeai.sh + +INVOKE_ROOT="/path/to/invoke_root" +BACKUP_DIR="/path/to/backups" +DB_PATH="$INVOKE_ROOT/databases/invokeai.db" +DATE=$(date +%Y%m%d_%H%M%S) + +# Create backup directory +mkdir -p "$BACKUP_DIR" + +# Copy database +cp "$DB_PATH" "$BACKUP_DIR/invokeai_$DATE.db" + +# Keep only last 30 days +find "$BACKUP_DIR" -name "invokeai_*.db" -mtime +30 -delete + +echo "Backup completed: invokeai_$DATE.db" +``` + +**Schedule with cron:** + +```bash +# Edit crontab +crontab -e + +# Add daily backup at 2 AM +0 2 * * * /path/to/backup_invokeai.sh +``` + + + +```bash +# Stop InvokeAI +# Replace current database with backup +cd INVOKE_ROOT +cp databases/invokeai.db databases/invokeai.db.old # Save current +cp databases/invokeai_backup.db databases/invokeai.db + +# Restart InvokeAI +invokeai-web +``` + +**Disaster Recover - Complete System Backup:** + +Include these directories/files: + +- `databases/` - All database files +- `models/` - Installed models (if locally stored) +- `outputs/` - Generated images +- `invokeai.yaml` - Configuration file +- Any custom scripts or modifications + +**Recovery Process:** + +1. Install InvokeAI on new system +2. Restore configuration file +3. Restore database directory +4. Restore models and outputs +5. Verify file permissions +6. Start InvokeAI and test + +## Troubleshooting + +### User Cannot Login + +**Symptom:** User reports unable to log in + +**Diagnosis:** + +1. Verify account exists and is active + ```bash + sqlite3 databases/invokeai.db "SELECT * FROM users WHERE email = 'user@example.com';" + ``` + +2. Check password (have user try resetting) +3. Verify account is active (`is_active = 1`) +4. Check for account lockout (if implemented) + +**Solutions:** + +- Reset user password +- Reactivate disabled account +- Verify email address is correct +- Check system logs for auth errors + +### Database Locked Errors + +**Symptom:** "Database is locked" errors + +**Causes:** + +- Concurrent write operations +- Long-running transactions +- Backup process accessing database +- File system issues + +**Solutions:** + +```bash +# Check for locks +fuser databases/invokeai.db + +# Increase timeout (in config) +# Or switch to WAL mode: +sqlite3 databases/invokeai.db "PRAGMA journal_mode=WAL;" +``` + +### Forgotten Admin Password + +**Recovery Process:** + +1. Stop InvokeAI +2. Direct database access: + ```bash + sqlite3 databases/invokeai.db + ``` + +3. Reset admin password (requires password hash): + ```sql + -- Generate hash first using Python: + -- from passlib.context import CryptContext + -- pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") + -- print(pwd_context.hash("NewPassword123")) + + UPDATE users + SET password_hash = '$2b$12$...' + WHERE email = 'admin@example.com'; + ``` + +4. Restart InvokeAI + +**Alternative:** Remove `jwt_secret_key` from config to trigger setup wizard (will create new admin). + +### Performance Issues + +**Symptom:** Slow generation or UI + +**Diagnosis:** + +1. Check active generation count +2. Review resource usage (CPU/GPU/RAM) +3. Check database size and performance +4. Review network latency + +**Solutions:** + +- Limit concurrent generations +- Increase hardware resources +- Optimize database (`VACUUM`, `ANALYZE`) +- Add indexes for slow queries +- Consider load balancing + +### Migration Failures + +**Symptom:** Database migration fails on upgrade + +**Prevention:** + +- Always backup before upgrading +- Test migration on copy of database +- Review migration logs + +**Recovery:** + +```bash +# Restore backup +cp databases/invokeai.db.backup databases/invokeai.db + +# Try migration again with verbose logging +invokeai-web --log-level DEBUG +``` + +## Configuration Reference + +### Complete Configuration Example for a Public Site + +```yaml +# invokeai.yaml - Multi-user configuration + +# Internal metadata - do not edit: +schema_version: 4.0.2 + +# Put user settings here +multiuser: true + +# Server +host: "0.0.0.0" +port: 9090 + +# Performance +enable_partial_loading: true +precision: float16 +pytorch_cuda_alloc_conf: "backend:cudaMallocAsync" +hashing_algorithm: blake3_multi +``` +## Frequently Asked Questions + +### How many users can InvokeAI support? + +The backend will support dozens of concurrent users. However, because +the image generation queue is single-threaded, image generation tasks +are processed on a first-come, first-serve basis. This means that a +user may have to wait for all the other users' image generation jobs +to complete before their generation job starts to execute. + +A future version of InvokeAI may support concurrent execution on +systems with multiple GPUs/graphics cards. + +### Can I integrate with existing authentication systems? + +OAuth2/OpenID Connect support is planned for a future release. Currently, InvokeAI uses its own authentication system. + +### How do I audit user actions? + +Full audit logging is planned for a future release. Currently, you can: + +- Monitor the generation queue +- Review database changes +- Check application logs + +### Can users have different model access? + +Not in the current release. All users can view and use all installed models. Per-user model access is a possible enhancement. + +### How do I handle user data when they leave? + +Best practice: + +1. Deactivate the account first +2. Transfer ownership of shared boards +3. After transition period, delete the account +4. Or keep the account deactivated for audit purposes + +### What's the licensing impact of multi-user mode? + +InvokeAI remains under its existing license. Multi-user mode does not change licensing terms. + +## Getting Help + +### Support Resources + +- **Documentation**: [InvokeAI Docs](https://invoke-ai.github.io/InvokeAI/) +- **Discord**: [Join Community](https://discord.gg/ZmtBAhwWhy) +- **GitHub Issues**: [Report Problems](https://github.com/invoke-ai/InvokeAI/issues) +- **User Guide**: [For Users](user_guide.md) +- **API Guide**: [For Developers](api_guide.md) + +### Reporting Issues + +When reporting administrator issues, include: + +- InvokeAI version +- Operating system and version +- Database size and user count +- Relevant log excerpts +- Steps to reproduce +- Expected vs actual behavior + +## Additional Resources + +- [User Guide](user_guide.md) - For end users +- [API Guide](api_guide.md) - For API consumers +- [Multiuser Specification](specification.md) - Technical details + +--- + +**Need additional assistance?** Visit the [InvokeAI Discord](https://discord.gg/ZmtBAhwWhy) or file an issue on [GitHub](https://github.com/invoke-ai/InvokeAI/issues). diff --git a/docs/multiuser/api_guide.md b/docs/multiuser/api_guide.md new file mode 100644 index 00000000000..e521e881e77 --- /dev/null +++ b/docs/multiuser/api_guide.md @@ -0,0 +1,1224 @@ +# InvokeAI Multi-User API Guide + +## Overview + +This guide explains how to interact with InvokeAI's API in both single-user and multi-user modes. The API behavior depends on the `multiuser` configuration setting. + +### Single-User vs Multi-User Mode + +**Single-User Mode** (`multiuser: false` or option absent): +- No authentication required +- All API endpoints accessible without tokens +- Direct API access like previous InvokeAI versions +- All content visible in unified view + +**Multi-User Mode** (`multiuser: true`): +- JWT token authentication required +- User-scoped access to resources +- Role-based authorization (admin vs regular user) +- Data isolation between users + +## Authentication (Multi-User Mode Only) + +### Authentication Flow + +When multi-user mode is enabled, all API endpoints (except `/api/v1/auth/setup` and `/api/v1/auth/login`) require authentication using JWT (JSON Web Token) bearer tokens. + +**Authentication Process:** + +1. **Obtain Token**: POST credentials to `/api/v1/auth/login` +2. **Store Token**: Save the JWT token securely +3. **Use Token**: Include token in `Authorization` header for all requests +4. **Refresh**: Re-authenticate when token expires + +!!! note "Single-User Mode" + When running in single-user mode (`multiuser: false`), authentication endpoints are not available and authentication headers are not required. + +### Login Endpoint + +**Endpoint:** `POST /api/v1/auth/login` + +**Request:** + +```json +{ + "email": "user@example.com", + "password": "SecurePassword123", + "remember_me": false +} +``` + +**Response (Success):** + +```json +{ + "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...", + "user": { + "user_id": "abc123", + "email": "user@example.com", + "display_name": "John Doe", + "is_admin": false, + "is_active": true, + "created_at": "2024-01-15T10:00:00Z" + }, + "expires_in": 86400 +} +``` + +**Response (Error):** + +```json +{ + "detail": "Incorrect email or password" +} +``` + +**Status Codes:** + +- `200 OK` - Authentication successful +- `401 Unauthorized` - Invalid credentials +- `403 Forbidden` - Account disabled +- `422 Unprocessable Entity` - Invalid request format + +### Using the Token + +Include the JWT token in the `Authorization` header with the `Bearer` scheme: + +**HTTP Header:** + +``` +Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... +``` + +**Example HTTP Request:** + +```http +GET /api/v1/boards HTTP/1.1 +Host: localhost:9090 +Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... +Content-Type: application/json +``` + +### Token Expiration + +Tokens have a limited lifetime: + +- **Default**: 24 hours (86400 seconds) +- **Remember Me**: 7 days (604800 seconds) + +**Handling Expiration:** + +```python +import requests +import time + +def api_request(url, token, max_retries=1): + headers = {"Authorization": f"Bearer {token}"} + response = requests.get(url, headers=headers) + + if response.status_code == 401: # Token expired + # Re-authenticate and retry + new_token = login() + headers = {"Authorization": f"Bearer {new_token}"} + response = requests.get(url, headers=headers) + + return response +``` + +### Logout Endpoint + +**Endpoint:** `POST /api/v1/auth/logout` + +**Request:** + +```http +POST /api/v1/auth/logout HTTP/1.1 +Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... +``` + +**Response:** + +```json +{ + "success": true +} +``` + +**Note:** With JWT tokens, logout is primarily client-side (delete token). Server-side session invalidation may be added in future releases. + +## Code Examples + +### Python + +**Using `requests` library:** + +```python +import requests +import json + +class InvokeAIClient: + def __init__(self, base_url="http://localhost:9090"): + self.base_url = base_url + self.token = None + + def login(self, email, password, remember_me=False): + """Authenticate and store token.""" + url = f"{self.base_url}/api/v1/auth/login" + payload = { + "email": email, + "password": password, + "remember_me": remember_me + } + + response = requests.post(url, json=payload) + response.raise_for_status() + + data = response.json() + self.token = data["token"] + return data["user"] + + def _get_headers(self): + """Get headers with authentication token.""" + if not self.token: + raise Exception("Not authenticated. Call login() first.") + + return { + "Authorization": f"Bearer {self.token}", + "Content-Type": "application/json" + } + + def get_boards(self): + """Get user's boards.""" + url = f"{self.base_url}/api/v1/boards/" + response = requests.get(url, headers=self._get_headers()) + response.raise_for_status() + return response.json() + + def create_board(self, board_name): + """Create a new board.""" + url = f"{self.base_url}/api/v1/boards/" + payload = {"board_name": board_name} + + response = requests.post( + url, + json=payload, + headers=self._get_headers() + ) + response.raise_for_status() + return response.json() + + def logout(self): + """Logout and clear token.""" + url = f"{self.base_url}/api/v1/auth/logout" + response = requests.post(url, headers=self._get_headers()) + self.token = None + return response.json() + +# Usage +client = InvokeAIClient() +user = client.login("user@example.com", "SecurePassword123") +print(f"Logged in as: {user['display_name']}") + +boards = client.get_boards() +print(f"User has {len(boards['items'])} boards") + +new_board = client.create_board("My New Board") +print(f"Created board: {new_board['board_name']}") + +client.logout() +``` + +**Error Handling:** + +```python +import requests +from requests.exceptions import HTTPError + +def safe_api_call(client, method, *args, **kwargs): + """Make API call with error handling.""" + try: + func = getattr(client, method) + return func(*args, **kwargs) + + except HTTPError as e: + if e.response.status_code == 401: + print("Authentication failed or token expired") + # Re-authenticate + client.login(email, password) + # Retry + return func(*args, **kwargs) + elif e.response.status_code == 403: + print("Permission denied") + elif e.response.status_code == 404: + print("Resource not found") + else: + print(f"API error: {e.response.status_code}") + print(e.response.text) + + raise + +# Usage +try: + boards = safe_api_call(client, "get_boards") +except Exception as e: + print(f"Failed to get boards: {e}") +``` + +### JavaScript/TypeScript + +**Using `fetch` API:** + +```javascript +class InvokeAIClient { + constructor(baseUrl = 'http://localhost:9090') { + this.baseUrl = baseUrl; + this.token = null; + } + + async login(email, password, rememberMe = false) { + const response = await fetch(`${this.baseUrl}/api/v1/auth/login`, { + method: 'POST', + headers: { + 'Content-Type': 'application/json', + }, + body: JSON.stringify({ + email, + password, + remember_me: rememberMe, + }), + }); + + if (!response.ok) { + throw new Error(`Login failed: ${response.statusText}`); + } + + const data = await response.json(); + this.token = data.token; + + // Store token in localStorage + localStorage.setItem('invokeai_token', data.token); + + return data.user; + } + + getHeaders() { + if (!this.token) { + throw new Error('Not authenticated. Call login() first.'); + } + + return { + 'Authorization': `Bearer ${this.token}`, + 'Content-Type': 'application/json', + }; + } + + async getBoards() { + const response = await fetch(`${this.baseUrl}/api/v1/boards/`, { + headers: this.getHeaders(), + }); + + if (!response.ok) { + throw new Error(`Failed to get boards: ${response.statusText}`); + } + + return response.json(); + } + + async createBoard(boardName) { + const response = await fetch(`${this.baseUrl}/api/v1/boards/`, { + method: 'POST', + headers: this.getHeaders(), + body: JSON.stringify({ board_name: boardName }), + }); + + if (!response.ok) { + throw new Error(`Failed to create board: ${response.statusText}`); + } + + return response.json(); + } + + async logout() { + const response = await fetch(`${this.baseUrl}/api/v1/auth/logout`, { + method: 'POST', + headers: this.getHeaders(), + }); + + this.token = null; + localStorage.removeItem('invokeai_token'); + + return response.json(); + } +} + +// Usage +(async () => { + const client = new InvokeAIClient(); + + try { + const user = await client.login('user@example.com', 'SecurePassword123'); + console.log(`Logged in as: ${user.display_name}`); + + const boards = await client.getBoards(); + console.log(`User has ${boards.items.length} boards`); + + const newBoard = await client.createBoard('My New Board'); + console.log(`Created board: ${newBoard.board_name}`); + + await client.logout(); + } catch (error) { + console.error('Error:', error.message); + } +})(); +``` + +**TypeScript with Types:** + +```typescript +interface LoginRequest { + email: string; + password: string; + remember_me?: boolean; +} + +interface User { + user_id: string; + email: string; + display_name: string; + is_admin: boolean; + is_active: boolean; + created_at: string; +} + +interface LoginResponse { + token: string; + user: User; + expires_in: number; +} + +interface Board { + board_id: string; + board_name: string; + created_at: string; + updated_at: string; + deleted_at?: string; + cover_image_name?: string; +} + +class InvokeAIClient { + private baseUrl: string; + private token: string | null = null; + + constructor(baseUrl: string = 'http://localhost:9090') { + this.baseUrl = baseUrl; + } + + async login( + email: string, + password: string, + rememberMe: boolean = false + ): Promise { + const response = await fetch(`${this.baseUrl}/api/v1/auth/login`, { + method: 'POST', + headers: { 'Content-Type': 'application/json' }, + body: JSON.stringify({ email, password, remember_me: rememberMe }), + }); + + if (!response.ok) { + const error = await response.json(); + throw new Error(error.detail || 'Login failed'); + } + + const data: LoginResponse = await response.json(); + this.token = data.token; + return data.user; + } + + private getHeaders(): HeadersInit { + if (!this.token) { + throw new Error('Not authenticated'); + } + return { + 'Authorization': `Bearer ${this.token}`, + 'Content-Type': 'application/json', + }; + } + + async getBoards(): Promise<{ items: Board[] }> { + const response = await fetch(`${this.baseUrl}/api/v1/boards/`, { + headers: this.getHeaders(), + }); + + if (!response.ok) { + throw new Error('Failed to get boards'); + } + + return response.json(); + } +} +``` + +### cURL + +**Login:** + +```bash +# Login and extract token +TOKEN=$(curl -X POST http://localhost:9090/api/v1/auth/login \ + -H "Content-Type: application/json" \ + -d '{ + "email": "user@example.com", + "password": "SecurePassword123", + "remember_me": false + }' | jq -r '.token') + +echo "Token: $TOKEN" +``` + +**Get Boards:** + +```bash +curl -X GET http://localhost:9090/api/v1/boards/ \ + -H "Authorization: Bearer $TOKEN" \ + -H "Content-Type: application/json" +``` + +**Create Board:** + +```bash +curl -X POST http://localhost:9090/api/v1/boards/ \ + -H "Authorization: Bearer $TOKEN" \ + -H "Content-Type: application/json" \ + -d '{ + "board_name": "My API Board" + }' +``` + +**Generate Image:** + +```bash +curl -X POST http://localhost:9090/api/v1/sessions/ \ + -H "Authorization: Bearer $TOKEN" \ + -H "Content-Type: application/json" \ + -d '{ + "prompt": "A beautiful landscape", + "width": 512, + "height": 512, + "steps": 30 + }' +``` + +## API Endpoint Changes + +### Authentication Required + +All endpoints now require authentication except: + +- `POST /api/v1/auth/setup` - Initial admin setup +- `POST /api/v1/auth/login` - User login + +### User-Scoped Resources + +Resources are now filtered by the authenticated user: + +**Boards:** + +```python +# Before (single-user) +GET /api/v1/boards/ # Returns all boards + +# After (multi-user) +GET /api/v1/boards/ # Returns only current user's boards +``` + +**Images:** + +```python +# Images are filtered by board ownership +GET /api/v1/images/ # Only shows images on user's boards +``` + +**Workflows:** + +```python +# Returns user's workflows + public workflows +GET /api/v1/workflows/ +``` + +**Queue:** + +```python +# Regular users see only their queue items +GET /api/v1/queue/ # User's queue items + +# Administrators see all queue items +GET /api/v1/queue/ # All users' queue items +``` + +### Administrator Endpoints + +Some endpoints require administrator privileges: + +**User Management:** + +```python +GET /api/v1/users # List users (admin only) +POST /api/v1/users # Create user (admin only) +GET /api/v1/users/{id} # Get user (admin only) +PATCH /api/v1/users/{id} # Update user (admin only) +DELETE /api/v1/users/{id} # Delete user (admin only) +``` + +**Model Management (Write Operations):** + +```python +POST /api/v1/models/install # Install model (admin only) +DELETE /api/v1/models/i/{key} # Delete model (admin only) +PATCH /api/v1/models/i/{key} # Update model (admin only) +PUT /api/v1/models/convert/{key} # Convert model (admin only) +``` + +**Model Management (Read Operations):** + +```python +GET /api/v1/models/ # List models (all users) +GET /api/v1/models/i/{key} # Get model details (all users) +``` + +### Error Responses + +**401 Unauthorized:** + +```json +{ + "detail": "Invalid authentication credentials" +} +``` + +Occurs when: + +- Token is missing +- Token is invalid +- Token is expired +- Token signature is invalid + +**403 Forbidden:** + +```json +{ + "detail": "Admin privileges required" +} +``` + +Occurs when: + +- User attempts admin-only operation +- Account is disabled +- Insufficient permissions + +**404 Not Found:** + +```json +{ + "detail": "Resource not found" +} +``` + +Occurs when: + +- Resource doesn't exist +- User doesn't have access to resource + +## New API Endpoints + +### Authentication Endpoints + +#### Setup Administrator + +**Endpoint:** `POST /api/v1/auth/setup` + +**Description:** Create initial administrator account (only works if no admin exists) + +**Request:** + +```json +{ + "email": "admin@example.com", + "display_name": "Administrator", + "password": "SecureAdminPass123" +} +``` + +**Response:** + +```json +{ + "success": true, + "user": { + "user_id": "abc123", + "email": "admin@example.com", + "display_name": "Administrator", + "is_admin": true, + "is_active": true + } +} +``` + +#### Get Current User + +**Endpoint:** `GET /api/v1/auth/me` + +**Description:** Get currently authenticated user's information + +**Request:** + +```http +GET /api/v1/auth/me +Authorization: Bearer +``` + +**Response:** + +```json +{ + "user_id": "abc123", + "email": "user@example.com", + "display_name": "John Doe", + "is_admin": false, + "is_active": true, + "created_at": "2024-01-15T10:00:00Z", + "updated_at": "2024-01-15T10:00:00Z", + "last_login_at": "2024-01-15T15:30:00Z" +} +``` + +#### Change Password + +**Endpoint:** `POST /api/v1/auth/change-password` + +**Description:** Change current user's password + +**Request:** + +```json +{ + "current_password": "OldPassword123", + "new_password": "NewPassword456" +} +``` + +**Response:** + +```json +{ + "success": true +} +``` + +### User Management Endpoints (Admin Only) + +#### List Users + +**Endpoint:** `GET /api/v1/users` + +**Request:** + +```http +GET /api/v1/users?page=1&per_page=20 +Authorization: Bearer +``` + +**Response:** + +```json +{ + "items": [ + { + "user_id": "abc123", + "email": "user@example.com", + "display_name": "John Doe", + "is_admin": false, + "is_active": true, + "created_at": "2024-01-15T10:00:00Z", + "last_login_at": "2024-01-15T15:30:00Z" + } + ], + "page": 1, + "pages": 1, + "per_page": 20, + "total": 5 +} +``` + +#### Create User + +**Endpoint:** `POST /api/v1/users` + +**Request:** + +```json +{ + "email": "newuser@example.com", + "display_name": "New User", + "password": "TempPassword123", + "is_admin": false +} +``` + +**Response:** + +```json +{ + "user_id": "xyz789", + "email": "newuser@example.com", + "display_name": "New User", + "is_admin": false, + "is_active": true, + "created_at": "2024-01-15T16:00:00Z" +} +``` + +#### Update User + +**Endpoint:** `PATCH /api/v1/users/{user_id}` + +**Request:** + +```json +{ + "display_name": "Updated Name", + "is_active": true, + "is_admin": false +} +``` + +**Response:** + +```json +{ + "user_id": "xyz789", + "email": "newuser@example.com", + "display_name": "Updated Name", + "is_admin": false, + "is_active": true +} +``` + +#### Delete User + +**Endpoint:** `DELETE /api/v1/users/{user_id}` + +**Response:** + +```json +{ + "success": true +} +``` + +#### Reset User Password + +**Endpoint:** `POST /api/v1/users/{user_id}/reset-password` + +**Request:** + +```json +{ + "new_password": "NewTempPass123" +} +``` + +**Response:** + +```json +{ + "success": true +} +``` + +### Board Sharing Endpoints + +#### Share Board + +**Endpoint:** `POST /api/v1/boards/{board_id}/share` + +**Request:** + +```json +{ + "user_id": "user123", + "permission": "write" +} +``` + +**Response:** + +```json +{ + "success": true, + "share": { + "board_id": "board456", + "user_id": "user123", + "permission": "write", + "shared_at": "2024-01-15T16:00:00Z" + } +} +``` + +#### List Board Shares + +**Endpoint:** `GET /api/v1/boards/{board_id}/shares` + +**Response:** + +```json +{ + "items": [ + { + "user_id": "user123", + "display_name": "John Doe", + "permission": "write", + "shared_at": "2024-01-15T16:00:00Z" + } + ] +} +``` + +#### Remove Board Share + +**Endpoint:** `DELETE /api/v1/boards/{board_id}/share/{user_id}` + +**Response:** + +```json +{ + "success": true +} +``` + +## Best Practices + +### Token Storage + +**Do:** + +- Store tokens securely (keychain, secure storage) +- Use HTTPS to transmit tokens +- Clear tokens on logout +- Handle token expiration gracefully + +**Don't:** + +- Store tokens in URL parameters +- Log tokens in plain text +- Share tokens between users +- Store tokens in version control + +### Error Handling + +Always handle authentication errors: + +```python +def make_request(client, func, *args, **kwargs): + max_retries = 3 + retry_count = 0 + + while retry_count < max_retries: + try: + return func(*args, **kwargs) + except AuthenticationError: + if retry_count >= max_retries - 1: + raise + # Re-authenticate + client.login(email, password) + retry_count += 1 + except Exception as e: + logger.error(f"Request failed: {e}") + raise +``` + +### Rate Limiting + +Be mindful of API rate limits: + +- Implement exponential backoff for retries +- Cache frequently accessed data +- Batch requests when possible +- Don't hammer the login endpoint + +### Connection Management + +```python +import requests +from requests.adapters import HTTPAdapter +from urllib3.util.retry import Retry + +def create_session(): + """Create session with retry logic.""" + session = requests.Session() + + retry = Retry( + total=3, + backoff_factor=0.3, + status_forcelist=[500, 502, 503, 504], + ) + + adapter = HTTPAdapter(max_retries=retry) + session.mount('http://', adapter) + session.mount('https://', adapter) + + return session +``` + +## Migration Guide + +### Updating Existing Code + +**Before (single-user mode):** + +```python +import requests + +def get_boards(): + response = requests.get("http://localhost:9090/api/v1/boards/") + return response.json() +``` + +**After (multi-user mode):** + +```python +import requests + +class APIClient: + def __init__(self): + self.token = None + + def login(self, email, password): + response = requests.post( + "http://localhost:9090/api/v1/auth/login", + json={"email": email, "password": password} + ) + self.token = response.json()["token"] + + def get_boards(self): + headers = {"Authorization": f"Bearer {self.token}"} + response = requests.get( + "http://localhost:9090/api/v1/boards/", + headers=headers + ) + return response.json() + +# Usage +client = APIClient() +client.login("user@example.com", "password") +boards = client.get_boards() +``` + +### Backward Compatibility + +InvokeAI supports both single-user and multi-user modes via the `multiuser` configuration option. + +**Configuration:** + +```yaml +# invokeai.yaml + +# Single-user mode (no authentication) +multiuser: false # or omit the option entirely + +# Multi-user mode (authentication required) +multiuser: true +``` + +**Checking Mode Programmatically:** + +```python +def is_multiuser_enabled(base_url): + """Check if multi-user mode is enabled (authentication required).""" + response = requests.get(f"{base_url}/api/v1/boards/") + return response.status_code == 401 # 401 = auth required + +# Example usage +base_url = "http://localhost:9090" +if is_multiuser_enabled(base_url): + print("Multi-user mode: authentication required") + # Use authenticated API calls +else: + print("Single-user mode: no authentication needed") + # Use direct API calls +``` + +**Adaptive Client:** + +```python +class AdaptiveInvokeAIClient: + def __init__(self, base_url="http://localhost:9090"): + self.base_url = base_url + self.token = None + self.multiuser_mode = self._check_multiuser_mode() + + def _check_multiuser_mode(self): + """Detect if multi-user mode is enabled.""" + try: + response = requests.get(f"{self.base_url}/api/v1/boards/") + return response.status_code == 401 + except: + return False + + def login(self, email, password): + """Login (only needed in multi-user mode).""" + if not self.multiuser_mode: + print("Single-user mode: login not required") + return + + response = requests.post( + f"{self.base_url}/api/v1/auth/login", + json={"email": email, "password": password} + ) + self.token = response.json()["token"] + + def _get_headers(self): + """Get headers (with auth token if in multi-user mode).""" + if self.multiuser_mode and self.token: + return {"Authorization": f"Bearer {self.token}"} + return {} + + def get_boards(self): + """Get boards (works in both modes).""" + response = requests.get( + f"{self.base_url}/api/v1/boards/", + headers=self._get_headers() + ) + return response.json() +``` + +## OpenAPI/Swagger Documentation + +InvokeAI provides OpenAPI documentation for all endpoints. + +**Access Swagger UI:** + +``` +http://localhost:9090/docs +``` + +**Download OpenAPI Schema:** + +```bash +curl http://localhost:9090/openapi.json > invokeai_openapi.json +``` + +**Generate Client Code:** + +Use tools like `openapi-generator` to generate client libraries: + +```bash +# Generate Python client +openapi-generator generate \ + -i http://localhost:9090/openapi.json \ + -g python \ + -o ./invokeai-client + +# Generate TypeScript client +openapi-generator generate \ + -i http://localhost:9090/openapi.json \ + -g typescript-fetch \ + -o ./invokeai-client-ts +``` + +## Security Considerations + +### HTTPS + +Always use HTTPS in production: + +```python +# Development +client = InvokeAIClient("http://localhost:9090") + +# Production +client = InvokeAIClient("https://invoke.example.com") +``` + +### Token Security + +Protect JWT tokens: + +```python +# Never log tokens +logger.info(f"User logged in") # Good +logger.info(f"Token: {token}") # Bad! + +# Use environment variables for credentials +import os +email = os.environ.get("INVOKEAI_EMAIL") +password = os.environ.get("INVOKEAI_PASSWORD") +``` + +### Input Validation + +Always validate user input: + +```python +import re + +def validate_email(email): + pattern = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$' + return re.match(pattern, email) is not None + +def validate_password(password): + """Check password meets requirements.""" + if len(password) < 8: + return False, "Password must be at least 8 characters" + if not any(c.isupper() for c in password): + return False, "Password must contain uppercase letters" + if not any(c.islower() for c in password): + return False, "Password must contain lowercase letters" + if not any(c.isdigit() for c in password): + return False, "Password must contain numbers" + return True, "" +``` + +## Troubleshooting + +### Common Issues + +**Issue: "Invalid authentication credentials"** + +- Token expired - re-authenticate +- Token malformed - check token string +- Token signature invalid - check secret key hasn't changed + +**Issue: "Admin privileges required"** + +- User is not an administrator +- Use admin account for this operation + +**Issue: Token not being sent** + +- Check `Authorization` header is present +- Verify `Bearer` prefix is included +- Check token isn't truncated + +**Issue: CORS errors** + +Configure CORS in InvokeAI: + +```yaml +# invokeai.yaml +cors_origins: + - "http://localhost:3000" + - "https://myapp.example.com" +``` + +## Additional Resources + +- [User Guide](user_guide.md) - For end users +- [Administrator Guide](admin_guide.md) - For administrators +- [Multiuser Specification](specification.md) - Technical details +- [OpenAPI Documentation](http://localhost:9090/docs) - Interactive API docs +- [GitHub Repository](https://github.com/invoke-ai/InvokeAI) - Source code + +--- + +**Questions?** Visit the [InvokeAI Discord](https://discord.gg/ZmtBAhwWhy) or check the [FAQ](../faq.md). diff --git a/docs/multiuser/specification.md b/docs/multiuser/specification.md new file mode 100644 index 00000000000..e3a8528a2b2 --- /dev/null +++ b/docs/multiuser/specification.md @@ -0,0 +1,870 @@ +# InvokeAI Multi-User Support - Detailed Specification + +## 1. Executive Summary + +This document provides a comprehensive specification for adding multi-user support to InvokeAI. The feature will enable a single InvokeAI instance to support multiple isolated users, each with their own generation settings, image boards, and workflows, while maintaining administrative controls for model management and system configuration. + +## 2. Overview + +### 2.1 Goals +- Enable multiple users to share a single InvokeAI instance +- Provide user isolation for personal content (boards, images, workflows, settings) +- Maintain centralized model management by administrators +- Support shared boards for collaboration +- Provide secure authentication and authorization +- Minimize impact on existing single-user installations + +### 2.2 Non-Goals +- Real-time collaboration features (multiple users editing same workflow simultaneously) +- Advanced team management features (in initial release) +- Migration of existing multi-user enterprise edition data +- Support for external identity providers (in initial release, can be added later) + +## 3. User Roles and Permissions + +### 3.1 Administrator Role +**Capabilities:** + +- Full access to all InvokeAI features +- Model management (add, delete, configure models) +- User management (create, edit, delete users) +- View and manage all users' queue sessions +- Access system configuration +- Create and manage shared boards +- Grant/revoke administrative privileges to other users + +**Restrictions:** + +- Cannot delete their own account if they are the last administrator +- Cannot revoke their own admin privileges if they are the last administrator + +### 3.2 Regular User Role +**Capabilities:** + +- Create, edit, and delete their own image boards +- Upload and manage their own assets +- Use all image generation tools (linear, canvas, upscale, workflow tabs) +- Create, edit, save, and load workflows +- Access public/shared workflows +- View and manage their own queue sessions +- Adjust personal UI preferences (theme, hotkeys, etc.) +- Access shared boards (read/write based on permissions) +- **View model configurations** (read-only access to model manager) +- **View model details, default settings, and metadata** + +**Restrictions:** + +- Cannot add, delete, or edit models +- **Can view but cannot modify model manager settings** (read-only access) +- Cannot reidentify, convert, or update model paths +- Cannot upload or change model thumbnail images +- Cannot save changes to model default settings +- Cannot perform bulk delete operations on models +- Cannot view or modify other users' boards, images, or workflows +- Cannot cancel or modify other users' queue sessions +- Cannot access system configuration +- Cannot manage users or permissions + +### 3.3 Future Role Considerations +- **Viewer Role**: Read-only access (future enhancement) +- **Team/Group-based Permissions**: Organizational hierarchy (future enhancement) + +## 4. Authentication System + +### 4.1 Authentication Method +- **Primary Method**: Username and password authentication with secure password hashing +- **Password Hashing**: Use bcrypt or Argon2 for password storage +- **Session Management**: JWT tokens or secure session cookies +- **Token Expiration**: Configurable session timeout (default: 7 days for "remember me", 24 hours otherwise) + +### 4.2 Initial Administrator Setup +**First-time Launch Flow:** + +1. Application detects no administrator account exists +2. Displays mandatory setup dialog (cannot be skipped) +3. Prompts for: + - Administrator username (email format recommended) + - Administrator display name + - Strong password (minimum requirements enforced) + - Password confirmation +4. Stores hashed credentials in configuration +5. Creates administrator account in database +6. Proceeds to normal login screen + +**Reset Capability:** + +- Administrators can be reset by manually editing the config file +- Requires access to server filesystem (intentional security measure) +- Database maintains user records; config file contains root admin credentials + +### 4.3 Password Requirements +- Minimum 8 characters +- At least one uppercase letter +- At least one lowercase letter +- At least one number +- At least one special character (optional but recommended) +- Not in common password list + +### 4.4 Login Flow + +1. User navigates to InvokeAI URL +2. If not authenticated, redirect to login page +3. User enters username/email and password +4. Optional "Remember me" checkbox for extended session +5. Backend validates credentials +6. On success: Generate session token, redirect to application +7. On failure: Display error, allow retry with rate limiting (prevent brute force) + +### 4.5 Logout Flow +- User clicks logout button +- Frontend clears session token +- Backend invalidates session (if using server-side sessions) +- Redirect to login page + +### 4.6 Future Authentication Enhancements +- OAuth2/OpenID Connect support +- Two-factor authentication (2FA) +- SSO integration +- API key authentication for programmatic access + +## 5. User Management + +### 5.1 User Creation (Administrator) +**Flow:** + +1. Administrator navigates to user management interface +2. Clicks "Add User" button +3. Enters user information: + - Email address (required, used as username) + - Display name (optional, defaults to email) + - Role (User or Administrator) + - Initial password or "Send invitation email" +4. System validates email uniqueness +5. System creates user account +6. If invitation mode: + - Generate one-time secure token + - Send email with setup link + - Link expires after 7 days +7. If direct password mode: + - Administrator provides initial password + - User must change on first login + +**Invitation Email Flow:** + +1. User receives email with unique link +2. Link contains secure token +3. User clicks link, redirected to setup page +4. User enters desired password +5. Token validated and consumed (single-use) +6. Account activated +7. User redirected to login page + +### 5.2 User Profile Management +**User Self-Service:** + +- Update display name +- Change password (requires current password) +- Update email address (requires verification) +- Manage UI preferences +- View account creation date and last login + +**Administrator Actions:** + +- Edit user information (name, email) +- Reset user password (generates reset link) +- Toggle administrator privileges +- Assign to groups (future feature) +- Suspend/unsuspend account +- Delete account (with data retention options) + +### 5.3 Password Reset Flow +**User-Initiated (Future Enhancement):** + +1. User clicks "Forgot Password" on login page +2. Enters email address +3. System sends password reset link (if email exists) +4. User clicks link, enters new password +5. Password updated, user can login + +**Administrator-Initiated:** + +1. Administrator selects user +2. Clicks "Send Password Reset" +3. System generates reset token and link +4. Email sent to user +5. User follows same flow as user-initiated reset + +## 6. Data Model and Database Schema + +### 6.1 New Tables + +#### 6.1.1 users +```sql +CREATE TABLE users ( + user_id TEXT NOT NULL PRIMARY KEY, + email TEXT NOT NULL UNIQUE, + display_name TEXT, + password_hash TEXT NOT NULL, + is_admin BOOLEAN NOT NULL DEFAULT FALSE, + is_active BOOLEAN NOT NULL DEFAULT TRUE, + created_at DATETIME NOT NULL DEFAULT(STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')), + updated_at DATETIME NOT NULL DEFAULT(STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')), + last_login_at DATETIME +); +CREATE INDEX idx_users_email ON users(email); +CREATE INDEX idx_users_is_admin ON users(is_admin); +CREATE INDEX idx_users_is_active ON users(is_active); +``` + +#### 6.1.2 user_sessions +```sql +CREATE TABLE user_sessions ( + session_id TEXT NOT NULL PRIMARY KEY, + user_id TEXT NOT NULL, + token_hash TEXT NOT NULL, + expires_at DATETIME NOT NULL, + created_at DATETIME NOT NULL DEFAULT(STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')), + last_activity_at DATETIME NOT NULL DEFAULT(STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')), + user_agent TEXT, + ip_address TEXT, + FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE +); +CREATE INDEX idx_user_sessions_user_id ON user_sessions(user_id); +CREATE INDEX idx_user_sessions_expires_at ON user_sessions(expires_at); +CREATE INDEX idx_user_sessions_token_hash ON user_sessions(token_hash); +``` + +#### 6.1.3 user_invitations +```sql +CREATE TABLE user_invitations ( + invitation_id TEXT NOT NULL PRIMARY KEY, + email TEXT NOT NULL, + token_hash TEXT NOT NULL, + invited_by_user_id TEXT NOT NULL, + expires_at DATETIME NOT NULL, + used_at DATETIME, + created_at DATETIME NOT NULL DEFAULT(STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')), + FOREIGN KEY (invited_by_user_id) REFERENCES users(user_id) ON DELETE CASCADE +); +CREATE INDEX idx_user_invitations_email ON user_invitations(email); +CREATE INDEX idx_user_invitations_token_hash ON user_invitations(token_hash); +CREATE INDEX idx_user_invitations_expires_at ON user_invitations(expires_at); +``` + +#### 6.1.4 shared_boards +```sql +CREATE TABLE shared_boards ( + board_id TEXT NOT NULL, + user_id TEXT NOT NULL, + permission TEXT NOT NULL CHECK(permission IN ('read', 'write', 'admin')), + created_at DATETIME NOT NULL DEFAULT(STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')), + PRIMARY KEY (board_id, user_id), + FOREIGN KEY (board_id) REFERENCES boards(board_id) ON DELETE CASCADE, + FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE +); +CREATE INDEX idx_shared_boards_user_id ON shared_boards(user_id); +CREATE INDEX idx_shared_boards_board_id ON shared_boards(board_id); +``` + +### 6.2 Modified Tables + +#### 6.2.1 boards +```sql +-- Add columns: +ALTER TABLE boards ADD COLUMN user_id TEXT NOT NULL DEFAULT 'system'; +ALTER TABLE boards ADD COLUMN is_shared BOOLEAN NOT NULL DEFAULT FALSE; +ALTER TABLE boards ADD COLUMN created_by_user_id TEXT; + +-- Add foreign key (requires recreation in SQLite): +FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE +FOREIGN KEY (created_by_user_id) REFERENCES users(user_id) ON DELETE SET NULL + +-- Add indices: +CREATE INDEX idx_boards_user_id ON boards(user_id); +CREATE INDEX idx_boards_is_shared ON boards(is_shared); +``` + +#### 6.2.2 images +```sql +-- Add column: +ALTER TABLE images ADD COLUMN user_id TEXT NOT NULL DEFAULT 'system'; + +-- Add foreign key: +FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE + +-- Add index: +CREATE INDEX idx_images_user_id ON images(user_id); +``` + +#### 6.2.3 workflows +```sql +-- Add columns: +ALTER TABLE workflows ADD COLUMN user_id TEXT NOT NULL DEFAULT 'system'; +ALTER TABLE workflows ADD COLUMN is_public BOOLEAN NOT NULL DEFAULT FALSE; + +-- Add foreign key: +FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE + +-- Add indices: +CREATE INDEX idx_workflows_user_id ON workflows(user_id); +CREATE INDEX idx_workflows_is_public ON workflows(is_public); +``` + +#### 6.2.4 session_queue +```sql +-- Add column: +ALTER TABLE session_queue ADD COLUMN user_id TEXT NOT NULL DEFAULT 'system'; + +-- Add foreign key: +FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE + +-- Add index: +CREATE INDEX idx_session_queue_user_id ON session_queue(user_id); +``` + +#### 6.2.5 style_presets +```sql +-- Add columns: +ALTER TABLE style_presets ADD COLUMN user_id TEXT NOT NULL DEFAULT 'system'; +ALTER TABLE style_presets ADD COLUMN is_public BOOLEAN NOT NULL DEFAULT FALSE; + +-- Add foreign key: +FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE + +-- Add indices: +CREATE INDEX idx_style_presets_user_id ON style_presets(user_id); +CREATE INDEX idx_style_presets_is_public ON style_presets(is_public); +``` + +### 6.3 Migration Strategy + +1. Create new user tables (users, user_sessions, user_invitations, shared_boards) +2. Create default 'system' user for backward compatibility +3. Update existing data to reference 'system' user +4. Add foreign key constraints +5. Version as database migration (e.g., migration_25.py) + +### 6.4 Migration for Existing Installations +- Single-user installations: Prompt to create admin account on first launch after update +- Existing data migration: Administrator can specify an arbitrary user account to hold legacy data (can be the admin account or a separate user) +- System provides UI during migration to choose destination user for existing data + +## 7. API Endpoints + +### 7.1 Authentication Endpoints + +#### POST /api/v1/auth/setup +- Initialize first administrator account +- Only works if no admin exists +- Body: `{ email, display_name, password }` +- Response: `{ success, user }` + +#### POST /api/v1/auth/login +- Authenticate user +- Body: `{ email, password, remember_me? }` +- Response: `{ token, user, expires_at }` + +#### POST /api/v1/auth/logout +- Invalidate current session +- Headers: `Authorization: Bearer ` +- Response: `{ success }` + +#### GET /api/v1/auth/me +- Get current user information +- Headers: `Authorization: Bearer ` +- Response: `{ user }` + +#### POST /api/v1/auth/change-password +- Change current user's password +- Body: `{ current_password, new_password }` +- Headers: `Authorization: Bearer ` +- Response: `{ success }` + +### 7.2 User Management Endpoints (Admin Only) + +#### GET /api/v1/users +- List all users (paginated) +- Query params: `offset`, `limit`, `search`, `role_filter` +- Response: `{ users[], total, offset, limit }` + +#### POST /api/v1/users +- Create new user +- Body: `{ email, display_name, is_admin, send_invitation?, initial_password? }` +- Response: `{ user, invitation_link? }` + +#### GET /api/v1/users/{user_id} +- Get user details +- Response: `{ user }` + +#### PATCH /api/v1/users/{user_id} +- Update user +- Body: `{ display_name?, is_admin?, is_active? }` +- Response: `{ user }` + +#### DELETE /api/v1/users/{user_id} +- Delete user +- Query params: `delete_data` (true/false) +- Response: `{ success }` + +#### POST /api/v1/users/{user_id}/reset-password +- Send password reset email +- Response: `{ success, reset_link }` + +### 7.3 Shared Boards Endpoints + +#### POST /api/v1/boards/{board_id}/share +- Share board with users +- Body: `{ user_ids[], permission: 'read' | 'write' | 'admin' }` +- Response: `{ success, shared_with[] }` + +#### GET /api/v1/boards/{board_id}/shares +- Get board sharing information +- Response: `{ shares[] }` + +#### DELETE /api/v1/boards/{board_id}/share/{user_id} +- Remove board sharing +- Response: `{ success }` + +### 7.4 Modified Endpoints + +All existing endpoints will be modified to: + +1. Require authentication (except setup/login) +2. Filter data by current user (unless admin viewing all) +3. Enforce permissions (e.g., model management requires admin) +4. Include user context in operations + +Example modifications: +- `GET /api/v1/boards` → Returns only user's boards + shared boards +- `POST /api/v1/session/queue` → Associates queue item with current user +- `GET /api/v1/queue` → Returns all items for admin, only user's items for regular users + +## 8. Frontend Changes + +### 8.1 New Components + +#### LoginPage +- Email/password form +- "Remember me" checkbox +- Login button +- Forgot password link (future) +- Branding and welcome message + +#### AdministratorSetup +- Modal dialog (cannot be dismissed) +- Administrator account creation form +- Password strength indicator +- Terms/welcome message + +#### UserManagementPage (Admin only) +- User list table +- Add user button +- User actions (edit, delete, reset password) +- Search and filter +- Role toggle + +#### UserProfilePage +- Display user information +- Change password form +- UI preferences +- Account details + +#### BoardSharingDialog +- User picker/search +- Permission selector +- Share button +- Current shares list + +### 8.2 Modified Components + +#### App Root +- Add authentication check +- Redirect to login if not authenticated +- Handle session expiration +- Add global error boundary for auth errors + +#### Navigation/Header +- Add user menu with logout +- Display current user name +- Admin indicator badge + +#### ModelManagerTab +- Hide/disable for non-admin users +- Show "Admin only" message + +#### QueuePanel +- Filter by current user (for non-admin) +- Show all with user indicators (for admin) +- Disable actions on other users' items (for non-admin) + +#### BoardsPanel +- Show personal boards section +- Show shared boards section +- Add sharing controls to board actions + +### 8.3 State Management + +New Redux slices/zustand stores: +- `authSlice`: Current user, authentication status, token +- `usersSlice`: User list for admin interface +- `sharingSlice`: Board sharing state + +Updated slices: +- `boardsSlice`: Include shared boards, ownership info +- `queueSlice`: Include user filtering +- `workflowsSlice`: Include public/private status + +## 9. Configuration + +### 9.1 New Config Options + +Add to `InvokeAIAppConfig`: + +```python +# Authentication +auth_enabled: bool = True # Enable/disable multi-user auth +session_expiry_hours: int = 24 # Default session expiration +session_expiry_hours_remember: int = 168 # "Remember me" expiration (7 days) +password_min_length: int = 8 # Minimum password length +require_strong_passwords: bool = True # Enforce password complexity + +# Session tracking +enable_server_side_sessions: bool = False # Optional server-side session tracking + +# Audit logging +audit_log_auth_events: bool = True # Log authentication events +audit_log_admin_actions: bool = True # Log administrative actions + +# Email (optional - for invitations and password reset) +email_enabled: bool = False +smtp_host: str = "" +smtp_port: int = 587 +smtp_username: str = "" +smtp_password: str = "" +smtp_from_address: str = "" +smtp_from_name: str = "InvokeAI" + +# Initial admin (stored as hash) +admin_email: Optional[str] = None +admin_password_hash: Optional[str] = None +``` + +### 9.2 Backward Compatibility + +- If `auth_enabled = False`, system runs in legacy single-user mode +- All data belongs to implicit "system" user +- No authentication required +- Smooth upgrade path for existing installations + +## 10. Security Considerations + +### 10.1 Password Security +- Never store passwords in plain text +- Use bcrypt or Argon2id for password hashing +- Implement proper salt generation +- Enforce password complexity requirements +- Implement rate limiting on login attempts +- Consider password breach checking (Have I Been Pwned API) + +### 10.2 Session Security +- Use cryptographically secure random tokens +- Implement token rotation +- Set appropriate cookie flags (HttpOnly, Secure, SameSite) +- Implement session timeout and renewal +- Invalidate sessions on logout +- Clean up expired sessions periodically + +### 10.3 Authorization +- Always verify user identity from session token (never trust client) +- Check permissions on every API call +- Implement principle of least privilege +- Validate user ownership of resources before operations +- Implement proper error messages (avoid information leakage) + +### 10.4 Data Isolation +- Strict separation of user data in database queries +- Prevent SQL injection via parameterized queries +- Validate all user inputs +- Implement proper access control checks +- Audit trail for sensitive operations + +### 10.5 API Security +- Implement rate limiting on sensitive endpoints +- Use HTTPS in production (enforce via config) +- Implement CSRF protection +- Validate and sanitize all inputs +- Implement proper CORS configuration +- Add security headers (CSP, X-Frame-Options, etc.) + +### 10.6 Deployment Security +- Document secure deployment practices +- Recommend reverse proxy configuration (nginx, Apache) +- Provide example configurations for HTTPS +- Document firewall requirements +- Recommend network isolation strategies + +## 11. Email Integration (Optional) + +**Note**: Email/SMTP configuration is optional. Many administrators will not have ready access to an outgoing SMTP server. When email is not configured, the system provides fallback mechanisms by displaying setup links directly in the admin UI. + +### 11.1 Email Templates + +#### User Invitation +``` +Subject: You've been invited to InvokeAI + +Hello, + +You've been invited to join InvokeAI by [Administrator Name]. + +Click the link below to set up your account: +[Setup Link] + +This link expires in 7 days. + +--- +InvokeAI +``` + +#### Password Reset +``` +Subject: Reset your InvokeAI password + +Hello [User Name], + +A password reset was requested for your account. + +Click the link below to reset your password: +[Reset Link] + +This link expires in 24 hours. + +If you didn't request this, please ignore this email. + +--- +InvokeAI +``` + +### 11.2 Email Service +- Support SMTP configuration +- Use secure connection (TLS) +- Handle email failures gracefully +- Implement email queue for reliability +- Log email activities (without sensitive data) +- Provide fallback for no-email deployments (show links in admin UI) + +## 12. Testing Requirements + +### 12.1 Unit Tests +- Authentication service (password hashing, validation) +- Authorization checks +- Token generation and validation +- User management operations +- Shared board permissions +- Data isolation queries + +### 12.2 Integration Tests +- Complete authentication flows +- User creation and invitation +- Password reset flow +- Multi-user data isolation +- Shared board access +- Session management +- Admin operations + +### 12.3 Security Tests +- SQL injection prevention +- XSS prevention +- CSRF protection +- Session hijacking prevention +- Brute force protection +- Authorization bypass attempts + +### 12.4 Performance Tests +- Authentication overhead +- Query performance with user filters +- Concurrent user sessions +- Database scalability with many users + +## 13. Documentation Requirements + +### 13.1 User Documentation +- Getting started with multi-user InvokeAI +- Login and account management +- Using shared boards +- Understanding permissions +- Troubleshooting authentication issues + +### 13.2 Administrator Documentation +- Setting up multi-user InvokeAI +- User management guide +- Creating and managing shared boards +- Email configuration +- Security best practices +- Backup and restore with user data + +### 13.3 Developer Documentation +- Authentication architecture +- API authentication requirements +- Adding new multi-user features +- Database schema changes +- Testing multi-user features + +### 13.4 Migration Documentation +- Upgrading from single-user to multi-user +- Data migration strategies +- Rollback procedures +- Common issues and solutions + +## 14. Future Enhancements + +### 14.1 Phase 2 Features +- **OAuth2/OpenID Connect integration** (deferred from initial release to keep scope manageable) +- Two-factor authentication +- API keys for programmatic access +- Enhanced team/group management +- Advanced permission system (roles and capabilities) + +### 14.2 Phase 3 Features +- SSO integration (SAML, LDAP) +- User quotas and limits +- Resource usage tracking +- Advanced collaboration features +- Workflow template library with permissions +- Model access controls per user/group + +## 15. Success Metrics + +### 15.1 Functionality Metrics +- Successful user authentication rate +- Zero unauthorized data access incidents +- All tests passing (unit, integration, security) +- API response time within acceptable limits + +### 15.2 Usability Metrics +- User setup completion time < 2 minutes +- Login time < 2 seconds +- Clear error messages for all auth failures +- Positive user feedback on multi-user features + +### 15.3 Security Metrics +- No critical security vulnerabilities identified +- CodeQL scan passes +- Penetration testing completed +- Security best practices followed + +## 16. Risks and Mitigations + +### 16.1 Technical Risks +| Risk | Impact | Probability | Mitigation | +|------|--------|-------------|------------| +| Performance degradation with user filtering | Medium | Low | Index optimization, query caching | +| Database migration failures | High | Low | Thorough testing, rollback procedures | +| Session management complexity | Medium | Medium | Use proven libraries (PyJWT), extensive testing | +| Auth bypass vulnerabilities | High | Low | Security review, penetration testing | + +### 16.2 UX Risks +| Risk | Impact | Probability | Mitigation | +|------|--------|-------------|------------| +| Confusion in migration for existing users | Medium | High | Clear documentation, migration wizard | +| Friction from additional login step | Low | High | Remember me option, long session timeout | +| Complexity of admin interface | Medium | Medium | Intuitive UI design, user testing | + +### 16.3 Operational Risks +| Risk | Impact | Probability | Mitigation | +|------|--------|-------------|------------| +| Email delivery failures | Low | Medium | Show links in UI, document manual methods | +| Lost admin password | High | Low | Document recovery procedure, config reset | +| User data conflicts in migration | Medium | Low | Data validation, backup requirements | + +## 17. Implementation Phases + +### Phase 1: Foundation (Weeks 1-2) +- Database schema design and migration +- Basic authentication service +- Password hashing and validation +- Session management + +### Phase 2: Backend API (Weeks 3-4) +- Authentication endpoints +- User management endpoints +- Authorization middleware +- Update existing endpoints with auth + +### Phase 3: Frontend Auth (Weeks 5-6) +- Login page and flow +- Administrator setup +- Session management +- Auth state management + +### Phase 4: Multi-tenancy (Weeks 7-9) +- User isolation in all services +- Shared boards implementation +- Queue permission filtering +- Workflow public/private + +### Phase 5: Admin Interface (Weeks 10-11) +- User management UI +- Board sharing UI +- Admin-specific features +- User profile page + +### Phase 6: Testing & Polish (Weeks 12-13) +- Comprehensive testing +- Security audit +- Performance optimization +- Documentation +- Bug fixes + +### Phase 7: Beta & Release (Week 14+) +- Beta testing with selected users +- Feedback incorporation +- Final testing +- Release preparation +- Documentation finalization + +## 18. Acceptance Criteria + +- [ ] Administrator can set up initial account on first launch +- [ ] Users can log in with email and password +- [ ] Users can change their password +- [ ] Administrators can create, edit, and delete users +- [ ] User data is properly isolated (boards, images, workflows) +- [ ] Shared boards work correctly with permissions +- [ ] Non-admin users cannot access model management +- [ ] Queue filtering works correctly for users and admins +- [ ] Session management works correctly (expiry, renewal, logout) +- [ ] All security tests pass +- [ ] API documentation is updated +- [ ] User and admin documentation is complete +- [ ] Migration from single-user works smoothly +- [ ] Performance is acceptable with multiple concurrent users +- [ ] Backward compatibility mode works (auth disabled) + +## 19. Design Decisions + +The following design decisions have been approved for implementation: + +1. **OAuth2 Priority**: OAuth2/OpenID Connect integration will be a **future enhancement**. The initial release will focus on username/password authentication to keep scope manageable. + +2. **Email Requirement**: Email/SMTP configuration is **optional**. Many administrators will not have ready access to an outgoing SMTP server. The system will provide fallback mechanisms (showing setup links directly in the admin UI) when email is not configured. + +3. **Data Migration**: During migration from single-user to multi-user mode, the administrator will be given the **option to specify an arbitrary user account** to hold legacy data. The admin account can be used for this purpose if the administrator wishes. + +4. **API Compatibility**: Authentication will be **required on all APIs**, but authentication will not be required if multi-user support is disabled (backward compatibility mode with `auth_enabled: false`). + +5. **Session Storage**: The system will use **JWT tokens with optional server-side session tracking**. This provides scalability while allowing administrators to enable server-side tracking if needed. + +6. **Audit Logging**: The system will **log authentication events and admin actions**. This provides accountability and security monitoring for critical operations. + +## 20. Conclusion + +This specification provides a comprehensive blueprint for implementing multi-user support in InvokeAI. The design prioritizes: + +- **Security**: Proper authentication, authorization, and data isolation +- **Usability**: Intuitive UI, smooth migration, minimal friction +- **Scalability**: Efficient database design, performant queries +- **Maintainability**: Clean architecture, comprehensive testing +- **Flexibility**: Future enhancement paths, optional features + +The phased implementation approach allows for iterative development and testing, while the detailed specifications ensure all stakeholders have clear expectations of the final system. diff --git a/docs/multiuser/user_guide.md b/docs/multiuser/user_guide.md new file mode 100644 index 00000000000..dd0d791aa6c --- /dev/null +++ b/docs/multiuser/user_guide.md @@ -0,0 +1,489 @@ +# InvokeAI Multi-User Guide + +## Overview + +InvokeAI supports both single-user and multi-user modes. In +single-user mode, no login is required and you have access to all +features. In multi-user mode, multiple people can use the same +InvokeAI instance while keeping their work private and organized. + +### Single-User vs Multi-User Mode + +**Single-User Mode:** + +- No login required - direct access to InvokeAI +- All functionality enabled by default +- All boards and images visible in a unified view +- Ideal for personal use or trusted environments +- Enabled when `multiuser: false` in config or option is absent + +**Multi-User Mode:** + +- Secure login required for access +- User isolation for boards, images, and workflows +- Role-based permissions (Administrator vs Regular User) +- Ideal for shared servers or team environments +- Enabled when `multiuser: true` in config + +!!! note "Mode Switching" + + If you switch from multi-user mode to single-user mode, + all boards and images from different users will be combined + into a single unified view. When switching back to multi-user + mode, they will be separated again by user ownership. + +## Getting Started + +### Initial Setup (First Time in Multi-User Mode) + +If you're the first person to access a fresh InvokeAI installation in multi-user mode, you'll see the **Administrator Setup** dialog: + +1. Enter your email address (this will be your username) +2. Create a display name +3. Choose a strong password that meets the requirements: + - At least 8 characters long + - Contains uppercase letters + - Contains lowercase letters + - Contains numbers +4. Confirm your password +5. Click **Create Administrator Account** + +You'll now be taken to a login screen and can enter the credentials +you just created. + +### Accessing InvokeAI + +**In Single-User Mode:** + +1. Navigate to your InvokeAI URL (e.g., `http://localhost:9090`) +2. You'll go directly to the InvokeAI interface +3. No login required - start creating immediately! + +**In Multi-User Mode:** + +1. Navigate to your InvokeAI URL (e.g., `http://localhost:9090`) +2. You'll see the login screen +3. Enter your email address and password provided by your administrator +4. Click **Sign In** + +!!! tip "Remember Me" + In multi-user mode, check the "Remember me" box to stay logged in for 7 days. Otherwise, your session will expire after 24 hours. + +## Understanding User Roles (Multi-User Mode Only) + +In single-user mode, you have access to all features without restrictions. In multi-user mode, InvokeAI has two user roles: + +### Regular User + +As a regular user, you can: + +- ✅ Create and manage your own image boards +- ✅ Generate images using all AI tools (Linear, Canvas, Upscale, Workflows) +- ✅ Create, save, and load your own workflows +- ✅ Access workflows marked as public +- ✅ View your own generation queue +- ✅ Customize your UI preferences (theme, hotkeys, etc.) +- ✅ Access shared boards (based on permissions granted to you) (FUTURE FEATURE) +- ✅ **View available models** (read-only access to Model Manager) + +You cannot: + +- ❌ Add, delete, or modify models +- ❌ View or modify other users' boards, images, or workflows +- ❌ Manage user accounts +- ❌ Access system configuration +- ❌ View or cancel other users' generation tasks + +!!! tip "The generation queue" + + When two or more users are accessing InvokeAI at the same time, + their image generation jobs will be placed on the session queue on + a first-come, first-serve basis. This means that you will have to + wait for other users' image rendering jobs to complete before + yours will start. + + When another user's job is running, you will see the image + generation progress bar and a queue badge that reads `X/Y`, where + "X" is the number of jobs you have queued and "Y" is the total + number of jobs queued, including your own and others. + + You can also pull up the Queue tab in order to see where your job + is in relationship to other queued tasks. + +### Administrator + +Administrators have all regular user capabilities, plus: + +- ✅ Full model management (add, delete, configure models) +- ✅ Create and manage user accounts +- ✅ View and manage all users' generation queues +- ✅ Create and manage shared boards (FUTURE FEATURE) +- ✅ Access system configuration +- ✅ Grant or revoke admin privileges + +## Working with Your Content + +### Image Boards + +Image boards help organize your generated images. Each user has their own private boards. + +**Creating a Board:** + +1. Click the **+** button in the Boards panel +2. Enter a board name +3. Press Enter or click Create + +**Managing Boards:** + +- Click a board to select it +- Generated images will automatically be added to the selected board +- Right-click a board for options (rename, delete, archive) +- Drag images between boards to reorganize + +**Board Visibility:** + +- Your boards are private by default +- Only administrators can create shared boards (FUTURE FEATURE) +- You'll see shared boards you have access to in a separate section + +### Workflows + +Workflows are reusable generation templates that you create in the Workflow Editor. + +**Creating a Workflow:** + +1. Go to the **Workflows** tab +2. Build your workflow using nodes +3. Click **Save** and give it a name +4. Your workflow is saved to your personal library + +**Workflow Privacy:** + +- Your workflows are private by default +- Only you can see and edit your workflows +- Administrators can mark workflows as "public" for all users to access +- Public workflows appear in everyone's workflow library but remain read-only + +### Your Generation Queue + +The queue shows your pending and running generation tasks. + +**Queue Features:** + +- View your current and completed generations +- Cancel pending tasks +- Re-run previous generations +- Monitor progress in real-time + +**Queue Isolation:** + +- You will see your own queue items, as well as the items generated by + either users, but the generation parameters (e.g. prompts) for other + users' are hidden for privacy reasons. +- Administrators can view all queues for troubleshooting +- Your generations won't interfere with other users' tasks + +## Using Shared Boards (FUTURE FEATURE) + +Shared boards are a feature that will be added in a future +release. Administrators will able to designate certain boards as being +accessible to multiple users, allowing for collaboration among users +while maintaining security. + +### Accessing Shared Boards + +Shared boards appear in your Boards panel marked with a sharing icon. You can: + +- View images on shared boards (if you have read access) +- Add images to shared boards (if you have write access) +- Use shared boards like your personal boards + +### Permission Levels + +Shared boards have three permission levels: + +| Permission | View Images | Add Images | Edit/Delete | Manage Sharing | +|------------|-------------|------------|-------------|----------------| +| **Read** | ✅ | ❌ | ❌ | ❌ | +| **Write** | ✅ | ✅ | ✅ | ❌ | +| **Admin** | ✅ | ✅ | ✅ | ✅ | + +!!! note "Shared boards" + Only administrators will be able to create shared boards and + assign initial permissions. + +## Viewing Models (Read-Only) + +Regular users have read-only access to the Model Manager, allowing you to: + +**What You Can View:** + +- ✅ Browse all available models +- ✅ See model details and configurations +- ✅ View default settings for each model +- ✅ Check model metadata and descriptions +- ✅ See which models are installed + +**What You Cannot Do:** + +- ❌ Install new models +- ❌ Delete or modify existing models +- ❌ Change model configurations +- ❌ Upload or change model images +- ❌ Convert models between formats + +**Accessing the Model Manager:** + +1. Click on the **Models** tab in the navigation +2. Browse available models +3. Click on any model to view its details + +!!! tip "Need a New Model?" + If you need a model that isn't installed, ask your administrator to add it. + +## Customizing Your Experience + +### Personal Preferences + +Your UI preferences are saved to your account: + +- **Theme**: Choose between light and dark modes +- **Hotkeys**: Customize keyboard shortcuts +- **Canvas Settings**: Default zoom, grid visibility, etc. +- **Generation Defaults**: Default values for width, height, steps, etc. + +These settings are stored per-user and won't affect other users. + +### Profile Settings (Multi-User Mode) + +In multi-user mode, access your profile by clicking your name in the top-right corner: + +**Display Name:** Update how your name appears throughout the UI + +**Change Password:** + +!!! info "Password Changes" + A web-based interface for users to change their own passwords is coming in a future release. Until then, contact your administrator to reset your password if needed. + +## Security Best Practices + +### Password Security + +- Use a strong, unique password +- Don't share your password with others +- Change your password regularly +- Use a password manager to store complex passwords + +### Session Security + +- Log out when using a shared computer +- Be aware of your session timeout (24 hours or 7 days with "remember me") +- Your session will automatically expire for security +- You'll need to log in again after the session expires + +### Data Privacy + +- Your boards, images, and workflows are private by default +- Other users cannot access your content unless explicitly shared +- Only administrators can see all users' content for management purposes + +## Troubleshooting + +### Cannot Log In + +**Issue:** Login fails with "Incorrect email or password" + +**Solutions:** + +- Verify you're entering the correct email address +- Check that Caps Lock is off +- Try typing the password slowly to avoid mistakes +- Contact your administrator if you've forgotten your password + +**Issue:** Login fails with "Account is disabled" + +**Solution:** Contact your administrator to reactivate your account + +### Session Expired + +**Issue:** You're suddenly logged out and see "Session expired" + +**Explanation:** Sessions expire after 24 hours (or 7 days with "remember me") + +**Solution:** Simply log in again with your credentials + +### Cannot Access Features + +**Issue:** Features like Model Manager show "Admin privileges required" + +**Explanation:** Some features are restricted to administrators + +**Solution:** + +- For model viewing: You can view but not modify models +- For user management: Contact an administrator +- For system configuration: Contact an administrator + +### Missing Boards or Images + +**Issue:** Boards or images you created are not visible + +**Possible Causes:** + +1. **Filter Applied:** Check if a filter is hiding content +2. **Wrong User:** Ensure you're logged in with the correct account +3. **Archived Board:** Check the "Show Archived" option + +**Solution:** + +- Clear any active filters +- Verify you're logged in as the right user +- Check archived items + +### Slow Performance + +**Issue:** Generation or UI feels slower than expected + +**Possible Causes:** + +- Other users generating images simultaneously +- Server resource limits +- Network latency + +**Solutions:** + +- Check the queue to see if others are generating +- Wait for current generations to complete +- Contact administrator if persistent + +### Generation Stuck in Queue + +**Issue:** Your generation is queued but not starting + +**Possible Causes:** + +- Server is processing other users' generations +- Server resources are fully utilized +- Technical issue with the server + +**Solutions:** + +- Wait for your turn in the queue +- Check if your generation is paused +- Contact administrator if stuck for extended period + +## Common Tasks + +### Changing Your Password + +!!! note This is a FUTURE FEATURE. For now, the Administrator must change/reset a user's password using command-line tools. + +1. Click your display name (top-right corner) +2. Select **Change Password** +3. Enter current password +4. Enter new password (8+ characters, mixed case, numbers) +5. Confirm new password +6. Click **Update Password** + +### Creating a New Board + +1. Navigate to the Gallery or Canvas tab +2. Find the Boards panel (usually on the left) +3. Click the **+ New Board** button +4. Type a descriptive name +5. Press Enter + +### Saving a Workflow + +1. Create or edit a workflow in the Workflows tab +2. Click **Save** in the top bar +3. Enter a workflow name +4. Optionally add a description +5. Click **Save Workflow** + +### Finding a Public Workflow + +!!! note Sharing of workflows is a FUTURE FEATURE, not yet implemented + +1. Go to the **Workflows** tab +2. Open the workflow library +3. Public workflows are marked with a 🌐 icon +4. Click to load and use the workflow + +### Logging Out + +1. Click your display name (top-right corner) +2. Select **Logout** +3. You'll be redirected to the login screen + +## Frequently Asked Questions + +### Can other users see my images? + +No, unless you add them to a shared board (FUTURE FEATURE). All your personal boards and images are private. + +### Can I share my workflows with others? + +Not directly. Ask your administrator to mark workflows as public if you want to share them. + +### How long do sessions last? + +- 24 hours by default +- 7 days if you check "Remember me" during login + +### Can I use the API with multi-user mode? + +Yes, but you'll need to authenticate with a JWT token. See the [API Guide](api_guide.md) for details. + +### What happens if I forget my password? + +Contact your administrator. They can reset your password for you. + +### Can I have multiple sessions? + +Yes, you can log in from multiple devices or browsers simultaneously. All sessions will use the same account and see the same content. + +### Why can't I see the Model Manager "Add Models" tab? + +Regular users can see the Models tab but with read-only access. Check that you're logged in and try refreshing the page. + +### How do I know if I'm an administrator? + +Administrators see an "Admin" badge next to their name in the top-right corner and have access to additional features like User Management. + +### Can I request admin privileges? + +Yes, ask your current administrator to grant you admin +privileges. Admin privileges will give you the ability to see all +other user's boards and images, as well as to add models and change +various server-wide settings. + +## Getting Help + +### Support Channels + +- **Administrator:** Contact your system administrator for account issues +- **Documentation:** Check the [FAQ](../faq.md) for common issues +- **Community:** Join the [Discord](https://discord.gg/ZmtBAhwWhy) for help +- **Bug Reports:** File issues on [GitHub](https://github.com/invoke-ai/InvokeAI/issues) + +### Reporting Issues + +When reporting an issue, include: + +- Your role (regular user or administrator) +- What you were trying to do +- What happened instead +- Any error messages you saw +- Your browser and operating system + +## Additional Resources + +- [Administrator Guide](admin_guide.md) - For administrators managing users and the system +- [API Guide](api_guide.md) - For developers using the InvokeAI API +- [Multiuser Specification](specification.md) - Technical details about the feature +- [InvokeAI Documentation](../index.md) - Main documentation hub + +--- + +**Need more help?** Contact your administrator or visit the [InvokeAI Discord](https://discord.gg/ZmtBAhwWhy). diff --git a/invokeai/app/api/auth_dependencies.py b/invokeai/app/api/auth_dependencies.py new file mode 100644 index 00000000000..1df1ed6e250 --- /dev/null +++ b/invokeai/app/api/auth_dependencies.py @@ -0,0 +1,166 @@ +"""FastAPI dependencies for authentication.""" + +from typing import Annotated + +from fastapi import Depends, HTTPException, status +from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer + +from invokeai.app.api.dependencies import ApiDependencies +from invokeai.app.services.auth.token_service import TokenData, verify_token +from invokeai.backend.util.logging import logging + +logger = logging.getLogger(__name__) + +# HTTP Bearer token security scheme +security = HTTPBearer(auto_error=False) + + +async def get_current_user( + credentials: Annotated[HTTPAuthorizationCredentials | None, Depends(security)], +) -> TokenData: + """Get current authenticated user from Bearer token. + + Note: This function accesses ApiDependencies.invoker.services.users directly, + which is the established pattern in this codebase. The ApiDependencies.invoker + is initialized in the FastAPI lifespan context before any requests are handled. + + Args: + credentials: The HTTP authorization credentials containing the Bearer token + + Returns: + TokenData containing user information from the token + + Raises: + HTTPException: If token is missing, invalid, or expired (401 Unauthorized) + """ + if credentials is None: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail="Missing authentication credentials", + headers={"WWW-Authenticate": "Bearer"}, + ) + + token = credentials.credentials + token_data = verify_token(token) + + if token_data is None: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail="Invalid or expired authentication token", + headers={"WWW-Authenticate": "Bearer"}, + ) + + # Verify user still exists and is active + user_service = ApiDependencies.invoker.services.users + user = user_service.get(token_data.user_id) + + if user is None or not user.is_active: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail="User account is inactive or does not exist", + headers={"WWW-Authenticate": "Bearer"}, + ) + + return token_data + + +async def get_current_user_or_default( + credentials: Annotated[HTTPAuthorizationCredentials | None, Depends(security)], +) -> TokenData: + """Get current authenticated user from Bearer token, or return a default system user if not authenticated. + + This dependency is useful for endpoints that should work in both single-user and multiuser modes. + + When multiuser mode is disabled (default), this always returns a system user with admin privileges, + allowing unrestricted access to all operations. + + When multiuser mode is enabled, authentication is required and this function validates the token, + returning authenticated user data or raising 401 Unauthorized if no valid credentials are provided. + + Args: + credentials: The HTTP authorization credentials containing the Bearer token + + Returns: + TokenData containing user information from the token, or system user in single-user mode + + Raises: + HTTPException: 401 Unauthorized if in multiuser mode and credentials are missing, invalid, or user is inactive + """ + # Get configuration to check if multiuser is enabled + config = ApiDependencies.invoker.services.configuration + + # In single-user mode (multiuser=False), always return system user with admin privileges + if not config.multiuser: + return TokenData(user_id="system", email="system@system.invokeai", is_admin=True) + + # Multiuser mode is enabled - validate credentials + if credentials is None: + # In multiuser mode, authentication is required + raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Authentication required") + + token = credentials.credentials + token_data = verify_token(token) + + if token_data is None: + # Invalid token in multiuser mode - reject + raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid or expired token") + + # Verify user still exists and is active + user_service = ApiDependencies.invoker.services.users + user = user_service.get(token_data.user_id) + + if user is None or not user.is_active: + # User doesn't exist or is inactive in multiuser mode - reject + raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="User not found or inactive") + + return token_data + + +async def require_admin( + current_user: Annotated[TokenData, Depends(get_current_user)], +) -> TokenData: + """Require admin role for the current user. + + Args: + current_user: The current authenticated user's token data + + Returns: + The token data if user is an admin + + Raises: + HTTPException: If user does not have admin privileges (403 Forbidden) + """ + if not current_user.is_admin: + raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Admin privileges required") + return current_user + + +async def require_admin_or_default( + current_user: Annotated[TokenData, Depends(get_current_user_or_default)], +) -> TokenData: + """Require admin role for the current user, or return default system admin in single-user mode. + + This dependency is useful for admin-only endpoints that should work in both single-user and multiuser modes. + + When multiuser mode is disabled (default), this always returns a system user with admin privileges. + When multiuser mode is enabled, this validates that the authenticated user has admin privileges. + + Args: + current_user: The current authenticated user's token data (or default system user) + + Returns: + The token data if user is an admin (or system user in single-user mode) + + Raises: + HTTPException: If user does not have admin privileges (403 Forbidden) in multiuser mode + """ + if not current_user.is_admin: + raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Admin privileges required") + return current_user + + +# Type aliases for convenient use in route dependencies +CurrentUser = Annotated[TokenData, Depends(get_current_user)] +CurrentUserOrDefault = Annotated[TokenData, Depends(get_current_user_or_default)] +AdminUser = Annotated[TokenData, Depends(require_admin)] +AdminUserOrDefault = Annotated[TokenData, Depends(require_admin_or_default)] diff --git a/invokeai/app/api/dependencies.py b/invokeai/app/api/dependencies.py index 466a57f804c..339a0ceadb4 100644 --- a/invokeai/app/api/dependencies.py +++ b/invokeai/app/api/dependencies.py @@ -5,6 +5,8 @@ import torch +from invokeai.app.services.app_settings import AppSettingsService +from invokeai.app.services.auth.token_service import set_jwt_secret from invokeai.app.services.board_image_records.board_image_records_sqlite import SqliteBoardImageRecordStorage from invokeai.app.services.board_images.board_images_default import BoardImagesService from invokeai.app.services.board_records.board_records_sqlite import SqliteBoardRecordStorage @@ -40,6 +42,7 @@ from invokeai.app.services.style_preset_images.style_preset_images_disk import StylePresetImageFileStorageDisk from invokeai.app.services.style_preset_records.style_preset_records_sqlite import SqliteStylePresetRecordsStorage from invokeai.app.services.urls.urls_default import LocalUrlService +from invokeai.app.services.users.users_default import UserService from invokeai.app.services.workflow_records.workflow_records_sqlite import SqliteWorkflowRecordsStorage from invokeai.app.services.workflow_thumbnails.workflow_thumbnails_disk import WorkflowThumbnailFileStorageDisk from invokeai.backend.stable_diffusion.diffusion.conditioning_data import ( @@ -101,6 +104,12 @@ def initialize( db = init_db(config=config, logger=logger, image_files=image_files) + # Initialize JWT secret from database + app_settings = AppSettingsService(db=db) + jwt_secret = app_settings.get_jwt_secret() + set_jwt_secret(jwt_secret) + logger.info("JWT secret loaded from database") + configuration = config logger = logger @@ -155,6 +164,7 @@ def initialize( style_preset_image_files = StylePresetImageFileStorageDisk(style_presets_folder / "images") workflow_thumbnails = WorkflowThumbnailFileStorageDisk(workflow_thumbnails_folder) client_state_persistence = ClientStatePersistenceSqlite(db=db) + users = UserService(db=db) services = InvocationServices( board_image_records=board_image_records, @@ -186,6 +196,7 @@ def initialize( style_preset_image_files=style_preset_image_files, workflow_thumbnails=workflow_thumbnails, client_state_persistence=client_state_persistence, + users=users, ) ApiDependencies.invoker = Invoker(services) diff --git a/invokeai/app/api/routers/auth.py b/invokeai/app/api/routers/auth.py new file mode 100644 index 00000000000..11f2bacdc5c --- /dev/null +++ b/invokeai/app/api/routers/auth.py @@ -0,0 +1,248 @@ +"""Authentication endpoints.""" + +from datetime import timedelta +from typing import Annotated + +from fastapi import APIRouter, Body, HTTPException, status +from pydantic import BaseModel, Field, field_validator + +from invokeai.app.api.auth_dependencies import CurrentUser +from invokeai.app.api.dependencies import ApiDependencies +from invokeai.app.services.auth.token_service import TokenData, create_access_token +from invokeai.app.services.users.users_common import UserCreateRequest, UserDTO, validate_email_with_special_domains + +auth_router = APIRouter(prefix="/v1/auth", tags=["authentication"]) + +# Token expiration constants (in days) +TOKEN_EXPIRATION_NORMAL = 1 # 1 day for normal login +TOKEN_EXPIRATION_REMEMBER_ME = 7 # 7 days for "remember me" login + + +class LoginRequest(BaseModel): + """Request body for user login.""" + + email: str = Field(description="User email address") + password: str = Field(description="User password") + remember_me: bool = Field(default=False, description="Whether to extend session duration") + + @field_validator("email") + @classmethod + def validate_email(cls, v: str) -> str: + """Validate email address, allowing special-use domains.""" + return validate_email_with_special_domains(v) + + +class LoginResponse(BaseModel): + """Response from successful login.""" + + token: str = Field(description="JWT access token") + user: UserDTO = Field(description="User information") + expires_in: int = Field(description="Token expiration time in seconds") + + +class SetupRequest(BaseModel): + """Request body for initial admin setup.""" + + email: str = Field(description="Admin email address") + display_name: str | None = Field(default=None, description="Admin display name") + password: str = Field(description="Admin password") + + @field_validator("email") + @classmethod + def validate_email(cls, v: str) -> str: + """Validate email address, allowing special-use domains.""" + return validate_email_with_special_domains(v) + + +class SetupResponse(BaseModel): + """Response from successful admin setup.""" + + success: bool = Field(description="Whether setup was successful") + user: UserDTO = Field(description="Created admin user information") + + +class LogoutResponse(BaseModel): + """Response from logout.""" + + success: bool = Field(description="Whether logout was successful") + + +class SetupStatusResponse(BaseModel): + """Response for setup status check.""" + + setup_required: bool = Field(description="Whether initial setup is required") + multiuser_enabled: bool = Field(description="Whether multiuser mode is enabled") + + +@auth_router.get("/status", response_model=SetupStatusResponse) +async def get_setup_status() -> SetupStatusResponse: + """Check if initial administrator setup is required. + + Returns: + SetupStatusResponse indicating whether setup is needed and multiuser mode status + """ + config = ApiDependencies.invoker.services.configuration + + # If multiuser is disabled, setup is never required + if not config.multiuser: + return SetupStatusResponse(setup_required=False, multiuser_enabled=False) + + # In multiuser mode, check if an admin exists + user_service = ApiDependencies.invoker.services.users + setup_required = not user_service.has_admin() + + return SetupStatusResponse(setup_required=setup_required, multiuser_enabled=True) + + +@auth_router.post("/login", response_model=LoginResponse) +async def login( + request: Annotated[LoginRequest, Body(description="Login credentials")], +) -> LoginResponse: + """Authenticate user and return access token. + + Args: + request: Login credentials (email and password) + + Returns: + LoginResponse containing JWT token and user information + + Raises: + HTTPException: 401 if credentials are invalid or user is inactive + HTTPException: 403 if multiuser mode is disabled + """ + config = ApiDependencies.invoker.services.configuration + + # Check if multiuser is enabled + if not config.multiuser: + raise HTTPException( + status_code=status.HTTP_403_FORBIDDEN, + detail="Multiuser mode is disabled. Authentication is not required in single-user mode.", + ) + + user_service = ApiDependencies.invoker.services.users + user = user_service.authenticate(request.email, request.password) + + if user is None: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail="Incorrect email or password", + headers={"WWW-Authenticate": "Bearer"}, + ) + + if not user.is_active: + raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User account is disabled") + + # Create token with appropriate expiration + expires_delta = timedelta(days=TOKEN_EXPIRATION_REMEMBER_ME if request.remember_me else TOKEN_EXPIRATION_NORMAL) + token_data = TokenData( + user_id=user.user_id, + email=user.email, + is_admin=user.is_admin, + ) + token = create_access_token(token_data, expires_delta) + + return LoginResponse( + token=token, + user=user, + expires_in=int(expires_delta.total_seconds()), + ) + + +@auth_router.post("/logout", response_model=LogoutResponse) +async def logout( + current_user: CurrentUser, +) -> LogoutResponse: + """Logout current user. + + Currently a no-op since we use stateless JWT tokens. For token invalidation in + future implementations, consider: + - Token blacklist: Store invalidated tokens in Redis/database with expiration + - Token versioning: Add version field to user record, increment on logout + - Short-lived tokens: Use refresh token pattern with token rotation + - Session storage: Track active sessions server-side for revocation + + Args: + current_user: The authenticated user (validates token) + + Returns: + LogoutResponse indicating success + """ + # TODO: Implement token invalidation when server-side session management is added + # For now, this is a no-op since we use stateless JWT tokens + return LogoutResponse(success=True) + + +@auth_router.get("/me", response_model=UserDTO) +async def get_current_user_info( + current_user: CurrentUser, +) -> UserDTO: + """Get current authenticated user's information. + + Args: + current_user: The authenticated user's token data + + Returns: + UserDTO containing user information + + Raises: + HTTPException: 404 if user is not found (should not happen normally) + """ + user_service = ApiDependencies.invoker.services.users + user = user_service.get(current_user.user_id) + + if user is None: + raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found") + + return user + + +@auth_router.post("/setup", response_model=SetupResponse) +async def setup_admin( + request: Annotated[SetupRequest, Body(description="Admin account details")], +) -> SetupResponse: + """Set up initial administrator account. + + This endpoint can only be called once, when no admin user exists. It creates + the first admin user for the system. + + Args: + request: Admin account details (email, display_name, password) + + Returns: + SetupResponse containing the created admin user + + Raises: + HTTPException: 400 if admin already exists or password is weak + HTTPException: 403 if multiuser mode is disabled + """ + config = ApiDependencies.invoker.services.configuration + + # Check if multiuser is enabled + if not config.multiuser: + raise HTTPException( + status_code=status.HTTP_403_FORBIDDEN, + detail="Multiuser mode is disabled. Admin setup is not required in single-user mode.", + ) + + user_service = ApiDependencies.invoker.services.users + + # Check if any admin exists + if user_service.has_admin(): + raise HTTPException( + status_code=status.HTTP_400_BAD_REQUEST, + detail="Administrator account already configured", + ) + + # Create admin user - this will validate password strength + try: + user_data = UserCreateRequest( + email=request.email, + display_name=request.display_name, + password=request.password, + is_admin=True, + ) + user = user_service.create_admin(user_data) + except ValueError as e: + raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(e)) from e + + return SetupResponse(success=True, user=user) diff --git a/invokeai/app/api/routers/boards.py b/invokeai/app/api/routers/boards.py index cf668d5a1a4..778849927bd 100644 --- a/invokeai/app/api/routers/boards.py +++ b/invokeai/app/api/routers/boards.py @@ -4,6 +4,7 @@ from fastapi.routing import APIRouter from pydantic import BaseModel, Field +from invokeai.app.api.auth_dependencies import CurrentUserOrDefault from invokeai.app.api.dependencies import ApiDependencies from invokeai.app.services.board_records.board_records_common import BoardChanges, BoardRecordOrderBy from invokeai.app.services.boards.boards_common import BoardDTO @@ -32,11 +33,12 @@ class DeleteBoardResult(BaseModel): response_model=BoardDTO, ) async def create_board( + current_user: CurrentUserOrDefault, board_name: str = Query(description="The name of the board to create", max_length=300), ) -> BoardDTO: - """Creates a board""" + """Creates a board for the current user""" try: - result = ApiDependencies.invoker.services.boards.create(board_name=board_name) + result = ApiDependencies.invoker.services.boards.create(board_name=board_name, user_id=current_user.user_id) return result except Exception: raise HTTPException(status_code=500, detail="Failed to create board") @@ -44,9 +46,10 @@ async def create_board( @boards_router.get("/{board_id}", operation_id="get_board", response_model=BoardDTO) async def get_board( + current_user: CurrentUserOrDefault, board_id: str = Path(description="The id of board to get"), ) -> BoardDTO: - """Gets a board""" + """Gets a board (user must have access to it)""" try: result = ApiDependencies.invoker.services.boards.get_dto(board_id=board_id) @@ -67,10 +70,11 @@ async def get_board( response_model=BoardDTO, ) async def update_board( + current_user: CurrentUserOrDefault, board_id: str = Path(description="The id of board to update"), changes: BoardChanges = Body(description="The changes to apply to the board"), ) -> BoardDTO: - """Updates a board""" + """Updates a board (user must have access to it)""" try: result = ApiDependencies.invoker.services.boards.update(board_id=board_id, changes=changes) return result @@ -80,10 +84,11 @@ async def update_board( @boards_router.delete("/{board_id}", operation_id="delete_board", response_model=DeleteBoardResult) async def delete_board( + current_user: CurrentUserOrDefault, board_id: str = Path(description="The id of board to delete"), include_images: Optional[bool] = Query(description="Permanently delete all images on the board", default=False), ) -> DeleteBoardResult: - """Deletes a board""" + """Deletes a board (user must have access to it)""" try: if include_images is True: deleted_images = ApiDependencies.invoker.services.board_images.get_all_board_image_names_for_board( @@ -120,6 +125,7 @@ async def delete_board( response_model=Union[OffsetPaginatedResults[BoardDTO], list[BoardDTO]], ) async def list_boards( + current_user: CurrentUserOrDefault, order_by: BoardRecordOrderBy = Query(default=BoardRecordOrderBy.CreatedAt, description="The attribute to order by"), direction: SQLiteDirection = Query(default=SQLiteDirection.Descending, description="The direction to order by"), all: Optional[bool] = Query(default=None, description="Whether to list all boards"), @@ -127,11 +133,15 @@ async def list_boards( limit: Optional[int] = Query(default=None, description="The number of boards per page"), include_archived: bool = Query(default=False, description="Whether or not to include archived boards in list"), ) -> Union[OffsetPaginatedResults[BoardDTO], list[BoardDTO]]: - """Gets a list of boards""" + """Gets a list of boards for the current user, including shared boards. Admin users see all boards.""" if all: - return ApiDependencies.invoker.services.boards.get_all(order_by, direction, include_archived) + return ApiDependencies.invoker.services.boards.get_all( + current_user.user_id, current_user.is_admin, order_by, direction, include_archived + ) elif offset is not None and limit is not None: - return ApiDependencies.invoker.services.boards.get_many(order_by, direction, offset, limit, include_archived) + return ApiDependencies.invoker.services.boards.get_many( + current_user.user_id, current_user.is_admin, order_by, direction, offset, limit, include_archived + ) else: raise HTTPException( status_code=400, diff --git a/invokeai/app/api/routers/client_state.py b/invokeai/app/api/routers/client_state.py index 188225760c7..2e34ea9fe6b 100644 --- a/invokeai/app/api/routers/client_state.py +++ b/invokeai/app/api/routers/client_state.py @@ -1,6 +1,7 @@ from fastapi import Body, HTTPException, Path, Query from fastapi.routing import APIRouter +from invokeai.app.api.auth_dependencies import CurrentUserOrDefault from invokeai.app.api.dependencies import ApiDependencies from invokeai.backend.util.logging import logging @@ -13,15 +14,16 @@ response_model=str | None, ) async def get_client_state_by_key( - queue_id: str = Path(description="The queue id to perform this operation on"), + current_user: CurrentUserOrDefault, + queue_id: str = Path(description="The queue id (ignored, kept for backwards compatibility)"), key: str = Query(..., description="Key to get"), ) -> str | None: - """Gets the client state""" + """Gets the client state for the current user (or system user if not authenticated)""" try: - return ApiDependencies.invoker.services.client_state_persistence.get_by_key(queue_id, key) + return ApiDependencies.invoker.services.client_state_persistence.get_by_key(current_user.user_id, key) except Exception as e: logging.error(f"Error getting client state: {e}") - raise HTTPException(status_code=500, detail="Error setting client state") + raise HTTPException(status_code=500, detail="Error getting client state") @client_state_router.post( @@ -30,13 +32,14 @@ async def get_client_state_by_key( response_model=str, ) async def set_client_state( - queue_id: str = Path(description="The queue id to perform this operation on"), + current_user: CurrentUserOrDefault, + queue_id: str = Path(description="The queue id (ignored, kept for backwards compatibility)"), key: str = Query(..., description="Key to set"), value: str = Body(..., description="Stringified value to set"), ) -> str: - """Sets the client state""" + """Sets the client state for the current user (or system user if not authenticated)""" try: - return ApiDependencies.invoker.services.client_state_persistence.set_by_key(queue_id, key, value) + return ApiDependencies.invoker.services.client_state_persistence.set_by_key(current_user.user_id, key, value) except Exception as e: logging.error(f"Error setting client state: {e}") raise HTTPException(status_code=500, detail="Error setting client state") @@ -48,11 +51,12 @@ async def set_client_state( responses={204: {"description": "Client state deleted"}}, ) async def delete_client_state( - queue_id: str = Path(description="The queue id to perform this operation on"), + current_user: CurrentUserOrDefault, + queue_id: str = Path(description="The queue id (ignored, kept for backwards compatibility)"), ) -> None: - """Deletes the client state""" + """Deletes the client state for the current user (or system user if not authenticated)""" try: - ApiDependencies.invoker.services.client_state_persistence.delete(queue_id) + ApiDependencies.invoker.services.client_state_persistence.delete(current_user.user_id) except Exception as e: logging.error(f"Error deleting client state: {e}") raise HTTPException(status_code=500, detail="Error deleting client state") diff --git a/invokeai/app/api/routers/images.py b/invokeai/app/api/routers/images.py index e9cfa3c28cd..6b11762c9ec 100644 --- a/invokeai/app/api/routers/images.py +++ b/invokeai/app/api/routers/images.py @@ -9,6 +9,7 @@ from PIL import Image from pydantic import BaseModel, Field, model_validator +from invokeai.app.api.auth_dependencies import CurrentUserOrDefault from invokeai.app.api.dependencies import ApiDependencies from invokeai.app.api.extract_metadata_from_image import extract_metadata_from_image from invokeai.app.invocations.fields import MetadataField @@ -61,6 +62,7 @@ def validate_total_output_size(self): response_model=ImageDTO, ) async def upload_image( + current_user: CurrentUserOrDefault, file: UploadFile, request: Request, response: Response, @@ -80,7 +82,7 @@ async def upload_image( embed=True, ), ) -> ImageDTO: - """Uploads an image""" + """Uploads an image for the current user""" if not file.content_type or not file.content_type.startswith("image"): raise HTTPException(status_code=415, detail="Not an image") @@ -133,6 +135,7 @@ async def upload_image( workflow=extracted_metadata.invokeai_workflow, graph=extracted_metadata.invokeai_graph, is_intermediate=is_intermediate, + user_id=current_user.user_id, ) response.status_code = 201 @@ -373,6 +376,7 @@ async def get_image_urls( response_model=OffsetPaginatedResults[ImageDTO], ) async def list_image_dtos( + current_user: CurrentUserOrDefault, image_origin: Optional[ResourceOrigin] = Query(default=None, description="The origin of images to list."), categories: Optional[list[ImageCategory]] = Query(default=None, description="The categories of image to include."), is_intermediate: Optional[bool] = Query(default=None, description="Whether to list intermediate images."), @@ -386,10 +390,19 @@ async def list_image_dtos( starred_first: bool = Query(default=True, description="Whether to sort by starred images first"), search_term: Optional[str] = Query(default=None, description="The term to search for"), ) -> OffsetPaginatedResults[ImageDTO]: - """Gets a list of image DTOs""" + """Gets a list of image DTOs for the current user""" image_dtos = ApiDependencies.invoker.services.images.get_many( - offset, limit, starred_first, order_dir, image_origin, categories, is_intermediate, board_id, search_term + offset, + limit, + starred_first, + order_dir, + image_origin, + categories, + is_intermediate, + board_id, + search_term, + current_user.user_id, ) return image_dtos @@ -567,6 +580,7 @@ async def get_bulk_download_item( @images_router.get("/names", operation_id="get_image_names") async def get_image_names( + current_user: CurrentUserOrDefault, image_origin: Optional[ResourceOrigin] = Query(default=None, description="The origin of images to list."), categories: Optional[list[ImageCategory]] = Query(default=None, description="The categories of image to include."), is_intermediate: Optional[bool] = Query(default=None, description="Whether to list intermediate images."), @@ -589,6 +603,8 @@ async def get_image_names( is_intermediate=is_intermediate, board_id=board_id, search_term=search_term, + user_id=current_user.user_id, + is_admin=current_user.is_admin, ) return result except Exception: diff --git a/invokeai/app/api/routers/model_manager.py b/invokeai/app/api/routers/model_manager.py index ddc26d9bece..1acf95313c4 100644 --- a/invokeai/app/api/routers/model_manager.py +++ b/invokeai/app/api/routers/model_manager.py @@ -19,6 +19,7 @@ from starlette.exceptions import HTTPException from typing_extensions import Annotated +from invokeai.app.api.auth_dependencies import AdminUserOrDefault from invokeai.app.api.dependencies import ApiDependencies from invokeai.app.services.model_images.model_images_common import ModelImageFileNotFoundException from invokeai.app.services.model_install.model_install_common import ModelInstallJob @@ -228,6 +229,7 @@ async def get_model_record( ) async def reidentify_model( key: Annotated[str, Path(description="Key of the model to reidentify.")], + current_admin: AdminUserOrDefault, ) -> AnyModelConfig: """Attempt to reidentify a model by re-probing its weights file.""" try: @@ -363,6 +365,7 @@ async def get_hugging_face_models( async def update_model_record( key: Annotated[str, Path(description="Unique key of model")], changes: Annotated[ModelRecordChanges, Body(description="Model config", examples=[example_model_input])], + current_admin: AdminUserOrDefault, ) -> AnyModelConfig: """Update a model's config.""" logger = ApiDependencies.invoker.services.logger @@ -425,6 +428,7 @@ async def get_model_image( async def update_model_image( key: Annotated[str, Path(description="Unique key of model")], image: UploadFile, + current_admin: AdminUserOrDefault, ) -> None: if not image.content_type or not image.content_type.startswith("image"): raise HTTPException(status_code=415, detail="Not an image") @@ -458,6 +462,7 @@ async def update_model_image( status_code=204, ) async def delete_model( + current_admin: AdminUserOrDefault, key: str = Path(description="Unique key of model to remove from model registry."), ) -> Response: """ @@ -500,6 +505,7 @@ class BulkDeleteModelsResponse(BaseModel): status_code=200, ) async def bulk_delete_models( + current_admin: AdminUserOrDefault, request: BulkDeleteModelsRequest = Body(description="List of model keys to delete"), ) -> BulkDeleteModelsResponse: """ @@ -541,6 +547,7 @@ async def bulk_delete_models( status_code=204, ) async def delete_model_image( + current_admin: AdminUserOrDefault, key: str = Path(description="Unique key of model image to remove from model_images directory."), ) -> None: logger = ApiDependencies.invoker.services.logger @@ -566,6 +573,7 @@ async def delete_model_image( status_code=201, ) async def install_model( + current_admin: AdminUserOrDefault, source: str = Query(description="Model source to install, can be a local path, repo_id, or remote URL"), inplace: Optional[bool] = Query(description="Whether or not to install a local model in place", default=False), access_token: Optional[str] = Query(description="access token for the remote resource", default=None), @@ -636,6 +644,7 @@ async def install_model( response_class=HTMLResponse, ) async def install_hugging_face_model( + current_admin: AdminUserOrDefault, source: str = Query(description="HuggingFace repo_id to install"), ) -> HTMLResponse: """Install a Hugging Face model using a string identifier.""" @@ -807,7 +816,10 @@ async def get_model_install_job(id: int = Path(description="Model install id")) }, status_code=201, ) -async def cancel_model_install_job(id: int = Path(description="Model install job ID")) -> None: +async def cancel_model_install_job( + current_admin: AdminUserOrDefault, + id: int = Path(description="Model install job ID"), +) -> None: """Cancel the model install job(s) corresponding to the given job ID.""" installer = ApiDependencies.invoker.services.model_manager.install try: @@ -825,7 +837,7 @@ async def cancel_model_install_job(id: int = Path(description="Model install job 400: {"description": "Bad request"}, }, ) -async def prune_model_install_jobs() -> Response: +async def prune_model_install_jobs(current_admin: AdminUserOrDefault) -> Response: """Prune all completed and errored jobs from the install job list.""" ApiDependencies.invoker.services.model_manager.install.prune_jobs() return Response(status_code=204) @@ -845,6 +857,7 @@ async def prune_model_install_jobs() -> Response: }, ) async def convert_model( + current_admin: AdminUserOrDefault, key: str = Path(description="Unique key of the safetensors main model to convert to diffusers format."), ) -> AnyModelConfig: """ @@ -1026,7 +1039,7 @@ async def get_stats() -> Optional[CacheStats]: operation_id="empty_model_cache", status_code=200, ) -async def empty_model_cache() -> None: +async def empty_model_cache(current_admin: AdminUserOrDefault) -> None: """Drop all models from the model cache to free RAM/VRAM. 'Locked' models that are in active use will not be dropped.""" # Request 1000GB of room in order to force the cache to drop all models. ApiDependencies.invoker.services.logger.info("Emptying model cache.") @@ -1076,6 +1089,7 @@ async def get_hf_login_status() -> HFTokenStatus: @model_manager_router.post("/hf_login", operation_id="do_hf_login", response_model=HFTokenStatus) async def do_hf_login( + current_admin: AdminUserOrDefault, token: str = Body(description="Hugging Face token to use for login", embed=True), ) -> HFTokenStatus: HFTokenHelper.set_token(token) @@ -1088,5 +1102,5 @@ async def do_hf_login( @model_manager_router.delete("/hf_login", operation_id="reset_hf_token", response_model=HFTokenStatus) -async def reset_hf_token() -> HFTokenStatus: +async def reset_hf_token(current_admin: AdminUserOrDefault) -> HFTokenStatus: return HFTokenHelper.reset_token() diff --git a/invokeai/app/api/routers/session_queue.py b/invokeai/app/api/routers/session_queue.py index 7b4242e013c..2d273db3783 100644 --- a/invokeai/app/api/routers/session_queue.py +++ b/invokeai/app/api/routers/session_queue.py @@ -4,6 +4,7 @@ from fastapi.routing import APIRouter from pydantic import BaseModel +from invokeai.app.api.auth_dependencies import AdminUser, CurrentUserOrDefault from invokeai.app.api.dependencies import ApiDependencies from invokeai.app.services.session_processor.session_processor_common import SessionProcessorStatus from invokeai.app.services.session_queue.session_queue_common import ( @@ -24,6 +25,7 @@ SessionQueueItemNotFoundError, SessionQueueStatus, ) +from invokeai.app.services.shared.graph import Graph, GraphExecutionState from invokeai.app.services.shared.sqlite.sqlite_common import SQLiteDirection session_queue_router = APIRouter(prefix="/v1/queue", tags=["queue"]) @@ -36,6 +38,40 @@ class SessionQueueAndProcessorStatus(BaseModel): processor: SessionProcessorStatus +def sanitize_queue_item_for_user( + queue_item: SessionQueueItem, current_user_id: str, is_admin: bool +) -> SessionQueueItem: + """Sanitize queue item for non-admin users viewing other users' items. + + For non-admin users viewing queue items belonging to other users, + the field_values, session graph, and workflow should be hidden/cleared to protect privacy. + + Args: + queue_item: The queue item to sanitize + current_user_id: The ID of the current user viewing the item + is_admin: Whether the current user is an admin + + Returns: + The sanitized queue item (sensitive fields cleared if necessary) + """ + # Admins and item owners can see everything + if is_admin or queue_item.user_id == current_user_id: + return queue_item + + # For non-admins viewing other users' items, clear sensitive fields + # Create a shallow copy to avoid mutating the original + sanitized_item = queue_item.model_copy(deep=False) + sanitized_item.field_values = None + sanitized_item.workflow = None + # Clear the session graph by replacing it with an empty graph execution state + # This prevents information leakage through the generation graph + sanitized_item.session = GraphExecutionState( + id=queue_item.session.id, + graph=Graph(), + ) + return sanitized_item + + @session_queue_router.post( "/{queue_id}/enqueue_batch", operation_id="enqueue_batch", @@ -44,14 +80,15 @@ class SessionQueueAndProcessorStatus(BaseModel): }, ) async def enqueue_batch( + current_user: CurrentUserOrDefault, queue_id: str = Path(description="The queue id to perform this operation on"), batch: Batch = Body(description="Batch to process"), prepend: bool = Body(default=False, description="Whether or not to prepend this batch in the queue"), ) -> EnqueueBatchResult: - """Processes a batch and enqueues the output graphs for execution.""" + """Processes a batch and enqueues the output graphs for execution for the current user.""" try: return await ApiDependencies.invoker.services.session_queue.enqueue_batch( - queue_id=queue_id, batch=batch, prepend=prepend + queue_id=queue_id, batch=batch, prepend=prepend, user_id=current_user.user_id ) except Exception as e: raise HTTPException(status_code=500, detail=f"Unexpected error while enqueuing batch: {e}") @@ -65,15 +102,18 @@ async def enqueue_batch( }, ) async def list_all_queue_items( + current_user: CurrentUserOrDefault, queue_id: str = Path(description="The queue id to perform this operation on"), destination: Optional[str] = Query(default=None, description="The destination of queue items to fetch"), ) -> list[SessionQueueItem]: """Gets all queue items""" try: - return ApiDependencies.invoker.services.session_queue.list_all_queue_items( + items = ApiDependencies.invoker.services.session_queue.list_all_queue_items( queue_id=queue_id, destination=destination, ) + # Sanitize items for non-admin users + return [sanitize_queue_item_for_user(item, current_user.user_id, current_user.is_admin) for item in items] except Exception as e: raise HTTPException(status_code=500, detail=f"Unexpected error while listing all queue items: {e}") @@ -102,6 +142,7 @@ async def get_queue_item_ids( responses={200: {"model": list[SessionQueueItem]}}, ) async def get_queue_items_by_item_ids( + current_user: CurrentUserOrDefault, queue_id: str = Path(description="The queue id to perform this operation on"), item_ids: list[int] = Body( embed=True, description="Object containing list of queue item ids to fetch queue items for" @@ -118,7 +159,9 @@ async def get_queue_items_by_item_ids( queue_item = session_queue_service.get_queue_item(item_id=item_id) if queue_item.queue_id != queue_id: # Auth protection for items from other queues continue - queue_items.append(queue_item) + # Sanitize item for non-admin users + sanitized_item = sanitize_queue_item_for_user(queue_item, current_user.user_id, current_user.is_admin) + queue_items.append(sanitized_item) except Exception: # Skip missing queue items - they may have been deleted between item id fetch and queue item fetch continue @@ -134,9 +177,10 @@ async def get_queue_items_by_item_ids( responses={200: {"model": SessionProcessorStatus}}, ) async def resume( + current_user: AdminUser, queue_id: str = Path(description="The queue id to perform this operation on"), ) -> SessionProcessorStatus: - """Resumes session processor""" + """Resumes session processor. Admin only.""" try: return ApiDependencies.invoker.services.session_processor.resume() except Exception as e: @@ -149,9 +193,10 @@ async def resume( responses={200: {"model": SessionProcessorStatus}}, ) async def Pause( + current_user: AdminUser, queue_id: str = Path(description="The queue id to perform this operation on"), ) -> SessionProcessorStatus: - """Pauses session processor""" + """Pauses session processor. Admin only.""" try: return ApiDependencies.invoker.services.session_processor.pause() except Exception as e: @@ -164,11 +209,16 @@ async def Pause( responses={200: {"model": CancelAllExceptCurrentResult}}, ) async def cancel_all_except_current( + current_user: CurrentUserOrDefault, queue_id: str = Path(description="The queue id to perform this operation on"), ) -> CancelAllExceptCurrentResult: - """Immediately cancels all queue items except in-processing items""" + """Immediately cancels all queue items except in-processing items. Non-admin users can only cancel their own items.""" try: - return ApiDependencies.invoker.services.session_queue.cancel_all_except_current(queue_id=queue_id) + # Admin users can cancel all items, non-admin users can only cancel their own + user_id = None if current_user.is_admin else current_user.user_id + return ApiDependencies.invoker.services.session_queue.cancel_all_except_current( + queue_id=queue_id, user_id=user_id + ) except Exception as e: raise HTTPException(status_code=500, detail=f"Unexpected error while canceling all except current: {e}") @@ -179,11 +229,16 @@ async def cancel_all_except_current( responses={200: {"model": DeleteAllExceptCurrentResult}}, ) async def delete_all_except_current( + current_user: CurrentUserOrDefault, queue_id: str = Path(description="The queue id to perform this operation on"), ) -> DeleteAllExceptCurrentResult: - """Immediately deletes all queue items except in-processing items""" + """Immediately deletes all queue items except in-processing items. Non-admin users can only delete their own items.""" try: - return ApiDependencies.invoker.services.session_queue.delete_all_except_current(queue_id=queue_id) + # Admin users can delete all items, non-admin users can only delete their own + user_id = None if current_user.is_admin else current_user.user_id + return ApiDependencies.invoker.services.session_queue.delete_all_except_current( + queue_id=queue_id, user_id=user_id + ) except Exception as e: raise HTTPException(status_code=500, detail=f"Unexpected error while deleting all except current: {e}") @@ -194,13 +249,16 @@ async def delete_all_except_current( responses={200: {"model": CancelByBatchIDsResult}}, ) async def cancel_by_batch_ids( + current_user: CurrentUserOrDefault, queue_id: str = Path(description="The queue id to perform this operation on"), batch_ids: list[str] = Body(description="The list of batch_ids to cancel all queue items for", embed=True), ) -> CancelByBatchIDsResult: - """Immediately cancels all queue items from the given batch ids""" + """Immediately cancels all queue items from the given batch ids. Non-admin users can only cancel their own items.""" try: + # Admin users can cancel all items, non-admin users can only cancel their own + user_id = None if current_user.is_admin else current_user.user_id return ApiDependencies.invoker.services.session_queue.cancel_by_batch_ids( - queue_id=queue_id, batch_ids=batch_ids + queue_id=queue_id, batch_ids=batch_ids, user_id=user_id ) except Exception as e: raise HTTPException(status_code=500, detail=f"Unexpected error while canceling by batch id: {e}") @@ -212,13 +270,16 @@ async def cancel_by_batch_ids( responses={200: {"model": CancelByDestinationResult}}, ) async def cancel_by_destination( + current_user: CurrentUserOrDefault, queue_id: str = Path(description="The queue id to perform this operation on"), destination: str = Query(description="The destination to cancel all queue items for"), ) -> CancelByDestinationResult: - """Immediately cancels all queue items with the given origin""" + """Immediately cancels all queue items with the given destination. Non-admin users can only cancel their own items.""" try: + # Admin users can cancel all items, non-admin users can only cancel their own + user_id = None if current_user.is_admin else current_user.user_id return ApiDependencies.invoker.services.session_queue.cancel_by_destination( - queue_id=queue_id, destination=destination + queue_id=queue_id, destination=destination, user_id=user_id ) except Exception as e: raise HTTPException(status_code=500, detail=f"Unexpected error while canceling by destination: {e}") @@ -230,12 +291,28 @@ async def cancel_by_destination( responses={200: {"model": RetryItemsResult}}, ) async def retry_items_by_id( + current_user: CurrentUserOrDefault, queue_id: str = Path(description="The queue id to perform this operation on"), item_ids: list[int] = Body(description="The queue item ids to retry"), ) -> RetryItemsResult: - """Immediately cancels all queue items with the given origin""" + """Retries the given queue items. Users can only retry their own items unless they are an admin.""" try: + # Check authorization: user must own all items or be an admin + if not current_user.is_admin: + for item_id in item_ids: + try: + queue_item = ApiDependencies.invoker.services.session_queue.get_queue_item(item_id) + if queue_item.user_id != current_user.user_id: + raise HTTPException( + status_code=403, detail=f"You do not have permission to retry queue item {item_id}" + ) + except SessionQueueItemNotFoundError: + # Skip items that don't exist - they will be handled by retry_items_by_id + continue + return ApiDependencies.invoker.services.session_queue.retry_items_by_id(queue_id=queue_id, item_ids=item_ids) + except HTTPException: + raise except Exception as e: raise HTTPException(status_code=500, detail=f"Unexpected error while retrying queue items: {e}") @@ -248,15 +325,23 @@ async def retry_items_by_id( }, ) async def clear( + current_user: CurrentUserOrDefault, queue_id: str = Path(description="The queue id to perform this operation on"), ) -> ClearResult: - """Clears the queue entirely, immediately canceling the currently-executing session""" + """Clears the queue entirely. If there's a currently-executing item, users can only cancel it if they own it or are an admin.""" try: queue_item = ApiDependencies.invoker.services.session_queue.get_current(queue_id) if queue_item is not None: + # Check authorization for canceling the current item + if queue_item.user_id != current_user.user_id and not current_user.is_admin: + raise HTTPException( + status_code=403, detail="You do not have permission to cancel the currently executing queue item" + ) ApiDependencies.invoker.services.session_queue.cancel_queue_item(queue_item.item_id) clear_result = ApiDependencies.invoker.services.session_queue.clear(queue_id) return clear_result + except HTTPException: + raise except Exception as e: raise HTTPException(status_code=500, detail=f"Unexpected error while clearing queue: {e}") @@ -269,11 +354,14 @@ async def clear( }, ) async def prune( + current_user: CurrentUserOrDefault, queue_id: str = Path(description="The queue id to perform this operation on"), ) -> PruneResult: - """Prunes all completed or errored queue items""" + """Prunes all completed or errored queue items. Non-admin users can only prune their own items.""" try: - return ApiDependencies.invoker.services.session_queue.prune(queue_id) + # Admin users can prune all items, non-admin users can only prune their own + user_id = None if current_user.is_admin else current_user.user_id + return ApiDependencies.invoker.services.session_queue.prune(queue_id, user_id=user_id) except Exception as e: raise HTTPException(status_code=500, detail=f"Unexpected error while pruning queue: {e}") @@ -320,11 +408,12 @@ async def get_next_queue_item( }, ) async def get_queue_status( + current_user: CurrentUserOrDefault, queue_id: str = Path(description="The queue id to perform this operation on"), ) -> SessionQueueAndProcessorStatus: """Gets the status of the session queue""" try: - queue = ApiDependencies.invoker.services.session_queue.get_queue_status(queue_id) + queue = ApiDependencies.invoker.services.session_queue.get_queue_status(queue_id, user_id=current_user.user_id) processor = ApiDependencies.invoker.services.session_processor.get_status() return SessionQueueAndProcessorStatus(queue=queue, processor=processor) except Exception as e: @@ -358,6 +447,7 @@ async def get_batch_status( response_model_exclude_none=True, ) async def get_queue_item( + current_user: CurrentUserOrDefault, queue_id: str = Path(description="The queue id to perform this operation on"), item_id: int = Path(description="The queue item to get"), ) -> SessionQueueItem: @@ -366,7 +456,8 @@ async def get_queue_item( queue_item = ApiDependencies.invoker.services.session_queue.get_queue_item(item_id=item_id) if queue_item.queue_id != queue_id: raise HTTPException(status_code=404, detail=f"Queue item with id {item_id} not found in queue {queue_id}") - return queue_item + # Sanitize item for non-admin users + return sanitize_queue_item_for_user(queue_item, current_user.user_id, current_user.is_admin) except SessionQueueItemNotFoundError: raise HTTPException(status_code=404, detail=f"Queue item with id {item_id} not found in queue {queue_id}") except Exception as e: @@ -378,12 +469,24 @@ async def get_queue_item( operation_id="delete_queue_item", ) async def delete_queue_item( + current_user: CurrentUserOrDefault, queue_id: str = Path(description="The queue id to perform this operation on"), item_id: int = Path(description="The queue item to delete"), ) -> None: - """Deletes a queue item""" + """Deletes a queue item. Users can only delete their own items unless they are an admin.""" try: + # Get the queue item to check ownership + queue_item = ApiDependencies.invoker.services.session_queue.get_queue_item(item_id) + + # Check authorization: user must own the item or be an admin + if queue_item.user_id != current_user.user_id and not current_user.is_admin: + raise HTTPException(status_code=403, detail="You do not have permission to delete this queue item") + ApiDependencies.invoker.services.session_queue.delete_queue_item(item_id) + except SessionQueueItemNotFoundError: + raise HTTPException(status_code=404, detail=f"Queue item with id {item_id} not found in queue {queue_id}") + except HTTPException: + raise except Exception as e: raise HTTPException(status_code=500, detail=f"Unexpected error while deleting queue item: {e}") @@ -396,14 +499,24 @@ async def delete_queue_item( }, ) async def cancel_queue_item( + current_user: CurrentUserOrDefault, queue_id: str = Path(description="The queue id to perform this operation on"), item_id: int = Path(description="The queue item to cancel"), ) -> SessionQueueItem: - """Deletes a queue item""" + """Cancels a queue item. Users can only cancel their own items unless they are an admin.""" try: + # Get the queue item to check ownership + queue_item = ApiDependencies.invoker.services.session_queue.get_queue_item(item_id) + + # Check authorization: user must own the item or be an admin + if queue_item.user_id != current_user.user_id and not current_user.is_admin: + raise HTTPException(status_code=403, detail="You do not have permission to cancel this queue item") + return ApiDependencies.invoker.services.session_queue.cancel_queue_item(item_id) except SessionQueueItemNotFoundError: raise HTTPException(status_code=404, detail=f"Queue item with id {item_id} not found in queue {queue_id}") + except HTTPException: + raise except Exception as e: raise HTTPException(status_code=500, detail=f"Unexpected error while canceling queue item: {e}") @@ -432,13 +545,16 @@ async def counts_by_destination( responses={200: {"model": DeleteByDestinationResult}}, ) async def delete_by_destination( + current_user: CurrentUserOrDefault, queue_id: str = Path(description="The queue id to query"), destination: str = Path(description="The destination to query"), ) -> DeleteByDestinationResult: - """Deletes all items with the given destination""" + """Deletes all items with the given destination. Non-admin users can only delete their own items.""" try: + # Admin users can delete all items, non-admin users can only delete their own + user_id = None if current_user.is_admin else current_user.user_id return ApiDependencies.invoker.services.session_queue.delete_by_destination( - queue_id=queue_id, destination=destination + queue_id=queue_id, destination=destination, user_id=user_id ) except Exception as e: raise HTTPException(status_code=500, detail=f"Unexpected error while deleting by destination: {e}") diff --git a/invokeai/app/api/sockets.py b/invokeai/app/api/sockets.py index 188f958c887..e3ba32f455e 100644 --- a/invokeai/app/api/sockets.py +++ b/invokeai/app/api/sockets.py @@ -6,6 +6,7 @@ from pydantic import BaseModel from socketio import ASGIApp, AsyncServer +from invokeai.app.services.auth.token_service import verify_token from invokeai.app.services.events.events_common import ( BatchEnqueuedEvent, BulkDownloadCompleteEvent, @@ -37,6 +38,9 @@ QueueItemStatusChangedEvent, register_events, ) +from invokeai.backend.util.logging import InvokeAILogger + +logger = InvokeAILogger.get_logger() class QueueSubscriptionEvent(BaseModel): @@ -94,6 +98,13 @@ def __init__(self, app: FastAPI): self._app = ASGIApp(socketio_server=self._sio, socketio_path="/ws/socket.io") app.mount("/ws", self._app) + # Track user information for each socket connection + self._socket_users: dict[str, dict[str, Any]] = {} + + # Set up authentication middleware + self._sio.on("connect", handler=self._handle_connect) + self._sio.on("disconnect", handler=self._handle_disconnect) + self._sio.on(self._sub_queue, handler=self._handle_sub_queue) self._sio.on(self._unsub_queue, handler=self._handle_unsub_queue) self._sio.on(self._sub_bulk_download, handler=self._handle_sub_bulk_download) @@ -103,8 +114,83 @@ def __init__(self, app: FastAPI): register_events(MODEL_EVENTS, self._handle_model_event) register_events(BULK_DOWNLOAD_EVENTS, self._handle_bulk_image_download_event) + async def _handle_connect(self, sid: str, environ: dict, auth: dict | None) -> bool: + """Handle socket connection and authenticate the user. + + Returns True to accept the connection, False to reject it. + Stores user_id in the internal socket users dict for later use. + """ + # Extract token from auth data or headers + token = None + if auth and isinstance(auth, dict): + token = auth.get("token") + + if not token and environ: + # Try to get token from headers + headers = environ.get("HTTP_AUTHORIZATION", "") + if headers.startswith("Bearer "): + token = headers[7:] + + # Verify the token + if token: + token_data = verify_token(token) + if token_data: + # Store user_id and is_admin in socket users dict + self._socket_users[sid] = { + "user_id": token_data.user_id, + "is_admin": token_data.is_admin, + } + logger.info( + f"Socket {sid} connected with user_id: {token_data.user_id}, is_admin: {token_data.is_admin}" + ) + return True + + # If no valid token, store system user for backward compatibility + self._socket_users[sid] = { + "user_id": "system", + "is_admin": False, + } + logger.debug(f"Socket {sid} connected as system user (no valid token)") + return True + + async def _handle_disconnect(self, sid: str) -> None: + """Handle socket disconnection and cleanup user info.""" + if sid in self._socket_users: + del self._socket_users[sid] + logger.debug(f"Socket {sid} disconnected and cleaned up") + async def _handle_sub_queue(self, sid: str, data: Any) -> None: - await self._sio.enter_room(sid, QueueSubscriptionEvent(**data).queue_id) + """Handle queue subscription and add socket to both queue and user-specific rooms.""" + queue_id = QueueSubscriptionEvent(**data).queue_id + + # Check if we have user info for this socket + if sid not in self._socket_users: + logger.warning( + f"Socket {sid} subscribing to queue {queue_id} but has no user info - need to authenticate via connect event" + ) + # Store as system user temporarily - real auth should happen in connect + self._socket_users[sid] = { + "user_id": "system", + "is_admin": False, + } + + user_id = self._socket_users[sid]["user_id"] + is_admin = self._socket_users[sid]["is_admin"] + + # Add socket to the queue room + await self._sio.enter_room(sid, queue_id) + + # Also add socket to a user-specific room for event filtering + user_room = f"user:{user_id}" + await self._sio.enter_room(sid, user_room) + + # If admin, also add to admin room to receive all events + if is_admin: + await self._sio.enter_room(sid, "admin") + + logger.debug( + f"Socket {sid} (user_id: {user_id}, is_admin: {is_admin}) subscribed to queue {queue_id} and user room {user_room}" + ) async def _handle_unsub_queue(self, sid: str, data: Any) -> None: await self._sio.leave_room(sid, QueueSubscriptionEvent(**data).queue_id) @@ -116,7 +202,57 @@ async def _handle_unsub_bulk_download(self, sid: str, data: Any) -> None: await self._sio.leave_room(sid, BulkDownloadSubscriptionEvent(**data).bulk_download_id) async def _handle_queue_event(self, event: FastAPIEvent[QueueEventBase]): - await self._sio.emit(event=event[0], data=event[1].model_dump(mode="json"), room=event[1].queue_id) + """Handle queue events with user isolation. + + Invocation events (progress, started, complete) are private - only emit to owner and admins. + Queue item status events are public - emit to all users (field values hidden via API). + Other queue events emit to all subscribers. + + IMPORTANT: Check InvocationEventBase BEFORE QueueItemEventBase since InvocationEventBase + inherits from QueueItemEventBase. The order of isinstance checks matters! + """ + try: + event_name, event_data = event + + # Import here to avoid circular dependency + from invokeai.app.services.events.events_common import InvocationEventBase, QueueItemEventBase + + # Check InvocationEventBase FIRST (before QueueItemEventBase) since it's a subclass + # Invocation events (progress, started, complete, error) are private to owner + admins + if isinstance(event_data, InvocationEventBase) and hasattr(event_data, "user_id"): + user_room = f"user:{event_data.user_id}" + + # Emit to the user's room + await self._sio.emit(event=event_name, data=event_data.model_dump(mode="json"), room=user_room) + + # Also emit to admin room so admins can see all events + await self._sio.emit(event=event_name, data=event_data.model_dump(mode="json"), room="admin") + + logger.debug(f"Emitted private invocation event {event_name} to user room {user_room} and admin room") + + # Queue item status events are visible to all users (field values masked via API) + # This catches QueueItemStatusChangedEvent but NOT InvocationEvents (already handled above) + elif isinstance(event_data, QueueItemEventBase) and hasattr(event_data, "user_id"): + # Emit to all subscribers in the queue + await self._sio.emit( + event=event_name, data=event_data.model_dump(mode="json"), room=event_data.queue_id + ) + + logger.info( + f"Emitted public queue item event {event_name} to all subscribers in queue {event_data.queue_id}" + ) + + else: + # For other queue events (like QueueClearedEvent, BatchEnqueuedEvent), emit to all subscribers + await self._sio.emit( + event=event_name, data=event_data.model_dump(mode="json"), room=event_data.queue_id + ) + logger.info( + f"Emitted general queue event {event_name} to all subscribers in queue {event_data.queue_id}" + ) + except Exception as e: + # Log any unhandled exceptions in event handling to prevent silent failures + logger.error(f"Error handling queue event {event[0]}: {e}", exc_info=True) async def _handle_model_event(self, event: FastAPIEvent[ModelEventBase | DownloadEventBase]) -> None: await self._sio.emit(event=event[0], data=event[1].model_dump(mode="json")) diff --git a/invokeai/app/api_app.py b/invokeai/app/api_app.py index 335327f532b..bcde15c52eb 100644 --- a/invokeai/app/api_app.py +++ b/invokeai/app/api_app.py @@ -17,6 +17,7 @@ from invokeai.app.api.no_cache_staticfiles import NoCacheStaticFiles from invokeai.app.api.routers import ( app_info, + auth, board_images, boards, client_state, @@ -121,6 +122,8 @@ async def dispatch(self, request: Request, call_next: RequestResponseEndpoint): # Include all routers +# Authentication router should be first so it's registered before protected routes +app.include_router(auth.auth_router, prefix="/api") app.include_router(utilities.utilities_router, prefix="/api") app.include_router(model_manager.model_manager_router, prefix="/api") app.include_router(download_queue.download_queue_router, prefix="/api") diff --git a/invokeai/app/services/app_settings/__init__.py b/invokeai/app/services/app_settings/__init__.py new file mode 100644 index 00000000000..0345874c11f --- /dev/null +++ b/invokeai/app/services/app_settings/__init__.py @@ -0,0 +1,5 @@ +"""App settings service exports.""" + +from invokeai.app.services.app_settings.app_settings_service import AppSettingsService + +__all__ = ["AppSettingsService"] diff --git a/invokeai/app/services/app_settings/app_settings_service.py b/invokeai/app/services/app_settings/app_settings_service.py new file mode 100644 index 00000000000..5580709ef65 --- /dev/null +++ b/invokeai/app/services/app_settings/app_settings_service.py @@ -0,0 +1,74 @@ +"""Service for managing application-level settings stored in the database.""" + +from typing import Optional + +from invokeai.app.services.shared.sqlite.sqlite_database import SqliteDatabase + + +class AppSettingsService: + """Service for accessing application-level settings from the database. + + This service provides a simple key-value store for application-level configuration + that needs to be persisted across restarts, such as JWT secrets. + """ + + def __init__(self, db: SqliteDatabase) -> None: + """Initialize the app settings service. + + Args: + db: The SQLite database instance + """ + self._db = db + + def get(self, key: str) -> Optional[str]: + """Get a setting value by key. + + Args: + key: The setting key + + Returns: + The setting value if found, None otherwise + """ + try: + with self._db.transaction() as cursor: + cursor.execute("SELECT value FROM app_settings WHERE key = ?;", (key,)) + row = cursor.fetchone() + return row[0] if row else None + except Exception: + return None + + def set(self, key: str, value: str) -> None: + """Set a setting value. + + Args: + key: The setting key + value: The setting value + """ + with self._db.transaction() as cursor: + cursor.execute( + """ + INSERT INTO app_settings (key, value) + VALUES (?, ?) + ON CONFLICT(key) DO UPDATE SET + value = excluded.value, + updated_at = STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW'); + """, + (key, value), + ) + + def get_jwt_secret(self) -> str: + """Get the JWT secret key from the database. + + Returns: + The JWT secret key + + Raises: + RuntimeError: If the JWT secret is not found in the database + """ + secret = self.get("jwt_secret") + if secret is None: + raise RuntimeError( + "JWT secret not found in database. This should have been created during database migration. " + "Please ensure database migrations have been run successfully." + ) + return secret diff --git a/invokeai/app/services/auth/__init__.py b/invokeai/app/services/auth/__init__.py new file mode 100644 index 00000000000..099a5e7da1b --- /dev/null +++ b/invokeai/app/services/auth/__init__.py @@ -0,0 +1 @@ +"""Authentication service module.""" diff --git a/invokeai/app/services/auth/password_utils.py b/invokeai/app/services/auth/password_utils.py new file mode 100644 index 00000000000..5e641516347 --- /dev/null +++ b/invokeai/app/services/auth/password_utils.py @@ -0,0 +1,86 @@ +"""Password hashing and validation utilities.""" + +from typing import cast + +from passlib.context import CryptContext + +# Configure bcrypt context - set truncate_error=False to allow passwords >72 bytes +# without raising an error. They will be automatically truncated by bcrypt to 72 bytes. +pwd_context = CryptContext( + schemes=["bcrypt"], + deprecated="auto", + bcrypt__truncate_error=False, +) + + +def hash_password(password: str) -> str: + """Hash a password using bcrypt. + + bcrypt has a maximum password length of 72 bytes. Longer passwords + are automatically truncated to comply with this limit. + + Args: + password: The plain text password to hash + + Returns: + The hashed password + """ + # bcrypt has a 72 byte limit - encode and truncate if necessary + password_bytes = password.encode("utf-8") + if len(password_bytes) > 72: + # Truncate to 72 bytes and decode back, dropping incomplete UTF-8 sequences + password = password_bytes[:72].decode("utf-8", errors="ignore") + return cast(str, pwd_context.hash(password)) + + +def verify_password(plain_password: str, hashed_password: str) -> bool: + """Verify a password against a hash. + + bcrypt has a maximum password length of 72 bytes. Longer passwords + are automatically truncated to match hash_password behavior. + + Args: + plain_password: The plain text password to verify + hashed_password: The hashed password to verify against + + Returns: + True if the password matches the hash, False otherwise + """ + try: + # bcrypt has a 72 byte limit - encode and truncate if necessary to match hash_password + password_bytes = plain_password.encode("utf-8") + if len(password_bytes) > 72: + # Truncate to 72 bytes and decode back, dropping incomplete UTF-8 sequences + plain_password = password_bytes[:72].decode("utf-8", errors="ignore") + return cast(bool, pwd_context.verify(plain_password, hashed_password)) + except Exception: + # Invalid hash format or other error - return False + return False + + +def validate_password_strength(password: str) -> tuple[bool, str]: + """Validate password meets minimum security requirements. + + Password requirements: + - At least 8 characters long + - Contains at least one uppercase letter + - Contains at least one lowercase letter + - Contains at least one digit + + Args: + password: The password to validate + + Returns: + A tuple of (is_valid, error_message). If valid, error_message is empty. + """ + if len(password) < 8: + return False, "Password must be at least 8 characters long" + + has_upper = any(c.isupper() for c in password) + has_lower = any(c.islower() for c in password) + has_digit = any(c.isdigit() for c in password) + + if not (has_upper and has_lower and has_digit): + return False, "Password must contain uppercase, lowercase, and numbers" + + return True, "" diff --git a/invokeai/app/services/auth/token_service.py b/invokeai/app/services/auth/token_service.py new file mode 100644 index 00000000000..9c35261c380 --- /dev/null +++ b/invokeai/app/services/auth/token_service.py @@ -0,0 +1,105 @@ +"""JWT token generation and validation.""" + +from datetime import datetime, timedelta, timezone +from typing import cast + +from jose import JWTError, jwt +from pydantic import BaseModel + +ALGORITHM = "HS256" +DEFAULT_EXPIRATION_HOURS = 24 + +# Module-level variable to store the JWT secret. This is set during application initialization +# by calling set_jwt_secret(). The secret is loaded from the database where it is stored +# securely after being generated during database migration. +_jwt_secret: str | None = None + + +class TokenData(BaseModel): + """Data stored in JWT token.""" + + user_id: str + email: str + is_admin: bool + + +def set_jwt_secret(secret: str) -> None: + """Set the JWT secret key for token signing and verification. + + This should be called once during application initialization with the secret + loaded from the database. + + Args: + secret: The JWT secret key + """ + global _jwt_secret + _jwt_secret = secret + + +def get_jwt_secret() -> str: + """Get the JWT secret key. + + Returns: + The JWT secret key + + Raises: + RuntimeError: If the secret has not been initialized + """ + if _jwt_secret is None: + raise RuntimeError("JWT secret has not been initialized. Call set_jwt_secret() during application startup.") + return _jwt_secret + + +def create_access_token(data: TokenData, expires_delta: timedelta | None = None) -> str: + """Create a JWT access token. + + Args: + data: The token data to encode + expires_delta: Optional expiration time delta. Defaults to 24 hours. + + Returns: + The encoded JWT token + """ + to_encode = data.model_dump() + expire = datetime.now(timezone.utc) + (expires_delta or timedelta(hours=DEFAULT_EXPIRATION_HOURS)) + to_encode.update({"exp": expire}) + return cast(str, jwt.encode(to_encode, get_jwt_secret(), algorithm=ALGORITHM)) + + +def verify_token(token: str) -> TokenData | None: + """Verify and decode a JWT token. + + Args: + token: The JWT token to verify + + Returns: + TokenData if valid, None if invalid or expired + """ + try: + # python-jose 3.5.0 has a bug where exp verification doesn't work properly + # We need to manually check expiration, but MUST verify signature first + # to prevent accepting tokens with valid payloads but invalid signatures + + # First, verify the signature - this will raise JWTError if signature is invalid + # Note: python-jose won't reject expired tokens here due to the bug + payload = jwt.decode( + token, + get_jwt_secret(), + algorithms=[ALGORITHM], + ) + + # Now manually check expiration (because python-jose 3.5.0 doesn't do this properly) + if "exp" in payload: + exp_timestamp = payload["exp"] + current_timestamp = datetime.now(timezone.utc).timestamp() + if current_timestamp >= exp_timestamp: + # Token is expired + return None + + return TokenData(**payload) + except JWTError: + # Token is invalid (bad signature, malformed, etc.) + return None + except Exception: + # Catch any other exceptions (e.g., Pydantic validation errors) + return None diff --git a/invokeai/app/services/board_records/board_records_base.py b/invokeai/app/services/board_records/board_records_base.py index 4cfb565bd31..20981f2c7d7 100644 --- a/invokeai/app/services/board_records/board_records_base.py +++ b/invokeai/app/services/board_records/board_records_base.py @@ -17,8 +17,9 @@ def delete(self, board_id: str) -> None: def save( self, board_name: str, + user_id: str, ) -> BoardRecord: - """Saves a board record.""" + """Saves a board record for a specific user.""" pass @abstractmethod @@ -41,18 +42,25 @@ def update( @abstractmethod def get_many( self, + user_id: str, + is_admin: bool, order_by: BoardRecordOrderBy, direction: SQLiteDirection, offset: int = 0, limit: int = 10, include_archived: bool = False, ) -> OffsetPaginatedResults[BoardRecord]: - """Gets many board records.""" + """Gets many board records for a specific user, including shared boards. Admin users see all boards.""" pass @abstractmethod def get_all( - self, order_by: BoardRecordOrderBy, direction: SQLiteDirection, include_archived: bool = False + self, + user_id: str, + is_admin: bool, + order_by: BoardRecordOrderBy, + direction: SQLiteDirection, + include_archived: bool = False, ) -> list[BoardRecord]: - """Gets all board records.""" + """Gets all board records for a specific user, including shared boards. Admin users see all boards.""" pass diff --git a/invokeai/app/services/board_records/board_records_common.py b/invokeai/app/services/board_records/board_records_common.py index 5067d42999b..ab6355a3930 100644 --- a/invokeai/app/services/board_records/board_records_common.py +++ b/invokeai/app/services/board_records/board_records_common.py @@ -16,6 +16,8 @@ class BoardRecord(BaseModelExcludeNull): """The unique ID of the board.""" board_name: str = Field(description="The name of the board.") """The name of the board.""" + user_id: str = Field(description="The user ID of the board owner.") + """The user ID of the board owner.""" created_at: Union[datetime, str] = Field(description="The created timestamp of the board.") """The created timestamp of the image.""" updated_at: Union[datetime, str] = Field(description="The updated timestamp of the board.") @@ -35,6 +37,8 @@ def deserialize_board_record(board_dict: dict) -> BoardRecord: board_id = board_dict.get("board_id", "unknown") board_name = board_dict.get("board_name", "unknown") + # Default to 'system' for backwards compatibility with boards created before multiuser support + user_id = board_dict.get("user_id", "system") cover_image_name = board_dict.get("cover_image_name", "unknown") created_at = board_dict.get("created_at", get_iso_timestamp()) updated_at = board_dict.get("updated_at", get_iso_timestamp()) @@ -44,6 +48,7 @@ def deserialize_board_record(board_dict: dict) -> BoardRecord: return BoardRecord( board_id=board_id, board_name=board_name, + user_id=user_id, cover_image_name=cover_image_name, created_at=created_at, updated_at=updated_at, diff --git a/invokeai/app/services/board_records/board_records_sqlite.py b/invokeai/app/services/board_records/board_records_sqlite.py index 45fe33c5403..a54f65686fd 100644 --- a/invokeai/app/services/board_records/board_records_sqlite.py +++ b/invokeai/app/services/board_records/board_records_sqlite.py @@ -38,16 +38,17 @@ def delete(self, board_id: str) -> None: def save( self, board_name: str, + user_id: str, ) -> BoardRecord: with self._db.transaction() as cursor: try: board_id = uuid_string() cursor.execute( """--sql - INSERT OR IGNORE INTO boards (board_id, board_name) - VALUES (?, ?); + INSERT OR IGNORE INTO boards (board_id, board_name, user_id) + VALUES (?, ?, ?); """, - (board_id, board_name), + (board_id, board_name, user_id), ) except sqlite3.Error as e: raise BoardRecordSaveException from e @@ -121,6 +122,8 @@ def update( def get_many( self, + user_id: str, + is_admin: bool, order_by: BoardRecordOrderBy, direction: SQLiteDirection, offset: int = 0, @@ -128,74 +131,147 @@ def get_many( include_archived: bool = False, ) -> OffsetPaginatedResults[BoardRecord]: with self._db.transaction() as cursor: - # Build base query - base_query = """ - SELECT * + # Build base query - admins see all boards, regular users see owned, shared, or public boards + if is_admin: + base_query = """ + SELECT DISTINCT boards.* + FROM boards + {archived_filter} + ORDER BY {order_by} {direction} + LIMIT ? OFFSET ?; + """ + + # Determine archived filter condition + archived_filter = "WHERE 1=1" if include_archived else "WHERE boards.archived = 0" + + final_query = base_query.format( + archived_filter=archived_filter, order_by=order_by.value, direction=direction.value + ) + + # Execute query to fetch boards + cursor.execute(final_query, (limit, offset)) + else: + base_query = """ + SELECT DISTINCT boards.* FROM boards + LEFT JOIN shared_boards ON boards.board_id = shared_boards.board_id + WHERE (boards.user_id = ? OR shared_boards.user_id = ? OR boards.is_public = 1) {archived_filter} ORDER BY {order_by} {direction} LIMIT ? OFFSET ?; """ - # Determine archived filter condition - archived_filter = "" if include_archived else "WHERE archived = 0" + # Determine archived filter condition + archived_filter = "" if include_archived else "AND boards.archived = 0" - final_query = base_query.format( - archived_filter=archived_filter, order_by=order_by.value, direction=direction.value - ) + final_query = base_query.format( + archived_filter=archived_filter, order_by=order_by.value, direction=direction.value + ) - # Execute query to fetch boards - cursor.execute(final_query, (limit, offset)) + # Execute query to fetch boards + cursor.execute(final_query, (user_id, user_id, limit, offset)) result = cast(list[sqlite3.Row], cursor.fetchall()) boards = [deserialize_board_record(dict(r)) for r in result] - # Determine count query - if include_archived: - count_query = """ - SELECT COUNT(*) + # Determine count query - admins count all boards, regular users count accessible boards + if is_admin: + if include_archived: + count_query = """ + SELECT COUNT(DISTINCT boards.board_id) FROM boards; """ + else: + count_query = """ + SELECT COUNT(DISTINCT boards.board_id) + FROM boards + WHERE boards.archived = 0; + """ + cursor.execute(count_query) else: - count_query = """ - SELECT COUNT(*) + if include_archived: + count_query = """ + SELECT COUNT(DISTINCT boards.board_id) + FROM boards + LEFT JOIN shared_boards ON boards.board_id = shared_boards.board_id + WHERE (boards.user_id = ? OR shared_boards.user_id = ? OR boards.is_public = 1); + """ + else: + count_query = """ + SELECT COUNT(DISTINCT boards.board_id) FROM boards - WHERE archived = 0; + LEFT JOIN shared_boards ON boards.board_id = shared_boards.board_id + WHERE (boards.user_id = ? OR shared_boards.user_id = ? OR boards.is_public = 1) + AND boards.archived = 0; """ - # Execute count query - cursor.execute(count_query) + # Execute count query + cursor.execute(count_query, (user_id, user_id)) count = cast(int, cursor.fetchone()[0]) return OffsetPaginatedResults[BoardRecord](items=boards, offset=offset, limit=limit, total=count) def get_all( - self, order_by: BoardRecordOrderBy, direction: SQLiteDirection, include_archived: bool = False + self, + user_id: str, + is_admin: bool, + order_by: BoardRecordOrderBy, + direction: SQLiteDirection, + include_archived: bool = False, ) -> list[BoardRecord]: with self._db.transaction() as cursor: - if order_by == BoardRecordOrderBy.Name: - base_query = """ - SELECT * + # Build query - admins see all boards, regular users see owned, shared, or public boards + if is_admin: + if order_by == BoardRecordOrderBy.Name: + base_query = """ + SELECT DISTINCT boards.* FROM boards {archived_filter} - ORDER BY LOWER(board_name) {direction} + ORDER BY LOWER(boards.board_name) {direction} + """ + else: + base_query = """ + SELECT DISTINCT boards.* + FROM boards + {archived_filter} + ORDER BY {order_by} {direction} """ + + archived_filter = "WHERE 1=1" if include_archived else "WHERE boards.archived = 0" + + final_query = base_query.format( + archived_filter=archived_filter, order_by=order_by.value, direction=direction.value + ) + + cursor.execute(final_query) else: - base_query = """ - SELECT * + if order_by == BoardRecordOrderBy.Name: + base_query = """ + SELECT DISTINCT boards.* FROM boards + LEFT JOIN shared_boards ON boards.board_id = shared_boards.board_id + WHERE (boards.user_id = ? OR shared_boards.user_id = ? OR boards.is_public = 1) + {archived_filter} + ORDER BY LOWER(boards.board_name) {direction} + """ + else: + base_query = """ + SELECT DISTINCT boards.* + FROM boards + LEFT JOIN shared_boards ON boards.board_id = shared_boards.board_id + WHERE (boards.user_id = ? OR shared_boards.user_id = ? OR boards.is_public = 1) {archived_filter} ORDER BY {order_by} {direction} """ - archived_filter = "" if include_archived else "WHERE archived = 0" + archived_filter = "" if include_archived else "AND boards.archived = 0" - final_query = base_query.format( - archived_filter=archived_filter, order_by=order_by.value, direction=direction.value - ) + final_query = base_query.format( + archived_filter=archived_filter, order_by=order_by.value, direction=direction.value + ) - cursor.execute(final_query) + cursor.execute(final_query, (user_id, user_id)) result = cast(list[sqlite3.Row], cursor.fetchall()) boards = [deserialize_board_record(dict(r)) for r in result] diff --git a/invokeai/app/services/boards/boards_base.py b/invokeai/app/services/boards/boards_base.py index ed9292a7469..914dfa3d0d7 100644 --- a/invokeai/app/services/boards/boards_base.py +++ b/invokeai/app/services/boards/boards_base.py @@ -13,8 +13,9 @@ class BoardServiceABC(ABC): def create( self, board_name: str, + user_id: str, ) -> BoardDTO: - """Creates a board.""" + """Creates a board for a specific user.""" pass @abstractmethod @@ -45,18 +46,25 @@ def delete( @abstractmethod def get_many( self, + user_id: str, + is_admin: bool, order_by: BoardRecordOrderBy, direction: SQLiteDirection, offset: int = 0, limit: int = 10, include_archived: bool = False, ) -> OffsetPaginatedResults[BoardDTO]: - """Gets many boards.""" + """Gets many boards for a specific user, including shared boards. Admin users see all boards.""" pass @abstractmethod def get_all( - self, order_by: BoardRecordOrderBy, direction: SQLiteDirection, include_archived: bool = False + self, + user_id: str, + is_admin: bool, + order_by: BoardRecordOrderBy, + direction: SQLiteDirection, + include_archived: bool = False, ) -> list[BoardDTO]: - """Gets all boards.""" + """Gets all boards for a specific user, including shared boards. Admin users see all boards.""" pass diff --git a/invokeai/app/services/boards/boards_common.py b/invokeai/app/services/boards/boards_common.py index 68cd3603287..99952fec134 100644 --- a/invokeai/app/services/boards/boards_common.py +++ b/invokeai/app/services/boards/boards_common.py @@ -14,10 +14,16 @@ class BoardDTO(BoardRecord): """The number of images in the board.""" asset_count: int = Field(description="The number of assets in the board.") """The number of assets in the board.""" + owner_username: Optional[str] = Field(default=None, description="The username of the board owner (for admin view).") + """The username of the board owner (for admin view).""" def board_record_to_dto( - board_record: BoardRecord, cover_image_name: Optional[str], image_count: int, asset_count: int + board_record: BoardRecord, + cover_image_name: Optional[str], + image_count: int, + asset_count: int, + owner_username: Optional[str] = None, ) -> BoardDTO: """Converts a board record to a board DTO.""" return BoardDTO( @@ -25,4 +31,5 @@ def board_record_to_dto( cover_image_name=cover_image_name, image_count=image_count, asset_count=asset_count, + owner_username=owner_username, ) diff --git a/invokeai/app/services/boards/boards_default.py b/invokeai/app/services/boards/boards_default.py index 6efeaa1fea8..71465815ef9 100644 --- a/invokeai/app/services/boards/boards_default.py +++ b/invokeai/app/services/boards/boards_default.py @@ -15,9 +15,10 @@ def start(self, invoker: Invoker) -> None: def create( self, board_name: str, + user_id: str, ) -> BoardDTO: - board_record = self.__invoker.services.board_records.save(board_name) - return board_record_to_dto(board_record, None, 0, 0, 0) + board_record = self.__invoker.services.board_records.save(board_name, user_id) + return board_record_to_dto(board_record, None, 0, 0) def get_dto(self, board_id: str) -> BoardDTO: board_record = self.__invoker.services.board_records.get(board_id) @@ -51,6 +52,8 @@ def delete(self, board_id: str) -> None: def get_many( self, + user_id: str, + is_admin: bool, order_by: BoardRecordOrderBy, direction: SQLiteDirection, offset: int = 0, @@ -58,7 +61,7 @@ def get_many( include_archived: bool = False, ) -> OffsetPaginatedResults[BoardDTO]: board_records = self.__invoker.services.board_records.get_many( - order_by, direction, offset, limit, include_archived + user_id, is_admin, order_by, direction, offset, limit, include_archived ) board_dtos = [] for r in board_records.items: @@ -70,14 +73,29 @@ def get_many( image_count = self.__invoker.services.board_image_records.get_image_count_for_board(r.board_id) asset_count = self.__invoker.services.board_image_records.get_asset_count_for_board(r.board_id) - board_dtos.append(board_record_to_dto(r, cover_image_name, image_count, asset_count)) + + # For admin users, include owner username + owner_username = None + if is_admin: + owner = self.__invoker.services.users.get(r.user_id) + if owner: + owner_username = owner.display_name or owner.email + + board_dtos.append(board_record_to_dto(r, cover_image_name, image_count, asset_count, owner_username)) return OffsetPaginatedResults[BoardDTO](items=board_dtos, offset=offset, limit=limit, total=len(board_dtos)) def get_all( - self, order_by: BoardRecordOrderBy, direction: SQLiteDirection, include_archived: bool = False + self, + user_id: str, + is_admin: bool, + order_by: BoardRecordOrderBy, + direction: SQLiteDirection, + include_archived: bool = False, ) -> list[BoardDTO]: - board_records = self.__invoker.services.board_records.get_all(order_by, direction, include_archived) + board_records = self.__invoker.services.board_records.get_all( + user_id, is_admin, order_by, direction, include_archived + ) board_dtos = [] for r in board_records: cover_image = self.__invoker.services.image_records.get_most_recent_image_for_board(r.board_id) @@ -88,6 +106,14 @@ def get_all( image_count = self.__invoker.services.board_image_records.get_image_count_for_board(r.board_id) asset_count = self.__invoker.services.board_image_records.get_asset_count_for_board(r.board_id) - board_dtos.append(board_record_to_dto(r, cover_image_name, image_count, asset_count)) + + # For admin users, include owner username + owner_username = None + if is_admin: + owner = self.__invoker.services.users.get(r.user_id) + if owner: + owner_username = owner.display_name or owner.email + + board_dtos.append(board_record_to_dto(r, cover_image_name, image_count, asset_count, owner_username)) return board_dtos diff --git a/invokeai/app/services/client_state_persistence/client_state_persistence_base.py b/invokeai/app/services/client_state_persistence/client_state_persistence_base.py index 193561ef898..99ad71bc8b7 100644 --- a/invokeai/app/services/client_state_persistence/client_state_persistence_base.py +++ b/invokeai/app/services/client_state_persistence/client_state_persistence_base.py @@ -4,15 +4,16 @@ class ClientStatePersistenceABC(ABC): """ Base class for client persistence implementations. - This class defines the interface for persisting client data. + This class defines the interface for persisting client data per user. """ @abstractmethod - def set_by_key(self, queue_id: str, key: str, value: str) -> str: + def set_by_key(self, user_id: str, key: str, value: str) -> str: """ Set a key-value pair for the client. Args: + user_id (str): The user ID to set state for. key (str): The key to set. value (str): The value to set for the key. @@ -22,11 +23,12 @@ def set_by_key(self, queue_id: str, key: str, value: str) -> str: pass @abstractmethod - def get_by_key(self, queue_id: str, key: str) -> str | None: + def get_by_key(self, user_id: str, key: str) -> str | None: """ Get the value for a specific key of the client. Args: + user_id (str): The user ID to get state for. key (str): The key to retrieve the value for. Returns: @@ -35,8 +37,11 @@ def get_by_key(self, queue_id: str, key: str) -> str | None: pass @abstractmethod - def delete(self, queue_id: str) -> None: + def delete(self, user_id: str) -> None: """ - Delete all client state. + Delete all client state for a user. + + Args: + user_id (str): The user ID to delete state for. """ pass diff --git a/invokeai/app/services/client_state_persistence/client_state_persistence_sqlite.py b/invokeai/app/services/client_state_persistence/client_state_persistence_sqlite.py index 36f22d96760..643db306857 100644 --- a/invokeai/app/services/client_state_persistence/client_state_persistence_sqlite.py +++ b/invokeai/app/services/client_state_persistence/client_state_persistence_sqlite.py @@ -1,5 +1,3 @@ -import json - from invokeai.app.services.client_state_persistence.client_state_persistence_base import ClientStatePersistenceABC from invokeai.app.services.invoker import Invoker from invokeai.app.services.shared.sqlite.sqlite_database import SqliteDatabase @@ -7,59 +5,51 @@ class ClientStatePersistenceSqlite(ClientStatePersistenceABC): """ - Base class for client persistence implementations. - This class defines the interface for persisting client data. + SQLite implementation for client state persistence. + This class stores client state data per user to prevent data leakage between users. """ def __init__(self, db: SqliteDatabase) -> None: super().__init__() self._db = db - self._default_row_id = 1 def start(self, invoker: Invoker) -> None: self._invoker = invoker - def _get(self) -> dict[str, str] | None: + def set_by_key(self, user_id: str, key: str, value: str) -> str: with self._db.transaction() as cursor: cursor.execute( - f""" - SELECT data FROM client_state - WHERE id = {self._default_row_id} """ + INSERT INTO client_state (user_id, key, value) + VALUES (?, ?, ?) + ON CONFLICT(user_id, key) DO UPDATE + SET value = excluded.value; + """, + (user_id, key, value), ) - row = cursor.fetchone() - if row is None: - return None - return json.loads(row[0]) - def set_by_key(self, queue_id: str, key: str, value: str) -> str: - state = self._get() or {} - state.update({key: value}) + return value + def get_by_key(self, user_id: str, key: str) -> str | None: with self._db.transaction() as cursor: cursor.execute( - f""" - INSERT INTO client_state (id, data) - VALUES ({self._default_row_id}, ?) - ON CONFLICT(id) DO UPDATE - SET data = excluded.data; + """ + SELECT value FROM client_state + WHERE user_id = ? AND key = ? """, - (json.dumps(state),), + (user_id, key), ) + row = cursor.fetchone() + if row is None: + return None + return row[0] - return value - - def get_by_key(self, queue_id: str, key: str) -> str | None: - state = self._get() - if state is None: - return None - return state.get(key, None) - - def delete(self, queue_id: str) -> None: + def delete(self, user_id: str) -> None: with self._db.transaction() as cursor: cursor.execute( - f""" - DELETE FROM client_state - WHERE id = {self._default_row_id} """ + DELETE FROM client_state + WHERE user_id = ? + """, + (user_id,), ) diff --git a/invokeai/app/services/config/config_default.py b/invokeai/app/services/config/config_default.py index 93b2d01e1ec..2cc2aaf273c 100644 --- a/invokeai/app/services/config/config_default.py +++ b/invokeai/app/services/config/config_default.py @@ -110,6 +110,7 @@ class InvokeAIAppConfig(BaseSettings): scan_models_on_startup: Scan the models directory on startup, registering orphaned models. This is typically only used in conjunction with `use_memory_db` for testing purposes. unsafe_disable_picklescan: UNSAFE. Disable the picklescan security check during model installation. Recommended only for development and testing purposes. This will allow arbitrary code execution during model installation, so should never be used in production. allow_unknown_models: Allow installation of models that we are unable to identify. If enabled, models will be marked as `unknown` in the database, and will not have any metadata associated with them. If disabled, unknown models will be rejected during installation. + multiuser: Enable multiuser support. When disabled, the application runs in single-user mode using a default system account with administrator privileges. When enabled, requires user authentication and authorization. """ _root: Optional[Path] = PrivateAttr(default=None) @@ -203,6 +204,9 @@ class InvokeAIAppConfig(BaseSettings): unsafe_disable_picklescan: bool = Field(default=False, description="UNSAFE. Disable the picklescan security check during model installation. Recommended only for development and testing purposes. This will allow arbitrary code execution during model installation, so should never be used in production.") allow_unknown_models: bool = Field(default=True, description="Allow installation of models that we are unable to identify. If enabled, models will be marked as `unknown` in the database, and will not have any metadata associated with them. If disabled, unknown models will be rejected during installation.") + # MULTIUSER + multiuser: bool = Field(default=False, description="Enable multiuser support. When disabled, the application runs in single-user mode using a default system account with administrator privileges. When enabled, requires user authentication and authorization.") + # fmt: on model_config = SettingsConfigDict(env_prefix="INVOKEAI_", env_ignore_empty=True) diff --git a/invokeai/app/services/events/events_common.py b/invokeai/app/services/events/events_common.py index a924f2eed9f..3e3350e08e9 100644 --- a/invokeai/app/services/events/events_common.py +++ b/invokeai/app/services/events/events_common.py @@ -91,6 +91,7 @@ class QueueItemEventBase(QueueEventBase): batch_id: str = Field(description="The ID of the queue batch") origin: str | None = Field(default=None, description="The origin of the queue item") destination: str | None = Field(default=None, description="The destination of the queue item") + user_id: str = Field(default="system", description="The ID of the user who created the queue item") class InvocationEventBase(QueueItemEventBase): @@ -117,6 +118,7 @@ def build(cls, queue_item: SessionQueueItem, invocation: AnyInvocation) -> "Invo batch_id=queue_item.batch_id, origin=queue_item.origin, destination=queue_item.destination, + user_id=queue_item.user_id, session_id=queue_item.session_id, invocation=invocation, invocation_source_id=queue_item.session.prepared_source_mapping[invocation.id], @@ -152,6 +154,7 @@ def build( batch_id=queue_item.batch_id, origin=queue_item.origin, destination=queue_item.destination, + user_id=queue_item.user_id, session_id=queue_item.session_id, invocation=invocation, invocation_source_id=queue_item.session.prepared_source_mapping[invocation.id], @@ -179,6 +182,7 @@ def build( batch_id=queue_item.batch_id, origin=queue_item.origin, destination=queue_item.destination, + user_id=queue_item.user_id, session_id=queue_item.session_id, invocation=invocation, invocation_source_id=queue_item.session.prepared_source_mapping[invocation.id], @@ -211,6 +215,7 @@ def build( batch_id=queue_item.batch_id, origin=queue_item.origin, destination=queue_item.destination, + user_id=queue_item.user_id, session_id=queue_item.session_id, invocation=invocation, invocation_source_id=queue_item.session.prepared_source_mapping[invocation.id], @@ -248,6 +253,7 @@ def build( batch_id=queue_item.batch_id, origin=queue_item.origin, destination=queue_item.destination, + user_id=queue_item.user_id, session_id=queue_item.session_id, status=queue_item.status, error_type=queue_item.error_type, diff --git a/invokeai/app/services/image_records/image_records_base.py b/invokeai/app/services/image_records/image_records_base.py index ff271e2394e..16405c52708 100644 --- a/invokeai/app/services/image_records/image_records_base.py +++ b/invokeai/app/services/image_records/image_records_base.py @@ -50,8 +50,10 @@ def get_many( is_intermediate: Optional[bool] = None, board_id: Optional[str] = None, search_term: Optional[str] = None, + user_id: Optional[str] = None, + is_admin: bool = False, ) -> OffsetPaginatedResults[ImageRecord]: - """Gets a page of image records.""" + """Gets a page of image records. When board_id is 'none', filters by user_id for per-user uncategorized images unless is_admin is True.""" pass # TODO: The database has a nullable `deleted_at` column, currently unused. @@ -90,6 +92,7 @@ def save( session_id: Optional[str] = None, node_id: Optional[str] = None, metadata: Optional[str] = None, + user_id: Optional[str] = None, ) -> datetime: """Saves an image record.""" pass @@ -109,6 +112,8 @@ def get_image_names( is_intermediate: Optional[bool] = None, board_id: Optional[str] = None, search_term: Optional[str] = None, + user_id: Optional[str] = None, + is_admin: bool = False, ) -> ImageNamesResult: """Gets ordered list of image names with metadata for optimistic updates.""" pass diff --git a/invokeai/app/services/image_records/image_records_sqlite.py b/invokeai/app/services/image_records/image_records_sqlite.py index cb968e76bb8..c6c237fc1e7 100644 --- a/invokeai/app/services/image_records/image_records_sqlite.py +++ b/invokeai/app/services/image_records/image_records_sqlite.py @@ -134,6 +134,8 @@ def get_many( is_intermediate: Optional[bool] = None, board_id: Optional[str] = None, search_term: Optional[str] = None, + user_id: Optional[str] = None, + is_admin: bool = False, ) -> OffsetPaginatedResults[ImageRecord]: with self._db.transaction() as cursor: # Manually build two queries - one for the count, one for the records @@ -186,6 +188,13 @@ def get_many( query_conditions += """--sql AND board_images.board_id IS NULL """ + # For uncategorized images, filter by user_id to ensure per-user isolation + # Admin users can see all uncategorized images from all users + if user_id is not None and not is_admin: + query_conditions += """--sql + AND images.user_id = ? + """ + query_params.append(user_id) elif board_id is not None: query_conditions += """--sql AND board_images.board_id = ? @@ -305,6 +314,7 @@ def save( session_id: Optional[str] = None, node_id: Optional[str] = None, metadata: Optional[str] = None, + user_id: Optional[str] = None, ) -> datetime: with self._db.transaction() as cursor: try: @@ -321,9 +331,10 @@ def save( metadata, is_intermediate, starred, - has_workflow + has_workflow, + user_id ) - VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?); + VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?); """, ( image_name, @@ -337,6 +348,7 @@ def save( is_intermediate, starred, has_workflow, + user_id or "system", ), ) @@ -386,6 +398,8 @@ def get_image_names( is_intermediate: Optional[bool] = None, board_id: Optional[str] = None, search_term: Optional[str] = None, + user_id: Optional[str] = None, + is_admin: bool = False, ) -> ImageNamesResult: with self._db.transaction() as cursor: # Build query conditions (reused for both starred count and image names queries) @@ -417,6 +431,13 @@ def get_image_names( query_conditions += """--sql AND board_images.board_id IS NULL """ + # For uncategorized images, filter by user_id to ensure per-user isolation + # Admin users can see all uncategorized images from all users + if user_id is not None and not is_admin: + query_conditions += """--sql + AND images.user_id = ? + """ + query_params.append(user_id) elif board_id is not None: query_conditions += """--sql AND board_images.board_id = ? diff --git a/invokeai/app/services/images/images_base.py b/invokeai/app/services/images/images_base.py index e1fe02c1ec5..d11d75b3c1d 100644 --- a/invokeai/app/services/images/images_base.py +++ b/invokeai/app/services/images/images_base.py @@ -55,6 +55,7 @@ def create( metadata: Optional[str] = None, workflow: Optional[str] = None, graph: Optional[str] = None, + user_id: Optional[str] = None, ) -> ImageDTO: """Creates an image, storing the file and its metadata.""" pass @@ -125,6 +126,8 @@ def get_many( is_intermediate: Optional[bool] = None, board_id: Optional[str] = None, search_term: Optional[str] = None, + user_id: Optional[str] = None, + is_admin: bool = False, ) -> OffsetPaginatedResults[ImageDTO]: """Gets a paginated list of image DTOs with starred images first when starred_first=True.""" pass @@ -159,6 +162,8 @@ def get_image_names( is_intermediate: Optional[bool] = None, board_id: Optional[str] = None, search_term: Optional[str] = None, + user_id: Optional[str] = None, + is_admin: bool = False, ) -> ImageNamesResult: """Gets ordered list of image names with metadata for optimistic updates.""" pass diff --git a/invokeai/app/services/images/images_default.py b/invokeai/app/services/images/images_default.py index 64ef0751b24..e82bd7f4de1 100644 --- a/invokeai/app/services/images/images_default.py +++ b/invokeai/app/services/images/images_default.py @@ -45,6 +45,7 @@ def create( metadata: Optional[str] = None, workflow: Optional[str] = None, graph: Optional[str] = None, + user_id: Optional[str] = None, ) -> ImageDTO: if image_origin not in ResourceOrigin: raise InvalidOriginException @@ -72,6 +73,7 @@ def create( node_id=node_id, metadata=metadata, session_id=session_id, + user_id=user_id, ) if board_id is not None: try: @@ -215,6 +217,8 @@ def get_many( is_intermediate: Optional[bool] = None, board_id: Optional[str] = None, search_term: Optional[str] = None, + user_id: Optional[str] = None, + is_admin: bool = False, ) -> OffsetPaginatedResults[ImageDTO]: try: results = self.__invoker.services.image_records.get_many( @@ -227,6 +231,8 @@ def get_many( is_intermediate, board_id, search_term, + user_id, + is_admin, ) image_dtos = [ @@ -320,6 +326,8 @@ def get_image_names( is_intermediate: Optional[bool] = None, board_id: Optional[str] = None, search_term: Optional[str] = None, + user_id: Optional[str] = None, + is_admin: bool = False, ) -> ImageNamesResult: try: return self.__invoker.services.image_records.get_image_names( @@ -330,6 +338,8 @@ def get_image_names( is_intermediate=is_intermediate, board_id=board_id, search_term=search_term, + user_id=user_id, + is_admin=is_admin, ) except Exception as e: self.__invoker.services.logger.error("Problem getting image names") diff --git a/invokeai/app/services/invocation_services.py b/invokeai/app/services/invocation_services.py index 52fb064596d..7a33f49940c 100644 --- a/invokeai/app/services/invocation_services.py +++ b/invokeai/app/services/invocation_services.py @@ -36,6 +36,7 @@ from invokeai.app.services.session_processor.session_processor_base import SessionProcessorBase from invokeai.app.services.session_queue.session_queue_base import SessionQueueBase from invokeai.app.services.urls.urls_base import UrlServiceBase + from invokeai.app.services.users.users_base import UserServiceBase from invokeai.app.services.workflow_records.workflow_records_base import WorkflowRecordsStorageBase from invokeai.app.services.workflow_thumbnails.workflow_thumbnails_base import WorkflowThumbnailServiceBase from invokeai.backend.stable_diffusion.diffusion.conditioning_data import ConditioningFieldData @@ -75,6 +76,7 @@ def __init__( style_preset_image_files: "StylePresetImageFileStorageBase", workflow_thumbnails: "WorkflowThumbnailServiceBase", client_state_persistence: "ClientStatePersistenceABC", + users: "UserServiceBase", ): self.board_images = board_images self.board_image_records = board_image_records @@ -105,3 +107,4 @@ def __init__( self.style_preset_image_files = style_preset_image_files self.workflow_thumbnails = workflow_thumbnails self.client_state_persistence = client_state_persistence + self.users = users diff --git a/invokeai/app/services/session_queue/session_queue_base.py b/invokeai/app/services/session_queue/session_queue_base.py index 2b8f05b8e7b..42ececa2950 100644 --- a/invokeai/app/services/session_queue/session_queue_base.py +++ b/invokeai/app/services/session_queue/session_queue_base.py @@ -36,8 +36,10 @@ def dequeue(self) -> Optional[SessionQueueItem]: pass @abstractmethod - def enqueue_batch(self, queue_id: str, batch: Batch, prepend: bool) -> Coroutine[Any, Any, EnqueueBatchResult]: - """Enqueues all permutations of a batch for execution.""" + def enqueue_batch( + self, queue_id: str, batch: Batch, prepend: bool, user_id: str = "system" + ) -> Coroutine[Any, Any, EnqueueBatchResult]: + """Enqueues all permutations of a batch for execution for a specific user.""" pass @abstractmethod @@ -56,8 +58,8 @@ def clear(self, queue_id: str) -> ClearResult: pass @abstractmethod - def prune(self, queue_id: str) -> PruneResult: - """Deletes all completed and errored session queue items""" + def prune(self, queue_id: str, user_id: Optional[str] = None) -> PruneResult: + """Deletes all completed and errored session queue items. If user_id is provided, only prunes items owned by that user.""" pass @abstractmethod @@ -71,8 +73,8 @@ def is_full(self, queue_id: str) -> IsFullResult: pass @abstractmethod - def get_queue_status(self, queue_id: str) -> SessionQueueStatus: - """Gets the status of the queue""" + def get_queue_status(self, queue_id: str, user_id: Optional[str] = None) -> SessionQueueStatus: + """Gets the status of the queue. If user_id is provided, also includes user-specific counts.""" pass @abstractmethod @@ -108,18 +110,24 @@ def fail_queue_item( pass @abstractmethod - def cancel_by_batch_ids(self, queue_id: str, batch_ids: list[str]) -> CancelByBatchIDsResult: - """Cancels all queue items with matching batch IDs""" + def cancel_by_batch_ids( + self, queue_id: str, batch_ids: list[str], user_id: Optional[str] = None + ) -> CancelByBatchIDsResult: + """Cancels all queue items with matching batch IDs. If user_id is provided, only cancels items owned by that user.""" pass @abstractmethod - def cancel_by_destination(self, queue_id: str, destination: str) -> CancelByDestinationResult: - """Cancels all queue items with the given batch destination""" + def cancel_by_destination( + self, queue_id: str, destination: str, user_id: Optional[str] = None + ) -> CancelByDestinationResult: + """Cancels all queue items with the given batch destination. If user_id is provided, only cancels items owned by that user.""" pass @abstractmethod - def delete_by_destination(self, queue_id: str, destination: str) -> DeleteByDestinationResult: - """Deletes all queue items with the given batch destination""" + def delete_by_destination( + self, queue_id: str, destination: str, user_id: Optional[str] = None + ) -> DeleteByDestinationResult: + """Deletes all queue items with the given batch destination. If user_id is provided, only deletes items owned by that user.""" pass @abstractmethod @@ -128,13 +136,13 @@ def cancel_by_queue_id(self, queue_id: str) -> CancelByQueueIDResult: pass @abstractmethod - def cancel_all_except_current(self, queue_id: str) -> CancelAllExceptCurrentResult: - """Cancels all queue items except in-progress items""" + def cancel_all_except_current(self, queue_id: str, user_id: Optional[str] = None) -> CancelAllExceptCurrentResult: + """Cancels all queue items except in-progress items. If user_id is provided, only cancels items owned by that user.""" pass @abstractmethod - def delete_all_except_current(self, queue_id: str) -> DeleteAllExceptCurrentResult: - """Deletes all queue items except in-progress items""" + def delete_all_except_current(self, queue_id: str, user_id: Optional[str] = None) -> DeleteAllExceptCurrentResult: + """Deletes all queue items except in-progress items. If user_id is provided, only deletes items owned by that user.""" pass @abstractmethod diff --git a/invokeai/app/services/session_queue/session_queue_common.py b/invokeai/app/services/session_queue/session_queue_common.py index 57b512a8558..58544422119 100644 --- a/invokeai/app/services/session_queue/session_queue_common.py +++ b/invokeai/app/services/session_queue/session_queue_common.py @@ -170,6 +170,7 @@ def validate_graph(cls, v: Graph): # region Queue Items DEFAULT_QUEUE_ID = "default" +SYSTEM_USER_ID = "system" # Default user_id for system-generated queue items QUEUE_ITEM_STATUS = Literal["pending", "in_progress", "completed", "failed", "canceled"] @@ -243,6 +244,13 @@ class SessionQueueItem(BaseModel): started_at: Optional[Union[datetime.datetime, str]] = Field(description="When this queue item was started") completed_at: Optional[Union[datetime.datetime, str]] = Field(description="When this queue item was completed") queue_id: str = Field(description="The id of the queue with which this item is associated") + user_id: str = Field(default="system", description="The id of the user who created this queue item") + user_display_name: Optional[str] = Field( + default=None, description="The display name of the user who created this queue item, if available" + ) + user_email: Optional[str] = Field( + default=None, description="The email of the user who created this queue item, if available" + ) field_values: Optional[list[NodeFieldValue]] = Field( default=None, description="The field values that were used for this queue item" ) @@ -296,6 +304,12 @@ class SessionQueueStatus(BaseModel): failed: int = Field(..., description="Number of queue items with status 'error'") canceled: int = Field(..., description="Number of queue items with status 'canceled'") total: int = Field(..., description="Total number of queue items") + user_pending: Optional[int] = Field( + default=None, description="Number of queue items with status 'pending' for the current user" + ) + user_in_progress: Optional[int] = Field( + default=None, description="Number of queue items with status 'in_progress' for the current user" + ) class SessionQueueCountsByDestination(BaseModel): @@ -565,6 +579,7 @@ def calc_session_count(batch: Batch) -> int: str | None, # origin (optional) str | None, # destination (optional) int | None, # retried_from_item_id (optional, this is always None for new items) + str, # user_id ] """A type alias for the tuple of values to insert into the session queue table. @@ -573,7 +588,7 @@ def calc_session_count(batch: Batch) -> int: def prepare_values_to_insert( - queue_id: str, batch: Batch, priority: int, max_new_queue_items: int + queue_id: str, batch: Batch, priority: int, max_new_queue_items: int, user_id: str = "system" ) -> list[ValueToInsertTuple]: """ Given a batch, prepare the values to insert into the session queue table. The list of tuples can be used with an @@ -584,6 +599,7 @@ def prepare_values_to_insert( batch: The batch to prepare the values for priority: The priority of the queue items max_new_queue_items: The maximum number of queue items to insert + user_id: The user ID who is creating these queue items Returns: A list of tuples to insert into the session queue table. Each tuple contains the following values: @@ -597,6 +613,7 @@ def prepare_values_to_insert( - origin (optional) - destination (optional) - retried_from_item_id (optional, this is always None for new items) + - user_id """ # A tuple is a fast and memory-efficient way to store the values to insert. Previously, we used a NamedTuple, but @@ -626,6 +643,7 @@ def prepare_values_to_insert( batch.origin, batch.destination, None, + user_id, ) ) return values_to_insert diff --git a/invokeai/app/services/session_queue/session_queue_sqlite.py b/invokeai/app/services/session_queue/session_queue_sqlite.py index 10a2c14e7a4..9e92ea6d3b5 100644 --- a/invokeai/app/services/session_queue/session_queue_sqlite.py +++ b/invokeai/app/services/session_queue/session_queue_sqlite.py @@ -100,7 +100,9 @@ def _get_highest_priority(self, queue_id: str) -> int: priority = cast(Union[int, None], cursor.fetchone()[0]) or 0 return priority - async def enqueue_batch(self, queue_id: str, batch: Batch, prepend: bool) -> EnqueueBatchResult: + async def enqueue_batch( + self, queue_id: str, batch: Batch, prepend: bool, user_id: str = "system" + ) -> EnqueueBatchResult: current_queue_size = self._get_current_queue_size(queue_id) max_queue_size = self.__invoker.services.configuration.max_queue_size max_new_queue_items = max_queue_size - current_queue_size @@ -119,14 +121,15 @@ async def enqueue_batch(self, queue_id: str, batch: Batch, prepend: bool) -> Enq batch=batch, priority=priority, max_new_queue_items=max_new_queue_items, + user_id=user_id, ) enqueued_count = len(values_to_insert) with self._db.transaction() as cursor: cursor.executemany( """--sql - INSERT INTO session_queue (queue_id, session, session_id, batch_id, field_values, priority, workflow, origin, destination, retried_from_item_id) - VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?) + INSERT INTO session_queue (queue_id, session, session_id, batch_id, field_values, priority, workflow, origin, destination, retried_from_item_id, user_id) + VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) """, values_to_insert, ) @@ -155,12 +158,16 @@ def dequeue(self) -> Optional[SessionQueueItem]: with self._db.transaction() as cursor: cursor.execute( """--sql - SELECT * - FROM session_queue - WHERE status = 'pending' + SELECT + sq.*, + u.display_name as user_display_name, + u.email as user_email + FROM session_queue sq + LEFT JOIN users u ON sq.user_id = u.user_id + WHERE sq.status = 'pending' ORDER BY - priority DESC, - item_id ASC + sq.priority DESC, + sq.item_id ASC LIMIT 1 """ ) @@ -175,14 +182,18 @@ def get_next(self, queue_id: str) -> Optional[SessionQueueItem]: with self._db.transaction() as cursor: cursor.execute( """--sql - SELECT * - FROM session_queue + SELECT + sq.*, + u.display_name as user_display_name, + u.email as user_email + FROM session_queue sq + LEFT JOIN users u ON sq.user_id = u.user_id WHERE - queue_id = ? - AND status = 'pending' + sq.queue_id = ? + AND sq.status = 'pending' ORDER BY - priority DESC, - created_at ASC + sq.priority DESC, + sq.created_at ASC LIMIT 1 """, (queue_id,), @@ -196,11 +207,15 @@ def get_current(self, queue_id: str) -> Optional[SessionQueueItem]: with self._db.transaction() as cursor: cursor.execute( """--sql - SELECT * - FROM session_queue + SELECT + sq.*, + u.display_name as user_display_name, + u.email as user_email + FROM session_queue sq + LEFT JOIN users u ON sq.user_id = u.user_id WHERE - queue_id = ? - AND status = 'in_progress' + sq.queue_id = ? + AND sq.status = 'in_progress' LIMIT 1 """, (queue_id,), @@ -299,9 +314,11 @@ def clear(self, queue_id: str) -> ClearResult: self.__invoker.services.events.emit_queue_cleared(queue_id) return ClearResult(deleted=count) - def prune(self, queue_id: str) -> PruneResult: + def prune(self, queue_id: str, user_id: Optional[str] = None) -> PruneResult: with self._db.transaction() as cursor: - where = """--sql + # Build WHERE clause with optional user_id filter + user_filter = "AND user_id = ?" if user_id is not None else "" + where = f"""--sql WHERE queue_id = ? AND ( @@ -309,14 +326,19 @@ def prune(self, queue_id: str) -> PruneResult: OR status = 'failed' OR status = 'canceled' ) + {user_filter} """ + params = [queue_id] + if user_id is not None: + params.append(user_id) + cursor.execute( f"""--sql SELECT COUNT(*) FROM session_queue {where}; """, - (queue_id,), + tuple(params), ) count = cursor.fetchone()[0] cursor.execute( @@ -325,7 +347,7 @@ def prune(self, queue_id: str) -> PruneResult: FROM session_queue {where}; """, - (queue_id,), + tuple(params), ) return PruneResult(deleted=count) @@ -369,10 +391,15 @@ def fail_queue_item( ) return queue_item - def cancel_by_batch_ids(self, queue_id: str, batch_ids: list[str]) -> CancelByBatchIDsResult: + def cancel_by_batch_ids( + self, queue_id: str, batch_ids: list[str], user_id: Optional[str] = None + ) -> CancelByBatchIDsResult: with self._db.transaction() as cursor: current_queue_item = self.get_current(queue_id) placeholders = ", ".join(["?" for _ in batch_ids]) + + # Build WHERE clause with optional user_id filter + user_filter = "AND user_id = ?" if user_id is not None else "" where = f"""--sql WHERE queue_id == ? @@ -382,8 +409,12 @@ def cancel_by_batch_ids(self, queue_id: str, batch_ids: list[str]) -> CancelByBa AND status != 'failed' -- We will cancel the current item separately below - skip it here AND status != 'in_progress' + {user_filter} """ params = [queue_id] + batch_ids + if user_id is not None: + params.append(user_id) + cursor.execute( f"""--sql SELECT COUNT(*) @@ -402,15 +433,22 @@ def cancel_by_batch_ids(self, queue_id: str, batch_ids: list[str]) -> CancelByBa tuple(params), ) + # Handle current item separately - check ownership if user_id is provided if current_queue_item is not None and current_queue_item.batch_id in batch_ids: - self._set_queue_item_status(current_queue_item.item_id, "canceled") + if user_id is None or current_queue_item.user_id == user_id: + self._set_queue_item_status(current_queue_item.item_id, "canceled") return CancelByBatchIDsResult(canceled=count) - def cancel_by_destination(self, queue_id: str, destination: str) -> CancelByDestinationResult: + def cancel_by_destination( + self, queue_id: str, destination: str, user_id: Optional[str] = None + ) -> CancelByDestinationResult: with self._db.transaction() as cursor: current_queue_item = self.get_current(queue_id) - where = """--sql + + # Build WHERE clause with optional user_id filter + user_filter = "AND user_id = ?" if user_id is not None else "" + where = f"""--sql WHERE queue_id == ? AND destination == ? @@ -419,15 +457,19 @@ def cancel_by_destination(self, queue_id: str, destination: str) -> CancelByDest AND status != 'failed' -- We will cancel the current item separately below - skip it here AND status != 'in_progress' + {user_filter} """ - params = (queue_id, destination) + params = [queue_id, destination] + if user_id is not None: + params.append(user_id) + cursor.execute( f"""--sql SELECT COUNT(*) FROM session_queue {where}; """, - params, + tuple(params), ) count = cursor.fetchone()[0] cursor.execute( @@ -436,55 +478,78 @@ def cancel_by_destination(self, queue_id: str, destination: str) -> CancelByDest SET status = 'canceled' {where}; """, - params, + tuple(params), ) + + # Handle current item separately - check ownership if user_id is provided if current_queue_item is not None and current_queue_item.destination == destination: - self._set_queue_item_status(current_queue_item.item_id, "canceled") + if user_id is None or current_queue_item.user_id == user_id: + self._set_queue_item_status(current_queue_item.item_id, "canceled") + return CancelByDestinationResult(canceled=count) - def delete_by_destination(self, queue_id: str, destination: str) -> DeleteByDestinationResult: + def delete_by_destination( + self, queue_id: str, destination: str, user_id: Optional[str] = None + ) -> DeleteByDestinationResult: with self._db.transaction() as cursor: current_queue_item = self.get_current(queue_id) + + # Handle current item separately - check ownership if user_id is provided if current_queue_item is not None and current_queue_item.destination == destination: - self.cancel_queue_item(current_queue_item.item_id) - params = (queue_id, destination) + if user_id is None or current_queue_item.user_id == user_id: + self.cancel_queue_item(current_queue_item.item_id) + + # Build WHERE clause with optional user_id filter + user_filter = "AND user_id = ?" if user_id is not None else "" + params = [queue_id, destination] + if user_id is not None: + params.append(user_id) + cursor.execute( - """--sql + f"""--sql SELECT COUNT(*) FROM session_queue WHERE - queue_id = ? - AND destination = ?; + queue_id == ? + AND destination == ? + {user_filter} """, - params, + tuple(params), ) count = cursor.fetchone()[0] cursor.execute( - """--sql - DELETE - FROM session_queue + f"""--sql + DELETE FROM session_queue WHERE - queue_id = ? - AND destination = ?; + queue_id == ? + AND destination == ? + {user_filter} """, - params, + tuple(params), ) return DeleteByDestinationResult(deleted=count) - def delete_all_except_current(self, queue_id: str) -> DeleteAllExceptCurrentResult: + def delete_all_except_current(self, queue_id: str, user_id: Optional[str] = None) -> DeleteAllExceptCurrentResult: with self._db.transaction() as cursor: - where = """--sql + # Build WHERE clause with optional user_id filter + user_filter = "AND user_id = ?" if user_id is not None else "" + where = f"""--sql WHERE queue_id == ? AND status == 'pending' + {user_filter} """ + params = [queue_id] + if user_id is not None: + params.append(user_id) + cursor.execute( f"""--sql SELECT COUNT(*) FROM session_queue {where}; """, - (queue_id,), + tuple(params), ) count = cursor.fetchone()[0] cursor.execute( @@ -493,7 +558,7 @@ def delete_all_except_current(self, queue_id: str) -> DeleteAllExceptCurrentResu FROM session_queue {where}; """, - (queue_id,), + tuple(params), ) return DeleteAllExceptCurrentResult(deleted=count) @@ -532,20 +597,27 @@ def cancel_by_queue_id(self, queue_id: str) -> CancelByQueueIDResult: self._set_queue_item_status(current_queue_item.item_id, "canceled") return CancelByQueueIDResult(canceled=count) - def cancel_all_except_current(self, queue_id: str) -> CancelAllExceptCurrentResult: + def cancel_all_except_current(self, queue_id: str, user_id: Optional[str] = None) -> CancelAllExceptCurrentResult: with self._db.transaction() as cursor: - where = """--sql + # Build WHERE clause with optional user_id filter + user_filter = "AND user_id = ?" if user_id is not None else "" + where = f"""--sql WHERE queue_id == ? AND status == 'pending' + {user_filter} """ + params = [queue_id] + if user_id is not None: + params.append(user_id) + cursor.execute( f"""--sql SELECT COUNT(*) FROM session_queue {where}; """, - (queue_id,), + tuple(params), ) count = cursor.fetchone()[0] cursor.execute( @@ -554,7 +626,7 @@ def cancel_all_except_current(self, queue_id: str) -> CancelAllExceptCurrentResu SET status = 'canceled' {where}; """, - (queue_id,), + tuple(params), ) return CancelAllExceptCurrentResult(canceled=count) @@ -562,9 +634,13 @@ def get_queue_item(self, item_id: int) -> SessionQueueItem: with self._db.transaction() as cursor: cursor.execute( """--sql - SELECT * FROM session_queue - WHERE - item_id = ? + SELECT + sq.*, + u.display_name as user_display_name, + u.email as user_email + FROM session_queue sq + LEFT JOIN users u ON sq.user_id = u.user_id + WHERE sq.item_id = ? """, (item_id,), ) @@ -650,22 +726,26 @@ def list_all_queue_items( """Gets all queue items that match the given parameters""" with self._db.transaction() as cursor: query = """--sql - SELECT * - FROM session_queue - WHERE queue_id = ? + SELECT + sq.*, + u.display_name as user_display_name, + u.email as user_email + FROM session_queue sq + LEFT JOIN users u ON sq.user_id = u.user_id + WHERE sq.queue_id = ? """ params: list[Union[str, int]] = [queue_id] if destination is not None: query += """---sql - AND destination = ? + AND sq.destination = ? """ params.append(destination) query += """--sql ORDER BY - priority DESC, - item_id ASC + sq.priority DESC, + sq.item_id ASC ; """ cursor.execute(query, params) @@ -693,8 +773,9 @@ def get_queue_item_ids( return ItemIdsResult(item_ids=item_ids, total_count=len(item_ids)) - def get_queue_status(self, queue_id: str) -> SessionQueueStatus: + def get_queue_status(self, queue_id: str, user_id: Optional[str] = None) -> SessionQueueStatus: with self._db.transaction() as cursor: + # Get total counts cursor.execute( """--sql SELECT status, count(*) @@ -706,9 +787,32 @@ def get_queue_status(self, queue_id: str) -> SessionQueueStatus: ) counts_result = cast(list[sqlite3.Row], cursor.fetchall()) + # Get user-specific counts if user_id is provided (using a single query with CASE) + user_counts_result = [] + if user_id is not None: + cursor.execute( + """--sql + SELECT status, count(*) + FROM session_queue + WHERE queue_id = ? AND user_id = ? + GROUP BY status + """, + (queue_id, user_id), + ) + user_counts_result = cast(list[sqlite3.Row], cursor.fetchall()) + current_item = self.get_current(queue_id=queue_id) total = sum(row[1] or 0 for row in counts_result) counts: dict[str, int] = {row[0]: row[1] for row in counts_result} + + # Process user-specific counts if available + user_pending = None + user_in_progress = None + if user_id is not None: + user_counts: dict[str, int] = {row[0]: row[1] for row in user_counts_result} + user_pending = user_counts.get("pending", 0) + user_in_progress = user_counts.get("in_progress", 0) + return SessionQueueStatus( queue_id=queue_id, item_id=current_item.item_id if current_item else None, @@ -720,6 +824,8 @@ def get_queue_status(self, queue_id: str) -> SessionQueueStatus: failed=counts.get("failed", 0), canceled=counts.get("canceled", 0), total=total, + user_pending=user_pending, + user_in_progress=user_in_progress, ) def get_batch_status(self, queue_id: str, batch_id: str) -> BatchStatus: @@ -822,6 +928,7 @@ def retry_items_by_id(self, queue_id: str, item_ids: list[int]) -> RetryItemsRes queue_item.origin, queue_item.destination, retried_from_item_id, + queue_item.user_id, ) values_to_insert.append(value_to_insert) @@ -829,8 +936,8 @@ def retry_items_by_id(self, queue_id: str, item_ids: list[int]) -> RetryItemsRes cursor.executemany( """--sql - INSERT INTO session_queue (queue_id, session, session_id, batch_id, field_values, priority, workflow, origin, destination, retried_from_item_id) - VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?) + INSERT INTO session_queue (queue_id, session, session_id, batch_id, field_values, priority, workflow, origin, destination, retried_from_item_id, user_id) + VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) """, values_to_insert, ) diff --git a/invokeai/app/services/shared/invocation_context.py b/invokeai/app/services/shared/invocation_context.py index 4ee43b29b7e..67e3c99f1ad 100644 --- a/invokeai/app/services/shared/invocation_context.py +++ b/invokeai/app/services/shared/invocation_context.py @@ -72,7 +72,7 @@ def __init__(self, services: InvocationServices, data: InvocationContextData) -> class BoardsInterface(InvocationContextInterface): def create(self, board_name: str) -> BoardDTO: - """Creates a board. + """Creates a board for the current user. Args: board_name: The name of the board to create. @@ -80,7 +80,8 @@ def create(self, board_name: str) -> BoardDTO: Returns: The created board DTO. """ - return self._services.boards.create(board_name) + user_id = self._data.queue_item.user_id + return self._services.boards.create(board_name, user_id) def get_dto(self, board_id: str) -> BoardDTO: """Gets a board DTO. @@ -94,13 +95,14 @@ def get_dto(self, board_id: str) -> BoardDTO: return self._services.boards.get_dto(board_id) def get_all(self) -> list[BoardDTO]: - """Gets all boards. + """Gets all boards accessible to the current user. Returns: - A list of all boards. + A list of all boards accessible to the current user. """ + user_id = self._data.queue_item.user_id return self._services.boards.get_all( - order_by=BoardRecordOrderBy.CreatedAt, direction=SQLiteDirection.Descending + user_id, order_by=BoardRecordOrderBy.CreatedAt, direction=SQLiteDirection.Descending ) def add_image_to_board(self, board_id: str, image_name: str) -> None: @@ -228,6 +230,7 @@ def save( graph=graph_, session_id=self._data.queue_item.session_id, node_id=self._data.invocation.id, + user_id=self._data.queue_item.user_id, ) def get_pil(self, image_name: str, mode: IMAGE_MODES | None = None) -> Image: diff --git a/invokeai/app/services/shared/sqlite/sqlite_util.py b/invokeai/app/services/shared/sqlite/sqlite_util.py index f6cb70b9df0..ac6212af6d6 100644 --- a/invokeai/app/services/shared/sqlite/sqlite_util.py +++ b/invokeai/app/services/shared/sqlite/sqlite_util.py @@ -28,6 +28,9 @@ from invokeai.app.services.shared.sqlite_migrator.migrations.migration_23 import build_migration_23 from invokeai.app.services.shared.sqlite_migrator.migrations.migration_24 import build_migration_24 from invokeai.app.services.shared.sqlite_migrator.migrations.migration_25 import build_migration_25 +from invokeai.app.services.shared.sqlite_migrator.migrations.migration_26 import build_migration_26 +from invokeai.app.services.shared.sqlite_migrator.migrations.migration_27 import build_migration_27 +from invokeai.app.services.shared.sqlite_migrator.migrations.migration_28 import build_migration_28 from invokeai.app.services.shared.sqlite_migrator.sqlite_migrator_impl import SqliteMigrator @@ -73,6 +76,9 @@ def init_db(config: InvokeAIAppConfig, logger: Logger, image_files: ImageFileSto migrator.register_migration(build_migration_23(app_config=config, logger=logger)) migrator.register_migration(build_migration_24(app_config=config, logger=logger)) migrator.register_migration(build_migration_25(app_config=config, logger=logger)) + migrator.register_migration(build_migration_26()) + migrator.register_migration(build_migration_27()) + migrator.register_migration(build_migration_28()) migrator.run_migrations() return db diff --git a/invokeai/app/services/shared/sqlite_migrator/migrations/migration_26.py b/invokeai/app/services/shared/sqlite_migrator/migrations/migration_26.py new file mode 100644 index 00000000000..837245367c7 --- /dev/null +++ b/invokeai/app/services/shared/sqlite_migrator/migrations/migration_26.py @@ -0,0 +1,222 @@ +"""Migration 26: Add multi-user support. + +This migration adds the database schema for multi-user support, including: +- users table for user accounts +- user_sessions table for session management +- user_invitations table for invitation system +- shared_boards table for board sharing +- Adding user_id columns to existing tables for data ownership +""" + +import sqlite3 + +from invokeai.app.services.shared.sqlite_migrator.sqlite_migrator_common import Migration + + +class Migration26Callback: + """Migration to add multi-user support.""" + + def __call__(self, cursor: sqlite3.Cursor) -> None: + self._create_users_table(cursor) + self._create_user_sessions_table(cursor) + self._create_user_invitations_table(cursor) + self._create_shared_boards_table(cursor) + self._update_boards_table(cursor) + self._update_images_table(cursor) + self._update_workflows_table(cursor) + self._update_session_queue_table(cursor) + self._update_style_presets_table(cursor) + self._create_system_user(cursor) + + def _create_users_table(self, cursor: sqlite3.Cursor) -> None: + """Create users table.""" + cursor.execute(""" + CREATE TABLE IF NOT EXISTS users ( + user_id TEXT NOT NULL PRIMARY KEY, + email TEXT NOT NULL UNIQUE, + display_name TEXT, + password_hash TEXT NOT NULL, + is_admin BOOLEAN NOT NULL DEFAULT FALSE, + is_active BOOLEAN NOT NULL DEFAULT TRUE, + created_at DATETIME NOT NULL DEFAULT(STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')), + updated_at DATETIME NOT NULL DEFAULT(STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')), + last_login_at DATETIME + ); + """) + + cursor.execute("CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);") + cursor.execute("CREATE INDEX IF NOT EXISTS idx_users_is_admin ON users(is_admin);") + cursor.execute("CREATE INDEX IF NOT EXISTS idx_users_is_active ON users(is_active);") + + cursor.execute(""" + CREATE TRIGGER IF NOT EXISTS tg_users_updated_at + AFTER UPDATE ON users FOR EACH ROW + BEGIN + UPDATE users SET updated_at = STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW') + WHERE user_id = old.user_id; + END; + """) + + def _create_user_sessions_table(self, cursor: sqlite3.Cursor) -> None: + """Create user_sessions table for session management.""" + cursor.execute(""" + CREATE TABLE IF NOT EXISTS user_sessions ( + session_id TEXT NOT NULL PRIMARY KEY, + user_id TEXT NOT NULL, + token_hash TEXT NOT NULL, + expires_at DATETIME NOT NULL, + created_at DATETIME NOT NULL DEFAULT(STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')), + last_activity_at DATETIME NOT NULL DEFAULT(STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')), + FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE + ); + """) + + cursor.execute("CREATE INDEX IF NOT EXISTS idx_user_sessions_user_id ON user_sessions(user_id);") + cursor.execute("CREATE INDEX IF NOT EXISTS idx_user_sessions_token_hash ON user_sessions(token_hash);") + cursor.execute("CREATE INDEX IF NOT EXISTS idx_user_sessions_expires_at ON user_sessions(expires_at);") + + def _create_user_invitations_table(self, cursor: sqlite3.Cursor) -> None: + """Create user_invitations table for invitation system.""" + cursor.execute(""" + CREATE TABLE IF NOT EXISTS user_invitations ( + invitation_id TEXT NOT NULL PRIMARY KEY, + email TEXT NOT NULL, + invited_by TEXT NOT NULL, + invitation_code TEXT NOT NULL UNIQUE, + is_admin BOOLEAN NOT NULL DEFAULT FALSE, + expires_at DATETIME NOT NULL, + used_at DATETIME, + created_at DATETIME NOT NULL DEFAULT(STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')), + FOREIGN KEY (invited_by) REFERENCES users(user_id) ON DELETE CASCADE + ); + """) + + cursor.execute("CREATE INDEX IF NOT EXISTS idx_user_invitations_email ON user_invitations(email);") + cursor.execute( + "CREATE INDEX IF NOT EXISTS idx_user_invitations_invitation_code ON user_invitations(invitation_code);" + ) + cursor.execute("CREATE INDEX IF NOT EXISTS idx_user_invitations_expires_at ON user_invitations(expires_at);") + + def _create_shared_boards_table(self, cursor: sqlite3.Cursor) -> None: + """Create shared_boards table for board sharing.""" + cursor.execute(""" + CREATE TABLE IF NOT EXISTS shared_boards ( + board_id TEXT NOT NULL, + user_id TEXT NOT NULL, + can_edit BOOLEAN NOT NULL DEFAULT FALSE, + shared_at DATETIME NOT NULL DEFAULT(STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')), + PRIMARY KEY (board_id, user_id), + FOREIGN KEY (board_id) REFERENCES boards(board_id) ON DELETE CASCADE, + FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE + ); + """) + + cursor.execute("CREATE INDEX IF NOT EXISTS idx_shared_boards_user_id ON shared_boards(user_id);") + cursor.execute("CREATE INDEX IF NOT EXISTS idx_shared_boards_board_id ON shared_boards(board_id);") + + def _update_boards_table(self, cursor: sqlite3.Cursor) -> None: + """Add user_id and is_public columns to boards table.""" + # Check if boards table exists + cursor.execute("SELECT name FROM sqlite_master WHERE type='table' AND name='boards';") + if cursor.fetchone() is None: + return + + # Check if user_id column exists + cursor.execute("PRAGMA table_info(boards);") + columns = [row[1] for row in cursor.fetchall()] + + if "user_id" not in columns: + cursor.execute("ALTER TABLE boards ADD COLUMN user_id TEXT DEFAULT 'system';") + cursor.execute("CREATE INDEX IF NOT EXISTS idx_boards_user_id ON boards(user_id);") + + if "is_public" not in columns: + cursor.execute("ALTER TABLE boards ADD COLUMN is_public BOOLEAN NOT NULL DEFAULT FALSE;") + cursor.execute("CREATE INDEX IF NOT EXISTS idx_boards_is_public ON boards(is_public);") + + def _update_images_table(self, cursor: sqlite3.Cursor) -> None: + """Add user_id column to images table.""" + # Check if images table exists + cursor.execute("SELECT name FROM sqlite_master WHERE type='table' AND name='images';") + if cursor.fetchone() is None: + return + + cursor.execute("PRAGMA table_info(images);") + columns = [row[1] for row in cursor.fetchall()] + + if "user_id" not in columns: + cursor.execute("ALTER TABLE images ADD COLUMN user_id TEXT DEFAULT 'system';") + cursor.execute("CREATE INDEX IF NOT EXISTS idx_images_user_id ON images(user_id);") + + def _update_workflows_table(self, cursor: sqlite3.Cursor) -> None: + """Add user_id and is_public columns to workflows table.""" + # Check if workflows table exists + cursor.execute("SELECT name FROM sqlite_master WHERE type='table' AND name='workflows';") + if cursor.fetchone() is None: + return + + cursor.execute("PRAGMA table_info(workflows);") + columns = [row[1] for row in cursor.fetchall()] + + if "user_id" not in columns: + cursor.execute("ALTER TABLE workflows ADD COLUMN user_id TEXT DEFAULT 'system';") + cursor.execute("CREATE INDEX IF NOT EXISTS idx_workflows_user_id ON workflows(user_id);") + + if "is_public" not in columns: + cursor.execute("ALTER TABLE workflows ADD COLUMN is_public BOOLEAN NOT NULL DEFAULT FALSE;") + cursor.execute("CREATE INDEX IF NOT EXISTS idx_workflows_is_public ON workflows(is_public);") + + def _update_session_queue_table(self, cursor: sqlite3.Cursor) -> None: + """Add user_id column to session_queue table.""" + # Check if session_queue table exists + cursor.execute("SELECT name FROM sqlite_master WHERE type='table' AND name='session_queue';") + if cursor.fetchone() is None: + return + + cursor.execute("PRAGMA table_info(session_queue);") + columns = [row[1] for row in cursor.fetchall()] + + if "user_id" not in columns: + cursor.execute("ALTER TABLE session_queue ADD COLUMN user_id TEXT DEFAULT 'system';") + cursor.execute("CREATE INDEX IF NOT EXISTS idx_session_queue_user_id ON session_queue(user_id);") + + def _update_style_presets_table(self, cursor: sqlite3.Cursor) -> None: + """Add user_id and is_public columns to style_presets table.""" + # Check if style_presets table exists + cursor.execute("SELECT name FROM sqlite_master WHERE type='table' AND name='style_presets';") + if cursor.fetchone() is None: + return + + cursor.execute("PRAGMA table_info(style_presets);") + columns = [row[1] for row in cursor.fetchall()] + + if "user_id" not in columns: + cursor.execute("ALTER TABLE style_presets ADD COLUMN user_id TEXT DEFAULT 'system';") + cursor.execute("CREATE INDEX IF NOT EXISTS idx_style_presets_user_id ON style_presets(user_id);") + + if "is_public" not in columns: + cursor.execute("ALTER TABLE style_presets ADD COLUMN is_public BOOLEAN NOT NULL DEFAULT FALSE;") + cursor.execute("CREATE INDEX IF NOT EXISTS idx_style_presets_is_public ON style_presets(is_public);") + + def _create_system_user(self, cursor: sqlite3.Cursor) -> None: + """Create system user for backward compatibility. + + The system user is NOT an admin - it's just used to own existing data + from before multi-user support was added. Real admin users should be + created through the /auth/setup endpoint. + """ + cursor.execute(""" + INSERT OR IGNORE INTO users (user_id, email, display_name, password_hash, is_admin, is_active) + VALUES ('system', 'system@system.invokeai', 'System', '', FALSE, TRUE); + """) + + +def build_migration_26() -> Migration: + """Builds the migration object for migrating from version 25 to version 26. + + This migration adds multi-user support to the database schema. + """ + return Migration( + from_version=25, + to_version=26, + callback=Migration26Callback(), + ) diff --git a/invokeai/app/services/shared/sqlite_migrator/migrations/migration_27.py b/invokeai/app/services/shared/sqlite_migrator/migrations/migration_27.py new file mode 100644 index 00000000000..f4612c8e3a7 --- /dev/null +++ b/invokeai/app/services/shared/sqlite_migrator/migrations/migration_27.py @@ -0,0 +1,120 @@ +"""Migration 27: Add user_id to client_state table for multi-user support. + +This migration updates the client_state table to support per-user state isolation: +- Drops the single-row constraint (CHECK(id = 1)) +- Adds user_id column +- Creates unique constraint on (user_id, key) pairs +- Migrates existing data to 'system' user +""" + +import json +import sqlite3 + +from invokeai.app.services.shared.sqlite_migrator.sqlite_migrator_common import Migration + + +class Migration27Callback: + """Migration to add per-user client state support.""" + + def __call__(self, cursor: sqlite3.Cursor) -> None: + self._update_client_state_table(cursor) + + def _update_client_state_table(self, cursor: sqlite3.Cursor) -> None: + """Restructure client_state table to support per-user storage.""" + # Check if client_state table exists + cursor.execute("SELECT name FROM sqlite_master WHERE type='table' AND name='client_state';") + if cursor.fetchone() is None: + # Table doesn't exist, create it with the new schema + cursor.execute( + """ + CREATE TABLE client_state ( + user_id TEXT NOT NULL, + key TEXT NOT NULL, + value TEXT NOT NULL, + updated_at DATETIME NOT NULL DEFAULT (CURRENT_TIMESTAMP), + PRIMARY KEY (user_id, key), + FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE + ); + """ + ) + cursor.execute("CREATE INDEX IF NOT EXISTS idx_client_state_user_id ON client_state(user_id);") + cursor.execute( + """ + CREATE TRIGGER tg_client_state_updated_at + AFTER UPDATE ON client_state + FOR EACH ROW + BEGIN + UPDATE client_state + SET updated_at = CURRENT_TIMESTAMP + WHERE user_id = OLD.user_id AND key = OLD.key; + END; + """ + ) + return + + # Table exists with old schema - migrate it + # Get existing data + cursor.execute("SELECT data FROM client_state WHERE id = 1;") + row = cursor.fetchone() + existing_data = {} + if row is not None: + try: + existing_data = json.loads(row[0]) + except (json.JSONDecodeError, TypeError): + # If data is corrupt, just start fresh + pass + + # Drop the old table + cursor.execute("DROP TABLE IF EXISTS client_state;") + + # Create new table with per-user schema + cursor.execute( + """ + CREATE TABLE client_state ( + user_id TEXT NOT NULL, + key TEXT NOT NULL, + value TEXT NOT NULL, + updated_at DATETIME NOT NULL DEFAULT (CURRENT_TIMESTAMP), + PRIMARY KEY (user_id, key), + FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE + ); + """ + ) + + cursor.execute("CREATE INDEX IF NOT EXISTS idx_client_state_user_id ON client_state(user_id);") + + cursor.execute( + """ + CREATE TRIGGER tg_client_state_updated_at + AFTER UPDATE ON client_state + FOR EACH ROW + BEGIN + UPDATE client_state + SET updated_at = CURRENT_TIMESTAMP + WHERE user_id = OLD.user_id AND key = OLD.key; + END; + """ + ) + + # Migrate existing data to 'system' user + # The 'system' user is created by migration 25, so it's guaranteed to exist at this point + for key, value in existing_data.items(): + cursor.execute( + """ + INSERT INTO client_state (user_id, key, value) + VALUES ('system', ?, ?); + """, + (key, value), + ) + + +def build_migration_27() -> Migration: + """Builds the migration object for migrating from version 26 to version 27. + + This migration adds per-user client state support to prevent data leakage between users. + """ + return Migration( + from_version=26, + to_version=27, + callback=Migration27Callback(), + ) diff --git a/invokeai/app/services/shared/sqlite_migrator/migrations/migration_28.py b/invokeai/app/services/shared/sqlite_migrator/migrations/migration_28.py new file mode 100644 index 00000000000..b4739a6f36c --- /dev/null +++ b/invokeai/app/services/shared/sqlite_migrator/migrations/migration_28.py @@ -0,0 +1,77 @@ +"""Migration 28: Add app_settings table for storing JWT secret and other app-level settings. + +This migration adds the app_settings table to securely store application-level configuration: +- Creates app_settings table with key-value storage +- Generates a random cryptographically secure JWT secret key +- Stores the JWT secret in the database for token signing/verification +""" + +import secrets +import sqlite3 + +from invokeai.app.services.shared.sqlite_migrator.sqlite_migrator_common import Migration + + +class Migration28Callback: + """Migration to add app_settings table and JWT secret.""" + + def __call__(self, cursor: sqlite3.Cursor) -> None: + self._create_app_settings_table(cursor) + self._generate_jwt_secret(cursor) + + def _create_app_settings_table(self, cursor: sqlite3.Cursor) -> None: + """Create app_settings table for storing application-level configuration.""" + cursor.execute( + """ + CREATE TABLE IF NOT EXISTS app_settings ( + key TEXT NOT NULL PRIMARY KEY, + value TEXT NOT NULL, + created_at DATETIME NOT NULL DEFAULT(STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')), + updated_at DATETIME NOT NULL DEFAULT(STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')) + ); + """ + ) + + cursor.execute( + """ + CREATE TRIGGER IF NOT EXISTS tg_app_settings_updated_at + AFTER UPDATE ON app_settings + FOR EACH ROW + BEGIN + UPDATE app_settings SET updated_at = STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW') + WHERE key = OLD.key; + END; + """ + ) + + def _generate_jwt_secret(self, cursor: sqlite3.Cursor) -> None: + """Generate and store a cryptographically secure JWT secret key. + + The secret is a 64-character hexadecimal string (256 bits of entropy), + which is suitable for HS256 JWT signing. + """ + # Check if JWT secret already exists + cursor.execute("SELECT value FROM app_settings WHERE key = 'jwt_secret';") + existing_secret = cursor.fetchone() + + if existing_secret is None: + # Generate a new cryptographically secure secret (256 bits) + jwt_secret = secrets.token_hex(32) # 32 bytes = 256 bits = 64 hex characters + + # Store in database + cursor.execute( + "INSERT INTO app_settings (key, value) VALUES ('jwt_secret', ?);", + (jwt_secret,), + ) + + +def build_migration_28() -> Migration: + """Builds the migration object for migrating from version 27 to version 28. + + This migration adds the app_settings table and generates a JWT secret for token signing. + """ + return Migration( + from_version=27, + to_version=28, + callback=Migration28Callback(), + ) diff --git a/invokeai/app/services/users/__init__.py b/invokeai/app/services/users/__init__.py new file mode 100644 index 00000000000..f4976759504 --- /dev/null +++ b/invokeai/app/services/users/__init__.py @@ -0,0 +1 @@ +"""User service module.""" diff --git a/invokeai/app/services/users/users_base.py b/invokeai/app/services/users/users_base.py new file mode 100644 index 00000000000..6587a2aa3ae --- /dev/null +++ b/invokeai/app/services/users/users_base.py @@ -0,0 +1,126 @@ +"""Abstract base class for user service.""" + +from abc import ABC, abstractmethod + +from invokeai.app.services.users.users_common import UserCreateRequest, UserDTO, UserUpdateRequest + + +class UserServiceBase(ABC): + """High-level service for user management.""" + + @abstractmethod + def create(self, user_data: UserCreateRequest) -> UserDTO: + """Create a new user. + + Args: + user_data: User creation data + + Returns: + The created user + + Raises: + ValueError: If email already exists or password is weak + """ + pass + + @abstractmethod + def get(self, user_id: str) -> UserDTO | None: + """Get user by ID. + + Args: + user_id: The user ID + + Returns: + UserDTO if found, None otherwise + """ + pass + + @abstractmethod + def get_by_email(self, email: str) -> UserDTO | None: + """Get user by email. + + Args: + email: The email address + + Returns: + UserDTO if found, None otherwise + """ + pass + + @abstractmethod + def update(self, user_id: str, changes: UserUpdateRequest) -> UserDTO: + """Update user. + + Args: + user_id: The user ID + changes: Fields to update + + Returns: + The updated user + + Raises: + ValueError: If user not found or password is weak + """ + pass + + @abstractmethod + def delete(self, user_id: str) -> None: + """Delete user. + + Args: + user_id: The user ID + + Raises: + ValueError: If user not found + """ + pass + + @abstractmethod + def authenticate(self, email: str, password: str) -> UserDTO | None: + """Authenticate user credentials. + + Args: + email: User email + password: User password + + Returns: + UserDTO if authentication successful, None otherwise + """ + pass + + @abstractmethod + def has_admin(self) -> bool: + """Check if any admin user exists. + + Returns: + True if at least one admin user exists, False otherwise + """ + pass + + @abstractmethod + def create_admin(self, user_data: UserCreateRequest) -> UserDTO: + """Create an admin user (for initial setup). + + Args: + user_data: User creation data + + Returns: + The created admin user + + Raises: + ValueError: If admin already exists or password is weak + """ + pass + + @abstractmethod + def list_users(self, limit: int = 100, offset: int = 0) -> list[UserDTO]: + """List all users. + + Args: + limit: Maximum number of users to return + offset: Number of users to skip + + Returns: + List of users + """ + pass diff --git a/invokeai/app/services/users/users_common.py b/invokeai/app/services/users/users_common.py new file mode 100644 index 00000000000..c13150a3369 --- /dev/null +++ b/invokeai/app/services/users/users_common.py @@ -0,0 +1,114 @@ +"""Common types and data models for user service.""" + +from datetime import datetime + +from pydantic import BaseModel, Field, field_validator +from pydantic_core import PydanticCustomError + + +def validate_email_with_special_domains(email: str) -> str: + """Validate email address, allowing special-use domains like .local for testing. + + This validator first tries standard email validation using email-validator library. + If it fails due to special-use domains (like .local, .test, .localhost), it performs + a basic syntax check instead. This allows development/testing with non-routable domains + while still catching actual typos and malformed emails. + + Args: + email: The email address to validate + + Returns: + The validated email address (lowercased) + + Raises: + PydanticCustomError: If the email format is invalid + """ + try: + # Try standard email validation using email-validator + from email_validator import EmailNotValidError, validate_email + + result = validate_email(email, check_deliverability=False) + return result.normalized + except EmailNotValidError as e: + error_msg = str(e) + + # Check if the error is specifically about special-use/reserved domains or localhost + if ( + "special-use" in error_msg.lower() + or "reserved" in error_msg.lower() + or "should have a period" in error_msg.lower() + ): + # Perform basic email syntax validation + email = email.strip().lower() + + if "@" not in email: + raise PydanticCustomError( + "value_error", + "Email address must contain an @ symbol", + ) + + local_part, domain = email.rsplit("@", 1) + + if not local_part or not domain: + raise PydanticCustomError( + "value_error", + "Email address must have both local and domain parts", + ) + + # Allow localhost and domains with dots + if domain == "localhost" or "." in domain: + return email + + raise PydanticCustomError( + "value_error", + "Email domain must contain a dot or be 'localhost'", + ) + else: + # Re-raise other validation errors + raise PydanticCustomError( + "value_error", + f"Invalid email address: {error_msg}", + ) + + +class UserDTO(BaseModel): + """User data transfer object.""" + + user_id: str = Field(description="Unique user identifier") + email: str = Field(description="User email address") + display_name: str | None = Field(default=None, description="Display name") + is_admin: bool = Field(default=False, description="Whether user has admin privileges") + is_active: bool = Field(default=True, description="Whether user account is active") + created_at: datetime = Field(description="When the user was created") + updated_at: datetime = Field(description="When the user was last updated") + last_login_at: datetime | None = Field(default=None, description="When user last logged in") + + @field_validator("email") + @classmethod + def validate_email(cls, v: str) -> str: + """Validate email address, allowing special-use domains.""" + return validate_email_with_special_domains(v) + + +class UserCreateRequest(BaseModel): + """Request to create a new user.""" + + email: str = Field(description="User email address") + display_name: str | None = Field(default=None, description="Display name") + password: str = Field(description="User password") + is_admin: bool = Field(default=False, description="Whether user should have admin privileges") + + @field_validator("email") + @classmethod + def validate_email(cls, v: str) -> str: + """Validate email address, allowing special-use domains.""" + return validate_email_with_special_domains(v) + + +class UserUpdateRequest(BaseModel): + """Request to update a user.""" + + display_name: str | None = Field(default=None, description="Display name") + password: str | None = Field(default=None, description="New password") + is_admin: bool | None = Field(default=None, description="Whether user should have admin privileges") + is_active: bool | None = Field(default=None, description="Whether user account should be active") diff --git a/invokeai/app/services/users/users_default.py b/invokeai/app/services/users/users_default.py new file mode 100644 index 00000000000..36ccec9e7e2 --- /dev/null +++ b/invokeai/app/services/users/users_default.py @@ -0,0 +1,251 @@ +"""Default SQLite implementation of user service.""" + +import sqlite3 +from datetime import datetime, timezone +from uuid import uuid4 + +from invokeai.app.services.auth.password_utils import hash_password, validate_password_strength, verify_password +from invokeai.app.services.shared.sqlite.sqlite_database import SqliteDatabase +from invokeai.app.services.users.users_base import UserServiceBase +from invokeai.app.services.users.users_common import UserCreateRequest, UserDTO, UserUpdateRequest + + +class UserService(UserServiceBase): + """SQLite-based user service.""" + + def __init__(self, db: SqliteDatabase): + """Initialize user service. + + Args: + db: SQLite database instance + """ + self._db = db + + def create(self, user_data: UserCreateRequest) -> UserDTO: + """Create a new user.""" + # Validate password strength + is_valid, error_msg = validate_password_strength(user_data.password) + if not is_valid: + raise ValueError(error_msg) + + # Check if email already exists + if self.get_by_email(user_data.email) is not None: + raise ValueError(f"User with email {user_data.email} already exists") + + user_id = str(uuid4()) + password_hash = hash_password(user_data.password) + + with self._db.transaction() as cursor: + try: + cursor.execute( + """ + INSERT INTO users (user_id, email, display_name, password_hash, is_admin) + VALUES (?, ?, ?, ?, ?) + """, + (user_id, user_data.email, user_data.display_name, password_hash, user_data.is_admin), + ) + except sqlite3.IntegrityError as e: + raise ValueError(f"Failed to create user: {e}") from e + + user = self.get(user_id) + if user is None: + raise RuntimeError("Failed to retrieve created user") + return user + + def get(self, user_id: str) -> UserDTO | None: + """Get user by ID.""" + with self._db.transaction() as cursor: + cursor.execute( + """ + SELECT user_id, email, display_name, is_admin, is_active, created_at, updated_at, last_login_at + FROM users + WHERE user_id = ? + """, + (user_id,), + ) + row = cursor.fetchone() + + if row is None: + return None + + return UserDTO( + user_id=row[0], + email=row[1], + display_name=row[2], + is_admin=bool(row[3]), + is_active=bool(row[4]), + created_at=datetime.fromisoformat(row[5]), + updated_at=datetime.fromisoformat(row[6]), + last_login_at=datetime.fromisoformat(row[7]) if row[7] else None, + ) + + def get_by_email(self, email: str) -> UserDTO | None: + """Get user by email.""" + with self._db.transaction() as cursor: + cursor.execute( + """ + SELECT user_id, email, display_name, is_admin, is_active, created_at, updated_at, last_login_at + FROM users + WHERE email = ? + """, + (email,), + ) + row = cursor.fetchone() + + if row is None: + return None + + return UserDTO( + user_id=row[0], + email=row[1], + display_name=row[2], + is_admin=bool(row[3]), + is_active=bool(row[4]), + created_at=datetime.fromisoformat(row[5]), + updated_at=datetime.fromisoformat(row[6]), + last_login_at=datetime.fromisoformat(row[7]) if row[7] else None, + ) + + def update(self, user_id: str, changes: UserUpdateRequest) -> UserDTO: + """Update user.""" + # Check if user exists + user = self.get(user_id) + if user is None: + raise ValueError(f"User {user_id} not found") + + # Validate password if provided + if changes.password is not None: + is_valid, error_msg = validate_password_strength(changes.password) + if not is_valid: + raise ValueError(error_msg) + + # Build update query dynamically based on provided fields + updates: list[str] = [] + params: list[str | bool | int] = [] + + if changes.display_name is not None: + updates.append("display_name = ?") + params.append(changes.display_name) + + if changes.password is not None: + updates.append("password_hash = ?") + params.append(hash_password(changes.password)) + + if changes.is_admin is not None: + updates.append("is_admin = ?") + params.append(changes.is_admin) + + if changes.is_active is not None: + updates.append("is_active = ?") + params.append(changes.is_active) + + if not updates: + return user + + params.append(user_id) + query = f"UPDATE users SET {', '.join(updates)} WHERE user_id = ?" + + with self._db.transaction() as cursor: + cursor.execute(query, params) + + updated_user = self.get(user_id) + if updated_user is None: + raise RuntimeError("Failed to retrieve updated user") + return updated_user + + def delete(self, user_id: str) -> None: + """Delete user.""" + user = self.get(user_id) + if user is None: + raise ValueError(f"User {user_id} not found") + + with self._db.transaction() as cursor: + cursor.execute("DELETE FROM users WHERE user_id = ?", (user_id,)) + + def authenticate(self, email: str, password: str) -> UserDTO | None: + """Authenticate user credentials.""" + with self._db.transaction() as cursor: + cursor.execute( + """ + SELECT user_id, email, display_name, password_hash, is_admin, is_active, created_at, updated_at, last_login_at + FROM users + WHERE email = ? + """, + (email,), + ) + row = cursor.fetchone() + + if row is None: + return None + + password_hash = row[3] + if not verify_password(password, password_hash): + return None + + # Update last login time + with self._db.transaction() as cursor: + cursor.execute( + "UPDATE users SET last_login_at = ? WHERE user_id = ?", + (datetime.now(timezone.utc).isoformat(), row[0]), + ) + + return UserDTO( + user_id=row[0], + email=row[1], + display_name=row[2], + is_admin=bool(row[4]), + is_active=bool(row[5]), + created_at=datetime.fromisoformat(row[6]), + updated_at=datetime.fromisoformat(row[7]), + last_login_at=datetime.now(timezone.utc), + ) + + def has_admin(self) -> bool: + """Check if any admin user exists.""" + with self._db.transaction() as cursor: + cursor.execute("SELECT COUNT(*) FROM users WHERE is_admin = TRUE AND is_active = TRUE") + row = cursor.fetchone() + count = row[0] if row else 0 + return bool(count > 0) + + def create_admin(self, user_data: UserCreateRequest) -> UserDTO: + """Create an admin user (for initial setup).""" + if self.has_admin(): + raise ValueError("Admin user already exists") + + # Force is_admin to True + admin_data = UserCreateRequest( + email=user_data.email, + display_name=user_data.display_name, + password=user_data.password, + is_admin=True, + ) + return self.create(admin_data) + + def list_users(self, limit: int = 100, offset: int = 0) -> list[UserDTO]: + """List all users.""" + with self._db.transaction() as cursor: + cursor.execute( + """ + SELECT user_id, email, display_name, is_admin, is_active, created_at, updated_at, last_login_at + FROM users + ORDER BY created_at DESC + LIMIT ? OFFSET ? + """, + (limit, offset), + ) + rows = cursor.fetchall() + + return [ + UserDTO( + user_id=row[0], + email=row[1], + display_name=row[2], + is_admin=bool(row[3]), + is_active=bool(row[4]), + created_at=datetime.fromisoformat(row[5]), + updated_at=datetime.fromisoformat(row[6]), + last_login_at=datetime.fromisoformat(row[7]) if row[7] else None, + ) + for row in rows + ] diff --git a/invokeai/frontend/web/knip.ts b/invokeai/frontend/web/knip.ts index 0880044a298..64dcd05485b 100644 --- a/invokeai/frontend/web/knip.ts +++ b/invokeai/frontend/web/knip.ts @@ -15,6 +15,9 @@ const config: KnipConfig = { // Will be using this 'src/common/hooks/useAsyncState.ts', 'src/app/store/use-debounced-app-selector.ts', + // Auth features - exports will be used in follow-up phases + 'src/features/auth/**', + 'src/services/api/endpoints/auth.ts', ], ignoreBinaries: ['only-allow'], ignoreDependencies: ['magic-string'], diff --git a/invokeai/frontend/web/openapi.json b/invokeai/frontend/web/openapi.json index 7cc210b531c..5a96a6c2528 100644 --- a/invokeai/frontend/web/openapi.json +++ b/invokeai/frontend/web/openapi.json @@ -52426,6 +52426,36 @@ } ], "description": "The workflow associated with this queue item" + }, + "user_id": { + "type": "string", + "title": "User Id", + "description": "The id of the user who created this queue item", + "default": "system" + }, + "user_display_name": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "null" + } + ], + "title": "User Display Name", + "description": "The display name of the user who created this queue item, if available" + }, + "user_email": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "null" + } + ], + "title": "User Email", + "description": "The email of the user who created this queue item, if available" } }, "type": "object", @@ -52516,6 +52546,30 @@ "type": "integer", "title": "Total", "description": "Total number of queue items" + }, + "user_pending": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ], + "title": "User Pending", + "description": "Number of queue items with status 'pending' for the current user" + }, + "user_in_progress": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ], + "title": "User In Progress", + "description": "Number of queue items with status 'in_progress' for the current user" } }, "type": "object", @@ -59774,6 +59828,45 @@ "output": { "$ref": "#/components/schemas/ZImageConditioningOutput" } + }, + "UserDTO": { + "type": "object", + "required": ["user_id", "email", "is_admin", "is_active"], + "properties": { + "user_id": { + "type": "string", + "title": "User Id", + "description": "The user ID" + }, + "email": { + "type": "string", + "title": "Email", + "description": "The user email" + }, + "display_name": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "null" + } + ], + "title": "Display Name", + "description": "The user display name" + }, + "is_admin": { + "type": "boolean", + "title": "Is Admin", + "description": "Whether the user is an admin" + }, + "is_active": { + "type": "boolean", + "title": "Is Active", + "description": "Whether the user is active" + } + }, + "title": "UserDTO" } } } diff --git a/invokeai/frontend/web/package.json b/invokeai/frontend/web/package.json index 118fd330d07..da4e31142f2 100644 --- a/invokeai/frontend/web/package.json +++ b/invokeai/frontend/web/package.json @@ -89,6 +89,7 @@ "react-icons": "^5.5.0", "react-redux": "9.2.0", "react-resizable-panels": "^3.0.3", + "react-router-dom": "^7.12.0", "react-textarea-autosize": "^8.5.9", "react-use": "^17.6.0", "react-virtuoso": "^4.13.0", diff --git a/invokeai/frontend/web/pnpm-lock.yaml b/invokeai/frontend/web/pnpm-lock.yaml index bc37d622178..3f94ba7d692 100644 --- a/invokeai/frontend/web/pnpm-lock.yaml +++ b/invokeai/frontend/web/pnpm-lock.yaml @@ -158,6 +158,9 @@ importers: react-resizable-panels: specifier: ^3.0.3 version: 3.0.3(react-dom@18.3.1(react@18.3.1))(react@18.3.1) + react-router-dom: + specifier: ^7.12.0 + version: 7.12.0(react-dom@18.3.1(react@18.3.1))(react@18.3.1) react-textarea-autosize: specifier: ^8.5.9 version: 8.5.9(@types/react@18.3.23)(react@18.3.1) @@ -1993,6 +1996,10 @@ packages: convert-source-map@2.0.0: resolution: {integrity: sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==} + cookie@1.1.1: + resolution: {integrity: sha512-ei8Aos7ja0weRpFzJnEA9UHJ/7XQmqglbRwnf2ATjcB9Wq874VKH9kfjjirM6UhU2/E5fFYadylyhFldcqSidQ==} + engines: {node: '>=18'} + copy-to-clipboard@3.3.3: resolution: {integrity: sha512-2KV8NhB5JqC3ky0r9PMCAZKbUHSwtEo4CwCs0KXgruG43gX5PMqDEBbVU4OUzw2MuAWUfsuFmWvEKG5QRfSnJA==} @@ -3459,6 +3466,23 @@ packages: react: ^16.14.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 || ^19.0.0-rc react-dom: ^16.14.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 || ^19.0.0-rc + react-router-dom@7.12.0: + resolution: {integrity: sha512-pfO9fiBcpEfX4Tx+iTYKDtPbrSLLCbwJ5EqP+SPYQu1VYCXdy79GSj0wttR0U4cikVdlImZuEZ/9ZNCgoaxwBA==} + engines: {node: '>=20.0.0'} + peerDependencies: + react: '>=18' + react-dom: '>=18' + + react-router@7.12.0: + resolution: {integrity: sha512-kTPDYPFzDVGIIGNLS5VJykK0HfHLY5MF3b+xj0/tTyNYL1gF1qs7u67Z9jEhQk2sQ98SUaHxlG31g1JtF7IfVw==} + engines: {node: '>=20.0.0'} + peerDependencies: + react: '>=18' + react-dom: '>=18' + peerDependenciesMeta: + react-dom: + optional: true + react-select@5.10.2: resolution: {integrity: sha512-Z33nHdEFWq9tfnfVXaiM12rbJmk+QjFEztWLtmXqQhz6Al4UZZ9xc0wiatmGtUOCCnHN0WizL3tCMYRENX4rVQ==} peerDependencies: @@ -3675,6 +3699,9 @@ packages: resolution: {integrity: sha512-ZYkZLAvKTKQXWuh5XpBw7CdbSzagarX39WyZ2H07CDLC5/KfsRGlIXV8d4+tfqX1M7916mRqR1QfNHSij+c9Pw==} engines: {node: '>=18'} + set-cookie-parser@2.7.2: + resolution: {integrity: sha512-oeM1lpU/UvhTxw+g3cIfxXHyJRc/uidd3yK1P242gzHds0udQBYzs3y8j4gCCW+ZJ7ad0yctld8RYO+bdurlvw==} + set-function-length@1.2.2: resolution: {integrity: sha512-pgRc4hJ4/sNjWCSS9AmnS40x3bNMDTknHgL5UaMBTMyJnU90EgWh1Rz+MC9eFu4BuN/UwZjKQuY/1v3rM7HMfg==} engines: {node: '>= 0.4'} @@ -6120,6 +6147,8 @@ snapshots: convert-source-map@2.0.0: {} + cookie@1.1.1: {} + copy-to-clipboard@3.3.3: dependencies: toggle-selection: 1.0.6 @@ -7707,6 +7736,20 @@ snapshots: react: 18.3.1 react-dom: 18.3.1(react@18.3.1) + react-router-dom@7.12.0(react-dom@18.3.1(react@18.3.1))(react@18.3.1): + dependencies: + react: 18.3.1 + react-dom: 18.3.1(react@18.3.1) + react-router: 7.12.0(react-dom@18.3.1(react@18.3.1))(react@18.3.1) + + react-router@7.12.0(react-dom@18.3.1(react@18.3.1))(react@18.3.1): + dependencies: + cookie: 1.1.1 + react: 18.3.1 + set-cookie-parser: 2.7.2 + optionalDependencies: + react-dom: 18.3.1(react@18.3.1) + react-select@5.10.2(@types/react@18.3.23)(react-dom@18.3.1(react@18.3.1))(react@18.3.1): dependencies: '@babel/runtime': 7.28.3 @@ -7982,6 +8025,8 @@ snapshots: dependencies: type-fest: 4.41.0 + set-cookie-parser@2.7.2: {} + set-function-length@1.2.2: dependencies: define-data-property: 1.1.4 diff --git a/invokeai/frontend/web/public/locales/en.json b/invokeai/frontend/web/public/locales/en.json index d2ec5b73526..1b22855d09d 100644 --- a/invokeai/frontend/web/public/locales/en.json +++ b/invokeai/frontend/web/public/locales/en.json @@ -15,6 +15,44 @@ "uploadImage": "Upload Image", "uploadImages": "Upload Image(s)" }, + "auth": { + "login": { + "title": "Sign In to InvokeAI", + "email": "Email", + "emailPlaceholder": "Email", + "password": "Password", + "passwordPlaceholder": "Password", + "rememberMe": "Remember me for 7 days", + "signIn": "Sign In", + "signingIn": "Signing in...", + "loginFailed": "Login failed. Please check your credentials." + }, + "setup": { + "title": "Welcome to InvokeAI", + "subtitle": "Set up your administrator account to get started", + "email": "Email", + "emailPlaceholder": "admin@example.com", + "emailHelper": "This will be your username for signing in", + "displayName": "Display Name", + "displayNamePlaceholder": "Administrator", + "displayNameHelper": "Your name as it will appear in the application", + "password": "Password", + "passwordPlaceholder": "Password", + "passwordHelper": "Must be at least 8 characters with uppercase, lowercase, and numbers", + "passwordTooShort": "Password must be at least 8 characters long", + "passwordMissingRequirements": "Password must contain uppercase, lowercase, and numbers", + "confirmPassword": "Confirm Password", + "confirmPasswordPlaceholder": "Confirm Password", + "passwordsDoNotMatch": "Passwords do not match", + "createAccount": "Create Administrator Account", + "creatingAccount": "Setting up...", + "setupFailed": "Setup failed. Please try again." + }, + "userMenu": "User Menu", + "admin": "Admin", + "logout": "Logout", + "adminOnlyFeature": "This feature is only available to administrators." + }, "boards": { "addBoard": "Add Board", "addPrivateBoard": "Add Private Board", @@ -266,6 +304,7 @@ "cancelTooltip": "Cancel Current Item", "cancelSucceeded": "Item Canceled", "cancelFailed": "Problem Canceling Item", + "cancelFailedAccessDenied": "Problem Canceling Item: Access Denied", "retrySucceeded": "Item Retried", "retryFailed": "Problem Retrying Item", "confirm": "Confirm", @@ -277,6 +316,7 @@ "clearTooltip": "Cancel and Clear All Items", "clearSucceeded": "Queue Cleared", "clearFailed": "Problem Clearing Queue", + "clearFailedAccessDenied": "Problem Clearing Queue: Access Denied", "cancelBatch": "Cancel Batch", "cancelItem": "Cancel Item", "retryItem": "Retry Item", @@ -297,6 +337,7 @@ "canceled": "Canceled", "completedIn": "Completed in", "batch": "Batch", + "user": "User", "origin": "Origin", "destination": "Dest", "upscaling": "Upscaling", @@ -306,6 +347,8 @@ "other": "Other", "gallery": "Gallery", "batchFieldValues": "Batch Field Values", + "fieldValuesHidden": "", + "cannotViewDetails": "You do not have permission to view the details of this queue item", "item": "Item", "session": "Session", "notReady": "Unable to Queue", @@ -1054,6 +1097,7 @@ "loraTriggerPhrases": "LoRA Trigger Phrases", "mainModelTriggerPhrases": "Main Model Trigger Phrases", "selectAll": "Select All", + "selectModelToView": "Select a model to view its details", "typePhraseHere": "Type phrase here", "t5Encoder": "T5 Encoder", "qwen3Encoder": "Qwen3 Encoder", diff --git a/invokeai/frontend/web/src/app/components/App.tsx b/invokeai/frontend/web/src/app/components/App.tsx index bfe8e231c69..678acc7de1f 100644 --- a/invokeai/frontend/web/src/app/components/App.tsx +++ b/invokeai/frontend/web/src/app/components/App.tsx @@ -1,13 +1,18 @@ -import { Box } from '@invoke-ai/ui-library'; +import { Box, Center, Spinner } from '@invoke-ai/ui-library'; import { useStore } from '@nanostores/react'; import { GlobalHookIsolator } from 'app/components/GlobalHookIsolator'; import { GlobalModalIsolator } from 'app/components/GlobalModalIsolator'; import { clearStorage } from 'app/store/enhancers/reduxRemember/driver'; import Loading from 'common/components/Loading/Loading'; +import { AdministratorSetup } from 'features/auth/components/AdministratorSetup'; +import { LoginPage } from 'features/auth/components/LoginPage'; +import { ProtectedRoute } from 'features/auth/components/ProtectedRoute'; import { AppContent } from 'features/ui/components/AppContent'; import { navigationApi } from 'features/ui/layouts/navigation-api'; -import { memo } from 'react'; +import { memo, useEffect } from 'react'; import { ErrorBoundary } from 'react-error-boundary'; +import { Route, Routes, useNavigate } from 'react-router-dom'; +import { useGetSetupStatusQuery } from 'services/api/endpoints/auth'; import AppErrorBoundaryFallback from './AppErrorBoundaryFallback'; import ThemeLocaleProvider from './ThemeLocaleProvider'; @@ -18,14 +23,67 @@ const errorBoundaryOnReset = () => { return false; }; -const App = () => { +const MainApp = () => { const isNavigationAPIConnected = useStore(navigationApi.$isConnected); + return ( + + {isNavigationAPIConnected ? : } + + ); +}; + +const SetupChecker = () => { + const { data, isLoading } = useGetSetupStatusQuery(); + const navigate = useNavigate(); + + // Check if user is already authenticated + const token = localStorage.getItem('auth_token'); + const isAuthenticated = !!token; + + useEffect(() => { + if (!isLoading && data) { + // If multiuser mode is disabled, go directly to the app + if (!data.multiuser_enabled) { + navigate('/app', { replace: true }); + } else if (isAuthenticated) { + // In multiuser mode, check authentication + navigate('/app', { replace: true }); + } else if (data.setup_required) { + navigate('/setup', { replace: true }); + } else { + navigate('/login', { replace: true }); + } + } + }, [data, isLoading, navigate, isAuthenticated]); + + if (isLoading) { + return ( +
+ +
+ ); + } + + return null; +}; + +const App = () => { return ( - - {isNavigationAPIConnected ? : } - + + } /> + } /> + } /> + + + + } + /> + diff --git a/invokeai/frontend/web/src/app/components/InvokeAIUI.tsx b/invokeai/frontend/web/src/app/components/InvokeAIUI.tsx index 775a4c7a963..f3d9c4bb28e 100644 --- a/invokeai/frontend/web/src/app/components/InvokeAIUI.tsx +++ b/invokeai/frontend/web/src/app/components/InvokeAIUI.tsx @@ -7,6 +7,7 @@ import { createStore } from 'app/store/store'; import Loading from 'common/components/Loading/Loading'; import React, { lazy, memo, useEffect, useState } from 'react'; import { Provider } from 'react-redux'; +import { BrowserRouter } from 'react-router-dom'; /* * We need to configure logging before anything else happens - useLayoutEffect ensures we set this at the first @@ -51,9 +52,11 @@ const InvokeAIUI = () => { return ( - }> - - + + }> + + + ); diff --git a/invokeai/frontend/web/src/app/store/enhancers/reduxRemember/driver.ts b/invokeai/frontend/web/src/app/store/enhancers/reduxRemember/driver.ts index 9e67770b436..fdb25b37d2c 100644 --- a/invokeai/frontend/web/src/app/store/enhancers/reduxRemember/driver.ts +++ b/invokeai/frontend/web/src/app/store/enhancers/reduxRemember/driver.ts @@ -68,10 +68,26 @@ const getIdbKey = (key: string) => { return `${IDB_STORAGE_PREFIX}${key}`; }; +// Helper to get auth headers for client_state requests +const getAuthHeaders = (): Record => { + const headers: Record = {}; + // Safe access to localStorage (not available in Node.js test environment) + if (typeof window !== 'undefined' && window.localStorage) { + const token = localStorage.getItem('auth_token'); + if (token) { + headers['Authorization'] = `Bearer ${token}`; + } + } + return headers; +}; + const getItem = async (key: string) => { try { const url = getUrl('get_by_key', key); - const res = await fetch(url, { method: 'GET' }); + const res = await fetch(url, { + method: 'GET', + headers: getAuthHeaders(), + }); if (!res.ok) { throw new Error(`Response status: ${res.status}`); } @@ -130,7 +146,11 @@ const setItem = async (key: string, value: string) => { } log.trace({ key, last: lastPersistedState.get(key), next: value }, `Persisting state for ${key}`); const url = getUrl('set_by_key', key); - const res = await fetch(url, { method: 'POST', body: value }); + const res = await fetch(url, { + method: 'POST', + body: value, + headers: getAuthHeaders(), + }); if (!res.ok) { throw new Error(`Response status: ${res.status}`); } @@ -158,7 +178,10 @@ export const clearStorage = async () => { try { persistRefCount++; const url = getUrl('delete'); - const res = await fetch(url, { method: 'POST' }); + const res = await fetch(url, { + method: 'POST', + headers: getAuthHeaders(), + }); if (!res.ok) { throw new Error(`Response status: ${res.status}`); } diff --git a/invokeai/frontend/web/src/app/store/store.ts b/invokeai/frontend/web/src/app/store/store.ts index 3babf2404ae..077211c1fac 100644 --- a/invokeai/frontend/web/src/app/store/store.ts +++ b/invokeai/frontend/web/src/app/store/store.ts @@ -19,6 +19,7 @@ import { addSocketConnectedEventListener } from 'app/store/middleware/listenerMi import { deepClone } from 'common/util/deepClone'; import { merge } from 'es-toolkit'; import { omit, pick } from 'es-toolkit/compat'; +import { authSliceConfig } from 'features/auth/store/authSlice'; import { changeBoardModalSliceConfig } from 'features/changeBoardModal/store/slice'; import { canvasSettingsSliceConfig } from 'features/controlLayers/store/canvasSettingsSlice'; import { canvasSliceConfig } from 'features/controlLayers/store/canvasSlice'; @@ -60,6 +61,7 @@ const log = logger('system'); // When adding a slice, add the config to the SLICE_CONFIGS object below, then add the reducer to ALL_REDUCERS. const SLICE_CONFIGS = { + [authSliceConfig.slice.reducerPath]: authSliceConfig, [canvasSessionSliceConfig.slice.reducerPath]: canvasSessionSliceConfig, [canvasSettingsSliceConfig.slice.reducerPath]: canvasSettingsSliceConfig, [canvasSliceConfig.slice.reducerPath]: canvasSliceConfig, @@ -85,6 +87,7 @@ const SLICE_CONFIGS = { // Remember to wrap undoable reducers in `undoable()`! const ALL_REDUCERS = { [api.reducerPath]: api.reducer, + [authSliceConfig.slice.reducerPath]: authSliceConfig.slice.reducer, [canvasSessionSliceConfig.slice.reducerPath]: canvasSessionSliceConfig.slice.reducer, [canvasSettingsSliceConfig.slice.reducerPath]: canvasSettingsSliceConfig.slice.reducer, // Undoable! diff --git a/invokeai/frontend/web/src/features/auth/components/AdministratorSetup.tsx b/invokeai/frontend/web/src/features/auth/components/AdministratorSetup.tsx new file mode 100644 index 00000000000..9827a4d9769 --- /dev/null +++ b/invokeai/frontend/web/src/features/auth/components/AdministratorSetup.tsx @@ -0,0 +1,246 @@ +import { + Box, + Button, + Center, + Flex, + FormControl, + FormErrorMessage, + FormHelperText, + FormLabel, + Grid, + GridItem, + Heading, + Input, + Spinner, + Text, + VStack, +} from '@invoke-ai/ui-library'; +import type { ChangeEvent, FormEvent } from 'react'; +import { memo, useCallback, useEffect, useState } from 'react'; +import { useTranslation } from 'react-i18next'; +import { useNavigate } from 'react-router-dom'; +import { useGetSetupStatusQuery, useSetupMutation } from 'services/api/endpoints/auth'; + +const validatePasswordStrength = ( + password: string, + t: (key: string) => string +): { isValid: boolean; message: string } => { + if (password.length < 8) { + return { isValid: false, message: t('auth.setup.passwordTooShort') }; + } + + const hasUpper = /[A-Z]/.test(password); + const hasLower = /[a-z]/.test(password); + const hasDigit = /\d/.test(password); + + if (!hasUpper || !hasLower || !hasDigit) { + return { + isValid: false, + message: t('auth.setup.passwordMissingRequirements'), + }; + } + + return { isValid: true, message: '' }; +}; + +export const AdministratorSetup = memo(() => { + const { t } = useTranslation(); + const navigate = useNavigate(); + const [email, setEmail] = useState(''); + const [displayName, setDisplayName] = useState(''); + const [password, setPassword] = useState(''); + const [confirmPassword, setConfirmPassword] = useState(''); + const [setup, { isLoading, error }] = useSetupMutation(); + const { data: setupStatus, isLoading: isLoadingSetup } = useGetSetupStatusQuery(); + + // Redirect to app if multiuser mode is disabled + useEffect(() => { + if (!isLoadingSetup && setupStatus && !setupStatus.multiuser_enabled) { + navigate('/app', { replace: true }); + } + }, [setupStatus, isLoadingSetup, navigate]); + + const passwordValidation = validatePasswordStrength(password, t); + const passwordsMatch = password === confirmPassword; + + const handleSubmit = useCallback( + async (e: FormEvent) => { + e.preventDefault(); + + if (!passwordValidation.isValid) { + return; + } + + if (!passwordsMatch) { + return; + } + + try { + const result = await setup({ email, display_name: displayName, password }).unwrap(); + if (result.success) { + // Auto-login after setup - need to call login API + // For now, just redirect to login page + window.location.href = '/login'; + } + } catch { + // Error is handled by RTK Query and displayed via error state + } + }, + [email, displayName, password, passwordValidation.isValid, passwordsMatch, setup] + ); + + const handleEmailChange = useCallback((e: ChangeEvent) => { + setEmail(e.target.value); + }, []); + + const handleDisplayNameChange = useCallback((e: ChangeEvent) => { + setDisplayName(e.target.value); + }, []); + + const handlePasswordChange = useCallback((e: ChangeEvent) => { + setPassword(e.target.value); + }, []); + + const handleConfirmPasswordChange = useCallback((e: ChangeEvent) => { + setConfirmPassword(e.target.value); + }, []); + + const errorMessage = error + ? 'data' in error && typeof error.data === 'object' && error.data && 'detail' in error.data + ? String(error.data.detail) + : t('auth.setup.setupFailed') + : null; + + // Show loading spinner while checking setup status or redirecting + if (isLoadingSetup || (setupStatus && !setupStatus.multiuser_enabled)) { + return ( +
+ +
+ ); + } + + return ( +
+ +
+ + + + {t('auth.setup.title')} + + + {t('auth.setup.subtitle')} + + + + + + + + {t('auth.setup.email')} + + + + + {t('auth.setup.emailHelper')} + + + + + + + + + {t('auth.setup.displayName')} + + + + + {t('auth.setup.displayNameHelper')} + + + + + 0 && !passwordValidation.isValid}> + + + + {t('auth.setup.password')} + + + + + {password.length > 0 && !passwordValidation.isValid && ( + {passwordValidation.message} + )} + {password.length === 0 && {t('auth.setup.passwordHelper')}} + + + + + 0 && !passwordsMatch}> + + + + {t('auth.setup.confirmPassword')} + + + + + {confirmPassword.length > 0 && !passwordsMatch && ( + {t('auth.setup.passwordsDoNotMatch')} + )} + + + + + + + {errorMessage && ( + + {errorMessage} + + )} + +
+ +
+ ); +}); + +AdministratorSetup.displayName = 'AdministratorSetup'; diff --git a/invokeai/frontend/web/src/features/auth/components/LoginPage.tsx b/invokeai/frontend/web/src/features/auth/components/LoginPage.tsx new file mode 100644 index 00000000000..ddc813163de --- /dev/null +++ b/invokeai/frontend/web/src/features/auth/components/LoginPage.tsx @@ -0,0 +1,168 @@ +import { + Box, + Button, + Center, + Checkbox, + Flex, + FormControl, + FormErrorMessage, + FormLabel, + Heading, + Input, + Spinner, + Text, + VStack, +} from '@invoke-ai/ui-library'; +import { useAppDispatch } from 'app/store/storeHooks'; +import { setCredentials } from 'features/auth/store/authSlice'; +import type { ChangeEvent, FormEvent } from 'react'; +import { memo, useCallback, useEffect, useState } from 'react'; +import { useTranslation } from 'react-i18next'; +import { useNavigate } from 'react-router-dom'; +import { useGetSetupStatusQuery, useLoginMutation } from 'services/api/endpoints/auth'; + +export const LoginPage = memo(() => { + const { t } = useTranslation(); + const navigate = useNavigate(); + const [email, setEmail] = useState(''); + const [password, setPassword] = useState(''); + const [rememberMe, setRememberMe] = useState(true); + const [login, { isLoading, error }] = useLoginMutation(); + const dispatch = useAppDispatch(); + const { data: setupStatus, isLoading: isLoadingSetup } = useGetSetupStatusQuery(); + + // Redirect to app if multiuser mode is disabled + useEffect(() => { + if (!isLoadingSetup && setupStatus && !setupStatus.multiuser_enabled) { + navigate('/app', { replace: true }); + } + }, [setupStatus, isLoadingSetup, navigate]); + + // Redirect to setup page if setup is required + useEffect(() => { + if (!isLoadingSetup && setupStatus?.setup_required) { + navigate('/setup', { replace: true }); + } + }, [setupStatus, isLoadingSetup, navigate]); + + const handleSubmit = useCallback( + async (e: FormEvent) => { + e.preventDefault(); + try { + const result = await login({ email, password, remember_me: rememberMe }).unwrap(); + // Map the UserDTO from API to our User type + const user = { + user_id: result.user.user_id, + email: result.user.email, + display_name: result.user.display_name || null, + is_admin: result.user.is_admin || false, + is_active: result.user.is_active || true, + }; + dispatch(setCredentials({ token: result.token, user })); + // Force a page reload to ensure all user-specific state is loaded from server + // This is important for multiuser isolation to prevent state leakage + window.location.href = '/app'; + } catch { + // Error is handled by RTK Query and displayed via error state + } + }, + [email, password, rememberMe, login, dispatch] + ); + + const handleEmailChange = useCallback((e: ChangeEvent) => { + setEmail(e.target.value); + }, []); + + const handlePasswordChange = useCallback((e: ChangeEvent) => { + setPassword(e.target.value); + }, []); + + const handleRememberMeChange = useCallback((e: ChangeEvent) => { + setRememberMe(e.target.checked); + }, []); + + const errorMessage = error + ? 'data' in error && typeof error.data === 'object' && error.data && 'detail' in error.data + ? String(error.data.detail) + : t('auth.login.loginFailed') + : null; + + // Show loading spinner while checking setup status or redirecting + if (isLoadingSetup || (setupStatus && !setupStatus.multiuser_enabled)) { + return ( +
+ +
+ ); + } + + // Show loading spinner if setup is required (redirecting to setup) + if (setupStatus?.setup_required) { + return ( +
+ +
+ ); + } + + return ( +
+ +
+ + + {t('auth.login.title')} + + + + {t('auth.login.email')} + + + + + {t('auth.login.password')} + + {errorMessage && {errorMessage}} + + + + {t('auth.login.rememberMe')} + + + + + {errorMessage && ( + + {errorMessage} + + )} + +
+ +
+ ); +}); + +LoginPage.displayName = 'LoginPage'; diff --git a/invokeai/frontend/web/src/features/auth/components/ProtectedRoute.tsx b/invokeai/frontend/web/src/features/auth/components/ProtectedRoute.tsx new file mode 100644 index 00000000000..c5e85ccf7c8 --- /dev/null +++ b/invokeai/frontend/web/src/features/auth/components/ProtectedRoute.tsx @@ -0,0 +1,96 @@ +import { Center, Spinner } from '@invoke-ai/ui-library'; +import type { RootState } from 'app/store/store'; +import { useAppDispatch, useAppSelector } from 'app/store/storeHooks'; +import { logout, setCredentials } from 'features/auth/store/authSlice'; +import type { PropsWithChildren } from 'react'; +import { memo, useEffect } from 'react'; +import { useNavigate } from 'react-router-dom'; +import { useGetCurrentUserQuery, useGetSetupStatusQuery } from 'services/api/endpoints/auth'; + +interface ProtectedRouteProps { + requireAdmin?: boolean; +} + +export const ProtectedRoute = memo(({ children, requireAdmin = false }: PropsWithChildren) => { + const isAuthenticated = useAppSelector((state: RootState) => state.auth?.isAuthenticated || false); + const token = useAppSelector((state: RootState) => state.auth?.token); + const user = useAppSelector((state: RootState) => state.auth?.user); + const navigate = useNavigate(); + const dispatch = useAppDispatch(); + + // Check if multiuser mode is enabled + const { data: setupStatus } = useGetSetupStatusQuery(); + const multiuserEnabled = setupStatus?.multiuser_enabled ?? true; // Default to true for safety + + // Only fetch user if we have a token but no user data + const shouldFetchUser = isAuthenticated && token && !user; + const { + data: currentUser, + isLoading: isLoadingUser, + error: userError, + } = useGetCurrentUserQuery(undefined, { + skip: !shouldFetchUser, + }); + + useEffect(() => { + // If we have a token but fetching user failed, token is invalid - logout + if (userError && isAuthenticated) { + dispatch(logout()); + navigate('/login', { replace: true }); + } + }, [userError, isAuthenticated, dispatch, navigate]); + + useEffect(() => { + // If we successfully fetched user data, update auth state + if (currentUser && token && !user) { + const userObj = { + user_id: currentUser.user_id, + email: currentUser.email, + display_name: currentUser.display_name || null, + is_admin: currentUser.is_admin || false, + is_active: currentUser.is_active || true, + }; + dispatch(setCredentials({ token, user: userObj })); + } + }, [currentUser, token, user, dispatch]); + + useEffect(() => { + // If multiuser is disabled, allow access without authentication + if (!multiuserEnabled) { + return; + } + + // In multiuser mode, check authentication + if (!isLoadingUser && !isAuthenticated) { + navigate('/login', { replace: true }); + } else if (!isLoadingUser && isAuthenticated && user && requireAdmin && !user.is_admin) { + navigate('/', { replace: true }); + } + }, [isAuthenticated, isLoadingUser, requireAdmin, user, navigate, multiuserEnabled]); + + // In single-user mode, always allow access + if (!multiuserEnabled) { + return <>{children}; + } + + // Show loading while fetching user data + if (isLoadingUser || (isAuthenticated && !user)) { + return ( +
+ +
+ ); + } + + if (!isAuthenticated) { + return null; + } + + if (requireAdmin && !user?.is_admin) { + return null; + } + + return <>{children}; +}); + +ProtectedRoute.displayName = 'ProtectedRoute'; diff --git a/invokeai/frontend/web/src/features/auth/components/UserMenu.tsx b/invokeai/frontend/web/src/features/auth/components/UserMenu.tsx new file mode 100644 index 00000000000..970c1d75332 --- /dev/null +++ b/invokeai/frontend/web/src/features/auth/components/UserMenu.tsx @@ -0,0 +1,71 @@ +import { Badge, Flex, IconButton, Menu, MenuButton, MenuItem, MenuList, Text, Tooltip } from '@invoke-ai/ui-library'; +import { useAppDispatch, useAppSelector } from 'app/store/storeHooks'; +import { logout, selectCurrentUser } from 'features/auth/store/authSlice'; +import { memo, useCallback } from 'react'; +import { useTranslation } from 'react-i18next'; +import { PiSignOutBold, PiUserBold } from 'react-icons/pi'; +import { useNavigate } from 'react-router-dom'; +import { useLogoutMutation } from 'services/api/endpoints/auth'; + +export const UserMenu = memo(() => { + const { t } = useTranslation(); + const user = useAppSelector(selectCurrentUser); + const dispatch = useAppDispatch(); + const navigate = useNavigate(); + const [logoutMutation] = useLogoutMutation(); + + const handleLogout = useCallback(() => { + // Call backend logout endpoint + logoutMutation() + .unwrap() + .catch(() => { + // Ignore errors - we'll log out locally anyway + }) + .finally(() => { + // Clear local state regardless of backend response + dispatch(logout()); + navigate('/login'); + }); + }, [dispatch, navigate, logoutMutation]); + + if (!user) { + return null; + } + + return ( + + + } + variant="link" + minW={8} + w={8} + h={8} + borderRadius="base" + /> + + + + + {user.display_name || user.email} + + + {user.email} + + {user.is_admin && ( + + {t('auth.admin')} + + )} + + } onClick={handleLogout}> + {t('auth.logout')} + + + + ); +}); + +UserMenu.displayName = 'UserMenu'; diff --git a/invokeai/frontend/web/src/features/auth/store/authSlice.ts b/invokeai/frontend/web/src/features/auth/store/authSlice.ts new file mode 100644 index 00000000000..6ac65ef03ce --- /dev/null +++ b/invokeai/frontend/web/src/features/auth/store/authSlice.ts @@ -0,0 +1,83 @@ +import type { PayloadAction } from '@reduxjs/toolkit'; +import { createSlice } from '@reduxjs/toolkit'; +import type { SliceConfig } from 'app/store/types'; +import { z } from 'zod'; + +const zUser = z.object({ + user_id: z.string(), + email: z.string(), + display_name: z.string().nullable(), + is_admin: z.boolean(), + is_active: z.boolean(), +}); + +const zAuthState = z.object({ + isAuthenticated: z.boolean(), + token: z.string().nullable(), + user: zUser.nullable(), + isLoading: z.boolean(), +}); + +type User = z.infer; +type AuthState = z.infer; + +// Helper to safely access localStorage (not available in test environment) +const getStoredAuthToken = (): string | null => { + if (typeof window !== 'undefined' && window.localStorage) { + return localStorage.getItem('auth_token'); + } + return null; +}; + +const initialState: AuthState = { + isAuthenticated: !!getStoredAuthToken(), + token: getStoredAuthToken(), + user: null, + isLoading: false, +}; + +const getInitialAuthState = (): AuthState => initialState; + +const authSlice = createSlice({ + name: 'auth', + initialState, + reducers: { + setCredentials: (state, action: PayloadAction<{ token: string; user: User }>) => { + state.token = action.payload.token; + state.user = action.payload.user; + state.isAuthenticated = true; + if (typeof window !== 'undefined' && window.localStorage) { + localStorage.setItem('auth_token', action.payload.token); + } + }, + logout: (state) => { + state.token = null; + state.user = null; + state.isAuthenticated = false; + if (typeof window !== 'undefined' && window.localStorage) { + localStorage.removeItem('auth_token'); + } + }, + setLoading: (state, action: PayloadAction) => { + state.isLoading = action.payload; + }, + }, +}); + +export const { setCredentials, logout, setLoading } = authSlice.actions; + +export const authSliceConfig: SliceConfig = { + slice: authSlice, + schema: zAuthState, + getInitialState: getInitialAuthState, + persistConfig: { + migrate: () => getInitialAuthState(), + // Don't persist auth state - token is stored in localStorage + persistDenylist: ['isAuthenticated', 'token', 'user', 'isLoading'], + }, +}; + +export const selectIsAuthenticated = (state: { auth: AuthState }) => state.auth.isAuthenticated; +export const selectCurrentUser = (state: { auth: AuthState }) => state.auth.user; +export const selectAuthToken = (state: { auth: AuthState }) => state.auth.token; +export const selectIsAuthLoading = (state: { auth: AuthState }) => state.auth.isLoading; diff --git a/invokeai/frontend/web/src/features/controlLayers/store/paramsSlice.ts b/invokeai/frontend/web/src/features/controlLayers/store/paramsSlice.ts index 1f8ad18d350..3d3fe20f21d 100644 --- a/invokeai/frontend/web/src/features/controlLayers/store/paramsSlice.ts +++ b/invokeai/frontend/web/src/features/controlLayers/store/paramsSlice.ts @@ -6,6 +6,7 @@ import { deepClone } from 'common/util/deepClone'; import { roundDownToMultiple, roundToMultiple } from 'common/util/roundDownToMultiple'; import { isPlainObject } from 'es-toolkit'; import { clamp } from 'es-toolkit/compat'; +import { logout } from 'features/auth/store/authSlice'; import type { AspectRatioID, InfillMethod, ParamsState, RgbaColor } from 'features/controlLayers/store/types'; import { ASPECT_RATIO_MAP, @@ -427,6 +428,12 @@ const slice = createSlice({ }, paramsReset: (state) => resetState(state), }, + extraReducers(builder) { + // Reset params state on logout to prevent user data leakage when switching users + builder.addCase(logout, () => { + return getInitialParamsState(); + }); + }, }); const applyClipSkip = (state: { clipSkip: number }, model: ParameterModel | null, clipSkip: number) => { diff --git a/invokeai/frontend/web/src/features/gallery/components/Boards/BoardsList/GalleryBoard.tsx b/invokeai/frontend/web/src/features/gallery/components/Boards/BoardsList/GalleryBoard.tsx index 1ddc4b0db36..4d821f819c6 100644 --- a/invokeai/frontend/web/src/features/gallery/components/Boards/BoardsList/GalleryBoard.tsx +++ b/invokeai/frontend/web/src/features/gallery/components/Boards/BoardsList/GalleryBoard.tsx @@ -2,6 +2,7 @@ import type { SystemStyleObject } from '@invoke-ai/ui-library'; import { Box, Flex, Icon, Image, Text, Tooltip } from '@invoke-ai/ui-library'; import { skipToken } from '@reduxjs/toolkit/query'; import { useAppDispatch, useAppSelector } from 'app/store/storeHooks'; +import { selectCurrentUser } from 'features/auth/store/authSlice'; import type { AddImageToBoardDndTargetData } from 'features/dnd/dnd'; import { addImageToBoardDndTarget } from 'features/dnd/dnd'; import { DndDropTarget } from 'features/dnd/DndDropTarget'; @@ -36,6 +37,7 @@ const GalleryBoard = ({ board, isSelected }: GalleryBoardProps) => { const autoAddBoardId = useAppSelector(selectAutoAddBoardId); const autoAssignBoardOnClick = useAppSelector(selectAutoAssignBoardOnClick); const selectedBoardId = useAppSelector(selectSelectedBoardId); + const currentUser = useAppSelector(selectCurrentUser); const onClick = useCallback(() => { if (selectedBoardId !== board.board_id) { dispatch(boardIdSelected({ boardId: board.board_id })); @@ -58,6 +60,8 @@ const GalleryBoard = ({ board, isSelected }: GalleryBoardProps) => { [board] ); + const showOwner = currentUser?.is_admin && board.owner_username; + return ( @@ -85,8 +89,13 @@ const GalleryBoard = ({ board, isSelected }: GalleryBoardProps) => { h="full" > - + + {showOwner && ( + + {board.owner_username} + + )} {autoAddBoardId === board.board_id && } {board.archived && } diff --git a/invokeai/frontend/web/src/features/gallery/store/gallerySlice.ts b/invokeai/frontend/web/src/features/gallery/store/gallerySlice.ts index d66feefa2c9..9d4d2bfd75d 100644 --- a/invokeai/frontend/web/src/features/gallery/store/gallerySlice.ts +++ b/invokeai/frontend/web/src/features/gallery/store/gallerySlice.ts @@ -3,6 +3,7 @@ import { createSlice } from '@reduxjs/toolkit'; import type { RootState } from 'app/store/store'; import type { SliceConfig } from 'app/store/types'; import { isPlainObject, uniq } from 'es-toolkit'; +import { logout } from 'features/auth/store/authSlice'; import type { BoardRecordOrderBy } from 'services/api/types'; import { assert } from 'tsafe'; @@ -142,6 +143,14 @@ const slice = createSlice({ state.boardsListOrderDir = action.payload; }, }, + extraReducers(builder) { + // Clear board-related state on logout to prevent stale data when switching users + builder.addCase(logout, (state) => { + state.selectedBoardId = 'none'; + state.autoAddBoardId = 'none'; + state.boardSearchText = ''; + }); + }, }); export const { diff --git a/invokeai/frontend/web/src/features/modelManagerV2/hooks/useIsModelManagerEnabled.ts b/invokeai/frontend/web/src/features/modelManagerV2/hooks/useIsModelManagerEnabled.ts new file mode 100644 index 00000000000..81b00eb77e5 --- /dev/null +++ b/invokeai/frontend/web/src/features/modelManagerV2/hooks/useIsModelManagerEnabled.ts @@ -0,0 +1,29 @@ +import { useAppSelector } from 'app/store/storeHooks'; +import { selectCurrentUser } from 'features/auth/store/authSlice'; +import { useMemo } from 'react'; +import { useGetSetupStatusQuery } from 'services/api/endpoints/auth'; + +/** + * Hook to determine if model manager features should be enabled for the current user. + * + * Returns true if: + * - Multiuser mode is disabled (single-user mode = always admin) + * - Multiuser mode is enabled AND user is an admin + * + * Returns false if: + * - Multiuser mode is enabled AND user is not an admin + */ +export const useIsModelManagerEnabled = (): boolean => { + const user = useAppSelector(selectCurrentUser); + const { data: setupStatus } = useGetSetupStatusQuery(); + + return useMemo(() => { + // If multiuser is disabled, treat as admin (single-user mode) + if (setupStatus && !setupStatus.multiuser_enabled) { + return true; + } + + // If multiuser is enabled, check if user is admin + return user?.is_admin ?? false; + }, [setupStatus, user]); +}; diff --git a/invokeai/frontend/web/src/features/modelManagerV2/hooks/useStarterModelsToast.tsx b/invokeai/frontend/web/src/features/modelManagerV2/hooks/useStarterModelsToast.tsx index f7e91af62fd..d1774f9ded0 100644 --- a/invokeai/frontend/web/src/features/modelManagerV2/hooks/useStarterModelsToast.tsx +++ b/invokeai/frontend/web/src/features/modelManagerV2/hooks/useStarterModelsToast.tsx @@ -1,4 +1,6 @@ import { Button, Text, useToast } from '@invoke-ai/ui-library'; +import { useAppSelector } from 'app/store/storeHooks'; +import { selectIsAuthenticated } from 'features/auth/store/authSlice'; import { setInstallModelsTabByName } from 'features/modelManagerV2/store/installModelsStore'; import { navigationApi } from 'features/ui/layouts/navigation-api'; import { useCallback, useEffect, useState } from 'react'; @@ -12,8 +14,14 @@ export const useStarterModelsToast = () => { const [didToast, setDidToast] = useState(false); const [mainModels, { data }] = useMainModels(); const toast = useToast(); + const isAuthenticated = useAppSelector(selectIsAuthenticated); useEffect(() => { + // Only show the toast if the user is authenticated + if (!isAuthenticated) { + return; + } + if (toast.isActive(TOAST_ID)) { if (mainModels.length === 0) { return; @@ -32,7 +40,7 @@ export const useStarterModelsToast = () => { onCloseComplete: () => setDidToast(true), }); } - }, [data, didToast, mainModels.length, t, toast]); + }, [data, didToast, isAuthenticated, mainModels.length, t, toast]); }; const ToastDescription = () => { diff --git a/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelManager.tsx b/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelManager.tsx index 9447bd4145f..143cd146c21 100644 --- a/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelManager.tsx +++ b/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelManager.tsx @@ -1,6 +1,7 @@ import type { SystemStyleObject } from '@invoke-ai/ui-library'; import { Button, Flex, Heading } from '@invoke-ai/ui-library'; import { useAppDispatch, useAppSelector } from 'app/store/storeHooks'; +import { useIsModelManagerEnabled } from 'features/modelManagerV2/hooks/useIsModelManagerEnabled'; import { selectSelectedModelKey, setSelectedModelKey } from 'features/modelManagerV2/store/modelManagerV2Slice'; import { memo, useCallback } from 'react'; import { useTranslation } from 'react-i18next'; @@ -22,6 +23,7 @@ const modelManagerSx: SystemStyleObject = { export const ModelManager = memo(() => { const { t } = useTranslation(); const dispatch = useAppDispatch(); + const canManageModels = useIsModelManagerEnabled(); const handleClickAddModel = useCallback(() => { dispatch(setSelectedModelKey(null)); }, [dispatch]); @@ -33,7 +35,7 @@ export const ModelManager = memo(() => { {t('common.modelManager')} - {!!selectedModelKey && ( + {!!selectedModelKey && canManageModels && ( diff --git a/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelManagerPanel/ModelListBulkActions.tsx b/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelManagerPanel/ModelListBulkActions.tsx index 1e6281f1c17..57e970b48d9 100644 --- a/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelManagerPanel/ModelListBulkActions.tsx +++ b/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelManagerPanel/ModelListBulkActions.tsx @@ -1,6 +1,7 @@ import type { SystemStyleObject } from '@invoke-ai/ui-library'; import { Button, Checkbox, Flex, Menu, MenuButton, MenuItem, MenuList, Text } from '@invoke-ai/ui-library'; import { useAppDispatch, useAppSelector } from 'app/store/storeHooks'; +import { useIsModelManagerEnabled } from 'features/modelManagerV2/hooks/useIsModelManagerEnabled'; import type { FilterableModelType } from 'features/modelManagerV2/store/modelManagerV2Slice'; import { modelSelectionChanged, @@ -32,6 +33,7 @@ type ModelListBulkActionsProps = { export const ModelListBulkActions = memo(({ sx }: ModelListBulkActionsProps) => { const dispatch = useAppDispatch(); + const canManageModels = useIsModelManagerEnabled(); const filteredModelType = useAppSelector(selectFilteredModelType); const selectedModelKeys = useAppSelector(selectSelectedModelKeys); const searchTerm = useAppSelector(selectSearchTerm); @@ -110,23 +112,25 @@ export const ModelListBulkActions = memo(({ sx }: ModelListBulkActionsProps) => {selectionCount} {t('common.selected')} - - } - flexShrink={0} - variant="outline" - > - {t('modelManager.actions')} - - - } onClick={handleBulkDelete} color="error.300"> - {t('modelManager.deleteModels', { count: selectionCount })} - - - + {canManageModels && ( + + } + flexShrink={0} + variant="outline" + > + {t('modelManager.actions')} + + + } onClick={handleBulkDelete} color="error.300"> + {t('modelManager.deleteModels', { count: selectionCount })} + + + + )} ); diff --git a/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPane.tsx b/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPane.tsx index b1f10839661..67cde939ba3 100644 --- a/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPane.tsx +++ b/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPane.tsx @@ -1,8 +1,10 @@ import type { SystemStyleObject } from '@invoke-ai/ui-library'; -import { Box } from '@invoke-ai/ui-library'; +import { Box, Center, Text } from '@invoke-ai/ui-library'; import { useAppSelector } from 'app/store/storeHooks'; +import { useIsModelManagerEnabled } from 'features/modelManagerV2/hooks/useIsModelManagerEnabled'; import { selectSelectedModelKey } from 'features/modelManagerV2/store/modelManagerV2Slice'; import { memo } from 'react'; +import { useTranslation } from 'react-i18next'; import { InstallModels } from './InstallModels'; import { Model } from './ModelPanel/Model'; @@ -23,7 +25,37 @@ const modelPaneSx: SystemStyleObject = { export const ModelPane = memo(() => { const selectedModelKey = useAppSelector(selectSelectedModelKey); - return {selectedModelKey ? : }; + const canManageModels = useIsModelManagerEnabled(); + const { t } = useTranslation(); + + // Show model details if a model is selected + if (selectedModelKey) { + return ( + + + + ); + } + + // Show install panel for users with model management permissions, empty state for others + if (canManageModels) { + return ( + + + + ); + } + + // Empty state for users without model management permissions + return ( + +
+ + {t('modelManager.selectModelToView')} + +
+ + ); }); ModelPane.displayName = 'ModelPane'; diff --git a/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/ControlAdapterModelDefaultSettings/ControlAdapterModelDefaultSettings.tsx b/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/ControlAdapterModelDefaultSettings/ControlAdapterModelDefaultSettings.tsx index 0bcd5b27161..92d509011cc 100644 --- a/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/ControlAdapterModelDefaultSettings/ControlAdapterModelDefaultSettings.tsx +++ b/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/ControlAdapterModelDefaultSettings/ControlAdapterModelDefaultSettings.tsx @@ -1,5 +1,6 @@ import { Button, Flex, Heading, SimpleGrid } from '@invoke-ai/ui-library'; import { useControlAdapterModelDefaultSettings } from 'features/modelManagerV2/hooks/useControlAdapterModelDefaultSettings'; +import { useIsModelManagerEnabled } from 'features/modelManagerV2/hooks/useIsModelManagerEnabled'; import { DefaultPreprocessor } from 'features/modelManagerV2/subpanels/ModelPanel/ControlAdapterModelDefaultSettings/DefaultPreprocessor'; import type { FormField } from 'features/modelManagerV2/subpanels/ModelPanel/MainModelDefaultSettings/MainModelDefaultSettings'; import { toast } from 'features/toast/toast'; @@ -21,6 +22,7 @@ type Props = { export const ControlAdapterModelDefaultSettings = memo(({ modelConfig }: Props) => { const { t } = useTranslation(); + const canManageModels = useIsModelManagerEnabled(); const defaultSettingsDefaults = useControlAdapterModelDefaultSettings(modelConfig); @@ -66,16 +68,18 @@ export const ControlAdapterModelDefaultSettings = memo(({ modelConfig }: Props) <> {t('modelManager.defaultSettings')} - + {canManageModels && ( + + )} diff --git a/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/LoRAModelDefaultSettings/LoRAModelDefaultSettings.tsx b/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/LoRAModelDefaultSettings/LoRAModelDefaultSettings.tsx index a012460161f..d2f55540afa 100644 --- a/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/LoRAModelDefaultSettings/LoRAModelDefaultSettings.tsx +++ b/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/LoRAModelDefaultSettings/LoRAModelDefaultSettings.tsx @@ -1,4 +1,5 @@ import { Button, Flex, Heading, SimpleGrid } from '@invoke-ai/ui-library'; +import { useIsModelManagerEnabled } from 'features/modelManagerV2/hooks/useIsModelManagerEnabled'; import { useLoRAModelDefaultSettings } from 'features/modelManagerV2/hooks/useLoRAModelDefaultSettings'; import { DefaultWeight } from 'features/modelManagerV2/subpanels/ModelPanel/LoRAModelDefaultSettings/DefaultWeight'; import type { FormField } from 'features/modelManagerV2/subpanels/ModelPanel/MainModelDefaultSettings/MainModelDefaultSettings'; @@ -21,6 +22,7 @@ type Props = { export const LoRAModelDefaultSettings = memo(({ modelConfig }: Props) => { const { t } = useTranslation(); + const canManageModels = useIsModelManagerEnabled(); const defaultSettingsDefaults = useLoRAModelDefaultSettings(modelConfig); @@ -66,16 +68,18 @@ export const LoRAModelDefaultSettings = memo(({ modelConfig }: Props) => { <> {t('modelManager.defaultSettings')} - + {canManageModels && ( + + )} diff --git a/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/MainModelDefaultSettings/MainModelDefaultSettings.tsx b/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/MainModelDefaultSettings/MainModelDefaultSettings.tsx index 4fa0f29beb4..8497eee02e1 100644 --- a/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/MainModelDefaultSettings/MainModelDefaultSettings.tsx +++ b/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/MainModelDefaultSettings/MainModelDefaultSettings.tsx @@ -1,5 +1,6 @@ import { Button, Flex, Heading, SimpleGrid } from '@invoke-ai/ui-library'; import { useAppSelector } from 'app/store/storeHooks'; +import { useIsModelManagerEnabled } from 'features/modelManagerV2/hooks/useIsModelManagerEnabled'; import { useMainModelDefaultSettings } from 'features/modelManagerV2/hooks/useMainModelDefaultSettings'; import { selectSelectedModelKey } from 'features/modelManagerV2/store/modelManagerV2Slice'; import { DefaultHeight } from 'features/modelManagerV2/subpanels/ModelPanel/MainModelDefaultSettings/DefaultHeight'; @@ -46,6 +47,7 @@ type Props = { export const MainModelDefaultSettings = memo(({ modelConfig }: Props) => { const selectedModelKey = useAppSelector(selectSelectedModelKey); + const canManageModels = useIsModelManagerEnabled(); const { t } = useTranslation(); const isFluxFamily = useMemo(() => { @@ -111,16 +113,18 @@ export const MainModelDefaultSettings = memo(({ modelConfig }: Props) => { <> {t('modelManager.defaultSettings')} - + {canManageModels && ( + + )} diff --git a/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/ModelHeader.tsx b/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/ModelHeader.tsx index a30f96b7fc6..1c1a05dbd02 100644 --- a/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/ModelHeader.tsx +++ b/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/ModelHeader.tsx @@ -1,4 +1,5 @@ import { Flex, Heading, Spacer, Text } from '@invoke-ai/ui-library'; +import { useIsModelManagerEnabled } from 'features/modelManagerV2/hooks/useIsModelManagerEnabled'; import ModelImageUpload from 'features/modelManagerV2/subpanels/ModelPanel/Fields/ModelImageUpload'; import type { PropsWithChildren } from 'react'; import { memo } from 'react'; @@ -11,9 +12,11 @@ type Props = PropsWithChildren<{ export const ModelHeader = memo(({ modelConfig, children }: Props) => { const { t } = useTranslation(); + const canManageModels = useIsModelManagerEnabled(); + return ( - + {canManageModels && } diff --git a/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/ModelView.tsx b/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/ModelView.tsx index 2650d20ceef..1345917c4d1 100644 --- a/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/ModelView.tsx +++ b/invokeai/frontend/web/src/features/modelManagerV2/subpanels/ModelPanel/ModelView.tsx @@ -1,4 +1,5 @@ import { Box, Divider, Flex, SimpleGrid } from '@invoke-ai/ui-library'; +import { useIsModelManagerEnabled } from 'features/modelManagerV2/hooks/useIsModelManagerEnabled'; import { ControlAdapterModelDefaultSettings } from 'features/modelManagerV2/subpanels/ModelPanel/ControlAdapterModelDefaultSettings/ControlAdapterModelDefaultSettings'; import { LoRAModelDefaultSettings } from 'features/modelManagerV2/subpanels/ModelPanel/LoRAModelDefaultSettings/LoRAModelDefaultSettings'; import { ModelConvertButton } from 'features/modelManagerV2/subpanels/ModelPanel/ModelConvertButton'; @@ -24,6 +25,7 @@ type Props = { export const ModelView = memo(({ modelConfig }: Props) => { const { t } = useTranslation(); + const canManageModels = useIsModelManagerEnabled(); // Only allow path updates for external models (not Invoke-controlled) const canUpdatePath = useMemo(() => isExternalModel(modelConfig.path), [modelConfig.path]); @@ -49,13 +51,13 @@ export const ModelView = memo(({ modelConfig }: Props) => { return ( - {canUpdatePath && } - - {modelConfig.format === 'checkpoint' && modelConfig.type === 'main' && ( + {canManageModels && canUpdatePath && } + {canManageModels && } + {canManageModels && modelConfig.format === 'checkpoint' && modelConfig.type === 'main' && ( )} - - + {canManageModels && } + {canManageModels && } diff --git a/invokeai/frontend/web/src/features/queue/components/QueueCountBadge.tsx b/invokeai/frontend/web/src/features/queue/components/QueueCountBadge.tsx index 5093f89d573..3417488b09e 100644 --- a/invokeai/frontend/web/src/features/queue/components/QueueCountBadge.tsx +++ b/invokeai/frontend/web/src/features/queue/components/QueueCountBadge.tsx @@ -1,20 +1,66 @@ import { Badge, Portal } from '@invoke-ai/ui-library'; +import { useAppSelector } from 'app/store/storeHooks'; +import { selectIsAuthenticated } from 'features/auth/store/authSlice'; import type { RefObject } from 'react'; -import { memo, useEffect, useState } from 'react'; +import { memo, useEffect, useMemo, useState } from 'react'; import { useGetQueueStatusQuery } from 'services/api/endpoints/queue'; +import type { components } from 'services/api/schema'; type Props = { targetRef: RefObject; }; +type SessionQueueStatus = components['schemas']['SessionQueueStatus']; + +/** + * Determines if user-specific queue counts are available. + */ +const hasUserCounts = (queueData: SessionQueueStatus): boolean => { + return ( + queueData.user_pending !== undefined && + queueData.user_pending !== null && + queueData.user_in_progress !== undefined && + queueData.user_in_progress !== null + ); +}; + +/** + * Calculates the appropriate badge text based on queue status and authentication state. + * Returns null if badge should be hidden. + */ +const getBadgeText = (queueData: SessionQueueStatus | undefined, isAuthenticated: boolean): string | null => { + if (!queueData) { + return null; + } + + const totalPending = queueData.pending + queueData.in_progress; + + // Hide badge if there are no pending jobs + if (totalPending === 0) { + return null; + } + + // In multiuser mode (authenticated user), show "X/Y" format where X is user's jobs and Y is total jobs + if (isAuthenticated && hasUserCounts(queueData)) { + const userPending = queueData.user_pending! + queueData.user_in_progress!; + return `${userPending}/${totalPending}`; + } + + // In single-user mode or when user counts aren't available, show total count only + return totalPending.toString(); +}; + export const QueueCountBadge = memo(({ targetRef }: Props) => { const [badgePos, setBadgePos] = useState<{ x: string; y: string } | null>(null); - const { queueSize } = useGetQueueStatusQuery(undefined, { + const isAuthenticated = useAppSelector(selectIsAuthenticated); + const { queueData } = useGetQueueStatusQuery(undefined, { selectFromResult: (res) => ({ - queueSize: res.data ? res.data.queue.pending + res.data.queue.in_progress : 0, + queueData: res.data?.queue, }), }); + const badgeText = useMemo(() => getBadgeText(queueData, isAuthenticated), [queueData, isAuthenticated]); + useEffect(() => { if (!targetRef.current) { return; @@ -57,7 +103,7 @@ export const QueueCountBadge = memo(({ targetRef }: Props) => { }; }, [targetRef]); - if (queueSize === 0) { + if (!badgeText) { return null; } if (!badgePos) { @@ -75,7 +121,7 @@ export const QueueCountBadge = memo(({ targetRef }: Props) => { shadow="dark-lg" userSelect="none" > - {queueSize} + {badgeText} ); diff --git a/invokeai/frontend/web/src/features/queue/components/QueueList/QueueItemComponent.tsx b/invokeai/frontend/web/src/features/queue/components/QueueList/QueueItemComponent.tsx index e0109a6b052..15ededc99c5 100644 --- a/invokeai/frontend/web/src/features/queue/components/QueueList/QueueItemComponent.tsx +++ b/invokeai/frontend/web/src/features/queue/components/QueueList/QueueItemComponent.tsx @@ -1,5 +1,7 @@ import type { ChakraProps, CollapseProps, FlexProps } from '@invoke-ai/ui-library'; import { ButtonGroup, Collapse, Flex, IconButton, Text } from '@invoke-ai/ui-library'; +import { useAppSelector } from 'app/store/storeHooks'; +import { selectCurrentUser } from 'features/auth/store/authSlice'; import QueueStatusBadge from 'features/queue/components/common/QueueStatusBadge'; import { useDestinationText } from 'features/queue/components/QueueList/useDestinationText'; import { useOriginText } from 'features/queue/components/QueueList/useOriginText'; @@ -12,7 +14,7 @@ import { useTranslation } from 'react-i18next'; import { PiArrowCounterClockwiseBold, PiXBold } from 'react-icons/pi'; import type { S } from 'services/api/types'; -import { COLUMN_WIDTHS } from './constants'; +import { COLUMN_WIDTHS, SYSTEM_USER_ID } from './constants'; import QueueItemDetail from './QueueItemDetail'; const selectedStyles = { bg: 'base.700' }; @@ -30,7 +32,44 @@ const sx: ChakraProps['sx'] = { const QueueItemComponent = ({ index, item }: InnerItemProps) => { const { t } = useTranslation(); const [isOpen, setIsOpen] = useState(false); - const handleToggle = useCallback(() => setIsOpen((s) => !s), [setIsOpen]); + const currentUser = useAppSelector(selectCurrentUser); + + // Check if current user can manage this queue item + const canManageItem = useMemo(() => { + if (!currentUser) { + return false; + } + // Admin users can manage all items + if (currentUser.is_admin) { + return true; + } + // Non-admin users can only manage their own items + return item.user_id === currentUser.user_id; + }, [currentUser, item.user_id]); + + // Check if the current user can view this queue item's details + const canViewDetails = useMemo(() => { + // Admins can view all items + if (currentUser?.is_admin) { + return true; + } + // Users can view their own items + if (currentUser?.user_id === item.user_id) { + return true; + } + // System items can be viewed by anyone + if (item.user_id === SYSTEM_USER_ID) { + return true; + } + return false; + }, [currentUser, item.user_id]); + + const handleToggle = useCallback(() => { + if (canViewDetails) { + setIsOpen((s) => !s); + } + }, [canViewDetails]); + const cancelQueueItem = useCancelQueueItem(); const onClickCancelQueueItem = useCallback( (e: MouseEvent) => { @@ -61,6 +100,17 @@ const QueueItemComponent = ({ index, item }: InnerItemProps) => { const originText = useOriginText(item.origin); const destinationText = useDestinationText(item.destination); + // Display user name - prefer display_name, fallback to email, then user_id + const userText = useMemo(() => { + if (item.user_display_name) { + return item.user_display_name; + } + if (item.user_email) { + return item.user_email; + } + return item.user_id || SYSTEM_USER_ID; + }, [item.user_display_name, item.user_email, item.user_id]); + return ( { sx={sx} data-testid="queue-item" > - + {index + 1} @@ -95,6 +154,11 @@ const QueueItemComponent = ({ index, item }: InnerItemProps) => { {item.batch_id} + + + {userText} + + {item.field_values && ( @@ -110,6 +174,11 @@ const QueueItemComponent = ({ index, item }: InnerItemProps) => { ))} )} + {!item.field_values && item.user_id !== SYSTEM_USER_ID && ( + + {t('queue.fieldValuesHidden')} + + )} @@ -117,7 +186,7 @@ const QueueItemComponent = ({ index, item }: InnerItemProps) => { {!isFailed && ( } @@ -126,6 +195,7 @@ const QueueItemComponent = ({ index, item }: InnerItemProps) => { {isFailed && ( } diff --git a/invokeai/frontend/web/src/features/queue/components/QueueList/QueueListHeader.tsx b/invokeai/frontend/web/src/features/queue/components/QueueList/QueueListHeader.tsx index cdfd47f2112..4cd3397d217 100644 --- a/invokeai/frontend/web/src/features/queue/components/QueueList/QueueListHeader.tsx +++ b/invokeai/frontend/web/src/features/queue/components/QueueList/QueueListHeader.tsx @@ -42,6 +42,7 @@ const QueueListHeader = () => { alignItems="center" /> + { title: t('queue.cancelSucceeded'), status: 'success', }); - } catch { + } catch (error) { + // Check if this is a 403 access denied error + const isAccessDenied = error instanceof Object && 'status' in error && error.status === 403; toast({ id: 'QUEUE_CANCEL_FAILED', - title: t('queue.cancelFailed'), + title: isAccessDenied ? t('queue.cancelFailedAccessDenied') : t('queue.cancelFailed'), status: 'error', }); } diff --git a/invokeai/frontend/web/src/features/queue/hooks/useCancelCurrentQueueItem.ts b/invokeai/frontend/web/src/features/queue/hooks/useCancelCurrentQueueItem.ts index 98213288710..797a940507b 100644 --- a/invokeai/frontend/web/src/features/queue/hooks/useCancelCurrentQueueItem.ts +++ b/invokeai/frontend/web/src/features/queue/hooks/useCancelCurrentQueueItem.ts @@ -1,11 +1,30 @@ +import { useAppSelector } from 'app/store/storeHooks'; +import { selectCurrentUser } from 'features/auth/store/authSlice'; import { useCurrentQueueItemId } from 'features/queue/hooks/useCurrentQueueItemId'; -import { useCallback } from 'react'; +import { useCallback, useMemo } from 'react'; +import { useGetCurrentQueueItemQuery } from 'services/api/endpoints/queue'; import { useCancelQueueItem } from './useCancelQueueItem'; export const useCancelCurrentQueueItem = () => { const currentQueueItemId = useCurrentQueueItemId(); + const { data: currentQueueItem } = useGetCurrentQueueItemQuery(); + const currentUser = useAppSelector(selectCurrentUser); const cancelQueueItem = useCancelQueueItem(); + + // Check if current user can cancel the current item + const canCancelCurrentItem = useMemo(() => { + if (!currentUser || !currentQueueItem) { + return false; + } + // Admin users can cancel all items + if (currentUser.is_admin) { + return true; + } + // Non-admin users can only cancel their own items + return currentQueueItem.user_id === currentUser.user_id; + }, [currentUser, currentQueueItem]); + const trigger = useCallback( (options?: { withToast?: boolean }) => { if (currentQueueItemId === null) { @@ -19,6 +38,6 @@ export const useCancelCurrentQueueItem = () => { return { trigger, isLoading: cancelQueueItem.isLoading, - isDisabled: cancelQueueItem.isDisabled || currentQueueItemId === null, + isDisabled: cancelQueueItem.isDisabled || currentQueueItemId === null || !canCancelCurrentItem, }; }; diff --git a/invokeai/frontend/web/src/features/queue/hooks/useCancelQueueItem.ts b/invokeai/frontend/web/src/features/queue/hooks/useCancelQueueItem.ts index c122241cbd1..b85fe8d3734 100644 --- a/invokeai/frontend/web/src/features/queue/hooks/useCancelQueueItem.ts +++ b/invokeai/frontend/web/src/features/queue/hooks/useCancelQueueItem.ts @@ -25,11 +25,13 @@ export const useCancelQueueItem = () => { status: 'success', }); } - } catch { + } catch (error) { if (withToast) { + // Check if this is a 403 access denied error + const isAccessDenied = error instanceof Object && 'status' in error && error.status === 403; toast({ id: 'QUEUE_CANCEL_FAILED', - title: t('queue.cancelFailed'), + title: isAccessDenied ? t('queue.cancelFailedAccessDenied') : t('queue.cancelFailed'), status: 'error', }); } diff --git a/invokeai/frontend/web/src/features/queue/hooks/useCancelQueueItemsByDestination.ts b/invokeai/frontend/web/src/features/queue/hooks/useCancelQueueItemsByDestination.ts index 14864e0e3f5..df0eabcb527 100644 --- a/invokeai/frontend/web/src/features/queue/hooks/useCancelQueueItemsByDestination.ts +++ b/invokeai/frontend/web/src/features/queue/hooks/useCancelQueueItemsByDestination.ts @@ -26,11 +26,13 @@ export const useCancelQueueItemsByDestination = () => { status: 'success', }); } - } catch { + } catch (error) { if (withToast) { + // Check if this is a 403 access denied error + const isAccessDenied = error instanceof Object && 'status' in error && error.status === 403; toast({ id: 'QUEUE_CANCEL_FAILED', - title: t('queue.cancelFailed'), + title: isAccessDenied ? t('queue.cancelFailedAccessDenied') : t('queue.cancelFailed'), status: 'error', }); } diff --git a/invokeai/frontend/web/src/features/queue/hooks/useClearQueue.ts b/invokeai/frontend/web/src/features/queue/hooks/useClearQueue.ts index a81f7254be3..bd6ea2cc02d 100644 --- a/invokeai/frontend/web/src/features/queue/hooks/useClearQueue.ts +++ b/invokeai/frontend/web/src/features/queue/hooks/useClearQueue.ts @@ -25,10 +25,12 @@ export const useClearQueue = () => { title: t('queue.clearSucceeded'), status: 'success', }); - } catch { + } catch (error) { + // Check if this is a 403 access denied error + const isAccessDenied = error instanceof Object && 'status' in error && error.status === 403; toast({ id: 'QUEUE_CLEAR_FAILED', - title: t('queue.clearFailed'), + title: isAccessDenied ? t('queue.clearFailedAccessDenied') : t('queue.clearFailed'), status: 'error', }); } diff --git a/invokeai/frontend/web/src/features/queue/hooks/useDeleteAllExceptCurrentQueueItem.ts b/invokeai/frontend/web/src/features/queue/hooks/useDeleteAllExceptCurrentQueueItem.ts index 1f34a76d24d..b96c3914703 100644 --- a/invokeai/frontend/web/src/features/queue/hooks/useDeleteAllExceptCurrentQueueItem.ts +++ b/invokeai/frontend/web/src/features/queue/hooks/useDeleteAllExceptCurrentQueueItem.ts @@ -25,10 +25,12 @@ export const useDeleteAllExceptCurrentQueueItem = () => { title: t('queue.cancelSucceeded'), status: 'success', }); - } catch { + } catch (error) { + // Check if this is a 403 access denied error + const isAccessDenied = error instanceof Object && 'status' in error && error.status === 403; toast({ id: 'QUEUE_CANCEL_FAILED', - title: t('queue.cancelFailed'), + title: isAccessDenied ? t('queue.cancelFailedAccessDenied') : t('queue.cancelFailed'), status: 'error', }); } diff --git a/invokeai/frontend/web/src/features/queue/hooks/useDeleteQueueItem.ts b/invokeai/frontend/web/src/features/queue/hooks/useDeleteQueueItem.ts index af91196ddfe..699a81ac740 100644 --- a/invokeai/frontend/web/src/features/queue/hooks/useDeleteQueueItem.ts +++ b/invokeai/frontend/web/src/features/queue/hooks/useDeleteQueueItem.ts @@ -25,11 +25,13 @@ export const useDeleteQueueItem = () => { status: 'success', }); } - } catch { + } catch (error) { if (withToast) { + // Check if this is a 403 access denied error + const isAccessDenied = error instanceof Object && 'status' in error && error.status === 403; toast({ id: 'QUEUE_CANCEL_FAILED', - title: t('queue.cancelFailed'), + title: isAccessDenied ? t('queue.cancelFailedAccessDenied') : t('queue.cancelFailed'), status: 'error', }); } diff --git a/invokeai/frontend/web/src/features/queue/hooks/usePauseProcessor.ts b/invokeai/frontend/web/src/features/queue/hooks/usePauseProcessor.ts index 9e82576a4f4..bc0a95d7bb2 100644 --- a/invokeai/frontend/web/src/features/queue/hooks/usePauseProcessor.ts +++ b/invokeai/frontend/web/src/features/queue/hooks/usePauseProcessor.ts @@ -1,6 +1,8 @@ import { useStore } from '@nanostores/react'; +import { useAppSelector } from 'app/store/storeHooks'; +import { selectCurrentUser } from 'features/auth/store/authSlice'; import { toast } from 'features/toast/toast'; -import { useCallback } from 'react'; +import { useCallback, useMemo } from 'react'; import { useTranslation } from 'react-i18next'; import { useGetQueueStatusQuery, usePauseProcessorMutation } from 'services/api/endpoints/queue'; import { $isConnected } from 'services/events/stores'; @@ -9,10 +11,14 @@ export const usePauseProcessor = () => { const { t } = useTranslation(); const isConnected = useStore($isConnected); const { data: queueStatus } = useGetQueueStatusQuery(); + const currentUser = useAppSelector(selectCurrentUser); const [_trigger, { isLoading }] = usePauseProcessorMutation({ fixedCacheKey: 'pauseProcessor', }); + // Only admin users can pause the processor + const isAdmin = useMemo(() => currentUser?.is_admin ?? false, [currentUser]); + const trigger = useCallback(async () => { try { await _trigger().unwrap(); @@ -30,5 +36,5 @@ export const usePauseProcessor = () => { } }, [_trigger, t]); - return { trigger, isLoading, isDisabled: !isConnected || !queueStatus?.processor.is_started }; + return { trigger, isLoading, isDisabled: !isConnected || !queueStatus?.processor.is_started || !isAdmin }; }; diff --git a/invokeai/frontend/web/src/features/queue/hooks/useResumeProcessor.ts b/invokeai/frontend/web/src/features/queue/hooks/useResumeProcessor.ts index 901bac39f83..10961abde0c 100644 --- a/invokeai/frontend/web/src/features/queue/hooks/useResumeProcessor.ts +++ b/invokeai/frontend/web/src/features/queue/hooks/useResumeProcessor.ts @@ -1,6 +1,8 @@ import { useStore } from '@nanostores/react'; +import { useAppSelector } from 'app/store/storeHooks'; +import { selectCurrentUser } from 'features/auth/store/authSlice'; import { toast } from 'features/toast/toast'; -import { useCallback } from 'react'; +import { useCallback, useMemo } from 'react'; import { useTranslation } from 'react-i18next'; import { useGetQueueStatusQuery, useResumeProcessorMutation } from 'services/api/endpoints/queue'; import { $isConnected } from 'services/events/stores'; @@ -9,10 +11,14 @@ export const useResumeProcessor = () => { const isConnected = useStore($isConnected); const { data: queueStatus } = useGetQueueStatusQuery(); const { t } = useTranslation(); + const currentUser = useAppSelector(selectCurrentUser); const [_trigger, { isLoading }] = useResumeProcessorMutation({ fixedCacheKey: 'resumeProcessor', }); + // Only admin users can resume the processor + const isAdmin = useMemo(() => currentUser?.is_admin ?? false, [currentUser]); + const trigger = useCallback(async () => { try { await _trigger().unwrap(); @@ -30,5 +36,5 @@ export const useResumeProcessor = () => { } }, [_trigger, t]); - return { trigger, isLoading, isDisabled: !isConnected || queueStatus?.processor.is_started }; + return { trigger, isLoading, isDisabled: !isConnected || queueStatus?.processor.is_started || !isAdmin }; }; diff --git a/invokeai/frontend/web/src/features/ui/components/VerticalNavBar.tsx b/invokeai/frontend/web/src/features/ui/components/VerticalNavBar.tsx index 4d2696c2e3f..be3fa3e6898 100644 --- a/invokeai/frontend/web/src/features/ui/components/VerticalNavBar.tsx +++ b/invokeai/frontend/web/src/features/ui/components/VerticalNavBar.tsx @@ -1,4 +1,5 @@ import { Divider, Flex, Spacer } from '@invoke-ai/ui-library'; +import { UserMenu } from 'features/auth/components/UserMenu'; import InvokeAILogoComponent from 'features/system/components/InvokeAILogoComponent'; import SettingsMenu from 'features/system/components/SettingsModal/SettingsMenu'; import StatusIndicator from 'features/system/components/StatusIndicator'; @@ -39,6 +40,7 @@ export const VerticalNavBar = memo(() => { + diff --git a/invokeai/frontend/web/src/i18n.ts b/invokeai/frontend/web/src/i18n.ts index 89c855bcd02..adf53c0fd94 100644 --- a/invokeai/frontend/web/src/i18n.ts +++ b/invokeai/frontend/web/src/i18n.ts @@ -32,7 +32,7 @@ if (import.meta.env.MODE === 'package') { fallbackLng: 'en', debug: false, backend: { - loadPath: `${window.location.href.replace(/\/$/, '')}/locales/{{lng}}.json`, + loadPath: `${window.location.origin}/locales/{{lng}}.json`, }, interpolation: { escapeValue: false, diff --git a/invokeai/frontend/web/src/services/api/endpoints/auth.ts b/invokeai/frontend/web/src/services/api/endpoints/auth.ts new file mode 100644 index 00000000000..ba81c08136e --- /dev/null +++ b/invokeai/frontend/web/src/services/api/endpoints/auth.ts @@ -0,0 +1,74 @@ +import { api } from 'services/api'; +import type { components } from 'services/api/schema'; + +type LoginRequest = { + email: string; + password: string; + remember_me?: boolean; +}; + +type LoginResponse = { + token: string; + user: components['schemas']['UserDTO']; + expires_in: number; +}; + +type SetupRequest = { + email: string; + display_name: string; + password: string; +}; + +type SetupResponse = { + success: boolean; + user: components['schemas']['UserDTO']; +}; + +type MeResponse = components['schemas']['UserDTO']; + +type LogoutResponse = { + success: boolean; +}; + +type SetupStatusResponse = { + setup_required: boolean; + multiuser_enabled: boolean; +}; + +export const authApi = api.injectEndpoints({ + endpoints: (build) => ({ + login: build.mutation({ + query: (credentials) => ({ + url: 'api/v1/auth/login', + method: 'POST', + body: credentials, + }), + // Invalidate boards and images cache on successful login to refresh data for new user + invalidatesTags: ['Board', 'Image', 'ImageList', 'ImageNameList', 'ImageCollection', 'ImageMetadata'], + }), + logout: build.mutation({ + query: () => ({ + url: 'api/v1/auth/logout', + method: 'POST', + }), + // Invalidate boards and images cache on logout to clear stale data + invalidatesTags: ['Board', 'Image', 'ImageList', 'ImageNameList', 'ImageCollection', 'ImageMetadata'], + }), + getCurrentUser: build.query({ + query: () => 'api/v1/auth/me', + }), + setup: build.mutation({ + query: (setupData) => ({ + url: 'api/v1/auth/setup', + method: 'POST', + body: setupData, + }), + }), + getSetupStatus: build.query({ + query: () => 'api/v1/auth/status', + }), + }), +}); + +export const { useLoginMutation, useLogoutMutation, useGetCurrentUserQuery, useSetupMutation, useGetSetupStatusQuery } = + authApi; diff --git a/invokeai/frontend/web/src/services/api/endpoints/queue.ts b/invokeai/frontend/web/src/services/api/endpoints/queue.ts index c246bc30beb..e2788406c11 100644 --- a/invokeai/frontend/web/src/services/api/endpoints/queue.ts +++ b/invokeai/frontend/web/src/services/api/endpoints/queue.ts @@ -278,9 +278,12 @@ export const queueApi = api.injectEndpoints({ return []; } return [ + 'SessionQueueStatus', + 'BatchStatus', 'CurrentSessionQueueItem', 'NextSessionQueueItem', 'QueueCountsByDestination', + 'SessionQueueItemIdList', { type: 'SessionQueueItem', id: LIST_TAG }, { type: 'SessionQueueItem', id: LIST_ALL_TAG }, ...item_ids.map((id) => ({ type: 'SessionQueueItem', id }) satisfies ApiTagDescription), diff --git a/invokeai/frontend/web/src/services/api/index.ts b/invokeai/frontend/web/src/services/api/index.ts index fdd30029a75..2afae3a4cd1 100644 --- a/invokeai/frontend/web/src/services/api/index.ts +++ b/invokeai/frontend/web/src/services/api/index.ts @@ -63,7 +63,7 @@ export const LIST_TAG = 'LIST'; export const LIST_ALL_TAG = 'LIST_ALL'; export const getBaseUrl = (): string => { - return window.location.href.replace(/\/$/, ''); + return window.location.origin; }; const dynamicBaseQuery: BaseQueryFn = (args, api, extraOptions) => { @@ -73,6 +73,20 @@ const dynamicBaseQuery: BaseQueryFn { + // Add auth token to all requests except setup and login + const token = localStorage.getItem('auth_token'); + const isAuthEndpoint = + (args instanceof Object && + typeof args.url === 'string' && + (args.url.includes('/auth/login') || args.url.includes('/auth/setup'))) || + (typeof args === 'string' && (args.includes('/auth/login') || args.includes('/auth/setup'))); + + if (token && !isAuthEndpoint) { + headers.set('Authorization', `Bearer ${token}`); + } + return headers; + }, }; // When fetching the openapi.json, we need to remove circular references from the JSON. diff --git a/invokeai/frontend/web/src/services/api/schema.ts b/invokeai/frontend/web/src/services/api/schema.ts index a8a47986462..4ba34e864dd 100644 --- a/invokeai/frontend/web/src/services/api/schema.ts +++ b/invokeai/frontend/web/src/services/api/schema.ts @@ -1,4 +1,152 @@ export type paths = { + "/api/v1/auth/status": { + parameters: { + query?: never; + header?: never; + path?: never; + cookie?: never; + }; + /** + * Get Setup Status + * @description Check if initial administrator setup is required. + * + * Returns: + * SetupStatusResponse indicating whether setup is needed and multiuser mode status + */ + get: operations["get_setup_status_api_v1_auth_status_get"]; + put?: never; + post?: never; + delete?: never; + options?: never; + head?: never; + patch?: never; + trace?: never; + }; + "/api/v1/auth/login": { + parameters: { + query?: never; + header?: never; + path?: never; + cookie?: never; + }; + get?: never; + put?: never; + /** + * Login + * @description Authenticate user and return access token. + * + * Args: + * request: Login credentials (email and password) + * + * Returns: + * LoginResponse containing JWT token and user information + * + * Raises: + * HTTPException: 401 if credentials are invalid or user is inactive + * HTTPException: 403 if multiuser mode is disabled + */ + post: operations["login_api_v1_auth_login_post"]; + delete?: never; + options?: never; + head?: never; + patch?: never; + trace?: never; + }; + "/api/v1/auth/logout": { + parameters: { + query?: never; + header?: never; + path?: never; + cookie?: never; + }; + get?: never; + put?: never; + /** + * Logout + * @description Logout current user. + * + * Currently a no-op since we use stateless JWT tokens. For token invalidation in + * future implementations, consider: + * - Token blacklist: Store invalidated tokens in Redis/database with expiration + * - Token versioning: Add version field to user record, increment on logout + * - Short-lived tokens: Use refresh token pattern with token rotation + * - Session storage: Track active sessions server-side for revocation + * + * Args: + * current_user: The authenticated user (validates token) + * + * Returns: + * LogoutResponse indicating success + */ + post: operations["logout_api_v1_auth_logout_post"]; + delete?: never; + options?: never; + head?: never; + patch?: never; + trace?: never; + }; + "/api/v1/auth/me": { + parameters: { + query?: never; + header?: never; + path?: never; + cookie?: never; + }; + /** + * Get Current User Info + * @description Get current authenticated user's information. + * + * Args: + * current_user: The authenticated user's token data + * + * Returns: + * UserDTO containing user information + * + * Raises: + * HTTPException: 404 if user is not found (should not happen normally) + */ + get: operations["get_current_user_info_api_v1_auth_me_get"]; + put?: never; + post?: never; + delete?: never; + options?: never; + head?: never; + patch?: never; + trace?: never; + }; + "/api/v1/auth/setup": { + parameters: { + query?: never; + header?: never; + path?: never; + cookie?: never; + }; + get?: never; + put?: never; + /** + * Setup Admin + * @description Set up initial administrator account. + * + * This endpoint can only be called once, when no admin user exists. It creates + * the first admin user for the system. + * + * Args: + * request: Admin account details (email, display_name, password) + * + * Returns: + * SetupResponse containing the created admin user + * + * Raises: + * HTTPException: 400 if admin already exists or password is weak + * HTTPException: 403 if multiuser mode is disabled + */ + post: operations["setup_admin_api_v1_auth_setup_post"]; + delete?: never; + options?: never; + head?: never; + patch?: never; + trace?: never; + }; "/api/v1/utilities/dynamicprompts": { parameters: { query?: never; @@ -525,7 +673,7 @@ export type paths = { put?: never; /** * Upload Image - * @description Uploads an image + * @description Uploads an image for the current user */ post: operations["upload_image"]; delete?: never; @@ -543,7 +691,7 @@ export type paths = { }; /** * List Image Dtos - * @description Gets a list of image DTOs + * @description Gets a list of image DTOs for the current user */ get: operations["list_image_dtos"]; put?: never; @@ -868,13 +1016,13 @@ export type paths = { }; /** * List Boards - * @description Gets a list of boards + * @description Gets a list of boards for the current user, including shared boards. Admin users see all boards. */ get: operations["list_boards"]; put?: never; /** * Create Board - * @description Creates a board + * @description Creates a board for the current user */ post: operations["create_board"]; delete?: never; @@ -892,21 +1040,21 @@ export type paths = { }; /** * Get Board - * @description Gets a board + * @description Gets a board (user must have access to it) */ get: operations["get_board"]; put?: never; post?: never; /** * Delete Board - * @description Deletes a board + * @description Deletes a board (user must have access to it) */ delete: operations["delete_board"]; options?: never; head?: never; /** * Update Board - * @description Updates a board + * @description Updates a board (user must have access to it) */ patch: operations["update_board"]; trace?: never; @@ -1242,7 +1390,7 @@ export type paths = { put?: never; /** * Enqueue Batch - * @description Processes a batch and enqueues the output graphs for execution. + * @description Processes a batch and enqueues the output graphs for execution for the current user. */ post: operations["enqueue_batch"]; delete?: never; @@ -1321,7 +1469,7 @@ export type paths = { get?: never; /** * Resume - * @description Resumes session processor + * @description Resumes session processor. Admin only. */ put: operations["resume"]; post?: never; @@ -1341,7 +1489,7 @@ export type paths = { get?: never; /** * Pause - * @description Pauses session processor + * @description Pauses session processor. Admin only. */ put: operations["pause"]; post?: never; @@ -1361,7 +1509,7 @@ export type paths = { get?: never; /** * Cancel All Except Current - * @description Immediately cancels all queue items except in-processing items + * @description Immediately cancels all queue items except in-processing items. Non-admin users can only cancel their own items. */ put: operations["cancel_all_except_current"]; post?: never; @@ -1381,7 +1529,7 @@ export type paths = { get?: never; /** * Delete All Except Current - * @description Immediately deletes all queue items except in-processing items + * @description Immediately deletes all queue items except in-processing items. Non-admin users can only delete their own items. */ put: operations["delete_all_except_current"]; post?: never; @@ -1401,7 +1549,7 @@ export type paths = { get?: never; /** * Cancel By Batch Ids - * @description Immediately cancels all queue items from the given batch ids + * @description Immediately cancels all queue items from the given batch ids. Non-admin users can only cancel their own items. */ put: operations["cancel_by_batch_ids"]; post?: never; @@ -1421,7 +1569,7 @@ export type paths = { get?: never; /** * Cancel By Destination - * @description Immediately cancels all queue items with the given origin + * @description Immediately cancels all queue items with the given destination. Non-admin users can only cancel their own items. */ put: operations["cancel_by_destination"]; post?: never; @@ -1441,7 +1589,7 @@ export type paths = { get?: never; /** * Retry Items By Id - * @description Immediately cancels all queue items with the given origin + * @description Retries the given queue items. Users can only retry their own items unless they are an admin. */ put: operations["retry_items_by_id"]; post?: never; @@ -1461,7 +1609,7 @@ export type paths = { get?: never; /** * Clear - * @description Clears the queue entirely, immediately canceling the currently-executing session + * @description Clears the queue entirely. If there's a currently-executing item, users can only cancel it if they own it or are an admin. */ put: operations["clear"]; post?: never; @@ -1481,7 +1629,7 @@ export type paths = { get?: never; /** * Prune - * @description Prunes all completed or errored queue items + * @description Prunes all completed or errored queue items. Non-admin users can only prune their own items. */ put: operations["prune"]; post?: never; @@ -1587,7 +1735,7 @@ export type paths = { post?: never; /** * Delete Queue Item - * @description Deletes a queue item + * @description Deletes a queue item. Users can only delete their own items unless they are an admin. */ delete: operations["delete_queue_item"]; options?: never; @@ -1605,7 +1753,7 @@ export type paths = { get?: never; /** * Cancel Queue Item - * @description Deletes a queue item + * @description Cancels a queue item. Users can only cancel their own items unless they are an admin. */ put: operations["cancel_queue_item"]; post?: never; @@ -1647,7 +1795,7 @@ export type paths = { post?: never; /** * Delete By Destination - * @description Deletes all items with the given destination + * @description Deletes all items with the given destination. Non-admin users can only delete their own items. */ delete: operations["delete_by_destination"]; options?: never; @@ -1930,7 +2078,7 @@ export type paths = { }; /** * Get Client State By Key - * @description Gets the client state + * @description Gets the client state for the current user (or system user if not authenticated) */ get: operations["get_client_state_by_key"]; put?: never; @@ -1952,7 +2100,7 @@ export type paths = { put?: never; /** * Set Client State - * @description Sets the client state + * @description Sets the client state for the current user (or system user if not authenticated) */ post: operations["set_client_state"]; delete?: never; @@ -1972,7 +2120,7 @@ export type paths = { put?: never; /** * Delete Client State - * @description Deletes the client state + * @description Deletes the client state for the current user (or system user if not authenticated) */ post: operations["delete_client_state"]; delete?: never; @@ -2530,6 +2678,11 @@ export type components = { * @description The name of the board. */ board_name: string; + /** + * User Id + * @description The user ID of the board owner. + */ + user_id: string; /** * Created At * @description The created timestamp of the board. @@ -2565,6 +2718,11 @@ export type components = { * @description The number of assets in the board. */ asset_count: number; + /** + * Owner Username + * @description The username of the board owner (for admin view). + */ + owner_username?: string | null; }; /** * BoardField @@ -13005,6 +13163,12 @@ export type components = { * @default null */ destination: string | null; + /** + * User Id + * @description The ID of the user who created the queue item + * @default system + */ + user_id: string; /** * Session Id * @description The ID of the session (aka graph execution state) @@ -13063,6 +13227,12 @@ export type components = { * @default null */ destination: string | null; + /** + * User Id + * @description The ID of the user who created the queue item + * @default system + */ + user_id: string; /** * Session Id * @description The ID of the session (aka graph execution state) @@ -13361,6 +13531,12 @@ export type components = { * @default null */ destination: string | null; + /** + * User Id + * @description The ID of the user who created the queue item + * @default system + */ + user_id: string; /** * Session Id * @description The ID of the session (aka graph execution state) @@ -13430,6 +13606,12 @@ export type components = { * @default null */ destination: string | null; + /** + * User Id + * @description The ID of the user who created the queue item + * @default system + */ + user_id: string; /** * Session Id * @description The ID of the session (aka graph execution state) @@ -13510,6 +13692,7 @@ export type components = { * scan_models_on_startup: Scan the models directory on startup, registering orphaned models. This is typically only used in conjunction with `use_memory_db` for testing purposes. * unsafe_disable_picklescan: UNSAFE. Disable the picklescan security check during model installation. Recommended only for development and testing purposes. This will allow arbitrary code execution during model installation, so should never be used in production. * allow_unknown_models: Allow installation of models that we are unable to identify. If enabled, models will be marked as `unknown` in the database, and will not have any metadata associated with them. If disabled, unknown models will be rejected during installation. + * multiuser: Enable multiuser support. When disabled, the application runs in single-user mode using a default system account with administrator privileges. When enabled, requires user authentication and authorization. */ InvokeAIAppConfig: { /** @@ -13877,6 +14060,12 @@ export type components = { * @default true */ allow_unknown_models?: boolean; + /** + * Multiuser + * @description Enable multiuser support. When disabled, the application runs in single-user mode using a default system account with administrator privileges. When enabled, requires user authentication and authorization. + * @default false + */ + multiuser?: boolean; }; /** * InvokeAIAppConfigWithSetFields @@ -16102,6 +16291,57 @@ export type components = { * @enum {integer} */ LogLevel: 0 | 10 | 20 | 30 | 40 | 50; + /** + * LoginRequest + * @description Request body for user login. + */ + LoginRequest: { + /** + * Email + * @description User email address + */ + email: string; + /** + * Password + * @description User password + */ + password: string; + /** + * Remember Me + * @description Whether to extend session duration + * @default false + */ + remember_me?: boolean; + }; + /** + * LoginResponse + * @description Response from successful login. + */ + LoginResponse: { + /** + * Token + * @description JWT access token + */ + token: string; + /** @description User information */ + user: components["schemas"]["UserDTO"]; + /** + * Expires In + * @description Token expiration time in seconds + */ + expires_in: number; + }; + /** + * LogoutResponse + * @description Response from logout. + */ + LogoutResponse: { + /** + * Success + * @description Whether logout was successful + */ + success: boolean; + }; /** LoraModelDefaultSettings */ LoraModelDefaultSettings: { /** @@ -20945,6 +21185,12 @@ export type components = { * @default null */ destination: string | null; + /** + * User Id + * @description The ID of the user who created the queue item + * @default system + */ + user_id: string; /** * Status * @description The new status of the queue item @@ -23019,6 +23265,22 @@ export type components = { * @description The id of the queue with which this item is associated */ queue_id: string; + /** + * User Id + * @description The id of the user who created this queue item + * @default system + */ + user_id?: string; + /** + * User Display Name + * @description The display name of the user who created this queue item, if available + */ + user_display_name?: string | null; + /** + * User Email + * @description The email of the user who created this queue item, if available + */ + user_email?: string | null; /** * Field Values * @description The field values that were used for this queue item @@ -23086,6 +23348,66 @@ export type components = { * @description Total number of queue items */ total: number; + /** + * User Pending + * @description Number of queue items with status 'pending' for the current user + */ + user_pending?: number | null; + /** + * User In Progress + * @description Number of queue items with status 'in_progress' for the current user + */ + user_in_progress?: number | null; + }; + /** + * SetupRequest + * @description Request body for initial admin setup. + */ + SetupRequest: { + /** + * Email + * @description Admin email address + */ + email: string; + /** + * Display Name + * @description Admin display name + */ + display_name?: string | null; + /** + * Password + * @description Admin password + */ + password: string; + }; + /** + * SetupResponse + * @description Response from successful admin setup. + */ + SetupResponse: { + /** + * Success + * @description Whether setup was successful + */ + success: boolean; + /** @description Created admin user information */ + user: components["schemas"]["UserDTO"]; + }; + /** + * SetupStatusResponse + * @description Response for setup status check. + */ + SetupStatusResponse: { + /** + * Setup Required + * @description Whether initial setup is required + */ + setup_required: boolean; + /** + * Multiuser Enabled + * @description Whether multiuser mode is enabled + */ + multiuser_enabled: boolean; }; /** * Show Image @@ -25409,6 +25731,56 @@ export type components = { */ unstarred_images: string[]; }; + /** + * UserDTO + * @description User data transfer object. + */ + UserDTO: { + /** + * User Id + * @description Unique user identifier + */ + user_id: string; + /** + * Email + * @description User email address + */ + email: string; + /** + * Display Name + * @description Display name + */ + display_name?: string | null; + /** + * Is Admin + * @description Whether user has admin privileges + * @default false + */ + is_admin?: boolean; + /** + * Is Active + * @description Whether user account is active + * @default true + */ + is_active?: boolean; + /** + * Created At + * Format: date-time + * @description When the user was created + */ + created_at: string; + /** + * Updated At + * Format: date-time + * @description When the user was last updated + */ + updated_at: string; + /** + * Last Login At + * @description When user last logged in + */ + last_login_at?: string | null; + }; /** VAEField */ VAEField: { /** @description Info to load vae submodel */ @@ -27156,6 +27528,132 @@ export type components = { }; export type $defs = Record; export interface operations { + get_setup_status_api_v1_auth_status_get: { + parameters: { + query?: never; + header?: never; + path?: never; + cookie?: never; + }; + requestBody?: never; + responses: { + /** @description Successful Response */ + 200: { + headers: { + [name: string]: unknown; + }; + content: { + "application/json": components["schemas"]["SetupStatusResponse"]; + }; + }; + }; + }; + login_api_v1_auth_login_post: { + parameters: { + query?: never; + header?: never; + path?: never; + cookie?: never; + }; + requestBody: { + content: { + "application/json": components["schemas"]["LoginRequest"]; + }; + }; + responses: { + /** @description Successful Response */ + 200: { + headers: { + [name: string]: unknown; + }; + content: { + "application/json": components["schemas"]["LoginResponse"]; + }; + }; + /** @description Validation Error */ + 422: { + headers: { + [name: string]: unknown; + }; + content: { + "application/json": components["schemas"]["HTTPValidationError"]; + }; + }; + }; + }; + logout_api_v1_auth_logout_post: { + parameters: { + query?: never; + header?: never; + path?: never; + cookie?: never; + }; + requestBody?: never; + responses: { + /** @description Successful Response */ + 200: { + headers: { + [name: string]: unknown; + }; + content: { + "application/json": components["schemas"]["LogoutResponse"]; + }; + }; + }; + }; + get_current_user_info_api_v1_auth_me_get: { + parameters: { + query?: never; + header?: never; + path?: never; + cookie?: never; + }; + requestBody?: never; + responses: { + /** @description Successful Response */ + 200: { + headers: { + [name: string]: unknown; + }; + content: { + "application/json": components["schemas"]["UserDTO"]; + }; + }; + }; + }; + setup_admin_api_v1_auth_setup_post: { + parameters: { + query?: never; + header?: never; + path?: never; + cookie?: never; + }; + requestBody: { + content: { + "application/json": components["schemas"]["SetupRequest"]; + }; + }; + responses: { + /** @description Successful Response */ + 200: { + headers: { + [name: string]: unknown; + }; + content: { + "application/json": components["schemas"]["SetupResponse"]; + }; + }; + /** @description Validation Error */ + 422: { + headers: { + [name: string]: unknown; + }; + content: { + "application/json": components["schemas"]["HTTPValidationError"]; + }; + }; + }; + }; parse_dynamicprompts: { parameters: { query?: never; @@ -31345,7 +31843,7 @@ export interface operations { }; header?: never; path: { - /** @description The queue id to perform this operation on */ + /** @description The queue id (ignored, kept for backwards compatibility) */ queue_id: string; }; cookie?: never; @@ -31380,7 +31878,7 @@ export interface operations { }; header?: never; path: { - /** @description The queue id to perform this operation on */ + /** @description The queue id (ignored, kept for backwards compatibility) */ queue_id: string; }; cookie?: never; @@ -31416,7 +31914,7 @@ export interface operations { query?: never; header?: never; path: { - /** @description The queue id to perform this operation on */ + /** @description The queue id (ignored, kept for backwards compatibility) */ queue_id: string; }; cookie?: never; diff --git a/invokeai/frontend/web/src/services/events/setEventListeners.tsx b/invokeai/frontend/web/src/services/events/setEventListeners.tsx index f998627d26c..74069b084ae 100644 --- a/invokeai/frontend/web/src/services/events/setEventListeners.tsx +++ b/invokeai/frontend/web/src/services/events/setEventListeners.tsx @@ -387,10 +387,13 @@ export const setEventListeners = ({ socket, store, setIsConnected }: SetEventLis ); // Invalidate caches for things we cannot easily update + // Invalidate SessionQueueStatus to refetch with user-specific counts const tagsToInvalidate: ApiTagDescription[] = [ 'CurrentSessionQueueItem', 'NextSessionQueueItem', 'InvocationCacheStatus', + 'SessionQueueStatus', + 'SessionQueueItemIdList', { type: 'SessionQueueItem', id: item_id }, { type: 'SessionQueueItem', id: LIST_TAG }, { type: 'SessionQueueItem', id: LIST_ALL_TAG }, @@ -400,16 +403,6 @@ export const setEventListeners = ({ socket, store, setIsConnected }: SetEventLis tagsToInvalidate.push({ type: 'QueueCountsByDestination', id: destination }); } dispatch(queueApi.util.invalidateTags(tagsToInvalidate)); - dispatch( - queueApi.util.updateQueryData('getQueueStatus', undefined, (draft) => { - draft.queue = data.queue_status; - }) - ); - dispatch( - queueApi.util.updateQueryData('getBatchStatus', { batch_id: data.batch_id }, (draft) => { - Object.assign(draft, data.batch_status); - }) - ); if (status === 'in_progress') { forEach($nodeExecutionStates.get(), (nes) => { @@ -443,14 +436,55 @@ export const setEventListeners = ({ socket, store, setIsConnected }: SetEventLis socket.on('queue_cleared', (data) => { log.debug({ data }, 'Queue cleared'); + dispatch( + queueApi.util.invalidateTags([ + 'SessionQueueStatus', + 'SessionProcessorStatus', + 'BatchStatus', + 'CurrentSessionQueueItem', + 'NextSessionQueueItem', + 'QueueCountsByDestination', + 'SessionQueueItemIdList', + { type: 'SessionQueueItem', id: LIST_TAG }, + { type: 'SessionQueueItem', id: LIST_ALL_TAG }, + ]) + ); }); socket.on('batch_enqueued', (data) => { log.debug({ data }, 'Batch enqueued'); + dispatch( + queueApi.util.invalidateTags([ + 'SessionQueueStatus', + 'CurrentSessionQueueItem', + 'NextSessionQueueItem', + 'QueueCountsByDestination', + 'SessionQueueItemIdList', + { type: 'SessionQueueItem', id: LIST_TAG }, + { type: 'SessionQueueItem', id: LIST_ALL_TAG }, + ]) + ); }); socket.on('queue_items_retried', (data) => { log.debug({ data }, 'Queue items retried'); + const tagsToInvalidate: ApiTagDescription[] = [ + 'SessionQueueStatus', + 'BatchStatus', + 'CurrentSessionQueueItem', + 'NextSessionQueueItem', + 'QueueCountsByDestination', + 'SessionQueueItemIdList', + { type: 'SessionQueueItem', id: LIST_TAG }, + { type: 'SessionQueueItem', id: LIST_ALL_TAG }, + ]; + // Invalidate each retried item specifically + if (data.retried_item_ids) { + for (const itemId of data.retried_item_ids) { + tagsToInvalidate.push({ type: 'SessionQueueItem', id: itemId }); + } + } + dispatch(queueApi.util.invalidateTags(tagsToInvalidate)); }); socket.on('bulk_download_started', (data) => { diff --git a/invokeai/frontend/web/src/services/events/useSocketIO.ts b/invokeai/frontend/web/src/services/events/useSocketIO.ts index cdbfb882247..dcbe2501f3c 100644 --- a/invokeai/frontend/web/src/services/events/useSocketIO.ts +++ b/invokeai/frontend/web/src/services/events/useSocketIO.ts @@ -30,11 +30,18 @@ export const useSocketIO = () => { }, []); const socketOptions = useMemo(() => { + const token = localStorage.getItem('auth_token'); const options: Partial = { timeout: 60000, - path: `${window.location.pathname}ws/socket.io`, + path: '/ws/socket.io', autoConnect: false, // achtung! removing this breaks the dynamic middleware forceNew: true, + auth: token ? { token } : undefined, + extraHeaders: token + ? { + Authorization: `Bearer ${token}`, + } + : undefined, }; return options; diff --git a/mkdocs.yml b/mkdocs.yml index 656baec9c3d..4c6d3039cf2 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -124,7 +124,6 @@ nav: - Docker: 'installation/docker.md' - PatchMatch: 'installation/patchmatch.md' - Models: 'installation/models.md' - - Legacy Scripts: 'installation/legacy_scripts.md' - Workflows & Nodes: - Nodes Overview: 'nodes/overview.md' - Workflow Editor Basics: 'nodes/NODES.md' @@ -137,9 +136,16 @@ nav: - Invocation API: 'nodes/invocation-api.md' - Configuration: 'configuration.md' - Features: + - New to InvokeAI?: 'help/gettingStartedWithAI.md' - Low VRAM mode: 'features/low-vram.md' - Database: 'features/database.md' - - New to InvokeAI?: 'help/gettingStartedWithAI.md' + - Gallery: 'features/gallery.md' + - Hot Keys: 'features/hotkeys.md' + - Multi-User Mode: + - User Guide: 'multiuser/user_guide.md' + - Administrator Guide: 'multiuser/admin_guide.md' + - API Guide: 'multiuser/api_guide.md' + - Specification: 'multiuser/specification.md' - Contributing: - Overview: 'contributing/index.md' - Code of Conduct: 'CODE_OF_CONDUCT.md' @@ -148,7 +154,10 @@ nav: - Overview: 'contributing/contribution_guides/development.md' - New Contributors: 'contributing/contribution_guides/newContributorChecklist.md' - Model Manager v2: 'contributing/MODEL_MANAGER.md' + - Multiuser Mode: 'multiuser/specification.md' - Local Development: 'contributing/LOCAL_DEVELOPMENT.md' + - System Architecture: 'contributing/ARCHITECTURE.md' + - Hotkeys: 'contributing/HOTKEYS.md' - Testing: 'contributing/TESTS.md' - Frontend: - Overview: 'contributing/frontend/index.md' diff --git a/pyproject.toml b/pyproject.toml index adfe5982baf..c83480202a9 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -65,14 +65,18 @@ dependencies = [ # Auxiliary dependencies, pinned only if necessary. "blake3", + "bcrypt<4.0.0", "Deprecated", "dnspython", "dynamicprompts", "einops", + "email-validator>=2.0.0", + "passlib[bcrypt]>=1.7.4", "picklescan", "pillow", "prompt-toolkit", "pypatchmatch", + "python-jose[cryptography]>=3.3.0", "python-multipart", "requests", "semver~=3.0.1", diff --git a/scripts/useradd.py b/scripts/useradd.py new file mode 100755 index 00000000000..a3006d940d9 --- /dev/null +++ b/scripts/useradd.py @@ -0,0 +1,179 @@ +#!/usr/bin/env python3 +"""Script to add a user to the InvokeAI database. + +This script provides a convenient way to add users (admin or regular) to the InvokeAI +database for testing and administration purposes. It can be run from the command line +or imported and used programmatically. + +Usage: + # Interactive mode (prompts for all details) + python scripts/add_user.py + + # Command line mode + python scripts/add_user.py --email user@example.com --password securepass123 --name "Test User" + + # Add admin user + python scripts/add_user.py --email admin@example.com --password adminpass123 --admin + +Examples: + # Add a regular user + python scripts/add_user.py --email alice@test.local --password Password123 --name "Alice Smith" + + # Add an admin user + python scripts/add_user.py --email admin@test.local --password AdminPass123 --name "Admin User" --admin +""" + +import argparse +import getpass +import sys +from pathlib import Path + +# Add parent directory to path for imports +sys.path.insert(0, str(Path(__file__).parent.parent)) + + +def add_user_interactive(): + """Add a user interactively by prompting for details.""" + from invokeai.app.services.auth.password_utils import validate_password_strength + from invokeai.app.services.config import get_config + from invokeai.app.services.shared.sqlite.sqlite_database import SqliteDatabase + from invokeai.app.services.users.users_common import UserCreateRequest + from invokeai.app.services.users.users_default import UserService + from invokeai.backend.util.logging import InvokeAILogger + + print("=== Add InvokeAI User ===\n") + + # Get user details + email = input("Email address: ").strip() + if not email: + print("Error: Email is required") + return False + + display_name = input("Display name (optional): ").strip() or None + + # Get password with confirmation + while True: + password = getpass.getpass("Password: ") + password_confirm = getpass.getpass("Confirm password: ") + + if password != password_confirm: + print("Error: Passwords do not match. Please try again.\n") + continue + + # Validate password strength + is_valid, error_msg = validate_password_strength(password) + if not is_valid: + print(f"Error: {error_msg}\n") + continue + + break + + # Ask if user should be admin + is_admin_input = input("Make this user an administrator? (y/N): ").strip().lower() + is_admin = is_admin_input in ("y", "yes") + + # Create user + try: + config = get_config() + db = SqliteDatabase(config.db_path, InvokeAILogger.get_logger()) + user_service = UserService(db) + + user_data = UserCreateRequest(email=email, display_name=display_name, password=password, is_admin=is_admin) + + user = user_service.create(user_data) + + print("\n✅ User created successfully!") + print(f" User ID: {user.user_id}") + print(f" Email: {user.email}") + print(f" Display Name: {user.display_name or '(not set)'}") + print(f" Admin: {'Yes' if user.is_admin else 'No'}") + print(f" Active: {'Yes' if user.is_active else 'No'}") + + return True + + except ValueError as e: + print(f"\n❌ Error: {e}") + return False + except Exception as e: + print(f"\n❌ Unexpected error: {e}") + import traceback + + traceback.print_exc() + return False + + +def add_user_cli(email: str, password: str, display_name: str | None = None, is_admin: bool = False): + """Add a user via CLI arguments.""" + from invokeai.app.services.auth.password_utils import validate_password_strength + from invokeai.app.services.config import get_config + from invokeai.app.services.shared.sqlite.sqlite_database import SqliteDatabase + from invokeai.app.services.users.users_common import UserCreateRequest + from invokeai.app.services.users.users_default import UserService + from invokeai.backend.util.logging import InvokeAILogger + + # Validate password + is_valid, error_msg = validate_password_strength(password) + if not is_valid: + print(f"❌ Password validation failed: {error_msg}") + return False + + try: + config = get_config() + db = SqliteDatabase(config.db_path, InvokeAILogger.get_logger()) + user_service = UserService(db) + + user_data = UserCreateRequest(email=email, display_name=display_name, password=password, is_admin=is_admin) + + user = user_service.create(user_data) + + print("✅ User created successfully!") + print(f" User ID: {user.user_id}") + print(f" Email: {user.email}") + print(f" Display Name: {user.display_name or '(not set)'}") + print(f" Admin: {'Yes' if user.is_admin else 'No'}") + print(f" Active: {'Yes' if user.is_active else 'No'}") + + return True + + except ValueError as e: + print(f"❌ Error: {e}") + return False + except Exception as e: + print(f"❌ Unexpected error: {e}") + import traceback + + traceback.print_exc() + return False + + +def main(): + """Main entry point.""" + parser = argparse.ArgumentParser( + description="Add a user to the InvokeAI database", + epilog="If no arguments are provided, the script will run in interactive mode.", + ) + parser.add_argument("--email", "-e", help="User email address") + parser.add_argument("--password", "-p", help="User password") + parser.add_argument("--name", "-n", help="User display name (optional)") + parser.add_argument("--admin", "-a", action="store_true", help="Make user an administrator") + + args = parser.parse_args() + + # Check if any arguments were provided + if args.email or args.password: + # CLI mode - require both email and password + if not args.email or not args.password: + print("❌ Error: Both --email and --password are required when using CLI mode") + print(" Run without arguments for interactive mode") + sys.exit(1) + + success = add_user_cli(args.email, args.password, args.name, args.admin) + else: + # Interactive mode + success = add_user_interactive() + + sys.exit(0 if success else 1) + + +if __name__ == "__main__": + main() diff --git a/scripts/userdel.py b/scripts/userdel.py new file mode 100755 index 00000000000..d0bb4649e82 --- /dev/null +++ b/scripts/userdel.py @@ -0,0 +1,159 @@ +#!/usr/bin/env python3 +"""Script to delete a user from the InvokeAI database. + +This script provides a convenient way to delete users from the InvokeAI database +for administration purposes. It can be run from the command line or imported and +used programmatically. + +Usage: + # Interactive mode (prompts for email) + python scripts/userdel.py + + # Command line mode + python scripts/userdel.py --email user@example.com + + # Force delete without confirmation + python scripts/userdel.py --email user@example.com --force + +Examples: + # Delete a user with confirmation + python scripts/userdel.py --email alice@test.local + + # Delete a user without confirmation prompt + python scripts/userdel.py --email alice@test.local --force +""" + +import argparse +import sys +from pathlib import Path + +# Add parent directory to path for imports +sys.path.insert(0, str(Path(__file__).parent.parent)) + + +def delete_user_interactive(): + """Delete a user interactively by prompting for email.""" + from invokeai.app.services.config import get_config + from invokeai.app.services.shared.sqlite.sqlite_database import SqliteDatabase + from invokeai.app.services.users.users_default import UserService + from invokeai.backend.util.logging import InvokeAILogger + + print("=== Delete InvokeAI User ===\n") + + # Get user email + email = input("Email address of user to delete: ").strip() + if not email: + print("Error: Email is required") + return False + + try: + config = get_config() + db = SqliteDatabase(config.db_path, InvokeAILogger.get_logger()) + user_service = UserService(db) + + # Get user to show details before deletion + user = user_service.get_by_email(email) + if not user: + print(f"\n❌ Error: No user found with email '{email}'") + return False + + print("\nUser to delete:") + print(f" User ID: {user.user_id}") + print(f" Email: {user.email}") + print(f" Display Name: {user.display_name or '(not set)'}") + print(f" Admin: {'Yes' if user.is_admin else 'No'}") + print(f" Active: {'Yes' if user.is_active else 'No'}") + + # Confirm deletion + confirm = input("\n⚠️ Are you sure you want to delete this user? (yes/no): ").strip().lower() + if confirm not in ("yes", "y"): + print("Deletion cancelled.") + return False + + user_service.delete(user.user_id) + + print("\n✅ User deleted successfully!") + return True + + except ValueError as e: + print(f"\n❌ Error: {e}") + return False + except Exception as e: + print(f"\n❌ Unexpected error: {e}") + import traceback + + traceback.print_exc() + return False + + +def delete_user_cli(email: str, force: bool = False): + """Delete a user via CLI arguments.""" + from invokeai.app.services.config import get_config + from invokeai.app.services.shared.sqlite.sqlite_database import SqliteDatabase + from invokeai.app.services.users.users_default import UserService + from invokeai.backend.util.logging import InvokeAILogger + + try: + config = get_config() + db = SqliteDatabase(config.db_path, InvokeAILogger.get_logger()) + user_service = UserService(db) + + # Get user to show details before deletion + user = user_service.get_by_email(email) + if not user: + print(f"❌ Error: No user found with email '{email}'") + return False + + if not force: + print("User to delete:") + print(f" User ID: {user.user_id}") + print(f" Email: {user.email}") + print(f" Display Name: {user.display_name or '(not set)'}") + print(f" Admin: {'Yes' if user.is_admin else 'No'}") + print(f" Active: {'Yes' if user.is_active else 'No'}") + + confirm = input("\n⚠️ Are you sure you want to delete this user? (yes/no): ").strip().lower() + if confirm not in ("yes", "y"): + print("Deletion cancelled.") + return False + + user_service.delete(user.user_id) + + print("✅ User deleted successfully!") + return True + + except ValueError as e: + print(f"❌ Error: {e}") + return False + except Exception as e: + print(f"❌ Unexpected error: {e}") + import traceback + + traceback.print_exc() + return False + + +def main(): + """Main entry point.""" + parser = argparse.ArgumentParser( + description="Delete a user from the InvokeAI database", + epilog="If no arguments are provided, the script will run in interactive mode.", + ) + parser.add_argument("--email", "-e", help="User email address") + parser.add_argument("--force", "-f", action="store_true", help="Delete without confirmation prompt") + + args = parser.parse_args() + + # Check if email was provided + if args.email: + # CLI mode + success = delete_user_cli(args.email, args.force) + else: + # Interactive mode + success = delete_user_interactive() + + sys.exit(0 if success else 1) + + +if __name__ == "__main__": + main() diff --git a/scripts/userlist.py b/scripts/userlist.py new file mode 100755 index 00000000000..54559512444 --- /dev/null +++ b/scripts/userlist.py @@ -0,0 +1,144 @@ +#!/usr/bin/env python3 +"""Script to list users from the InvokeAI database. + +This script provides a convenient way to view all users in the InvokeAI database +with their details. It can output in table format (default) or JSON format. + +Usage: + # Display users as a table + python scripts/userlist.py + + # Display users as JSON + python scripts/userlist.py --json + +Examples: + # View all users in table format + python scripts/userlist.py + + # View all users in JSON format for scripting + python scripts/userlist.py --json +""" + +import argparse +import json +import sys +from pathlib import Path + +# Add parent directory to path for imports +sys.path.insert(0, str(Path(__file__).parent.parent)) + + +def list_users_table(): + """List all users in a formatted table.""" + from invokeai.app.services.config import get_config + from invokeai.app.services.shared.sqlite.sqlite_database import SqliteDatabase + from invokeai.app.services.users.users_default import UserService + from invokeai.backend.util.logging import InvokeAILogger + + config = get_config() + logger = InvokeAILogger.get_logger(config=config) + db = SqliteDatabase(config.db_path, logger) + user_service = UserService(db) + + try: + # Get all users + users = user_service.list_users() + + if not users: + print("No users found in database.") + return True + + # Print header + print("\n=== InvokeAI Users ===\n") + print(f"{'User ID':<36} {'Email':<30} {'Display Name':<20} {'Admin':<8} {'Active':<8}") + print("-" * 108) + + # Print each user + for user in users: + user_id = user.user_id + email = user.email[:29] if len(user.email) > 29 else user.email + name = user.display_name[:19] if len(user.display_name) > 19 else user.display_name + is_admin = "Yes" if user.is_admin else "No" + is_active = "Yes" if user.is_active else "No" + + print(f"{user_id:<36} {email:<30} {name:<20} {is_admin:<8} {is_active:<8}") + + print(f"\nTotal users: {len(users)}") + return True + + except Exception as e: + print(f"Error listing users: {e}") + return False + + +def list_users_json(): + """List all users in JSON format.""" + from invokeai.app.services.config import get_config + from invokeai.app.services.shared.sqlite.sqlite_database import SqliteDatabase + from invokeai.app.services.users.users_default import UserService + from invokeai.backend.util.logging import InvokeAILogger + + config = get_config() + logger = InvokeAILogger.get_logger(config=config) + db = SqliteDatabase(config.db_path, logger) + user_service = UserService(db) + + try: + # Get all users + users = user_service.list_users() + + # Convert to JSON-serializable format + users_data = [ + { + "id": user.user_id, + "email": user.email, + "name": user.display_name, + "is_admin": user.is_admin, + "is_active": user.is_active, + } + for user in users + ] + + # Print JSON + print(json.dumps(users_data, indent=2)) + return True + + except Exception as e: + print(f'{{"error": "{e}"}}', file=sys.stderr) + return False + + +def main(): + """Main entry point for the script.""" + parser = argparse.ArgumentParser( + description="List users from the InvokeAI database", + formatter_class=argparse.RawDescriptionHelpFormatter, + epilog=""" +Examples: + # View all users in table format + python scripts/userlist.py + + # View all users in JSON format for scripting + python scripts/userlist.py --json + """, + ) + + parser.add_argument( + "--json", + action="store_true", + help="Output users in JSON format instead of table", + ) + + args = parser.parse_args() + + # List users in requested format + if args.json: + success = list_users_json() + else: + success = list_users_table() + + sys.exit(0 if success else 1) + + +if __name__ == "__main__": + main() diff --git a/scripts/usermod.py b/scripts/usermod.py new file mode 100755 index 00000000000..c64e5a22526 --- /dev/null +++ b/scripts/usermod.py @@ -0,0 +1,244 @@ +#!/usr/bin/env python3 +"""Script to modify a user in the InvokeAI database. + +This script provides a convenient way to modify user details (name, password, admin status) +in the InvokeAI database for administration purposes. It can be run from the command line +or imported and used programmatically. + +Usage: + # Interactive mode (prompts for details) + python scripts/usermod.py + + # Command line mode + python scripts/usermod.py --email user@example.com --name "New Name" + python scripts/usermod.py --email user@example.com --password newpass123 + python scripts/usermod.py --email user@example.com --admin + python scripts/usermod.py --email user@example.com --no-admin + +Examples: + # Change user's display name + python scripts/usermod.py --email alice@test.local --name "Alice Johnson" + + # Change user's password + python scripts/usermod.py --email alice@test.local --password NewPassword123 + + # Make user an admin + python scripts/usermod.py --email alice@test.local --admin + + # Remove admin privileges + python scripts/usermod.py --email alice@test.local --no-admin + + # Change multiple properties at once + python scripts/usermod.py --email alice@test.local --name "Alice Admin" --password Secret123 --admin +""" + +import argparse +import getpass +import sys +from pathlib import Path + +# Add parent directory to path for imports +sys.path.insert(0, str(Path(__file__).parent.parent)) + + +def modify_user_interactive(): + """Modify a user interactively by prompting for details.""" + from invokeai.app.services.auth.password_utils import validate_password_strength + from invokeai.app.services.config import get_config + from invokeai.app.services.shared.sqlite.sqlite_database import SqliteDatabase + from invokeai.app.services.users.users_common import UserUpdateRequest + from invokeai.app.services.users.users_default import UserService + from invokeai.backend.util.logging import InvokeAILogger + + print("=== Modify InvokeAI User ===\n") + + # Get user email + email = input("Email address of user to modify: ").strip() + if not email: + print("Error: Email is required") + return False + + try: + config = get_config() + db = SqliteDatabase(config.db_path, InvokeAILogger.get_logger()) + user_service = UserService(db) + + # Get user to show current details + user = user_service.get_by_email(email) + if not user: + print(f"\n❌ Error: No user found with email '{email}'") + return False + + print("\nCurrent user details:") + print(f" User ID: {user.user_id}") + print(f" Email: {user.email}") + print(f" Display Name: {user.display_name or '(not set)'}") + print(f" Admin: {'Yes' if user.is_admin else 'No'}") + print(f" Active: {'Yes' if user.is_active else 'No'}") + + print("\n--- What would you like to change? (leave blank to keep current value) ---\n") + + # Get new display name + new_name = input(f"New display name [{user.display_name or '(not set)'}]: ").strip() + display_name = new_name if new_name else None + + # Get new password + change_password = input("Change password? (y/N): ").strip().lower() + password = None + if change_password in ("y", "yes"): + while True: + password = getpass.getpass("New password: ") + if not password: + print("Keeping existing password.") + password = None + break + + password_confirm = getpass.getpass("Confirm new password: ") + + if password != password_confirm: + print("Error: Passwords do not match. Please try again.\n") + continue + + # Validate password strength + is_valid, error_msg = validate_password_strength(password) + if not is_valid: + print(f"Error: {error_msg}\n") + continue + + break + + # Get new admin status + change_admin = input("Change admin status? (y/N): ").strip().lower() + is_admin = None + if change_admin in ("y", "yes"): + is_admin_input = ( + input(f"Make administrator? [current: {'Yes' if user.is_admin else 'No'}] (y/N): ").strip().lower() + ) + is_admin = is_admin_input in ("y", "yes") + + # Check if any changes were made + if display_name is None and password is None and is_admin is None: + print("\nNo changes requested. User not modified.") + return True + + # Update user + changes = UserUpdateRequest(display_name=display_name, password=password, is_admin=is_admin) + updated_user = user_service.update(user.user_id, changes) + + print("\n✅ User updated successfully!") + print(f" User ID: {updated_user.user_id}") + print(f" Email: {updated_user.email}") + print(f" Display Name: {updated_user.display_name or '(not set)'}") + print(f" Admin: {'Yes' if updated_user.is_admin else 'No'}") + print(f" Active: {'Yes' if updated_user.is_active else 'No'}") + + return True + + except ValueError as e: + print(f"\n❌ Error: {e}") + return False + except Exception as e: + print(f"\n❌ Unexpected error: {e}") + import traceback + + traceback.print_exc() + return False + + +def modify_user_cli( + email: str, + display_name: str | None = None, + password: str | None = None, + is_admin: bool | None = None, +): + """Modify a user via CLI arguments.""" + from invokeai.app.services.auth.password_utils import validate_password_strength + from invokeai.app.services.config import get_config + from invokeai.app.services.shared.sqlite.sqlite_database import SqliteDatabase + from invokeai.app.services.users.users_common import UserUpdateRequest + from invokeai.app.services.users.users_default import UserService + from invokeai.backend.util.logging import InvokeAILogger + + # Validate password if provided + if password is not None: + is_valid, error_msg = validate_password_strength(password) + if not is_valid: + print(f"❌ Password validation failed: {error_msg}") + return False + + try: + config = get_config() + db = SqliteDatabase(config.db_path, InvokeAILogger.get_logger()) + user_service = UserService(db) + + # Get user to verify existence + user = user_service.get_by_email(email) + if not user: + print(f"❌ Error: No user found with email '{email}'") + return False + + # Check if any changes were requested + if display_name is None and password is None and is_admin is None: + print("❌ Error: No changes specified. Use --name, --password, --admin, or --no-admin") + return False + + # Update user + changes = UserUpdateRequest(display_name=display_name, password=password, is_admin=is_admin) + updated_user = user_service.update(user.user_id, changes) + + print("✅ User updated successfully!") + print(f" User ID: {updated_user.user_id}") + print(f" Email: {updated_user.email}") + print(f" Display Name: {updated_user.display_name or '(not set)'}") + print(f" Admin: {'Yes' if updated_user.is_admin else 'No'}") + print(f" Active: {'Yes' if updated_user.is_active else 'No'}") + + return True + + except ValueError as e: + print(f"❌ Error: {e}") + return False + except Exception as e: + print(f"❌ Unexpected error: {e}") + import traceback + + traceback.print_exc() + return False + + +def main(): + """Main entry point.""" + parser = argparse.ArgumentParser( + description="Modify a user in the InvokeAI database", + epilog="If no arguments are provided, the script will run in interactive mode.", + ) + parser.add_argument("--email", "-e", help="User email address") + parser.add_argument("--name", "-n", help="New display name") + parser.add_argument("--password", "-p", help="New password") + + admin_group = parser.add_mutually_exclusive_group() + admin_group.add_argument("--admin", "-a", action="store_true", help="Grant administrator privileges") + admin_group.add_argument("--no-admin", dest="no_admin", action="store_true", help="Remove administrator privileges") + + args = parser.parse_args() + + # Determine admin status change + is_admin = None + if args.admin: + is_admin = True + elif args.no_admin: + is_admin = False + + # Check if email was provided + if args.email: + # CLI mode + success = modify_user_cli(args.email, args.name, args.password, is_admin) + else: + # Interactive mode + success = modify_user_interactive() + + sys.exit(0 if success else 1) + + +if __name__ == "__main__": + main() diff --git a/tests/app/routers/test_auth.py b/tests/app/routers/test_auth.py new file mode 100644 index 00000000000..0949048e607 --- /dev/null +++ b/tests/app/routers/test_auth.py @@ -0,0 +1,336 @@ +"""Integration tests for authentication router endpoints.""" + +import os +from pathlib import Path +from typing import Any + +import pytest +from fastapi.testclient import TestClient + +from invokeai.app.api.dependencies import ApiDependencies +from invokeai.app.api_app import app +from invokeai.app.services.auth.token_service import set_jwt_secret +from invokeai.app.services.invoker import Invoker +from invokeai.app.services.users.users_common import UserCreateRequest + + +@pytest.fixture(autouse=True, scope="module") +def setup_jwt_secret(): + """Set up JWT secret for all tests in this module.""" + # Use a test secret key + set_jwt_secret("test-secret-key-for-unit-tests-only-do-not-use-in-production") + + +@pytest.fixture(autouse=True, scope="module") +def client(invokeai_root_dir: Path) -> TestClient: + """Create a test client for the FastAPI app.""" + os.environ["INVOKEAI_ROOT"] = invokeai_root_dir.as_posix() + return TestClient(app) + + +@pytest.fixture(autouse=True) +def enable_multiuser_for_auth_tests(mock_invoker: Invoker) -> None: + """Enable multiuser mode for auth tests. + + Auth tests need multiuser mode enabled since the login/setup endpoints + return 403 when multiuser is disabled. + """ + mock_invoker.services.configuration.multiuser = True + + +class MockApiDependencies(ApiDependencies): + """Mock API dependencies for testing.""" + + invoker: Invoker + + def __init__(self, invoker) -> None: + self.invoker = invoker + + +def setup_test_user(mock_invoker: Invoker, email: str = "test@example.com", password: str = "TestPass123") -> str: + """Helper to create a test user and return user_id.""" + user_service = mock_invoker.services.users + user_data = UserCreateRequest( + email=email, + display_name="Test User", + password=password, + is_admin=False, + ) + user = user_service.create(user_data) + return user.user_id + + +def setup_test_admin(mock_invoker: Invoker, email: str = "admin@example.com", password: str = "AdminPass123") -> str: + """Helper to create a test admin user and return user_id.""" + user_service = mock_invoker.services.users + user_data = UserCreateRequest( + email=email, + display_name="Admin User", + password=password, + is_admin=True, + ) + user = user_service.create(user_data) + return user.user_id + + +def test_login_success(monkeypatch: Any, mock_invoker: Invoker, client: TestClient) -> None: + """Test successful login with valid credentials.""" + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + + # Create a test user + setup_test_user(mock_invoker, "test@example.com", "TestPass123") + + # Attempt login + response = client.post( + "/api/v1/auth/login", + json={ + "email": "test@example.com", + "password": "TestPass123", + "remember_me": False, + }, + ) + + assert response.status_code == 200 + json_response = response.json() + assert "token" in json_response + assert "user" in json_response + assert "expires_in" in json_response + assert json_response["user"]["email"] == "test@example.com" + assert json_response["user"]["is_admin"] is False + + +def test_login_with_remember_me(monkeypatch: Any, mock_invoker: Invoker, client: TestClient) -> None: + """Test login with remember_me flag sets longer expiration.""" + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + + setup_test_user(mock_invoker, "test2@example.com", "TestPass123") + + # Login with remember_me=True + response = client.post( + "/api/v1/auth/login", + json={ + "email": "test2@example.com", + "password": "TestPass123", + "remember_me": True, + }, + ) + + assert response.status_code == 200 + json_response = response.json() + # Remember me should give 7 days = 604800 seconds + assert json_response["expires_in"] == 604800 + + +def test_login_invalid_password(monkeypatch: Any, mock_invoker: Invoker, client: TestClient) -> None: + """Test login fails with invalid password.""" + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + + setup_test_user(mock_invoker, "test3@example.com", "TestPass123") + + response = client.post( + "/api/v1/auth/login", + json={ + "email": "test3@example.com", + "password": "WrongPassword", + "remember_me": False, + }, + ) + + assert response.status_code == 401 + assert "Incorrect email or password" in response.json()["detail"] + + +def test_login_nonexistent_user(monkeypatch: Any, mock_invoker: Invoker, client: TestClient) -> None: + """Test login fails with nonexistent user.""" + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + + response = client.post( + "/api/v1/auth/login", + json={ + "email": "nonexistent@example.com", + "password": "TestPass123", + "remember_me": False, + }, + ) + + assert response.status_code == 401 + assert "Incorrect email or password" in response.json()["detail"] + + +def test_login_inactive_user(monkeypatch: Any, mock_invoker: Invoker, client: TestClient) -> None: + """Test login fails with inactive user.""" + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + + user_id = setup_test_user(mock_invoker, "inactive@example.com", "TestPass123") + + # Deactivate the user + user_service = mock_invoker.services.users + from invokeai.app.services.users.users_common import UserUpdateRequest + + user_service.update(user_id, UserUpdateRequest(is_active=False)) + + response = client.post( + "/api/v1/auth/login", + json={ + "email": "inactive@example.com", + "password": "TestPass123", + "remember_me": False, + }, + ) + + assert response.status_code == 403 + assert "disabled" in response.json()["detail"] + + +def test_logout(monkeypatch: Any, mock_invoker: Invoker, client: TestClient) -> None: + """Test logout endpoint.""" + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + monkeypatch.setattr("invokeai.app.api.auth_dependencies.ApiDependencies", MockApiDependencies(mock_invoker)) + + setup_test_user(mock_invoker, "test4@example.com", "TestPass123") + + # Login first to get token + login_response = client.post( + "/api/v1/auth/login", + json={ + "email": "test4@example.com", + "password": "TestPass123", + "remember_me": False, + }, + ) + token = login_response.json()["token"] + + # Logout with token + response = client.post("/api/v1/auth/logout", headers={"Authorization": f"Bearer {token}"}) + + assert response.status_code == 200 + assert response.json()["success"] is True + + +def test_logout_without_token(client: TestClient) -> None: + """Test logout fails without authentication token.""" + response = client.post("/api/v1/auth/logout") + + assert response.status_code == 401 + + +def test_get_current_user_info(monkeypatch: Any, mock_invoker: Invoker, client: TestClient) -> None: + """Test getting current user info with valid token.""" + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + monkeypatch.setattr("invokeai.app.api.auth_dependencies.ApiDependencies", MockApiDependencies(mock_invoker)) + + setup_test_user(mock_invoker, "test5@example.com", "TestPass123") + + # Login to get token + login_response = client.post( + "/api/v1/auth/login", + json={ + "email": "test5@example.com", + "password": "TestPass123", + "remember_me": False, + }, + ) + token = login_response.json()["token"] + + # Get user info + response = client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {token}"}) + + assert response.status_code == 200 + json_response = response.json() + assert json_response["email"] == "test5@example.com" + assert json_response["display_name"] == "Test User" + assert json_response["is_admin"] is False + + +def test_get_current_user_info_without_token(client: TestClient) -> None: + """Test getting user info fails without token.""" + response = client.get("/api/v1/auth/me") + + assert response.status_code == 401 + + +def test_get_current_user_info_invalid_token(monkeypatch: Any, mock_invoker: Invoker, client: TestClient) -> None: + """Test getting user info fails with invalid token.""" + monkeypatch.setattr("invokeai.app.api.auth_dependencies.ApiDependencies", MockApiDependencies(mock_invoker)) + + response = client.get("/api/v1/auth/me", headers={"Authorization": "Bearer invalid_token"}) + + assert response.status_code == 401 + + +def test_setup_admin_first_time(monkeypatch: Any, mock_invoker: Invoker, client: TestClient) -> None: + """Test setting up first admin user.""" + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + + response = client.post( + "/api/v1/auth/setup", + json={ + "email": "admin@example.com", + "display_name": "Admin User", + "password": "AdminPass123", + }, + ) + + assert response.status_code == 200 + json_response = response.json() + assert json_response["success"] is True + assert json_response["user"]["email"] == "admin@example.com" + assert json_response["user"]["is_admin"] is True + + +def test_setup_admin_already_exists(monkeypatch: Any, mock_invoker: Invoker, client: TestClient) -> None: + """Test setup fails when admin already exists.""" + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + + # Create first admin + setup_test_admin(mock_invoker, "admin1@example.com", "AdminPass123") + + # Try to setup another admin + response = client.post( + "/api/v1/auth/setup", + json={ + "email": "admin2@example.com", + "display_name": "Second Admin", + "password": "AdminPass123", + }, + ) + + assert response.status_code == 400 + assert "already configured" in response.json()["detail"] + + +def test_setup_admin_weak_password(monkeypatch: Any, mock_invoker: Invoker, client: TestClient) -> None: + """Test setup fails with weak password.""" + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + + response = client.post( + "/api/v1/auth/setup", + json={ + "email": "admin3@example.com", + "display_name": "Admin User", + "password": "weak", + }, + ) + + assert response.status_code == 400 + assert "Password" in response.json()["detail"] + + +def test_admin_user_token_has_admin_flag(monkeypatch: Any, mock_invoker: Invoker, client: TestClient) -> None: + """Test that admin user login returns token with admin flag.""" + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + + setup_test_admin(mock_invoker, "admin4@example.com", "AdminPass123") + + response = client.post( + "/api/v1/auth/login", + json={ + "email": "admin4@example.com", + "password": "AdminPass123", + "remember_me": False, + }, + ) + + assert response.status_code == 200 + json_response = response.json() + assert json_response["user"]["is_admin"] is True diff --git a/tests/app/routers/test_boards_multiuser.py b/tests/app/routers/test_boards_multiuser.py new file mode 100644 index 00000000000..ca42e285c6a --- /dev/null +++ b/tests/app/routers/test_boards_multiuser.py @@ -0,0 +1,165 @@ +"""Tests for multiuser boards functionality.""" + +from typing import Any + +import pytest +from fastapi import status +from fastapi.testclient import TestClient + +from invokeai.app.api.dependencies import ApiDependencies +from invokeai.app.api_app import app +from invokeai.app.services.invoker import Invoker +from invokeai.app.services.users.users_common import UserCreateRequest + + +@pytest.fixture +def setup_jwt_secret(): + """Initialize JWT secret for token generation.""" + from invokeai.app.services.auth.token_service import set_jwt_secret + + # Use a test secret key + set_jwt_secret("test-secret-key-for-unit-tests-only-do-not-use-in-production") + + +@pytest.fixture +def client(): + """Create a test client.""" + return TestClient(app) + + +def setup_test_admin(mock_invoker: Invoker, email: str = "admin@test.com", password: str = "TestPass123") -> str: + """Helper to create a test admin user and return user_id.""" + user_service = mock_invoker.services.users + user_data = UserCreateRequest( + email=email, + display_name="Test Admin", + password=password, + is_admin=True, + ) + user = user_service.create(user_data) + return user.user_id + + +@pytest.fixture +def enable_multiuser_for_tests(monkeypatch: Any, mock_invoker: Invoker): + """Enable multiuser mode and set up ApiDependencies for testing.""" + # Enable multiuser mode + mock_invoker.services.configuration.multiuser = True + + # Set ApiDependencies.invoker as a class attribute + ApiDependencies.invoker = mock_invoker + + yield + + # Cleanup + if hasattr(ApiDependencies, "invoker"): + delattr(ApiDependencies, "invoker") + + +@pytest.fixture +def admin_token(setup_jwt_secret: str, enable_multiuser_for_tests: Any, mock_invoker: Invoker, client: TestClient): + """Get an admin token for testing.""" + # Create admin user + setup_test_admin(mock_invoker, "admin@test.com", "TestPass123") + + # Login to get token + response = client.post( + "/api/v1/auth/login", + json={ + "email": "admin@test.com", + "password": "TestPass123", + "remember_me": False, + }, + ) + assert response.status_code == 200 + return response.json()["token"] + + +@pytest.fixture +def user1_token(admin_token): + """Get a token for test user 1.""" + # For now, we'll reuse admin token since user creation requires admin + # In a full implementation, we'd create a separate user + return admin_token + + +def test_create_board_requires_auth(enable_multiuser_for_tests: Any, client: TestClient): + """Test that creating a board requires authentication.""" + response = client.post("/api/v1/boards/?board_name=Test+Board") + assert response.status_code == status.HTTP_401_UNAUTHORIZED + + +def test_list_boards_requires_auth(enable_multiuser_for_tests: Any, client: TestClient): + """Test that listing boards requires authentication.""" + response = client.get("/api/v1/boards/?all=true") + assert response.status_code == status.HTTP_401_UNAUTHORIZED + + +def test_create_board_with_auth(client: TestClient, admin_token: str): + """Test that authenticated users can create boards.""" + response = client.post( + "/api/v1/boards/?board_name=My+Test+Board", + headers={"Authorization": f"Bearer {admin_token}"}, + ) + assert response.status_code == status.HTTP_201_CREATED + data = response.json() + assert data["board_name"] == "My Test Board" + assert "board_id" in data + + +def test_list_boards_with_auth(client: TestClient, admin_token: str): + """Test that authenticated users can list their boards.""" + # First create a board + client.post( + "/api/v1/boards/?board_name=Listed+Board", + headers={"Authorization": f"Bearer {admin_token}"}, + ) + + # Now list boards + response = client.get( + "/api/v1/boards/?all=true", + headers={"Authorization": f"Bearer {admin_token}"}, + ) + assert response.status_code == status.HTTP_200_OK + boards = response.json() + assert isinstance(boards, list) + # Should include the board we just created + board_names = [b["board_name"] for b in boards] + assert "Listed Board" in board_names + + +def test_user_boards_are_isolated(client: TestClient, admin_token: str, user1_token: str): + """Test that boards are isolated between users.""" + # Admin creates a board + admin_response = client.post( + "/api/v1/boards/?board_name=Admin+Board", + headers={"Authorization": f"Bearer {admin_token}"}, + ) + assert admin_response.status_code == status.HTTP_201_CREATED + + # If we had separate users, we'd verify isolation here + # For now, we'll just verify the board exists + list_response = client.get( + "/api/v1/boards/?all=true", + headers={"Authorization": f"Bearer {admin_token}"}, + ) + assert list_response.status_code == status.HTTP_200_OK + boards = list_response.json() + board_names = [b["board_name"] for b in boards] + assert "Admin Board" in board_names + + +def test_enqueue_batch_requires_auth(enable_multiuser_for_tests: Any, client: TestClient): + """Test that enqueuing a batch requires authentication.""" + response = client.post( + "/api/v1/queue/default/enqueue_batch", + json={ + "batch": { + "batch_id": "test-batch", + "data": [], + "graph": {"nodes": {}, "edges": []}, + }, + "prepend": False, + }, + ) + assert response.status_code == status.HTTP_401_UNAUTHORIZED diff --git a/tests/app/routers/test_client_state_multiuser.py b/tests/app/routers/test_client_state_multiuser.py new file mode 100644 index 00000000000..814c9182fec --- /dev/null +++ b/tests/app/routers/test_client_state_multiuser.py @@ -0,0 +1,299 @@ +"""Tests for multiuser client state functionality.""" + +from typing import Any + +import pytest +from fastapi import status +from fastapi.testclient import TestClient + +from invokeai.app.api.dependencies import ApiDependencies +from invokeai.app.api_app import app +from invokeai.app.services.invoker import Invoker +from invokeai.app.services.users.users_common import UserCreateRequest + + +@pytest.fixture +def client(): + """Create a test client.""" + return TestClient(app) + + +class MockApiDependencies(ApiDependencies): + """Mock API dependencies for testing.""" + + invoker: Invoker + + def __init__(self, invoker: Invoker) -> None: + self.invoker = invoker + + +def setup_test_user( + mock_invoker: Invoker, email: str, display_name: str, password: str = "TestPass123", is_admin: bool = False +) -> str: + """Helper to create a test user and return user_id.""" + user_service = mock_invoker.services.users + user_data = UserCreateRequest( + email=email, + display_name=display_name, + password=password, + is_admin=is_admin, + ) + user = user_service.create(user_data) + return user.user_id + + +def get_user_token(client: TestClient, email: str, password: str = "TestPass123") -> str: + """Helper to login and get a user token.""" + response = client.post( + "/api/v1/auth/login", + json={ + "email": email, + "password": password, + "remember_me": False, + }, + ) + assert response.status_code == 200 + return response.json()["token"] + + +@pytest.fixture +def admin_token(monkeypatch: Any, mock_invoker: Invoker, client: TestClient): + """Get an admin token for testing.""" + # Enable multiuser mode for auth endpoints + mock_invoker.services.configuration.multiuser = True + + # Mock ApiDependencies for auth and client_state routers + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + monkeypatch.setattr("invokeai.app.api.auth_dependencies.ApiDependencies", MockApiDependencies(mock_invoker)) + monkeypatch.setattr("invokeai.app.api.routers.client_state.ApiDependencies", MockApiDependencies(mock_invoker)) + + # Create admin user + setup_test_user(mock_invoker, "admin@test.com", "Admin User", is_admin=True) + + return get_user_token(client, "admin@test.com") + + +@pytest.fixture +def user1_token(monkeypatch: Any, mock_invoker: Invoker, client: TestClient, admin_token: str): + """Get a token for test user 1.""" + # Create a regular user + setup_test_user(mock_invoker, "user1@test.com", "User One", is_admin=False) + + return get_user_token(client, "user1@test.com") + + +@pytest.fixture +def user2_token(monkeypatch: Any, mock_invoker: Invoker, client: TestClient, admin_token: str): + """Get a token for test user 2.""" + # Create another regular user + setup_test_user(mock_invoker, "user2@test.com", "User Two", is_admin=False) + + return get_user_token(client, "user2@test.com") + + +def test_get_client_state_without_auth_uses_system_user(client: TestClient, monkeypatch, mock_invoker: Invoker): + """Test that getting client state without authentication uses the system user.""" + # Mock ApiDependencies + monkeypatch.setattr("invokeai.app.api.auth_dependencies.ApiDependencies", MockApiDependencies(mock_invoker)) + monkeypatch.setattr("invokeai.app.api.routers.client_state.ApiDependencies", MockApiDependencies(mock_invoker)) + + # Set a value for the system user directly + mock_invoker.services.client_state_persistence.set_by_key("system", "test_key", "system_value") + + # Get without authentication - should return system user's value + response = client.get("/api/v1/client_state/default/get_by_key?key=test_key") + assert response.status_code == status.HTTP_200_OK + assert response.json() == "system_value" + + +def test_set_client_state_without_auth_uses_system_user(client: TestClient, monkeypatch, mock_invoker: Invoker): + """Test that setting client state without authentication uses the system user.""" + # Mock ApiDependencies + monkeypatch.setattr("invokeai.app.api.auth_dependencies.ApiDependencies", MockApiDependencies(mock_invoker)) + monkeypatch.setattr("invokeai.app.api.routers.client_state.ApiDependencies", MockApiDependencies(mock_invoker)) + + # Set without authentication - should set for system user + response = client.post( + "/api/v1/client_state/default/set_by_key?key=test_key", + json="unauthenticated_value", + ) + assert response.status_code == status.HTTP_200_OK + + # Verify it was set for system user + value = mock_invoker.services.client_state_persistence.get_by_key("system", "test_key") + assert value == "unauthenticated_value" + + +def test_delete_client_state_without_auth_uses_system_user(client: TestClient, monkeypatch, mock_invoker: Invoker): + """Test that deleting client state without authentication uses the system user.""" + # Mock ApiDependencies + monkeypatch.setattr("invokeai.app.api.auth_dependencies.ApiDependencies", MockApiDependencies(mock_invoker)) + monkeypatch.setattr("invokeai.app.api.routers.client_state.ApiDependencies", MockApiDependencies(mock_invoker)) + + # Set a value for system user + mock_invoker.services.client_state_persistence.set_by_key("system", "test_key", "system_value") + + # Delete without authentication - should delete system user's data + response = client.post("/api/v1/client_state/default/delete") + assert response.status_code == status.HTTP_200_OK + + # Verify it was deleted for system user + value = mock_invoker.services.client_state_persistence.get_by_key("system", "test_key") + assert value is None + + +def test_set_and_get_client_state(client: TestClient, admin_token: str): + """Test that authenticated users can set and get their client state.""" + # Set a value + set_response = client.post( + "/api/v1/client_state/default/set_by_key?key=test_key", + json="test_value", + headers={"Authorization": f"Bearer {admin_token}"}, + ) + assert set_response.status_code == status.HTTP_200_OK + assert set_response.json() == "test_value" + + # Get the value back + get_response = client.get( + "/api/v1/client_state/default/get_by_key?key=test_key", + headers={"Authorization": f"Bearer {admin_token}"}, + ) + assert get_response.status_code == status.HTTP_200_OK + assert get_response.json() == "test_value" + + +def test_client_state_isolation_between_users(client: TestClient, user1_token: str, user2_token: str): + """Test that client state is isolated between different users.""" + # User 1 sets a value + user1_set_response = client.post( + "/api/v1/client_state/default/set_by_key?key=shared_key", + json="user1_value", + headers={"Authorization": f"Bearer {user1_token}"}, + ) + assert user1_set_response.status_code == status.HTTP_200_OK + + # User 2 sets a different value for the same key + user2_set_response = client.post( + "/api/v1/client_state/default/set_by_key?key=shared_key", + json="user2_value", + headers={"Authorization": f"Bearer {user2_token}"}, + ) + assert user2_set_response.status_code == status.HTTP_200_OK + + # User 1 should still see their own value + user1_get_response = client.get( + "/api/v1/client_state/default/get_by_key?key=shared_key", + headers={"Authorization": f"Bearer {user1_token}"}, + ) + assert user1_get_response.status_code == status.HTTP_200_OK + assert user1_get_response.json() == "user1_value" + + # User 2 should see their own value + user2_get_response = client.get( + "/api/v1/client_state/default/get_by_key?key=shared_key", + headers={"Authorization": f"Bearer {user2_token}"}, + ) + assert user2_get_response.status_code == status.HTTP_200_OK + assert user2_get_response.json() == "user2_value" + + +def test_get_nonexistent_key_returns_null(client: TestClient, admin_token: str): + """Test that getting a nonexistent key returns null.""" + response = client.get( + "/api/v1/client_state/default/get_by_key?key=nonexistent_key", + headers={"Authorization": f"Bearer {admin_token}"}, + ) + assert response.status_code == status.HTTP_200_OK + assert response.json() is None + + +def test_delete_client_state(client: TestClient, admin_token: str): + """Test that users can delete their own client state.""" + # Set some values + client.post( + "/api/v1/client_state/default/set_by_key?key=key1", + json="value1", + headers={"Authorization": f"Bearer {admin_token}"}, + ) + client.post( + "/api/v1/client_state/default/set_by_key?key=key2", + json="value2", + headers={"Authorization": f"Bearer {admin_token}"}, + ) + + # Verify values exist + get_response = client.get( + "/api/v1/client_state/default/get_by_key?key=key1", + headers={"Authorization": f"Bearer {admin_token}"}, + ) + assert get_response.json() == "value1" + + # Delete all client state + delete_response = client.post( + "/api/v1/client_state/default/delete", + headers={"Authorization": f"Bearer {admin_token}"}, + ) + assert delete_response.status_code == status.HTTP_200_OK + + # Verify values are gone + get_response = client.get( + "/api/v1/client_state/default/get_by_key?key=key1", + headers={"Authorization": f"Bearer {admin_token}"}, + ) + assert get_response.json() is None + + get_response = client.get( + "/api/v1/client_state/default/get_by_key?key=key2", + headers={"Authorization": f"Bearer {admin_token}"}, + ) + assert get_response.json() is None + + +def test_update_existing_key(client: TestClient, admin_token: str): + """Test that updating an existing key works correctly.""" + # Set initial value + client.post( + "/api/v1/client_state/default/set_by_key?key=update_key", + json="initial_value", + headers={"Authorization": f"Bearer {admin_token}"}, + ) + + # Update the value + update_response = client.post( + "/api/v1/client_state/default/set_by_key?key=update_key", + json="updated_value", + headers={"Authorization": f"Bearer {admin_token}"}, + ) + assert update_response.status_code == status.HTTP_200_OK + + # Verify the updated value + get_response = client.get( + "/api/v1/client_state/default/get_by_key?key=update_key", + headers={"Authorization": f"Bearer {admin_token}"}, + ) + assert get_response.status_code == status.HTTP_200_OK + assert get_response.json() == "updated_value" + + +def test_complex_json_values(client: TestClient, admin_token: str): + """Test that complex JSON values can be stored and retrieved.""" + import json + + complex_dict = {"params": {"model": "test-model", "steps": 50}, "prompt": "a beautiful landscape"} + complex_value = json.dumps(complex_dict) + + # Set complex value + set_response = client.post( + "/api/v1/client_state/default/set_by_key?key=complex_key", + json=complex_value, + headers={"Authorization": f"Bearer {admin_token}"}, + ) + assert set_response.status_code == status.HTTP_200_OK + + # Get it back + get_response = client.get( + "/api/v1/client_state/default/get_by_key?key=complex_key", + headers={"Authorization": f"Bearer {admin_token}"}, + ) + assert get_response.status_code == status.HTTP_200_OK + assert get_response.json() == complex_value diff --git a/tests/app/routers/test_session_queue_sanitization.py b/tests/app/routers/test_session_queue_sanitization.py new file mode 100644 index 00000000000..09742a99173 --- /dev/null +++ b/tests/app/routers/test_session_queue_sanitization.py @@ -0,0 +1,126 @@ +"""Tests for session queue item sanitization in multiuser mode.""" + +from datetime import datetime + +import pytest + +from invokeai.app.api.routers.session_queue import sanitize_queue_item_for_user +from invokeai.app.invocations.baseinvocation import BaseInvocation, BaseInvocationOutput, invocation, invocation_output +from invokeai.app.invocations.fields import InputField, OutputField +from invokeai.app.services.session_queue.session_queue_common import NodeFieldValue, SessionQueueItem +from invokeai.app.services.shared.graph import Graph, GraphExecutionState +from invokeai.app.services.shared.invocation_context import InvocationContext + + +# Define a minimal test invocation for the test +@invocation_output("test_sanitization_output") +class TestSanitizationInvocationOutput(BaseInvocationOutput): + value: str = OutputField(default="") + + +@invocation("test_sanitization", version="1.0.0") +class TestSanitizationInvocation(BaseInvocation): + test_field: str = InputField(default="") + + def invoke(self, context: InvocationContext) -> TestSanitizationInvocationOutput: + return TestSanitizationInvocationOutput(value=self.test_field) + + +@pytest.fixture +def sample_session_queue_item() -> SessionQueueItem: + """Create a sample queue item with full data for testing.""" + graph = Graph() + # Add a simple node to the graph + graph.add_node(TestSanitizationInvocation(id="test_node", test_field="test value")) + + session = GraphExecutionState(id="test_session", graph=graph) + + # Create timestamps for the queue item + now = datetime.now() + + return SessionQueueItem( + item_id=1, + status="pending", + batch_id="batch_123", + session_id="session_123", + queue_id="default", + user_id="user_123", + user_display_name="Test User", + user_email="test@example.com", + field_values=[ + NodeFieldValue(node_path="test_node", field_name="test_field", value="sensitive prompt data"), + ], + session=session, + workflow=None, + created_at=now, + updated_at=now, + started_at=None, + completed_at=None, + ) + + +def test_sanitize_queue_item_for_admin(sample_session_queue_item): + """Test that admins can see all data regardless of user_id.""" + result = sanitize_queue_item_for_user( + queue_item=sample_session_queue_item, + current_user_id="different_user", + is_admin=True, + ) + + # Admin should see everything + assert result.field_values is not None + assert len(result.field_values) == 1 + assert result.session.graph.nodes is not None + assert len(result.session.graph.nodes) == 1 + + +def test_sanitize_queue_item_for_owner(sample_session_queue_item): + """Test that queue item owners can see their own data.""" + result = sanitize_queue_item_for_user( + queue_item=sample_session_queue_item, + current_user_id="user_123", # Same as queue item user_id + is_admin=False, + ) + + # Owner should see everything + assert result.field_values is not None + assert len(result.field_values) == 1 + assert result.session.graph.nodes is not None + assert len(result.session.graph.nodes) == 1 + + +def test_sanitize_queue_item_for_different_user(sample_session_queue_item): + """Test that non-admin users cannot see other users' sensitive data.""" + result = sanitize_queue_item_for_user( + queue_item=sample_session_queue_item, + current_user_id="different_user", + is_admin=False, + ) + + # Non-admin viewing another user's item should have sanitized data + assert result.field_values is None + assert result.workflow is None + # Session should be replaced with empty graph + assert result.session.graph.nodes is not None + assert len(result.session.graph.nodes) == 0 + # Session ID should be preserved + assert result.session.id == "test_session" + + +def test_sanitize_preserves_non_sensitive_fields(sample_session_queue_item): + """Test that sanitization preserves non-sensitive fields.""" + result = sanitize_queue_item_for_user( + queue_item=sample_session_queue_item, + current_user_id="different_user", + is_admin=False, + ) + + # These fields should be preserved + assert result.item_id == 1 + assert result.status == "pending" + assert result.batch_id == "batch_123" + assert result.session_id == "session_123" + assert result.queue_id == "default" + assert result.user_id == "user_123" + assert result.user_display_name == "Test User" + assert result.user_email == "test@example.com" diff --git a/tests/app/services/auth/__init__.py b/tests/app/services/auth/__init__.py new file mode 100644 index 00000000000..be14ae18fea --- /dev/null +++ b/tests/app/services/auth/__init__.py @@ -0,0 +1 @@ +"""Tests for authentication services.""" diff --git a/tests/app/services/auth/test_data_isolation.py b/tests/app/services/auth/test_data_isolation.py new file mode 100644 index 00000000000..45a538a6beb --- /dev/null +++ b/tests/app/services/auth/test_data_isolation.py @@ -0,0 +1,411 @@ +"""Integration tests for multi-user data isolation. + +Tests to ensure users can only access their own data and cannot access +other users' data unless explicitly shared. +""" + +import os +from pathlib import Path +from typing import Any + +import pytest +from fastapi.testclient import TestClient + +from invokeai.app.api.dependencies import ApiDependencies +from invokeai.app.api_app import app +from invokeai.app.services.board_records.board_records_common import BoardRecordOrderBy +from invokeai.app.services.invoker import Invoker +from invokeai.app.services.shared.sqlite.sqlite_common import SQLiteDirection +from invokeai.app.services.users.users_common import UserCreateRequest + + +@pytest.fixture(autouse=True, scope="module") +def client(invokeai_root_dir: Path) -> TestClient: + """Create a test client for the FastAPI app.""" + os.environ["INVOKEAI_ROOT"] = invokeai_root_dir.as_posix() + return TestClient(app) + + +@pytest.fixture(autouse=True) +def enable_multiuser_for_auth_tests(mock_invoker: Invoker) -> None: + """Enable multiuser mode for auth tests. + + Auth tests need multiuser mode enabled since the login/setup endpoints + return 403 when multiuser is disabled. + """ + mock_invoker.services.configuration.multiuser = True + + +class MockApiDependencies(ApiDependencies): + """Mock API dependencies for testing.""" + + invoker: Invoker + + def __init__(self, invoker) -> None: + self.invoker = invoker + + +def create_user_and_login( + mock_invoker: Invoker, client: TestClient, monkeypatch: Any, email: str, password: str, is_admin: bool = False +) -> tuple[str, str]: + """Helper to create a user, login, and return (user_id, token).""" + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + monkeypatch.setattr("invokeai.app.api.auth_dependencies.ApiDependencies", MockApiDependencies(mock_invoker)) + + user_service = mock_invoker.services.users + user_data = UserCreateRequest( + email=email, + display_name=f"User {email}", + password=password, + is_admin=is_admin, + ) + user = user_service.create(user_data) + + # Login to get token + response = client.post( + "/api/v1/auth/login", + json={ + "email": email, + "password": password, + "remember_me": False, + }, + ) + + assert response.status_code == 200 + token = response.json()["token"] + + return user.user_id, token + + +class TestBoardDataIsolation: + """Tests for board data isolation between users.""" + + def test_user_can_only_see_own_boards(self, monkeypatch: Any, mock_invoker: Invoker, client: TestClient): + """Test that users can only see their own boards.""" + monkeypatch.setattr("invokeai.app.api.routers.boards.ApiDependencies", MockApiDependencies(mock_invoker)) + + # Create two users + user1_id, user1_token = create_user_and_login( + mock_invoker, client, monkeypatch, "user1@example.com", "TestPass123" + ) + user2_id, user2_token = create_user_and_login( + mock_invoker, client, monkeypatch, "user2@example.com", "TestPass123" + ) + + # Create board for user1 + board_service = mock_invoker.services.boards + user1_board = board_service.create(board_name="User 1 Board", user_id=user1_id) + + # Create board for user2 + user2_board = board_service.create(board_name="User 2 Board", user_id=user2_id) + + # User1 should only see their board + user1_boards = board_service.get_many( + user_id=user1_id, + is_admin=False, + order_by=BoardRecordOrderBy.CreatedAt, + direction=SQLiteDirection.Ascending, + ) + + user1_board_ids = [b.board_id for b in user1_boards.items] + assert user1_board.board_id in user1_board_ids + assert user2_board.board_id not in user1_board_ids + + # User2 should only see their board + user2_boards = board_service.get_many( + user_id=user2_id, + is_admin=False, + order_by=BoardRecordOrderBy.CreatedAt, + direction=SQLiteDirection.Ascending, + ) + + user2_board_ids = [b.board_id for b in user2_boards.items] + assert user2_board.board_id in user2_board_ids + assert user1_board.board_id not in user2_board_ids + + def test_user_cannot_access_other_user_board_directly(self, mock_invoker: Invoker): + """Test that users cannot access other users' boards by ID.""" + board_service = mock_invoker.services.boards + user_service = mock_invoker.services.users + + # Create two users + user1_data = UserCreateRequest( + email="user1@example.com", display_name="User 1", password="TestPass123", is_admin=False + ) + user1 = user_service.create(user1_data) + + user2_data = UserCreateRequest( + email="user2@example.com", display_name="User 2", password="TestPass123", is_admin=False + ) + user2 = user_service.create(user2_data) + + # User1 creates a board + user1_board = board_service.create(board_name="User 1 Private Board", user_id=user1.user_id) + + # User2 tries to access user1's board + # The get method should check ownership + try: + retrieved_board = board_service.get(board_id=user1_board.board_id, user_id=user2.user_id) + # If get doesn't check ownership, this test needs to be updated + # or the implementation needs to be fixed + if retrieved_board is not None: + # Board was retrieved - check if it's because of missing authorization check + # This would be a security issue that needs fixing + pytest.fail("User was able to access another user's board without authorization") + except Exception: + # Expected - user2 should not be able to access user1's board + pass + + def test_admin_can_see_all_boards(self, mock_invoker: Invoker): + """Test that admin users can see all boards.""" + board_service = mock_invoker.services.boards + user_service = mock_invoker.services.users + + # Create admin user + admin_data = UserCreateRequest( + email="admin@example.com", display_name="Admin", password="AdminPass123", is_admin=True + ) + admin = user_service.create(admin_data) + + # Create regular user + user_data = UserCreateRequest( + email="user@example.com", display_name="User", password="TestPass123", is_admin=False + ) + user = user_service.create(user_data) + + # User creates a board + board_service.create(board_name="User Board", user_id=user.user_id) + + # Admin creates a board + board_service.create(board_name="Admin Board", user_id=admin.user_id) + + # Admin should be able to get all boards (implementation dependent) + # Note: Current implementation may not have admin override for board listing + # This test documents expected behavior + + +class TestImageDataIsolation: + """Tests for image data isolation between users.""" + + def test_user_images_isolated_from_other_users(self, mock_invoker: Invoker): + """Test that users cannot see other users' images.""" + user_service = mock_invoker.services.users + + # Create two users + user1_data = UserCreateRequest( + email="user1@example.com", display_name="User 1", password="TestPass123", is_admin=False + ) + user_service.create(user1_data) + + user2_data = UserCreateRequest( + email="user2@example.com", display_name="User 2", password="TestPass123", is_admin=False + ) + user_service.create(user2_data) + + # Note: Image service tests would require actual image creation + # which is beyond the scope of basic security testing + # This test documents expected behavior: + # - Images should have user_id field + # - Image queries should filter by user_id + # - Users should not be able to access images by knowing the image_name + + +class TestWorkflowDataIsolation: + """Tests for workflow data isolation between users.""" + + def test_user_workflows_isolated_from_other_users(self, mock_invoker: Invoker): + """Test that users cannot see other users' private workflows.""" + user_service = mock_invoker.services.users + + # Create two users + user1_data = UserCreateRequest( + email="user1@example.com", display_name="User 1", password="TestPass123", is_admin=False + ) + user_service.create(user1_data) + + user2_data = UserCreateRequest( + email="user2@example.com", display_name="User 2", password="TestPass123", is_admin=False + ) + user_service.create(user2_data) + + # Note: Workflow service tests would require workflow creation + # This test documents expected behavior: + # - Workflows should have user_id and is_public fields + # - Private workflows should only be visible to owner + # - Public workflows should be visible to all users + + +class TestQueueDataIsolation: + """Tests for session queue data isolation between users.""" + + def test_user_queue_items_isolated_from_other_users(self, mock_invoker: Invoker): + """Test that users cannot see other users' queue items.""" + user_service = mock_invoker.services.users + + # Create two users + user1_data = UserCreateRequest( + email="user1@example.com", display_name="User 1", password="TestPass123", is_admin=False + ) + user_service.create(user1_data) + + user2_data = UserCreateRequest( + email="user2@example.com", display_name="User 2", password="TestPass123", is_admin=False + ) + user_service.create(user2_data) + + # Note: Queue service tests would require session creation + # This test documents expected behavior: + # - Queue items should have user_id field + # - Users should only see their own queue items + # - Admin should see all queue items + + +class TestSharedBoardAccess: + """Tests for shared board functionality.""" + + @pytest.mark.skip(reason="Shared board functionality not yet fully implemented") + def test_shared_board_access(self, mock_invoker: Invoker): + """Test that users can access boards shared with them.""" + board_service = mock_invoker.services.boards + user_service = mock_invoker.services.users + + # Create two users + user1_data = UserCreateRequest( + email="user1@example.com", display_name="User 1", password="TestPass123", is_admin=False + ) + user1 = user_service.create(user1_data) + + user2_data = UserCreateRequest( + email="user2@example.com", display_name="User 2", password="TestPass123", is_admin=False + ) + user_service.create(user2_data) + + # User1 creates a board + board_service.create(board_name="Shared Board", user_id=user1.user_id) + + # User1 shares the board with user2 + # (This functionality is not yet implemented) + + # User2 should be able to see the shared board + # Expected behavior documented for future implementation + + +class TestAdminAuthorization: + """Tests for admin-only functionality.""" + + def test_regular_user_cannot_create_admin(self, mock_invoker: Invoker): + """Test that regular users cannot create admin accounts.""" + user_service = mock_invoker.services.users + + # Create first admin + admin_data = UserCreateRequest( + email="admin@example.com", display_name="Admin", password="AdminPass123", is_admin=True + ) + user_service.create(admin_data) + + # Try to create another admin (should fail) + with pytest.raises(ValueError, match="already exists"): + another_admin_data = UserCreateRequest( + email="another@example.com", display_name="Another Admin", password="AdminPass123" + ) + user_service.create_admin(another_admin_data) + + def test_regular_user_cannot_list_all_users(self, mock_invoker: Invoker): + """Test that regular users cannot list all users. + + Note: This depends on API endpoint implementation. + At the service level, list_users is available to all callers. + Authorization should be enforced at the API level. + """ + user_service = mock_invoker.services.users + + # Create users + user1_data = UserCreateRequest( + email="user1@example.com", display_name="User 1", password="TestPass123", is_admin=False + ) + user_service.create(user1_data) + + # Service level does not enforce authorization + # API level should check if caller is admin before allowing user listing + user_service.list_users() + # This will succeed at service level - API must enforce auth + + +class TestDataIntegrity: + """Tests for data integrity in multi-user scenarios.""" + + def test_user_deletion_cascades_to_owned_data(self, mock_invoker: Invoker): + """Test that deleting a user also deletes their owned data.""" + user_service = mock_invoker.services.users + board_service = mock_invoker.services.boards + + # Create user + user_data = UserCreateRequest( + email="deleteme@example.com", display_name="Delete Me", password="TestPass123", is_admin=False + ) + user = user_service.create(user_data) + + # User creates a board + board = board_service.create(board_name="My Board", user_id=user.user_id) + + # Delete user + user_service.delete(user.user_id) + + # Board should be deleted too (CASCADE in database) + # Note: get_dto doesn't take user_id parameter, it gets the board by ID only + # We'll check that it raises an exception or returns None after cascade delete + try: + board_service.get_dto(board_id=board.board_id) + # If we get here, the board wasn't deleted - this is a failure + raise AssertionError("Board should have been deleted by CASCADE") + except Exception: + # Expected - board was deleted by CASCADE + pass + + def test_concurrent_user_operations_maintain_isolation(self, mock_invoker: Invoker): + """Test that concurrent operations from different users maintain data isolation. + + This is a basic test - comprehensive concurrency testing would require + multiple threads/processes and more complex scenarios. + """ + user_service = mock_invoker.services.users + board_service = mock_invoker.services.boards + + # Create two users + user1_data = UserCreateRequest( + email="user1@example.com", display_name="User 1", password="TestPass123", is_admin=False + ) + user1 = user_service.create(user1_data) + + user2_data = UserCreateRequest( + email="user2@example.com", display_name="User 2", password="TestPass123", is_admin=False + ) + user2 = user_service.create(user2_data) + + # Both users create boards + user1_board = board_service.create(board_name="User 1 Board", user_id=user1.user_id) + user2_board = board_service.create(board_name="User 2 Board", user_id=user2.user_id) + + # Verify isolation is maintained + user1_boards = board_service.get_many( + user_id=user1.user_id, + is_admin=False, + order_by=BoardRecordOrderBy.CreatedAt, + direction=SQLiteDirection.Ascending, + ) + user2_boards = board_service.get_many( + user_id=user2.user_id, + is_admin=False, + order_by=BoardRecordOrderBy.CreatedAt, + direction=SQLiteDirection.Ascending, + ) + + user1_board_ids = [b.board_id for b in user1_boards.items] + user2_board_ids = [b.board_id for b in user2_boards.items] + + # Each user should only see their own board + assert user1_board.board_id in user1_board_ids + assert user2_board.board_id not in user1_board_ids + + assert user2_board.board_id in user2_board_ids + assert user1_board.board_id not in user2_board_ids diff --git a/tests/app/services/auth/test_password_utils.py b/tests/app/services/auth/test_password_utils.py new file mode 100644 index 00000000000..64fdeb9d424 --- /dev/null +++ b/tests/app/services/auth/test_password_utils.py @@ -0,0 +1,272 @@ +"""Unit tests for password utilities.""" + +from invokeai.app.services.auth.password_utils import hash_password, validate_password_strength, verify_password + + +class TestPasswordHashing: + """Tests for password hashing functionality.""" + + def test_hash_password_returns_different_hash_each_time(self): + """Test that hashing the same password twice produces different hashes (due to salt).""" + password = "TestPassword123" + hash1 = hash_password(password) + hash2 = hash_password(password) + + assert hash1 != hash2 + assert hash1 != password + assert hash2 != password + + def test_hash_password_with_special_characters(self): + """Test hashing passwords with special characters.""" + password = "Test!@#$%^&*()_+{}[]|:;<>?,./~`" + hashed = hash_password(password) + + assert hashed is not None + assert verify_password(password, hashed) + + def test_hash_password_with_unicode(self): + """Test hashing passwords with Unicode characters.""" + password = "Test密码123パスワード" + hashed = hash_password(password) + + assert hashed is not None + assert verify_password(password, hashed) + + def test_hash_password_empty_string(self): + """Test hashing empty password (should work but fail validation).""" + password = "" + hashed = hash_password(password) + + assert hashed is not None + assert verify_password(password, hashed) + + def test_hash_password_very_long(self): + """Test hashing very long passwords (bcrypt has 72 byte limit).""" + # Create a password longer than 72 bytes + password = "A" * 100 + hashed = hash_password(password) + + assert hashed is not None + # Verify with original password + assert verify_password(password, hashed) + # Should also match the truncated version + assert verify_password("A" * 72, hashed) + + def test_hash_password_with_newlines(self): + """Test hashing passwords containing newlines.""" + password = "Test\nPassword\n123" + hashed = hash_password(password) + + assert hashed is not None + assert verify_password(password, hashed) + + +class TestPasswordVerification: + """Tests for password verification functionality.""" + + def test_verify_password_correct(self): + """Test verifying correct password.""" + password = "TestPassword123" + hashed = hash_password(password) + + assert verify_password(password, hashed) is True + + def test_verify_password_incorrect(self): + """Test verifying incorrect password.""" + password = "TestPassword123" + hashed = hash_password(password) + + assert verify_password("WrongPassword123", hashed) is False + + def test_verify_password_case_sensitive(self): + """Test that password verification is case-sensitive.""" + password = "TestPassword123" + hashed = hash_password(password) + + assert verify_password("testpassword123", hashed) is False + assert verify_password("TESTPASSWORD123", hashed) is False + + def test_verify_password_whitespace_sensitive(self): + """Test that whitespace matters in password verification.""" + password = "TestPassword123" + hashed = hash_password(password) + + assert verify_password(" TestPassword123", hashed) is False + assert verify_password("TestPassword123 ", hashed) is False + assert verify_password("Test Password123", hashed) is False + + def test_verify_password_with_special_characters(self): + """Test verifying passwords with special characters.""" + password = "Test!@#$%^&*()_+" + hashed = hash_password(password) + + assert verify_password(password, hashed) is True + assert verify_password("Test!@#$%^&*()_+X", hashed) is False + + def test_verify_password_with_unicode(self): + """Test verifying passwords with Unicode.""" + password = "Test密码123" + hashed = hash_password(password) + + assert verify_password(password, hashed) is True + assert verify_password("Test密码124", hashed) is False + + def test_verify_password_empty_against_hashed(self): + """Test verifying empty password.""" + password = "" + hashed = hash_password(password) + + assert verify_password("", hashed) is True + assert verify_password("notEmpty", hashed) is False + + def test_verify_password_invalid_hash_format(self): + """Test verifying password against invalid hash format.""" + password = "TestPassword123" + + # Should return False for invalid hash, not raise exception + assert verify_password(password, "not_a_valid_hash") is False + assert verify_password(password, "") is False + + +class TestPasswordStrengthValidation: + """Tests for password strength validation.""" + + def test_validate_strong_password(self): + """Test validating a strong password.""" + valid, message = validate_password_strength("StrongPass123") + + assert valid is True + assert message == "" + + def test_validate_password_too_short(self): + """Test validating password shorter than 8 characters.""" + valid, message = validate_password_strength("Short1") + + assert valid is False + assert "at least 8 characters" in message + + def test_validate_password_minimum_length(self): + """Test validating password with exactly 8 characters.""" + valid, message = validate_password_strength("Pass123A") + + assert valid is True + assert message == "" + + def test_validate_password_no_uppercase(self): + """Test validating password without uppercase letters.""" + valid, message = validate_password_strength("lowercase123") + + assert valid is False + assert "uppercase" in message.lower() + + def test_validate_password_no_lowercase(self): + """Test validating password without lowercase letters.""" + valid, message = validate_password_strength("UPPERCASE123") + + assert valid is False + assert "lowercase" in message.lower() + + def test_validate_password_no_digits(self): + """Test validating password without digits.""" + valid, message = validate_password_strength("NoDigitsHere") + + assert valid is False + assert "number" in message.lower() + + def test_validate_password_with_special_characters(self): + """Test that special characters are allowed but not required.""" + # With special characters + valid, message = validate_password_strength("Pass!@#$123") + assert valid is True + + # Without special characters (but meets other requirements) + valid, message = validate_password_strength("Password123") + assert valid is True + + def test_validate_password_with_spaces(self): + """Test validating password with spaces.""" + # Password with spaces that meets requirements + valid, message = validate_password_strength("Pass Word 123") + + assert valid is True + assert message == "" + + def test_validate_password_unicode(self): + """Test validating password with Unicode characters.""" + # Unicode with uppercase, lowercase, and digits + valid, message = validate_password_strength("密码Pass123") + + assert valid is True + + def test_validate_password_empty(self): + """Test validating empty password.""" + valid, message = validate_password_strength("") + + assert valid is False + assert "at least 8 characters" in message + + def test_validate_password_all_requirements_barely_met(self): + """Test password that barely meets all requirements.""" + # 8 chars, 1 upper, 1 lower, 1 digit + valid, message = validate_password_strength("Passwor1") + + assert valid is True + assert message == "" + + def test_validate_password_very_long(self): + """Test validating very long password.""" + # Very long password that meets requirements + password = "A" * 50 + "a" * 50 + "1" * 50 + valid, message = validate_password_strength(password) + + assert valid is True + assert message == "" + + +class TestPasswordSecurityProperties: + """Tests for security properties of password handling.""" + + def test_timing_attack_resistance_same_length(self): + """Test that password verification takes similar time for correct and incorrect passwords. + + Note: This is a basic check. Real timing attack resistance requires more sophisticated testing. + """ + import time + + password = "TestPassword123" + hashed = hash_password(password) + + # Measure time for correct password + start = time.perf_counter() + for _ in range(100): + verify_password(password, hashed) + correct_time = time.perf_counter() - start + + # Measure time for incorrect password of same length + start = time.perf_counter() + for _ in range(100): + verify_password("WrongPassword12", hashed) + incorrect_time = time.perf_counter() - start + + # Times should be relatively similar (within 50% difference) + # This is a loose check as bcrypt is designed to be slow and timing-resistant + ratio = max(correct_time, incorrect_time) / min(correct_time, incorrect_time) + assert ratio < 1.5, "Timing difference too large, potential timing attack vulnerability" + + def test_different_hashes_for_same_password(self): + """Test that the same password produces different hashes (salt randomization).""" + password = "TestPassword123" + hashes = {hash_password(password) for _ in range(10)} + + # All hashes should be unique due to random salt + assert len(hashes) == 10 + + def test_hash_output_format(self): + """Test that hash output follows bcrypt format.""" + password = "TestPassword123" + hashed = hash_password(password) + + # Bcrypt hashes start with $2b$ (or other valid bcrypt identifiers) + assert hashed.startswith("$2") + # Bcrypt hashes are 60 characters long + assert len(hashed) == 60 diff --git a/tests/app/services/auth/test_performance.py b/tests/app/services/auth/test_performance.py new file mode 100644 index 00000000000..ad033ac84cd --- /dev/null +++ b/tests/app/services/auth/test_performance.py @@ -0,0 +1,474 @@ +"""Performance tests for multiuser authentication system. + +These tests measure the performance overhead of authentication and +ensure the system performs acceptably under load. +""" + +import time +from concurrent.futures import ThreadPoolExecutor, as_completed +from logging import Logger + +import pytest + +from invokeai.app.services.auth.password_utils import hash_password, verify_password +from invokeai.app.services.auth.token_service import TokenData, create_access_token, verify_token +from invokeai.app.services.shared.sqlite.sqlite_database import SqliteDatabase +from invokeai.app.services.users.users_common import UserCreateRequest +from invokeai.app.services.users.users_default import UserService + + +@pytest.fixture +def logger() -> Logger: + """Create a logger for testing.""" + return Logger("test_performance") + + +@pytest.fixture +def user_service(logger: Logger) -> UserService: + """Create a user service with in-memory database for testing.""" + db = SqliteDatabase(db_path=None, logger=logger, verbose=False) + + # Create users table + db._conn.execute(""" + CREATE TABLE users ( + user_id TEXT NOT NULL PRIMARY KEY, + email TEXT NOT NULL UNIQUE, + display_name TEXT, + password_hash TEXT NOT NULL, + is_admin BOOLEAN NOT NULL DEFAULT FALSE, + is_active BOOLEAN NOT NULL DEFAULT TRUE, + created_at DATETIME NOT NULL DEFAULT(STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')), + updated_at DATETIME NOT NULL DEFAULT(STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')), + last_login_at DATETIME + ); + """) + db._conn.commit() + + return UserService(db) + + +class TestPasswordPerformance: + """Tests for password hashing and verification performance.""" + + def test_password_hashing_performance(self): + """Test that password hashing completes in reasonable time. + + bcrypt is intentionally slow for security. Each hash should take + approximately 50-100ms on modern hardware. + """ + password = "TestPassword123" + iterations = 10 + + start_time = time.time() + for _ in range(iterations): + hash_password(password) + elapsed_time = time.time() - start_time + + avg_time_ms = (elapsed_time / iterations) * 1000 + + # Each hash should take between 10ms and 500ms + # (bcrypt is designed to be slow, 50-100ms is typical) + assert 10 < avg_time_ms < 500, f"Password hashing took {avg_time_ms:.2f}ms per hash" + + # Log performance for reference + print(f"\nPassword hashing performance: {avg_time_ms:.2f}ms per hash") + + def test_password_verification_performance(self): + """Test that password verification completes in reasonable time.""" + password = "TestPassword123" + hashed = hash_password(password) + iterations = 10 + + start_time = time.time() + for _ in range(iterations): + verify_password(password, hashed) + elapsed_time = time.time() - start_time + + avg_time_ms = (elapsed_time / iterations) * 1000 + + # Verification should take similar time to hashing + assert 10 < avg_time_ms < 500, f"Password verification took {avg_time_ms:.2f}ms per verification" + + print(f"Password verification performance: {avg_time_ms:.2f}ms per verification") + + def test_concurrent_password_operations(self): + """Test password operations under concurrent load.""" + password = "TestPassword123" + num_operations = 20 + + def hash_and_verify(): + hashed = hash_password(password) + return verify_password(password, hashed) + + start_time = time.time() + + with ThreadPoolExecutor(max_workers=4) as executor: + futures = [executor.submit(hash_and_verify) for _ in range(num_operations)] + + results = [future.result() for future in as_completed(futures)] + + elapsed_time = time.time() - start_time + + # All operations should succeed + assert all(results) + + # Total time should be less than sequential time due to parallelization + print(f"Concurrent password operations ({num_operations}): {elapsed_time:.2f}s total") + + +class TestTokenPerformance: + """Tests for JWT token performance.""" + + def test_token_creation_performance(self): + """Test that token creation is fast.""" + token_data = TokenData( + user_id="user123", + email="test@example.com", + is_admin=False, + ) + + iterations = 1000 + + start_time = time.time() + for _ in range(iterations): + create_access_token(token_data) + elapsed_time = time.time() - start_time + + avg_time_ms = (elapsed_time / iterations) * 1000 + + # Token creation should be very fast (< 1ms per token) + assert avg_time_ms < 1.0, f"Token creation took {avg_time_ms:.3f}ms per token" + + print(f"\nToken creation performance: {avg_time_ms:.3f}ms per token") + + def test_token_verification_performance(self): + """Test that token verification is fast.""" + token_data = TokenData( + user_id="user123", + email="test@example.com", + is_admin=False, + ) + + token = create_access_token(token_data) + iterations = 1000 + + start_time = time.time() + for _ in range(iterations): + verify_token(token) + elapsed_time = time.time() - start_time + + avg_time_ms = (elapsed_time / iterations) * 1000 + + # Token verification should be very fast (< 1ms per verification) + assert avg_time_ms < 1.0, f"Token verification took {avg_time_ms:.3f}ms per verification" + + print(f"Token verification performance: {avg_time_ms:.3f}ms per verification") + + def test_concurrent_token_operations(self): + """Test token operations under concurrent load.""" + token_data = TokenData( + user_id="user123", + email="test@example.com", + is_admin=False, + ) + + num_operations = 1000 + + def create_and_verify(): + token = create_access_token(token_data) + verified = verify_token(token) + return verified is not None + + start_time = time.time() + + with ThreadPoolExecutor(max_workers=10) as executor: + futures = [executor.submit(create_and_verify) for _ in range(num_operations)] + + results = [future.result() for future in as_completed(futures)] + + elapsed_time = time.time() - start_time + + # All operations should succeed + assert all(results) + + ops_per_second = num_operations / elapsed_time + print(f"Concurrent token operations: {ops_per_second:.0f} ops/second") + + # Should handle at least 1000 operations per second + assert ops_per_second > 1000, f"Only {ops_per_second:.0f} ops/second" + + +class TestAuthenticationOverhead: + """Tests for overall authentication system overhead.""" + + def test_login_flow_performance(self, user_service: UserService): + """Test complete login flow performance.""" + # Create a user + user_data = UserCreateRequest( + email="perf@example.com", + display_name="Performance Test", + password="TestPass123", + is_admin=False, + ) + user_service.create(user_data) + + iterations = 10 + + start_time = time.time() + for _ in range(iterations): + # Simulate login flow + user = user_service.authenticate("perf@example.com", "TestPass123") + assert user is not None + + # Create token + token_data = TokenData( + user_id=user.user_id, + email=user.email, + is_admin=user.is_admin, + ) + token = create_access_token(token_data) + + # Verify token + verified = verify_token(token) + assert verified is not None + + elapsed_time = time.time() - start_time + avg_time_ms = (elapsed_time / iterations) * 1000 + + # Complete login flow should complete in reasonable time + # Most of the time is spent on password verification (50-100ms) + assert avg_time_ms < 500, f"Login flow took {avg_time_ms:.2f}ms" + + print(f"\nComplete login flow performance: {avg_time_ms:.2f}ms per login") + + def test_token_verification_overhead(self): + """Measure overhead of token verification vs no auth.""" + token_data = TokenData( + user_id="user123", + email="test@example.com", + is_admin=False, + ) + + token = create_access_token(token_data) + iterations = 10000 + + # Measure token verification time + start_time = time.time() + for _ in range(iterations): + verify_token(token) + verification_time = time.time() - start_time + + # Measure baseline (minimal operation) + start_time = time.time() + for _ in range(iterations): + # Simulate minimal auth check + _ = token is not None + baseline_time = time.time() - start_time + + overhead_ms = ((verification_time - baseline_time) / iterations) * 1000 + + # Overhead should be minimal (< 0.1ms per request) + assert overhead_ms < 0.1, f"Token verification adds {overhead_ms:.4f}ms overhead per request" + + print(f"Token verification overhead: {overhead_ms:.4f}ms per request") + + +class TestUserServicePerformance: + """Tests for user service performance.""" + + def test_user_creation_performance(self, user_service: UserService): + """Test user creation performance.""" + iterations = 10 + + start_time = time.time() + for i in range(iterations): + user_data = UserCreateRequest( + email=f"user{i}@example.com", + display_name=f"User {i}", + password="TestPass123", + is_admin=False, + ) + user_service.create(user_data) + elapsed_time = time.time() - start_time + + avg_time_ms = (elapsed_time / iterations) * 1000 + + # User creation includes password hashing, so should be ~50-150ms + assert avg_time_ms < 500, f"User creation took {avg_time_ms:.2f}ms per user" + + print(f"\nUser creation performance: {avg_time_ms:.2f}ms per user") + + def test_user_lookup_performance(self, user_service: UserService): + """Test user lookup performance.""" + # Create some users + for i in range(10): + user_data = UserCreateRequest( + email=f"lookup{i}@example.com", + display_name=f"Lookup User {i}", + password="TestPass123", + is_admin=False, + ) + user_service.create(user_data) + + iterations = 1000 + + # Test lookup by email + start_time = time.time() + for _ in range(iterations): + user_service.get_by_email("lookup5@example.com") + elapsed_time = time.time() - start_time + + avg_time_ms = (elapsed_time / iterations) * 1000 + + # Lookup should be fast (< 1ms with proper indexing) + assert avg_time_ms < 5.0, f"User lookup took {avg_time_ms:.3f}ms per lookup" + + print(f"User lookup by email performance: {avg_time_ms:.3f}ms per lookup") + + def test_user_list_performance(self, user_service: UserService): + """Test user list performance with many users.""" + # Create many users + num_users = 100 + + for i in range(num_users): + user_data = UserCreateRequest( + email=f"listuser{i}@example.com", + display_name=f"List User {i}", + password="TestPass123", + is_admin=False, + ) + user_service.create(user_data) + + # Test listing users + iterations = 10 + + start_time = time.time() + for _ in range(iterations): + user_service.list_users(limit=50) + elapsed_time = time.time() - start_time + + avg_time_ms = (elapsed_time / iterations) * 1000 + + # Listing users should be fast (< 10ms for reasonable page size) + assert avg_time_ms < 50.0, f"User listing took {avg_time_ms:.2f}ms" + + print(f"User listing performance (50 users): {avg_time_ms:.2f}ms per query") + + +class TestConcurrentUserSessions: + """Tests for concurrent user session handling.""" + + def test_multiple_concurrent_logins(self, user_service: UserService): + """Test handling multiple concurrent user logins.""" + # Create test users + num_users = 20 + for i in range(num_users): + user_data = UserCreateRequest( + email=f"concurrent{i}@example.com", + display_name=f"Concurrent User {i}", + password="TestPass123", + is_admin=False, + ) + user_service.create(user_data) + + def authenticate_user(user_index: int): + # Authenticate + user = user_service.authenticate(f"concurrent{user_index}@example.com", "TestPass123") + if user is None: + return False + + # Create token + token_data = TokenData( + user_id=user.user_id, + email=user.email, + is_admin=user.is_admin, + ) + token = create_access_token(token_data) + + # Verify token + verified = verify_token(token) + return verified is not None + + start_time = time.time() + + # Simulate concurrent logins + with ThreadPoolExecutor(max_workers=10) as executor: + futures = [executor.submit(authenticate_user, i) for i in range(num_users)] + + results = [future.result() for future in as_completed(futures)] + + elapsed_time = time.time() - start_time + + # All logins should succeed + assert all(results), "Some concurrent logins failed" + + print(f"\nConcurrent logins ({num_users} users): {elapsed_time:.2f}s total") + + # Should complete in reasonable time + assert elapsed_time < 10.0, f"Concurrent logins took {elapsed_time:.2f}s" + + +@pytest.mark.slow +class TestScalabilityBenchmarks: + """Scalability benchmarks (marked as slow tests).""" + + def test_authentication_under_load(self, user_service: UserService): + """Test authentication system under sustained load.""" + # Create test users + num_users = 50 + for i in range(num_users): + user_data = UserCreateRequest( + email=f"load{i}@example.com", + display_name=f"Load User {i}", + password="TestPass123", + is_admin=False, + ) + user_service.create(user_data) + + def simulate_user_activity(user_index: int, num_requests: int): + success_count = 0 + for _ in range(num_requests): + # Authenticate + user = user_service.authenticate(f"load{user_index}@example.com", "TestPass123") + if user is None: + continue + + # Create and verify token + token_data = TokenData(user_id=user.user_id, email=user.email, is_admin=user.is_admin) + token = create_access_token(token_data) + verified = verify_token(token) + + if verified is not None: + success_count += 1 + + return success_count + + # Simulate sustained load + requests_per_user = 5 + total_requests = num_users * requests_per_user + + start_time = time.time() + + with ThreadPoolExecutor(max_workers=10) as executor: + futures = [executor.submit(simulate_user_activity, i, requests_per_user) for i in range(num_users)] + + success_counts = [future.result() for future in as_completed(futures)] + + elapsed_time = time.time() - start_time + + total_success = sum(success_counts) + success_rate = (total_success / total_requests) * 100 + requests_per_second = total_requests / elapsed_time + + print("\nLoad test results:") + print(f" Total requests: {total_requests}") + print(f" Success rate: {success_rate:.1f}%") + print(f" Requests/second: {requests_per_second:.0f}") + print(f" Total time: {elapsed_time:.2f}s") + + # Should maintain high success rate under load + assert success_rate > 95.0, f"Success rate only {success_rate:.1f}%" + + # Should handle reasonable throughput + # Note: This is limited by bcrypt hashing speed + assert requests_per_second > 5.0, f"Only {requests_per_second:.1f} req/s" diff --git a/tests/app/services/auth/test_security.py b/tests/app/services/auth/test_security.py new file mode 100644 index 00000000000..4864352a01a --- /dev/null +++ b/tests/app/services/auth/test_security.py @@ -0,0 +1,459 @@ +"""Security tests for multiuser authentication system. + +This module tests various security aspects including: +- SQL injection prevention +- Authorization bypass attempts +- Session security +- Input validation +""" + +import os +from pathlib import Path +from typing import Any + +import pytest +from fastapi.testclient import TestClient + +from invokeai.app.api.dependencies import ApiDependencies +from invokeai.app.api_app import app +from invokeai.app.services.invoker import Invoker +from invokeai.app.services.users.users_common import UserCreateRequest + + +@pytest.fixture(autouse=True, scope="module") +def client(invokeai_root_dir: Path) -> TestClient: + """Create a test client for the FastAPI app.""" + os.environ["INVOKEAI_ROOT"] = invokeai_root_dir.as_posix() + return TestClient(app) + + +@pytest.fixture(autouse=True) +def enable_multiuser_for_auth_tests(mock_invoker: Invoker) -> None: + """Enable multiuser mode for auth tests. + + Auth tests need multiuser mode enabled since the login/setup endpoints + return 403 when multiuser is disabled. + """ + mock_invoker.services.configuration.multiuser = True + + +class MockApiDependencies(ApiDependencies): + """Mock API dependencies for testing.""" + + invoker: Invoker + + def __init__(self, invoker) -> None: + self.invoker = invoker + + +def setup_test_user(mock_invoker: Invoker, email: str = "test@example.com", password: str = "TestPass123") -> str: + """Helper to create a test user and return user_id.""" + user_service = mock_invoker.services.users + user_data = UserCreateRequest( + email=email, + display_name="Test User", + password=password, + is_admin=False, + ) + user = user_service.create(user_data) + return user.user_id + + +def setup_test_admin(mock_invoker: Invoker, email: str = "admin@example.com", password: str = "AdminPass123") -> str: + """Helper to create a test admin user and return user_id.""" + user_service = mock_invoker.services.users + user_data = UserCreateRequest( + email=email, + display_name="Admin User", + password=password, + is_admin=True, + ) + user = user_service.create(user_data) + return user.user_id + + +class TestSQLInjectionPrevention: + """Tests to ensure SQL injection attacks are prevented.""" + + def test_login_sql_injection_in_email(self, monkeypatch: Any, mock_invoker: Invoker, client: TestClient): + """Test that SQL injection in email field is prevented.""" + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + + # Create a legitimate user first + setup_test_user(mock_invoker, "legitimate@example.com", "TestPass123") + + # Try SQL injection in email field + sql_injection_attempts = [ + "' OR '1'='1", + "admin' --", + "' OR 1=1 --", + "'; DROP TABLE users; --", + "' UNION SELECT * FROM users --", + ] + + for injection_attempt in sql_injection_attempts: + response = client.post( + "/api/v1/auth/login", + json={ + "email": injection_attempt, + "password": "TestPass123", + "remember_me": False, + }, + ) + + # Should return 401 (invalid credentials) or 422 (validation error) + # Both are acceptable - the important thing is no SQL injection occurs + assert response.status_code in [401, 422], f"SQL injection attempt should be rejected: {injection_attempt}" + # Should NOT return 200 (success) or 500 (server error) + assert response.status_code != 200, f"SQL injection should not succeed: {injection_attempt}" + assert response.status_code != 500, f"SQL injection should not cause server error: {injection_attempt}" + + def test_login_sql_injection_in_password(self, monkeypatch: Any, mock_invoker: Invoker, client: TestClient): + """Test that SQL injection in password field is prevented.""" + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + + # Create a legitimate user + setup_test_user(mock_invoker, "test@example.com", "TestPass123") + + # Try SQL injection in password field + sql_injection_attempts = [ + "' OR '1'='1", + "anything' OR '1'='1' --", + "' OR 1=1; DROP TABLE users; --", + ] + + for injection_attempt in sql_injection_attempts: + response = client.post( + "/api/v1/auth/login", + json={ + "email": "test@example.com", + "password": injection_attempt, + "remember_me": False, + }, + ) + + # Should fail authentication + assert response.status_code == 401, f"SQL injection attempt should be rejected: {injection_attempt}" + + def test_user_service_sql_injection_in_email(self, mock_invoker: Invoker): + """Test that user service prevents SQL injection in email lookups.""" + user_service = mock_invoker.services.users + + # Create a test user + setup_test_user(mock_invoker, "test@example.com", "TestPass123") + + # Try SQL injection in get_by_email + sql_injection_attempts = [ + "test@example.com' OR '1'='1", + "' OR 1=1 --", + "test@example.com'; DROP TABLE users; --", + ] + + for injection_attempt in sql_injection_attempts: + # Should return None (not found), not raise an error or return wrong user + user = user_service.get_by_email(injection_attempt) + assert user is None, f"SQL injection should not return a user: {injection_attempt}" + + +class TestAuthorizationBypass: + """Tests to ensure authorization cannot be bypassed.""" + + def test_cannot_access_protected_endpoint_without_token(self, client: TestClient): + """Test that protected endpoints require authentication.""" + # Try to access protected endpoint without token + response = client.get("/api/v1/auth/me") + + assert response.status_code == 401 + + def test_cannot_access_protected_endpoint_with_invalid_token( + self, monkeypatch: Any, mock_invoker: Invoker, client: TestClient + ): + """Test that invalid tokens are rejected.""" + monkeypatch.setattr("invokeai.app.api.auth_dependencies.ApiDependencies", MockApiDependencies(mock_invoker)) + + invalid_tokens = [ + "invalid_token", + "Bearer invalid_token", + "", + "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.invalid.signature", + ] + + for token in invalid_tokens: + response = client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {token}"}) + + assert response.status_code == 401, f"Invalid token should be rejected: {token}" + + def test_cannot_forge_admin_token(self, monkeypatch: Any, mock_invoker: Invoker, client: TestClient): + """Test that admin privileges cannot be forged by modifying tokens.""" + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + monkeypatch.setattr("invokeai.app.api.auth_dependencies.ApiDependencies", MockApiDependencies(mock_invoker)) + + # Create a regular user and login + setup_test_user(mock_invoker, "regular@example.com", "TestPass123") + + login_response = client.post( + "/api/v1/auth/login", + json={ + "email": "regular@example.com", + "password": "TestPass123", + "remember_me": False, + }, + ) + + token = login_response.json()["token"] + + # Try to modify the token to gain admin privileges + # (In practice, this should fail signature verification) + parts = token.split(".") + if len(parts) == 3: + # Decode the payload, modify it, and re-encode + import base64 + import json + + # Add padding if necessary + payload_b64 = parts[1] + padding = 4 - len(payload_b64) % 4 + if padding != 4: + payload_b64 += "=" * padding + + # Decode payload + try: + payload_bytes = base64.urlsafe_b64decode(payload_b64) + payload_data = json.loads(payload_bytes) + + # Modify is_admin to true + payload_data["is_admin"] = True + + # Re-encode + modified_payload_bytes = json.dumps(payload_data).encode() + modified_payload_b64 = base64.urlsafe_b64encode(modified_payload_bytes).decode().rstrip("=") + + # Create forged token with modified payload but original signature + modified_token = f"{parts[0]}.{modified_payload_b64}.{parts[2]}" + + # Attempt to use modified token + response = client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {modified_token}"}) + + # Should be rejected (invalid signature) + assert response.status_code == 401 + except Exception: + # If we can't decode/modify the token, that's fine - just skip this part of the test + pass + + def test_regular_user_cannot_create_admin(self, monkeypatch: Any, mock_invoker: Invoker, client: TestClient): + """Test that regular users cannot create admin users.""" + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + monkeypatch.setattr("invokeai.app.api.auth_dependencies.ApiDependencies", MockApiDependencies(mock_invoker)) + + # This test would require user management endpoints to be implemented + # For now, we test at the service level + user_service = mock_invoker.services.users + + # Create a regular user + regular_user_data = UserCreateRequest( + email="regular@example.com", + display_name="Regular User", + password="TestPass123", + is_admin=False, + ) + user_service.create(regular_user_data) + + # Try to create an admin user (should only be possible through setup or by existing admin) + # The create_admin method checks if an admin already exists + admin_data = UserCreateRequest( + email="sneaky@example.com", + display_name="Sneaky Admin", + password="TestPass123", + ) + + # First create an actual admin + setup_test_admin(mock_invoker, "realadmin@example.com", "AdminPass123") + + # Now trying to create another admin should fail + with pytest.raises(ValueError, match="already exists"): + user_service.create_admin(admin_data) + + +class TestSessionSecurity: + """Tests for session and token security.""" + + def test_token_expires_after_time(self, monkeypatch: Any, mock_invoker: Invoker, client: TestClient): + """Test that tokens expire after their validity period.""" + from datetime import timedelta + + from invokeai.app.services.auth.token_service import TokenData, create_access_token + + # Create a token that expires quickly + token_data = TokenData( + user_id="user123", + email="test@example.com", + is_admin=False, + ) + + # Create token with 10 millisecond expiration + expired_token = create_access_token(token_data, expires_delta=timedelta(milliseconds=10)) + + # Wait for expiration (wait longer than expiration time) + import time + + time.sleep(0.02) + + monkeypatch.setattr("invokeai.app.api.auth_dependencies.ApiDependencies", MockApiDependencies(mock_invoker)) + + # Try to use expired token + response = client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {expired_token}"}) + + assert response.status_code == 401 + + def test_logout_invalidates_session(self, monkeypatch: Any, mock_invoker: Invoker, client: TestClient): + """Test that logout invalidates the session. + + Note: Current implementation uses JWT which is stateless. + This test documents expected behavior for future server-side session tracking. + """ + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + monkeypatch.setattr("invokeai.app.api.auth_dependencies.ApiDependencies", MockApiDependencies(mock_invoker)) + + # Create user and login + setup_test_user(mock_invoker, "test@example.com", "TestPass123") + + login_response = client.post( + "/api/v1/auth/login", + json={ + "email": "test@example.com", + "password": "TestPass123", + "remember_me": False, + }, + ) + + token = login_response.json()["token"] + + # Logout + logout_response = client.post("/api/v1/auth/logout", headers={"Authorization": f"Bearer {token}"}) + + assert logout_response.status_code == 200 + + # Note: With JWT, the token is still technically valid until expiration + # For true session invalidation, server-side session tracking would be needed + + +class TestInputValidation: + """Tests for input validation and sanitization.""" + + def test_email_validation_on_login(self, monkeypatch: Any, mock_invoker: Invoker, client: TestClient): + """Test that email validation is enforced on login.""" + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + + # Invalid email formats should be rejected by pydantic validation + invalid_emails = [ + "not_an_email", + "@example.com", + "user@", + "user @example.com", # space in email + "../../../etc/passwd", # path traversal attempt + ] + + for invalid_email in invalid_emails: + response = client.post( + "/api/v1/auth/login", + json={ + "email": invalid_email, + "password": "TestPass123", + "remember_me": False, + }, + ) + + # Should return 422 (validation error) or 401 (invalid credentials) + assert response.status_code in [401, 422], f"Invalid email should be rejected: {invalid_email}" + + def test_xss_prevention_in_user_data(self, mock_invoker: Invoker): + """Test that XSS attempts in user data are handled safely. + + Note: Database storage uses parameterized queries which prevent XSS. + This test ensures data is stored and retrieved without executing scripts. + """ + user_service = mock_invoker.services.users + + # Try to create user with XSS payload in display name + xss_payloads = [ + "", + "'; alert('xss'); //", + "", + ] + + for payload in xss_payloads: + user_data = UserCreateRequest( + email=f"xss{hash(payload)}@example.com", # unique email + display_name=payload, + password="TestPass123", + is_admin=False, + ) + + # Should not raise an error - data is stored as-is + user = user_service.create(user_data) + + # Verify data is stored exactly as provided (not executed or modified) + assert user.display_name == payload + + # Cleanup + user_service.delete(user.user_id) + + def test_path_traversal_prevention(self, mock_invoker: Invoker): + """Test that path traversal attempts in user input are handled.""" + user_service = mock_invoker.services.users + + # Path traversal attempts + path_traversal_attempts = [ + "../../../etc/passwd", + "..\\..\\..\\windows\\system32", + "user/../../../secret", + ] + + for attempt in path_traversal_attempts: + # These should be stored as literal strings, not interpreted as paths + user_data = UserCreateRequest( + email=f"path{hash(attempt)}@example.com", + display_name=attempt, + password="TestPass123", + is_admin=False, + ) + + user = user_service.create(user_data) + assert user.display_name == attempt + + # Cleanup + user_service.delete(user.user_id) + + +class TestRateLimiting: + """Tests for rate limiting and brute force protection. + + Note: Rate limiting is not currently implemented in the codebase. + These tests document expected behavior for future implementation. + """ + + @pytest.mark.skip(reason="Rate limiting not yet implemented") + def test_login_rate_limiting(self, monkeypatch: Any, mock_invoker: Invoker, client: TestClient): + """Test that excessive login attempts are rate limited.""" + monkeypatch.setattr("invokeai.app.api.routers.auth.ApiDependencies", MockApiDependencies(mock_invoker)) + + setup_test_user(mock_invoker, "test@example.com", "TestPass123") + + # Try many login attempts with wrong password + for i in range(20): + response = client.post( + "/api/v1/auth/login", + json={ + "email": "test@example.com", + "password": "WrongPassword", + "remember_me": False, + }, + ) + + if i < 10: + # First attempts should return 401 + assert response.status_code == 401 + else: + # After many attempts, should be rate limited (429) + # This is expected behavior for future implementation + pass diff --git a/tests/app/services/auth/test_token_service.py b/tests/app/services/auth/test_token_service.py new file mode 100644 index 00000000000..907da1ae7e0 --- /dev/null +++ b/tests/app/services/auth/test_token_service.py @@ -0,0 +1,371 @@ +"""Unit tests for JWT token service.""" + +import time +from datetime import timedelta + +import pytest + +from invokeai.app.services.auth.token_service import TokenData, create_access_token, set_jwt_secret, verify_token + + +@pytest.fixture(scope="module", autouse=True) +def setup_jwt_secret(): + """Set up JWT secret for all tests in this module.""" + # Use a test secret key + set_jwt_secret("test-secret-key-for-unit-tests-only-do-not-use-in-production") + + +# Minimum token length to safely modify middle characters for testing +# JWT tokens have format header.payload.signature and are typically >180 characters +MIN_TOKEN_LENGTH_FOR_MODIFICATION = 50 + +# Minimum signature length to safely modify middle characters for testing +# JWT signatures are typically 43 characters (base64-encoded HMAC-SHA256) +MIN_SIGNATURE_LENGTH_FOR_MODIFICATION = 10 + + +class TestTokenCreation: + """Tests for JWT token creation.""" + + def test_create_access_token_basic(self): + """Test creating a basic access token.""" + token_data = TokenData( + user_id="user123", + email="test@example.com", + is_admin=False, + ) + + token = create_access_token(token_data) + + assert token is not None + assert isinstance(token, str) + assert len(token) > 0 + + def test_create_access_token_with_expiration(self): + """Test creating token with custom expiration.""" + token_data = TokenData( + user_id="user123", + email="test@example.com", + is_admin=False, + ) + + token = create_access_token(token_data, expires_delta=timedelta(hours=1)) + + assert token is not None + # Verify token is valid + verified_data = verify_token(token) + assert verified_data is not None + assert verified_data.user_id == "user123" + + def test_create_access_token_admin_user(self): + """Test creating token for admin user.""" + token_data = TokenData( + user_id="admin123", + email="admin@example.com", + is_admin=True, + ) + + token = create_access_token(token_data) + verified_data = verify_token(token) + + assert verified_data is not None + assert verified_data.is_admin is True + + def test_create_access_token_preserves_all_data(self): + """Test that all token data is preserved.""" + token_data = TokenData( + user_id="user_with_complex_id_12345", + email="complex.email+tag@example.com", + is_admin=False, + ) + + token = create_access_token(token_data) + verified_data = verify_token(token) + + assert verified_data is not None + assert verified_data.user_id == token_data.user_id + assert verified_data.email == token_data.email + assert verified_data.is_admin == token_data.is_admin + + def test_create_access_token_different_each_time(self): + """Test that creating token with same data produces different tokens (due to timestamps).""" + token_data = TokenData( + user_id="user123", + email="test@example.com", + is_admin=False, + ) + + # Create tokens with different expiration times to ensure uniqueness + token1 = create_access_token(token_data, expires_delta=timedelta(hours=1)) + token2 = create_access_token(token_data, expires_delta=timedelta(hours=2)) + + # Tokens should be different due to different exp timestamps + assert token1 != token2 + + +class TestTokenVerification: + """Tests for JWT token verification.""" + + def test_verify_valid_token(self): + """Test verifying a valid token.""" + token_data = TokenData( + user_id="user123", + email="test@example.com", + is_admin=False, + ) + + token = create_access_token(token_data) + verified_data = verify_token(token) + + assert verified_data is not None + assert verified_data.user_id == "user123" + assert verified_data.email == "test@example.com" + assert verified_data.is_admin is False + + def test_verify_invalid_token(self): + """Test verifying an invalid token.""" + verified_data = verify_token("invalid_token_string") + + assert verified_data is None + + def test_verify_malformed_token(self): + """Test verifying malformed tokens.""" + malformed_tokens = [ + "", + "not.a.token", + "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.invalid", + "header.payload", # Missing signature + ] + + for token in malformed_tokens: + verified_data = verify_token(token) + assert verified_data is None, f"Should reject malformed token: {token}" + + def test_verify_expired_token(self): + """Test verifying an expired token.""" + token_data = TokenData( + user_id="user123", + email="test@example.com", + is_admin=False, + ) + + # Create token that expires in 100 milliseconds (0.1 seconds) + token = create_access_token(token_data, expires_delta=timedelta(milliseconds=100)) + + # Wait for token to expire (wait longer than expiration - 200ms to be safe) + time.sleep(0.2) + + # Token should be invalid now + verified_data = verify_token(token) + assert verified_data is None + + def test_verify_token_with_modified_payload(self): + """Test that tokens with modified payloads are rejected.""" + token_data = TokenData( + user_id="user123", + email="test@example.com", + is_admin=False, + ) + + token = create_access_token(token_data) + + # Try to modify the token by changing a character in the middle + # JWT tokens are base64 encoded, so changing any character should invalidate the signature + # Note: We change a character in the middle to avoid Base64 padding issues where + # the last character might not affect the decoded value + if len(token) > MIN_TOKEN_LENGTH_FOR_MODIFICATION: + mid = len(token) // 2 + modified_token = token[:mid] + ("X" if token[mid] != "X" else "Y") + token[mid + 1 :] + verified_data = verify_token(modified_token) + assert verified_data is None + + def test_verify_token_preserves_admin_status(self): + """Test that admin status is correctly preserved through token lifecycle.""" + # Test with regular user + token_data = TokenData( + user_id="user123", + email="user@example.com", + is_admin=False, + ) + token = create_access_token(token_data) + verified = verify_token(token) + assert verified is not None + assert verified.is_admin is False + + # Test with admin user + admin_token_data = TokenData( + user_id="admin123", + email="admin@example.com", + is_admin=True, + ) + admin_token = create_access_token(admin_token_data) + admin_verified = verify_token(admin_token) + assert admin_verified is not None + assert admin_verified.is_admin is True + + +class TestTokenExpiration: + """Tests for token expiration handling.""" + + def test_token_not_expired_immediately(self): + """Test that freshly created token is not expired.""" + token_data = TokenData( + user_id="user123", + email="test@example.com", + is_admin=False, + ) + + token = create_access_token(token_data, expires_delta=timedelta(hours=1)) + verified_data = verify_token(token) + + assert verified_data is not None + + def test_token_with_long_expiration(self): + """Test token with long expiration time.""" + token_data = TokenData( + user_id="user123", + email="test@example.com", + is_admin=False, + ) + + # Create token that expires in 7 days + token = create_access_token(token_data, expires_delta=timedelta(days=7)) + verified_data = verify_token(token) + + assert verified_data is not None + assert verified_data.user_id == "user123" + + def test_token_with_short_expiration_not_expired(self): + """Test token with short but not yet expired time.""" + token_data = TokenData( + user_id="user123", + email="test@example.com", + is_admin=False, + ) + + # Create token that expires in 1 second + token = create_access_token(token_data, expires_delta=timedelta(seconds=1)) + + # Immediately verify - should still be valid + verified_data = verify_token(token) + assert verified_data is not None + + +class TestTokenDataModel: + """Tests for TokenData model.""" + + def test_token_data_creation(self): + """Test creating TokenData instance.""" + token_data = TokenData( + user_id="user123", + email="test@example.com", + is_admin=False, + ) + + assert token_data.user_id == "user123" + assert token_data.email == "test@example.com" + assert token_data.is_admin is False + + def test_token_data_with_admin(self): + """Test TokenData for admin user.""" + token_data = TokenData( + user_id="admin123", + email="admin@example.com", + is_admin=True, + ) + + assert token_data.is_admin is True + + def test_token_data_model_dump(self): + """Test that TokenData can be serialized.""" + token_data = TokenData( + user_id="user123", + email="test@example.com", + is_admin=False, + ) + + data_dict = token_data.model_dump() + + assert isinstance(data_dict, dict) + assert data_dict["user_id"] == "user123" + assert data_dict["email"] == "test@example.com" + assert data_dict["is_admin"] is False + + +class TestTokenSecurity: + """Tests for token security properties.""" + + def test_token_signature_verification(self): + """Test that token signature is verified.""" + token_data = TokenData( + user_id="user123", + email="test@example.com", + is_admin=False, + ) + + token = create_access_token(token_data) + + # Token should verify correctly + assert verify_token(token) is not None + + # Modified token should fail verification + if len(token) > MIN_TOKEN_LENGTH_FOR_MODIFICATION: + # Change a character in the signature part (last part of JWT) + parts = token.split(".") + if len(parts) == 3 and len(parts[2]) > MIN_SIGNATURE_LENGTH_FOR_MODIFICATION: + # Modify a character in the middle of the signature to avoid Base64 padding issues + # where the last few characters might not affect the decoded value + mid = len(parts[2]) // 2 + modified_signature = parts[2][:mid] + ("X" if parts[2][mid] != "X" else "Y") + parts[2][mid + 1 :] + modified_token = f"{parts[0]}.{parts[1]}.{modified_signature}" + assert verify_token(modified_token) is None + + def test_cannot_forge_admin_token(self): + """Test that admin status cannot be forged by modifying token.""" + token_data = TokenData( + user_id="user123", + email="test@example.com", + is_admin=False, + ) + + token = create_access_token(token_data) + + # Any modification to the token should invalidate it + # This prevents attackers from changing is_admin=false to is_admin=true + parts = token.split(".") + if len(parts) == 3: + # Try to modify the payload + modified_payload = parts[1][:-1] + ("X" if parts[1][-1] != "X" else "Y") + modified_token = f"{parts[0]}.{modified_payload}.{parts[2]}" + + verified_data = verify_token(modified_token) + # Modified token should be rejected + assert verified_data is None + + def test_token_uses_strong_algorithm(self): + """Test that token uses secure algorithm (HS256).""" + token_data = TokenData( + user_id="user123", + email="test@example.com", + is_admin=False, + ) + + token = create_access_token(token_data) + + # JWT tokens have format: header.payload.signature + # Header contains algorithm information + import base64 + import json + + parts = token.split(".") + if len(parts) >= 1: + # Decode header (add padding if necessary) + header_b64 = parts[0] + # Add padding if necessary + padding = 4 - len(header_b64) % 4 + if padding != 4: + header_b64 += "=" * padding + + header = json.loads(base64.urlsafe_b64decode(header_b64)) + # Should use HS256 algorithm + assert header.get("alg") == "HS256" diff --git a/tests/app/services/bulk_download/test_bulk_download.py b/tests/app/services/bulk_download/test_bulk_download.py index 223ecc88632..b568c108ef7 100644 --- a/tests/app/services/bulk_download/test_bulk_download.py +++ b/tests/app/services/bulk_download/test_bulk_download.py @@ -127,7 +127,12 @@ def test_generate_id_with_board_id(monkeypatch: Any, mock_invoker: Invoker): def mock_board_get(*args, **kwargs): return BoardRecord( - board_id="12345", board_name="test_board_name", created_at="None", updated_at="None", archived=False + board_id="12345", + board_name="test_board_name", + user_id="test_user", + created_at="None", + updated_at="None", + archived=False, ) monkeypatch.setattr(mock_invoker.services.board_records, "get", mock_board_get) @@ -156,7 +161,12 @@ def test_handler_board_id(tmp_path: Path, monkeypatch: Any, mock_image_dto: Imag def mock_board_get(*args, **kwargs): return BoardRecord( - board_id="12345", board_name="test_board_name", created_at="None", updated_at="None", archived=False + board_id="12345", + board_name="test_board_name", + user_id="test_user", + created_at="None", + updated_at="None", + archived=False, ) monkeypatch.setattr(mock_invoker.services.board_records, "get", mock_board_get) diff --git a/tests/app/services/users/test_password_utils.py b/tests/app/services/users/test_password_utils.py new file mode 100644 index 00000000000..68fd37db231 --- /dev/null +++ b/tests/app/services/users/test_password_utils.py @@ -0,0 +1,56 @@ +"""Tests for password utilities.""" + +from invokeai.app.services.auth.password_utils import hash_password, validate_password_strength, verify_password + + +def test_hash_password(): + """Test password hashing.""" + password = "TestPassword123" + hashed = hash_password(password) + + assert hashed != password + assert len(hashed) > 0 + + +def test_verify_password(): + """Test password verification.""" + password = "TestPassword123" + hashed = hash_password(password) + + assert verify_password(password, hashed) + assert not verify_password("WrongPassword", hashed) + + +def test_validate_password_strength_valid(): + """Test password strength validation with valid passwords.""" + valid, msg = validate_password_strength("ValidPass123") + assert valid + assert msg == "" + + +def test_validate_password_strength_too_short(): + """Test password strength validation with short password.""" + valid, msg = validate_password_strength("Pass1") + assert not valid + assert "at least 8 characters" in msg + + +def test_validate_password_strength_no_uppercase(): + """Test password strength validation without uppercase.""" + valid, msg = validate_password_strength("password123") + assert not valid + assert "uppercase" in msg.lower() + + +def test_validate_password_strength_no_lowercase(): + """Test password strength validation without lowercase.""" + valid, msg = validate_password_strength("PASSWORD123") + assert not valid + assert "lowercase" in msg.lower() + + +def test_validate_password_strength_no_digit(): + """Test password strength validation without digit.""" + valid, msg = validate_password_strength("PasswordTest") + assert not valid + assert "number" in msg.lower() diff --git a/tests/app/services/users/test_token_service.py b/tests/app/services/users/test_token_service.py new file mode 100644 index 00000000000..3dec8000829 --- /dev/null +++ b/tests/app/services/users/test_token_service.py @@ -0,0 +1,43 @@ +"""Tests for token service.""" + +from datetime import timedelta + +from invokeai.app.services.auth.token_service import TokenData, create_access_token, verify_token + + +def test_create_access_token(): + """Test creating an access token.""" + data = TokenData(user_id="test-user", email="test@example.com", is_admin=False) + token = create_access_token(data) + + assert token is not None + assert len(token) > 0 + + +def test_verify_valid_token(): + """Test verifying a valid token.""" + data = TokenData(user_id="test-user", email="test@example.com", is_admin=True) + token = create_access_token(data) + + verified_data = verify_token(token) + + assert verified_data is not None + assert verified_data.user_id == data.user_id + assert verified_data.email == data.email + assert verified_data.is_admin == data.is_admin + + +def test_verify_invalid_token(): + """Test verifying an invalid token.""" + verified_data = verify_token("invalid-token") + assert verified_data is None + + +def test_token_with_custom_expiration(): + """Test creating token with custom expiration.""" + data = TokenData(user_id="test-user", email="test@example.com", is_admin=False) + token = create_access_token(data, expires_delta=timedelta(hours=1)) + + verified_data = verify_token(token) + assert verified_data is not None + assert verified_data.user_id == data.user_id diff --git a/tests/app/services/users/test_user_service.py b/tests/app/services/users/test_user_service.py new file mode 100644 index 00000000000..479c911a0da --- /dev/null +++ b/tests/app/services/users/test_user_service.py @@ -0,0 +1,259 @@ +"""Tests for user service.""" + +from logging import Logger + +import pytest + +from invokeai.app.services.shared.sqlite.sqlite_database import SqliteDatabase +from invokeai.app.services.users.users_common import UserCreateRequest, UserUpdateRequest +from invokeai.app.services.users.users_default import UserService + + +@pytest.fixture +def logger() -> Logger: + """Create a logger for testing.""" + return Logger("test_user_service") + + +@pytest.fixture +def db(logger: Logger) -> SqliteDatabase: + """Create an in-memory database for testing.""" + db = SqliteDatabase(db_path=None, logger=logger, verbose=False) + # Create users table manually for testing + db._conn.execute(""" + CREATE TABLE users ( + user_id TEXT NOT NULL PRIMARY KEY, + email TEXT NOT NULL UNIQUE, + display_name TEXT, + password_hash TEXT NOT NULL, + is_admin BOOLEAN NOT NULL DEFAULT FALSE, + is_active BOOLEAN NOT NULL DEFAULT TRUE, + created_at DATETIME NOT NULL DEFAULT(STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')), + updated_at DATETIME NOT NULL DEFAULT(STRFTIME('%Y-%m-%d %H:%M:%f', 'NOW')), + last_login_at DATETIME + ); + """) + db._conn.commit() + return db + + +@pytest.fixture +def user_service(db: SqliteDatabase) -> UserService: + """Create a user service for testing.""" + return UserService(db) + + +def test_create_user(user_service: UserService): + """Test creating a user.""" + user_data = UserCreateRequest( + email="test@example.com", + display_name="Test User", + password="TestPassword123", + is_admin=False, + ) + + user = user_service.create(user_data) + + assert user.email == "test@example.com" + assert user.display_name == "Test User" + assert user.is_admin is False + assert user.is_active is True + assert user.user_id is not None + + +def test_create_user_weak_password(user_service: UserService): + """Test creating a user with weak password.""" + user_data = UserCreateRequest( + email="test@example.com", + display_name="Test User", + password="weak", + is_admin=False, + ) + + with pytest.raises(ValueError, match="at least 8 characters"): + user_service.create(user_data) + + +def test_create_duplicate_user(user_service: UserService): + """Test creating a duplicate user.""" + user_data = UserCreateRequest( + email="test@example.com", + display_name="Test User", + password="TestPassword123", + is_admin=False, + ) + + user_service.create(user_data) + + with pytest.raises(ValueError, match="already exists"): + user_service.create(user_data) + + +def test_get_user(user_service: UserService): + """Test getting a user by ID.""" + user_data = UserCreateRequest( + email="test@example.com", + display_name="Test User", + password="TestPassword123", + ) + + created_user = user_service.create(user_data) + retrieved_user = user_service.get(created_user.user_id) + + assert retrieved_user is not None + assert retrieved_user.user_id == created_user.user_id + assert retrieved_user.email == created_user.email + + +def test_get_nonexistent_user(user_service: UserService): + """Test getting a nonexistent user.""" + user = user_service.get("nonexistent-id") + assert user is None + + +def test_get_user_by_email(user_service: UserService): + """Test getting a user by email.""" + user_data = UserCreateRequest( + email="test@example.com", + display_name="Test User", + password="TestPassword123", + ) + + created_user = user_service.create(user_data) + retrieved_user = user_service.get_by_email("test@example.com") + + assert retrieved_user is not None + assert retrieved_user.user_id == created_user.user_id + assert retrieved_user.email == "test@example.com" + + +def test_update_user(user_service: UserService): + """Test updating a user.""" + user_data = UserCreateRequest( + email="test@example.com", + display_name="Test User", + password="TestPassword123", + ) + + user = user_service.create(user_data) + + updates = UserUpdateRequest( + display_name="Updated Name", + is_admin=True, + ) + + updated_user = user_service.update(user.user_id, updates) + + assert updated_user.display_name == "Updated Name" + assert updated_user.is_admin is True + + +def test_delete_user(user_service: UserService): + """Test deleting a user.""" + user_data = UserCreateRequest( + email="test@example.com", + display_name="Test User", + password="TestPassword123", + ) + + user = user_service.create(user_data) + user_service.delete(user.user_id) + + retrieved_user = user_service.get(user.user_id) + assert retrieved_user is None + + +def test_authenticate_valid_credentials(user_service: UserService): + """Test authenticating with valid credentials.""" + user_data = UserCreateRequest( + email="test@example.com", + display_name="Test User", + password="TestPassword123", + ) + + user_service.create(user_data) + authenticated_user = user_service.authenticate("test@example.com", "TestPassword123") + + assert authenticated_user is not None + assert authenticated_user.email == "test@example.com" + assert authenticated_user.last_login_at is not None + + +def test_authenticate_invalid_password(user_service: UserService): + """Test authenticating with invalid password.""" + user_data = UserCreateRequest( + email="test@example.com", + display_name="Test User", + password="TestPassword123", + ) + + user_service.create(user_data) + authenticated_user = user_service.authenticate("test@example.com", "WrongPassword") + + assert authenticated_user is None + + +def test_authenticate_nonexistent_user(user_service: UserService): + """Test authenticating nonexistent user.""" + authenticated_user = user_service.authenticate("nonexistent@example.com", "TestPassword123") + assert authenticated_user is None + + +def test_has_admin(user_service: UserService): + """Test checking if admin exists.""" + assert user_service.has_admin() is False + + user_data = UserCreateRequest( + email="admin@example.com", + display_name="Admin User", + password="AdminPassword123", + is_admin=True, + ) + + user_service.create(user_data) + assert user_service.has_admin() is True + + +def test_create_admin(user_service: UserService): + """Test creating an admin user.""" + user_data = UserCreateRequest( + email="admin@example.com", + display_name="Admin User", + password="AdminPassword123", + ) + + admin = user_service.create_admin(user_data) + + assert admin.is_admin is True + assert admin.email == "admin@example.com" + + +def test_create_admin_when_exists(user_service: UserService): + """Test creating admin when one already exists.""" + user_data = UserCreateRequest( + email="admin@example.com", + display_name="Admin User", + password="AdminPassword123", + ) + + user_service.create_admin(user_data) + + with pytest.raises(ValueError, match="already exists"): + user_service.create_admin(user_data) + + +def test_list_users(user_service: UserService): + """Test listing users.""" + for i in range(5): + user_data = UserCreateRequest( + email=f"test{i}@example.com", + display_name=f"Test User {i}", + password="TestPassword123", + ) + user_service.create(user_data) + + users = user_service.list_users() + assert len(users) == 5 + + limited_users = user_service.list_users(limit=2) + assert len(limited_users) == 2 diff --git a/tests/conftest.py b/tests/conftest.py index d2835120e9e..980a99611ab 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -12,13 +12,17 @@ from invokeai.app.services.board_image_records.board_image_records_sqlite import SqliteBoardImageRecordStorage from invokeai.app.services.board_records.board_records_sqlite import SqliteBoardRecordStorage +from invokeai.app.services.boards.boards_default import BoardService from invokeai.app.services.bulk_download.bulk_download_default import BulkDownloadService +from invokeai.app.services.client_state_persistence.client_state_persistence_sqlite import ClientStatePersistenceSqlite from invokeai.app.services.config.config_default import InvokeAIAppConfig +from invokeai.app.services.image_records.image_records_sqlite import SqliteImageRecordStorage from invokeai.app.services.images.images_default import ImageService from invokeai.app.services.invocation_cache.invocation_cache_memory import MemoryInvocationCache from invokeai.app.services.invocation_services import InvocationServices from invokeai.app.services.invocation_stats.invocation_stats_default import InvocationStatsService from invokeai.app.services.invoker import Invoker +from invokeai.app.services.users.users_default import UserService from invokeai.backend.util.logging import InvokeAILogger from tests.backend.model_manager.model_manager_fixtures import * # noqa: F403 from tests.fixtures.sqlite_database import create_mock_sqlite_database # noqa: F401 @@ -36,12 +40,12 @@ def mock_services() -> InvocationServices: board_image_records=SqliteBoardImageRecordStorage(db=db), board_images=None, # type: ignore board_records=SqliteBoardRecordStorage(db=db), - boards=None, # type: ignore + boards=BoardService(), bulk_download=BulkDownloadService(), configuration=configuration, events=TestEventService(), image_files=None, # type: ignore - image_records=None, # type: ignore + image_records=SqliteImageRecordStorage(db=db), images=ImageService(), invocation_cache=MemoryInvocationCache(max_cache_size=0), logger=logging, # type: ignore @@ -61,7 +65,8 @@ def mock_services() -> InvocationServices: workflow_thumbnails=None, # type: ignore model_relationship_records=None, # type: ignore model_relationships=None, # type: ignore - client_state_persistence=None, # type: ignore + client_state_persistence=ClientStatePersistenceSqlite(db=db), + users=UserService(db), ) diff --git a/tests/test_sqlite_migrator.py b/tests/test_sqlite_migrator.py index f6a3cb2a5a9..42fdb6d798e 100644 --- a/tests/test_sqlite_migrator.py +++ b/tests/test_sqlite_migrator.py @@ -296,3 +296,65 @@ def test_idempotent_migrations(migrator: SqliteMigrator, migration_create_test_t # not throwing is sufficient migrator.run_migrations() assert migrator._get_current_version(cursor) == 1 + + +def test_migration_26_creates_users_table(logger: Logger) -> None: + """Test that migration 26 creates the users table and related tables.""" + from invokeai.app.services.shared.sqlite_migrator.migrations.migration_26 import Migration26Callback + + db = SqliteDatabase(db_path=None, logger=logger, verbose=False) + cursor = db._conn.cursor() + + # Create minimal tables that migration 26 expects to exist + cursor.execute("CREATE TABLE IF NOT EXISTS boards (board_id TEXT PRIMARY KEY);") + cursor.execute("CREATE TABLE IF NOT EXISTS images (image_name TEXT PRIMARY KEY);") + cursor.execute("CREATE TABLE IF NOT EXISTS workflows (workflow_id TEXT PRIMARY KEY);") + cursor.execute("CREATE TABLE IF NOT EXISTS session_queue (item_id INTEGER PRIMARY KEY);") + db._conn.commit() + + # Run migration callback directly (not through migrator to avoid chain validation) + migration_callback = Migration26Callback() + migration_callback(cursor) + db._conn.commit() + + # Verify users table exists + cursor.execute("SELECT name FROM sqlite_master WHERE type='table' AND name='users';") + assert cursor.fetchone() is not None + + # Verify user_sessions table exists + cursor.execute("SELECT name FROM sqlite_master WHERE type='table' AND name='user_sessions';") + assert cursor.fetchone() is not None + + # Verify user_invitations table exists + cursor.execute("SELECT name FROM sqlite_master WHERE type='table' AND name='user_invitations';") + assert cursor.fetchone() is not None + + # Verify shared_boards table exists + cursor.execute("SELECT name FROM sqlite_master WHERE type='table' AND name='shared_boards';") + assert cursor.fetchone() is not None + + # Verify system user was created + cursor.execute("SELECT user_id, email FROM users WHERE user_id='system';") + system_user = cursor.fetchone() + assert system_user is not None + assert system_user[0] == "system" + assert system_user[1] == "system@system.invokeai" + + # Verify boards table has user_id column + cursor.execute("PRAGMA table_info(boards);") + columns = [row[1] for row in cursor.fetchall()] + assert "user_id" in columns + assert "is_public" in columns + + # Verify images table has user_id column + cursor.execute("PRAGMA table_info(images);") + columns = [row[1] for row in cursor.fetchall()] + assert "user_id" in columns + + # Verify workflows table has user_id and is_public columns + cursor.execute("PRAGMA table_info(workflows);") + columns = [row[1] for row in cursor.fetchall()] + assert "user_id" in columns + assert "is_public" in columns + + db._conn.close() diff --git a/uv.lock b/uv.lock index f6841cb6e71..a22015f28ff 100644 --- a/uv.lock +++ b/uv.lock @@ -152,6 +152,27 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/41/ff/392bff89415399a979be4a65357a41d92729ae8580a66073d8ec8d810f98/backrefs-5.9-py39-none-any.whl", hash = "sha256:f48ee18f6252b8f5777a22a00a09a85de0ca931658f1dd96d4406a34f3748c60", size = 380265, upload-time = "2025-06-22T19:34:12.405Z" }, ] +[[package]] +name = "bcrypt" +version = "3.2.2" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "cffi" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/e8/36/edc85ab295ceff724506252b774155eff8a238f13730c8b13badd33ef866/bcrypt-3.2.2.tar.gz", hash = "sha256:433c410c2177057705da2a9f2cd01dd157493b2a7ac14c8593a16b3dab6b6bfb", size = 42455, upload-time = "2022-05-01T17:58:52.348Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/a0/c2/05354b1d4351d2e686a32296cc9dd1e63f9909a580636df0f7b06d774600/bcrypt-3.2.2-cp36-abi3-macosx_10_10_universal2.whl", hash = "sha256:7180d98a96f00b1050e93f5b0f556e658605dd9f524d0b0e68ae7944673f525e", size = 50049, upload-time = "2022-05-01T18:05:47.625Z" }, + { url = "https://files.pythonhosted.org/packages/8c/b3/1257f7d64ee0aa0eb4fb1de5da8c2647a57db7b737da1f2342ac1889d3b8/bcrypt-3.2.2-cp36-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.manylinux_2_24_aarch64.whl", hash = "sha256:61bae49580dce88095d669226d5076d0b9d927754cedbdf76c6c9f5099ad6f26", size = 54914, upload-time = "2022-05-01T18:03:00.752Z" }, + { url = "https://files.pythonhosted.org/packages/61/3d/dce83194830183aa700cab07c89822471d21663a86a0b305d1e5c7b02810/bcrypt-3.2.2-cp36-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:88273d806ab3a50d06bc6a2fc7c87d737dd669b76ad955f449c43095389bc8fb", size = 54403, upload-time = "2022-05-01T18:03:02.483Z" }, + { url = "https://files.pythonhosted.org/packages/86/1b/f4d7425dfc6cd0e405b48ee484df6d80fb39e05f25963dbfcc2c511e8341/bcrypt-3.2.2-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.manylinux_2_24_x86_64.whl", hash = "sha256:6d2cb9d969bfca5bc08e45864137276e4c3d3d7de2b162171def3d188bf9d34a", size = 62337, upload-time = "2022-05-01T18:05:49.524Z" }, + { url = "https://files.pythonhosted.org/packages/3e/df/289db4f31b303de6addb0897c8b5c01b23bd4b8c511ac80a32b08658847c/bcrypt-3.2.2-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2b02d6bfc6336d1094276f3f588aa1225a598e27f8e3388f4db9948cb707b521", size = 61026, upload-time = "2022-05-01T18:05:51.107Z" }, + { url = "https://files.pythonhosted.org/packages/40/8f/b67b42faa2e4d944b145b1a402fc08db0af8fe2dfa92418c674b5a302496/bcrypt-3.2.2-cp36-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:a2c46100e315c3a5b90fdc53e429c006c5f962529bc27e1dfd656292c20ccc40", size = 64672, upload-time = "2022-05-01T18:05:52.748Z" }, + { url = "https://files.pythonhosted.org/packages/fc/9a/e1867f0b27a3f4ce90e21dd7f322f0e15d4aac2434d3b938dcf765e47c6b/bcrypt-3.2.2-cp36-abi3-musllinux_1_1_aarch64.whl", hash = "sha256:7d9ba2e41e330d2af4af6b1b6ec9e6128e91343d0b4afb9282e54e5508f31baa", size = 56795, upload-time = "2022-05-01T18:03:04.028Z" }, + { url = "https://files.pythonhosted.org/packages/18/76/057b0637c880e6cb0abdc8a867d080376ddca6ed7d05b7738f589cc5c1a8/bcrypt-3.2.2-cp36-abi3-musllinux_1_1_x86_64.whl", hash = "sha256:cd43303d6b8a165c29ec6756afd169faba9396a9472cdff753fe9f19b96ce2fa", size = 62075, upload-time = "2022-05-01T18:05:54.412Z" }, + { url = "https://files.pythonhosted.org/packages/f1/64/cd93e2c3e28a5fa8bcf6753d5cc5e858e4da08bf51404a0adb6a412532de/bcrypt-3.2.2-cp36-abi3-win32.whl", hash = "sha256:4e029cef560967fb0cf4a802bcf4d562d3d6b4b1bf81de5ec1abbe0f1adb027e", size = 27916, upload-time = "2022-05-01T18:05:56.45Z" }, + { url = "https://files.pythonhosted.org/packages/f5/37/7cd297ff571c4d86371ff024c0e008b37b59e895b28f69444a9b6f94ca1a/bcrypt-3.2.2-cp36-abi3-win_amd64.whl", hash = "sha256:7ff2069240c6bbe49109fe84ca80508773a904f5a8cb960e02a977f7f519b129", size = 29581, upload-time = "2022-05-01T18:05:57.878Z" }, +] + [[package]] name = "bidict" version = "0.23.1" @@ -499,7 +520,7 @@ name = "cryptography" version = "45.0.5" source = { registry = "https://pypi.org/simple" } dependencies = [ - { name = "cffi", marker = "(platform_python_implementation != 'PyPy' and sys_platform == 'linux') or (platform_python_implementation != 'PyPy' and sys_platform != 'darwin' and extra == 'extra-8-invokeai-cpu') or (platform_python_implementation != 'PyPy' and sys_platform != 'darwin' and extra == 'extra-8-invokeai-cuda') or (platform_python_implementation != 'PyPy' and sys_platform != 'darwin' and extra != 'extra-8-invokeai-rocm') or (platform_python_implementation == 'PyPy' and extra == 'extra-8-invokeai-cpu' and extra == 'extra-8-invokeai-cuda') or (platform_python_implementation == 'PyPy' and extra == 'extra-8-invokeai-cpu' and extra == 'extra-8-invokeai-rocm') or (platform_python_implementation == 'PyPy' and extra == 'extra-8-invokeai-cuda' and extra == 'extra-8-invokeai-rocm') or (sys_platform == 'darwin' and extra == 'extra-8-invokeai-cpu' and extra == 'extra-8-invokeai-cuda') or (sys_platform == 'darwin' and extra == 'extra-8-invokeai-cpu' and extra == 'extra-8-invokeai-rocm') or (sys_platform == 'darwin' and extra == 'extra-8-invokeai-cuda' and extra == 'extra-8-invokeai-rocm')" }, + { name = "cffi", marker = "platform_python_implementation != 'PyPy' or (extra == 'extra-8-invokeai-cpu' and extra == 'extra-8-invokeai-cuda') or (extra == 'extra-8-invokeai-cpu' and extra == 'extra-8-invokeai-rocm') or (extra == 'extra-8-invokeai-cuda' and extra == 'extra-8-invokeai-rocm')" }, ] sdist = { url = "https://files.pythonhosted.org/packages/95/1e/49527ac611af559665f71cbb8f92b332b5ec9c6fbc4e88b0f8e92f5e85df/cryptography-45.0.5.tar.gz", hash = "sha256:72e76caa004ab63accdf26023fccd1d087f6d90ec6048ff33ad0445abf7f605a", size = 744903, upload-time = "2025-07-02T13:06:25.941Z" } wheels = [ @@ -624,6 +645,18 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/64/f0/dbe05efee6a38fb075ba0995e497223d02c6d056303d5e8881e9bb20652a/dynamicprompts-0.31.0-py3-none-any.whl", hash = "sha256:a07f38c295ec2b77905cecba8b0f439bb1a84942bfb6874ff6b55448e2cc950e", size = 53524, upload-time = "2024-03-21T07:58:36.994Z" }, ] +[[package]] +name = "ecdsa" +version = "0.19.1" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "six" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/c0/1f/924e3caae75f471eae4b26bd13b698f6af2c44279f67af317439c2f4c46a/ecdsa-0.19.1.tar.gz", hash = "sha256:478cba7b62555866fcb3bb3fe985e06decbdb68ef55713c4e5ab98c57d508e61", size = 201793, upload-time = "2025-03-13T11:52:43.25Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/cb/a3/460c57f094a4a165c84a1341c373b0a4f5ec6ac244b998d5021aade89b77/ecdsa-0.19.1-py2.py3-none-any.whl", hash = "sha256:30638e27cf77b7e15c4c4cc1973720149e1033827cfd00661ca5c8cc0cdb24c3", size = 150607, upload-time = "2025-03-13T11:52:41.757Z" }, +] + [[package]] name = "einops" version = "0.8.1" @@ -633,6 +666,19 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/87/62/9773de14fe6c45c23649e98b83231fffd7b9892b6cf863251dc2afa73643/einops-0.8.1-py3-none-any.whl", hash = "sha256:919387eb55330f5757c6bea9165c5ff5cfe63a642682ea788a6d472576d81737", size = 64359, upload-time = "2025-02-09T03:17:01.998Z" }, ] +[[package]] +name = "email-validator" +version = "2.3.0" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "dnspython" }, + { name = "idna" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/f5/22/900cb125c76b7aaa450ce02fd727f452243f2e91a61af068b40adba60ea9/email_validator-2.3.0.tar.gz", hash = "sha256:9fc05c37f2f6cf439ff414f8fc46d917929974a82244c20eb10231ba60c54426", size = 51238, upload-time = "2025-08-26T13:09:06.831Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/de/15/545e2b6cf2e3be84bc1ed85613edd75b8aea69807a71c26f4ca6a9258e82/email_validator-2.3.0-py3-none-any.whl", hash = "sha256:80f13f623413e6b197ae73bb10bf4eb0908faf509ad8362c5edeb0be7fd450b4", size = 35604, upload-time = "2025-08-26T13:09:05.858Z" }, +] + [[package]] name = "faker" version = "37.4.0" @@ -961,6 +1007,7 @@ name = "invokeai" source = { editable = "." } dependencies = [ { name = "accelerate" }, + { name = "bcrypt" }, { name = "bitsandbytes", marker = "sys_platform != 'darwin' or (extra == 'extra-8-invokeai-cpu' and extra == 'extra-8-invokeai-cuda') or (extra == 'extra-8-invokeai-cpu' and extra == 'extra-8-invokeai-rocm') or (extra == 'extra-8-invokeai-cuda' and extra == 'extra-8-invokeai-rocm')" }, { name = "blake3" }, { name = "compel" }, @@ -969,6 +1016,7 @@ dependencies = [ { name = "dnspython" }, { name = "dynamicprompts" }, { name = "einops" }, + { name = "email-validator" }, { name = "fastapi" }, { name = "fastapi-events" }, { name = "gguf" }, @@ -978,12 +1026,14 @@ dependencies = [ { name = "onnx" }, { name = "onnxruntime" }, { name = "opencv-contrib-python" }, + { name = "passlib", extra = ["bcrypt"] }, { name = "picklescan" }, { name = "pillow" }, { name = "prompt-toolkit" }, { name = "pydantic" }, { name = "pydantic-settings" }, { name = "pypatchmatch" }, + { name = "python-jose", extra = ["cryptography"] }, { name = "python-multipart" }, { name = "python-socketio" }, { name = "pywavelets" }, @@ -1067,6 +1117,7 @@ xformers = [ [package.metadata] requires-dist = [ { name = "accelerate" }, + { name = "bcrypt", specifier = "<4.0.0" }, { name = "bitsandbytes", marker = "sys_platform != 'darwin'" }, { name = "blake3" }, { name = "compel", specifier = "==2.1.1" }, @@ -1075,6 +1126,7 @@ requires-dist = [ { name = "dnspython" }, { name = "dynamicprompts" }, { name = "einops" }, + { name = "email-validator", specifier = ">=2.0.0" }, { name = "fastapi", specifier = "==0.118.3" }, { name = "fastapi-events" }, { name = "gguf" }, @@ -1096,6 +1148,7 @@ requires-dist = [ { name = "onnxruntime-directml", marker = "extra == 'onnx-directml'" }, { name = "onnxruntime-gpu", marker = "extra == 'onnx-cuda'" }, { name = "opencv-contrib-python" }, + { name = "passlib", extras = ["bcrypt"], specifier = ">=1.7.4" }, { name = "picklescan" }, { name = "pillow" }, { name = "pip-tools", marker = "extra == 'dist'" }, @@ -1111,6 +1164,7 @@ requires-dist = [ { name = "pytest-cov", marker = "extra == 'test'" }, { name = "pytest-datadir", marker = "extra == 'test'" }, { name = "pytest-timeout", marker = "extra == 'test'" }, + { name = "python-jose", extras = ["cryptography"], specifier = ">=3.3.0" }, { name = "python-multipart" }, { name = "python-socketio" }, { name = "pytorch-triton-rocm", marker = "sys_platform == 'linux' and extra == 'rocm'", index = "https://download.pytorch.org/whl/rocm6.3", conflict = { package = "invokeai", extra = "rocm" } }, @@ -2300,6 +2354,20 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/c6/ac/dac4a63f978e4dcb3c6d3a78c4d8e0192a113d288502a1216950c41b1027/parso-0.8.4-py2.py3-none-any.whl", hash = "sha256:a418670a20291dacd2dddc80c377c5c3791378ee1e8d12bffc35420643d43f18", size = 103650, upload-time = "2024-04-05T09:43:53.299Z" }, ] +[[package]] +name = "passlib" +version = "1.7.4" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/b6/06/9da9ee59a67fae7761aab3ccc84fa4f3f33f125b370f1ccdb915bf967c11/passlib-1.7.4.tar.gz", hash = "sha256:defd50f72b65c5402ab2c573830a6978e5f202ad0d984793c8dde2c4152ebe04", size = 689844, upload-time = "2020-10-08T19:00:52.121Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/3b/a4/ab6b7589382ca3df236e03faa71deac88cae040af60c071a78d254a62172/passlib-1.7.4-py2.py3-none-any.whl", hash = "sha256:aa6bca462b8d8bda89c70b382f0c298a20b5560af6cbfa2dce410c0a2fb669f1", size = 525554, upload-time = "2020-10-08T19:00:49.856Z" }, +] + +[package.optional-dependencies] +bcrypt = [ + { name = "bcrypt" }, +] + [[package]] name = "pathspec" version = "0.12.1" @@ -2498,6 +2566,15 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/b1/01/069766294390d3e10c77dfb553171466d67ffb51bf72a437650c0a5db86a/pudb-2025.1-py3-none-any.whl", hash = "sha256:f642d42e6054c992b43c463742650aa879fe290d7d7ffdeb21f7d00dc4587a21", size = 89208, upload-time = "2025-05-06T20:43:17.101Z" }, ] +[[package]] +name = "pyasn1" +version = "0.6.1" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/ba/e9/01f1a64245b89f039897cb0130016d79f77d52669aae6ee7b159a6c4c018/pyasn1-0.6.1.tar.gz", hash = "sha256:6f580d2bdd84365380830acf45550f2511469f673cb4a5ae3857a3170128b034", size = 145322, upload-time = "2024-09-10T22:41:42.55Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/c8/f1/d6a797abb14f6283c0ddff96bbdd46937f64122b8c925cab503dd37f8214/pyasn1-0.6.1-py3-none-any.whl", hash = "sha256:0d632f46f2ba09143da3a8afe9e33fb6f92fa2320ab7e886e2d0f7672af84629", size = 83135, upload-time = "2024-09-11T16:00:36.122Z" }, +] + [[package]] name = "pycparser" version = "2.22" @@ -2747,6 +2824,25 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/0c/fa/df59acedf7bbb937f69174d00f921a7b93aa5a5f5c17d05296c814fff6fc/python_engineio-4.12.2-py3-none-any.whl", hash = "sha256:8218ab66950e179dfec4b4bbb30aecf3f5d86f5e58e6fc1aa7fde2c698b2804f", size = 59536, upload-time = "2025-06-04T19:22:16.916Z" }, ] +[[package]] +name = "python-jose" +version = "3.5.0" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "ecdsa" }, + { name = "pyasn1" }, + { name = "rsa" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/c6/77/3a1c9039db7124eb039772b935f2244fbb73fc8ee65b9acf2375da1c07bf/python_jose-3.5.0.tar.gz", hash = "sha256:fb4eaa44dbeb1c26dcc69e4bd7ec54a1cb8dd64d3b4d81ef08d90ff453f2b01b", size = 92726, upload-time = "2025-05-28T17:31:54.288Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/d9/c3/0bd11992072e6a1c513b16500a5d07f91a24017c5909b02c72c62d7ad024/python_jose-3.5.0-py2.py3-none-any.whl", hash = "sha256:abd1202f23d34dfad2c3d28cb8617b90acf34132c7afd60abd0b0b7d3cb55771", size = 34624, upload-time = "2025-05-28T17:31:52.802Z" }, +] + +[package.optional-dependencies] +cryptography = [ + { name = "cryptography" }, +] + [[package]] name = "python-multipart" version = "0.0.20" @@ -3001,6 +3097,18 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/0d/9b/63f4c7ebc259242c89b3acafdb37b41d1185c07ff0011164674e9076b491/rich-14.0.0-py3-none-any.whl", hash = "sha256:1c9491e1951aac09caffd42f448ee3d04e58923ffe14993f6e83068dc395d7e0", size = 243229, upload-time = "2025-03-30T14:15:12.283Z" }, ] +[[package]] +name = "rsa" +version = "4.9.1" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "pyasn1" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/da/8a/22b7beea3ee0d44b1916c0c1cb0ee3af23b700b6da9f04991899d0c555d4/rsa-4.9.1.tar.gz", hash = "sha256:e7bdbfdb5497da4c07dfd35530e1a902659db6ff241e39d9953cad06ebd0ae75", size = 29034, upload-time = "2025-04-16T09:51:18.218Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/64/8d/0133e4eb4beed9e425d9a98ed6e081a55d195481b7632472be1af08d2f6b/rsa-4.9.1-py3-none-any.whl", hash = "sha256:68635866661c6836b8d39430f97a996acbd61bfa49406748ea243539fe239762", size = 34696, upload-time = "2025-04-16T09:51:17.142Z" }, +] + [[package]] name = "ruff" version = "0.11.13"