#MTLS Authentication in Immich-CLI / SDK

I've been diving into @immich/cli to see if we can specify a mtls client certificate. To do so in nodejs we usually configure the https agent for making api requests.

Unfortunately the https agent seems to be hidden away in the @immich-sdk package (/open-api/ folder)

Of which uses oazapfts package to auto gen openapi requests.

Tracking down this source, it seems we may be able to specify an fetch client
https://github.com/oazapfts/oazapfts/blob/main/packages/runtime/src/runtime.ts

If so, then we can configure immich-sdk to allow the specification of a fetch client.

What do you think?

End goal:

$> immich --help
Usage: immich [options] [command]

Command line interface for Immich

Options:
  -V, --version                       output the version number
  ...
  --client-cert                       Path to Client Certificate for authenticating with servers that are secured by mutual authentication (mTLS) (default: false, env:
                                      IMMICH_MTLS_CLIENT_CERT)

The necessary agent config in nodejs fetch (nodejs fetch uses undici)
Seems to be not yet exposed
https://github.com/nodejs/node/issues/48977

Here's the code for injecting the fetch client with a configured agent.
Been fighting a little with typescript differences between lib.dom.ts and nodejs.fetch

I don't think we really care about supporting this, but if you can make it work without any disruption we're not opposed

make it work. Anyone using mtls with immich? Who doesn't mind being a Guinea pig? 🙂

Also the tooling needed a change

• I'm not too familiar with using vite (a web framework??) for cli applications, ended up using esbuild instead.
• ts-node didn't work (it's quite old now) so I've updated the documentation to use tsx instead for easier dev UX.

it's a slightly larger PR than intended but needed to get it right else the cli might turn into a bit of a mess. I added in config validation via joi - but can look to use class-transformer as well.

Are there any new dependencies ? This seems like a large amount of code for such a small feature but I’m not the judge of that

I'd say the amount of code is a bit. But hey at least the unit tests pass xD

I'll take this pr slow though, so will be writing a few config file unit tests before submitting

If there's no takers for testing I probably won't bother with a pr but will make the code public

It's not clear to me exactly what you're doing but this seems like it should maybe be multiple (unrelated) prs?

Agreed. As bo0tzz already said we really don't care too much about this, so adding any meaningful amount of code (burden you might say) is unlikely to get accepted