Skip to content

Switch configuration storage from .env to SQLite (breaking change) #540

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
timonrieger wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

Switch configuration storage from .env to SQLite (breaking change) #540

timonrieger wants to merge 5 commits into from

Conversation

@timonrieger
Copy link

@timonrieger timonrieger commented Dec 31, 2025

Summary

This PR replaces the current .env-based configuration with a SQLite-backed config store.

SQLite was chosen for simplicity, zero external dependencies, and to enable editing configuration while the container is running via the existing web interface at /admin.

Breaking change

This is an intentional breaking change:

  • Configuration is no longer sourced from .env at runtime
  • Existing deployments will require migration

The goal is to avoid dual config sources and long-term maintenance complexity.

Notes / limitations

  • The current implementation does not support multi-user configuration
  • It may break multi-user or multi-server setups; this has not been fully validated yet
  • The change assumes a single-node / single-config model
  • This PR is considered WIP, to not waste time in case of rejection by the maintainer

Compatibility path

If this approach is considered too disruptive, the implementation can be refactored to:

  • keep .env as a supported backend
  • make SQLite an alternative config provider behind the same interface

That was intentionally deferred to keep this PR focused unless required.

Scope

This PR is limited to configuration storage changes only. No unrelated behavior or features are introduced.

@timonrieger
Add Entity Framework Core support with SQLite for account overrides
f868bd1 
- Added Entity Framework Core packages to project.
- Implemented ConfigDbContext for managing account overrides.
- Created AccountOverrideEntity and corresponding DTO for data representation.
- Developed SqliteAccountOverrideStore for data access and manipulation.
- Introduced AccountOverrideMerger for applying overrides to account settings.
- Updated ConfigController to handle account override retrieval and updates.
- Enhanced Program.cs to configure the SQLite database context.
- Added tests for account override functionality in ConfigController and AccountOverrideMerger.
- Updated Dockerfile and docker-compose files to support SQLite data persistence.
@timonrieger
build fixes
ee439bf
@timonrieger
Add account override change notification and SSE support
2f90643 
- Introduced IAccountOverrideChangeNotifier and its implementation for notifying clients of account override changes.
- Updated ConfigController to handle SSE for account override events and version retrieval.
- Enhanced home-page and admin components to support real-time updates and management of account overrides.
- Added functionality to refresh asset loading upon override changes.
@timonrieger
Add general settings management and SSE support
426d7d4 
- Introduced GeneralSettingsDto for managing general settings.
- Implemented IGeneralSettingsStore and SqliteGeneralSettingsStore for data access.
- Added GeneralSettingsChangeNotifier for real-time updates on general settings changes.
- Enhanced ConfigController to handle retrieval and updates of general settings via API.
- Updated Program.cs to initialize the GeneralSettings table in SQLite.
- Integrated live updates in the home-page and admin components for general settings changes.
@timonrieger
Remove migrated configuration options from example.env file
a9c2e4b
@coderabbitai
Copy link

coderabbitai bot commented Dec 31, 2025

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@JW-CH
Copy link
Collaborator

JW-CH commented Jan 3, 2026

I just skipped through this PR; thank you for making it. Maybe I did not see it, but how would you protect the /admin route? The main reason I had this not configurable was that only 'real' admins could expose images they wanted. The must in this PR would be to make sure that no other users can change configs and display images they should not see. I'd also prefer not to add too much complexity. On the other hand, having a UI to change config values would be a welcome change.

cc @3rob3

@timonrieger
Copy link
Author

timonrieger commented Jan 4, 2026

Thanks for the review and for calling this out - agreed that /admin needs to be protected.

I had multiple points coming up when thinking about your valid questions. To get my thoughts across, I had the LLM summarize them below 😄

What “protect /admin” means today

ImmichFrame currently has a single shared trust boundary:

  • If a user has the Immich API key, they can query anything that key can access.
  • If a user has the ImmichFrame AuthenticationSecret, they can call the protected endpoints we expose.

So: protecting /admin prevents unauthorized config changes, but it doesn’t create per-user image isolation. Anyone who can control config and/or holds the Immich API key (directly or indirectly) can make the frame show “any album in that Immich account”.

Minimal, low-complexity fix

  • Add a separate AdminSecret (env/config only; not stored in DB).
  • Require it for:
    • Serving /admin (server-side check before returning the SPA)
    • GET/PUT /api/Config/account-overrides
    • GET/PUT /api/Config/general-settings
  • Keep slideshow client behavior on the existing AuthenticationSecret.
  • Treat SSE similarly (either keep it unauthenticated but emit only non-sensitive events, or accept a token via query param since EventSource can’t set headers).

This keeps complexity low while ensuring “non-admin viewers” can’t change config to expose albums/people they shouldn’t.

Bigger picture: “real admins” vs multi-user

I think your concern is correct: true per-user access control (each user only sees what they’re allowed to see) isn’t solvable purely by hiding ImmichFrame config. That’s a broader architecture topic:

  • We’d need a multi-user model (users, roles), per-frame config, and likely per-user Immich tokens (or an auth delegation model) so the frame only sees what a given user grants.
  • At that point, it starts to overlap heavily with Immich’s own auth/permissions UX and infra.

That’s why I’m not convinced ImmichFrame should grow into a full multi-user management system. Once we go there, it may make more sense to push the “frame UI / slideshow capabilities” into Immich core, leveraging Immich’s existing user/session/permission model (this aligns with my earlier direction in immich-app/immich#24627).

TL;DR

  • This PR can and should protect /admin and config endpoints via a simple AdminSecret split from AuthenticationSecret.
  • It cannot (and shouldn’t try to) solve “multi-user image isolation” without a bigger redesign; that’s either a larger ImmichFrame roadmap decision or better handled upstream in Immich core.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@timonrieger @JW-CH