|
| 1 | +# User Isolation Implementation Summary |
| 2 | + |
| 3 | +This document describes the implementation of user isolation features in the InvokeAI session queue and processing system to address issues identified in the enhancement request. |
| 4 | + |
| 5 | +## Issues Addressed |
| 6 | + |
| 7 | +### 1. Cross-User Image/Preview Visibility |
| 8 | +**Problem:** When two users are logged in simultaneously and one initiates a generation, the generation preview shows up in both users' browsers and the generated image gets saved to both users' image boards. |
| 9 | + |
| 10 | +**Solution:** Implemented socket-level event filtering based on user authentication: |
| 11 | + |
| 12 | +#### Backend Changes (`invokeai/app/api/sockets.py`): |
| 13 | +- Added socket authentication middleware in `_handle_connect()` method |
| 14 | +- Extracts JWT token from socket auth data or HTTP headers |
| 15 | +- Verifies token using existing `verify_token()` function |
| 16 | +- Stores `user_id` and `is_admin` in socket session for later use |
| 17 | +- Modified `_handle_queue_event()` to filter events by user: |
| 18 | + - For `QueueItemEventBase` events, only emit to: |
| 19 | + - The user who owns the queue item (`user_id` matches) |
| 20 | + - Admin users (`is_admin` is True) |
| 21 | + - For general queue events, emit to all subscribers |
| 22 | + |
| 23 | +#### Event System Changes (`invokeai/app/services/events/events_common.py`): |
| 24 | +- Added `user_id` field to `QueueItemEventBase` class |
| 25 | +- Updated all event builders to include `user_id` from queue items: |
| 26 | + - `InvocationStartedEvent.build()` |
| 27 | + - `InvocationProgressEvent.build()` |
| 28 | + - `InvocationCompleteEvent.build()` |
| 29 | + - `InvocationErrorEvent.build()` |
| 30 | + - `QueueItemStatusChangedEvent.build()` |
| 31 | + |
| 32 | +### 2. Batch Field Values Privacy |
| 33 | +**Problem:** Users can see batch field values from generation processes launched by other users. |
| 34 | + |
| 35 | +**Solution:** Implemented field value sanitization at the API level: |
| 36 | + |
| 37 | +#### API Router Changes (`invokeai/app/api/routers/session_queue.py`): |
| 38 | +- Created `sanitize_queue_item_for_user()` helper function |
| 39 | + - Clears `field_values` for non-admin users viewing other users' items |
| 40 | + - Admins and item owners can see all field values |
| 41 | +- Updated endpoints to require authentication and sanitize responses: |
| 42 | + - `list_all_queue_items()` - Added `CurrentUser` dependency |
| 43 | + - `get_queue_items_by_item_ids()` - Added `CurrentUser` dependency |
| 44 | + - `get_queue_item()` - Added `CurrentUser` dependency |
| 45 | + |
| 46 | +### 3. Queue Updates Across Browser Windows |
| 47 | +**Problem:** When the job queue tab is open in multiple browsers and a generation is begun in one browser window, the queue does not update in the other window. |
| 48 | + |
| 49 | +**Status:** This issue is likely resolved by the socket authentication and event filtering changes. The existing socket subscription mechanism (`subscribe_queue` event) already supports multiple connections per user. Testing is required to confirm this works correctly with the new authentication flow. |
| 50 | + |
| 51 | +### 4. User Information Display |
| 52 | +**Problem:** Queue table lacks user identification, making it difficult to know who launched which job. |
| 53 | + |
| 54 | +**Solution:** Added user information to queue items and UI: |
| 55 | + |
| 56 | +#### Database Layer (`invokeai/app/services/session_queue/session_queue_sqlite.py`): |
| 57 | +- Updated SQL queries to JOIN with `users` table |
| 58 | +- Modified methods to fetch user information: |
| 59 | + - `get_queue_item()` - Now selects `display_name` and `email` from users table |
| 60 | + - `dequeue()` - Includes user info |
| 61 | + - `get_next()` - Includes user info |
| 62 | + - `get_current()` - Includes user info |
| 63 | + - `list_all_queue_items()` - Includes user info |
| 64 | + |
| 65 | +#### Data Model Changes (`invokeai/app/services/session_queue/session_queue_common.py`): |
| 66 | +- Added optional fields to `SessionQueueItem`: |
| 67 | + - `user_display_name: Optional[str]` - Display name from users table |
| 68 | + - `user_email: Optional[str]` - Email from users table |
| 69 | + - Note: `user_id` field already existed from Migration 25 |
| 70 | + |
| 71 | +#### Frontend UI Changes: |
| 72 | +- **Constants** (`constants.ts`): Added `user: '8rem'` column width |
| 73 | +- **Header** (`QueueListHeader.tsx`): Added "User" column header |
| 74 | +- **Item Component** (`QueueItemComponent.tsx`): |
| 75 | + - Added logic to display user information (display_name → email → user_id) |
| 76 | + - Added user column to queue item row |
| 77 | + - Added tooltip with full username on hover |
| 78 | + - Added "Hidden for privacy" message when field_values are null for non-owned items |
| 79 | +- **Localization** (`en.json`): Added translations: |
| 80 | + - `"user": "User"` |
| 81 | + - `"fieldValuesHidden": "Hidden for privacy"` |
| 82 | + |
| 83 | +## Security Considerations |
| 84 | + |
| 85 | +### Token Verification |
| 86 | +- Tokens are verified using the existing `verify_token()` function from `invokeai.app.services.auth.token_service` |
| 87 | +- Invalid or missing tokens default to "system" user with non-admin privileges |
| 88 | +- Socket connections without valid tokens are still accepted for backward compatibility but have limited access |
| 89 | + |
| 90 | +### Data Privacy |
| 91 | +- Field values are only visible to: |
| 92 | + - The user who created the queue item |
| 93 | + - Admin users |
| 94 | +- Non-admin users viewing other users' queue items see "Hidden for privacy" instead of field values |
| 95 | + |
| 96 | +### Admin Privileges |
| 97 | +- Admin users can see all queue events and field values across all users |
| 98 | +- Admin status is determined from the JWT token's `is_admin` field |
| 99 | + |
| 100 | +## Migration Notes |
| 101 | + |
| 102 | +No database migration is required. The changes leverage: |
| 103 | +- Existing `user_id` column in `session_queue` table (added in Migration 25) |
| 104 | +- Existing `users` table (added in Migration 25) |
| 105 | +- SQL LEFT JOINs to fetch user information (gracefully handles missing user records) |
| 106 | + |
| 107 | +## Testing Requirements |
| 108 | + |
| 109 | +### Backend Testing |
| 110 | +1. **Socket Authentication:** |
| 111 | + - Verify valid tokens are accepted and user context is stored |
| 112 | + - Verify invalid tokens default to system user |
| 113 | + - Verify expired tokens are rejected |
| 114 | + |
| 115 | +2. **Event Filtering:** |
| 116 | + - User A should only receive events for their own queue items |
| 117 | + - Admin users should receive all events |
| 118 | + - Non-admin users should not receive events from other users |
| 119 | + |
| 120 | +3. **Field Value Sanitization:** |
| 121 | + - Non-admin users should see null field_values for other users' items |
| 122 | + - Admins should see all field values |
| 123 | + - Users should see their own field values |
| 124 | + |
| 125 | +### Frontend Testing |
| 126 | +1. **UI Display:** |
| 127 | + - User column should display in queue list |
| 128 | + - Display name should be shown when available |
| 129 | + - Email should be shown as fallback when display name is missing |
| 130 | + - User ID should be shown when both display name and email are missing |
| 131 | + - Tooltip should show full username on hover |
| 132 | + |
| 133 | +2. **Field Values Display:** |
| 134 | + - "Hidden for privacy" message should appear when viewing other users' items |
| 135 | + - Own items should show field values normally |
| 136 | + |
| 137 | +3. **Multi-Browser Testing:** |
| 138 | + - Open queue tab in two browsers with different users |
| 139 | + - Start generation in one browser |
| 140 | + - Verify other browser doesn't see the preview/progress |
| 141 | + - Verify admin user can see all generations |
| 142 | + |
| 143 | +### Integration Testing |
| 144 | +1. Multi-user scenarios with simultaneous generations |
| 145 | +2. Queue updates across multiple browser windows |
| 146 | +3. Admin vs. non-admin privilege differentiation |
| 147 | +4. Socket reconnection handling |
| 148 | + |
| 149 | +## Known Limitations |
| 150 | + |
| 151 | +1. **TypeScript Types:** |
| 152 | + - The OpenAPI schema needs to be regenerated to include new fields |
| 153 | + - Run: `cd invokeai/frontend/web && python ../../../scripts/generate_openapi_schema.py | pnpm typegen` |
| 154 | + |
| 155 | +2. **Backward Compatibility:** |
| 156 | + - System user ("system") entries will not have display name or email |
| 157 | + - Existing queue items from before Migration 25 will have user_id="system" |
| 158 | + |
| 159 | +3. **Socket.IO Session Storage:** |
| 160 | + - Socket.IO's in-memory session storage may not persist across server restarts |
| 161 | + - Consider implementing persistent session storage if needed for production |
| 162 | + |
| 163 | +## Future Enhancements |
| 164 | + |
| 165 | +1. Add user filtering to queue list (show only my items vs. all items) |
| 166 | +2. Add permission system for queue management operations (cancel, retry, delete) |
| 167 | +3. Implement queue item ownership transfer for administrative purposes |
| 168 | +4. Add audit logging for queue operations with user attribution |
| 169 | +5. Consider implementing user-specific queue limits or quotas |
0 commit comments