🚀 Release v0.29.8 (#4562)

* fix(migrate-auth-secret): exit cleanly when there are no 2FA records

The empty-records branch of `main()` returned without calling
`process.exit(0)`, leaving the Drizzle Postgres connection pool
holding the event loop open. The `migrate-auth-secret` process
then hangs indefinitely after printing "No 2FA records found,
nothing to migrate." causing the upstream `0.29.3.sh` security
migration script (which calls this via `docker exec`) to never
reach its final `docker service update` step that mounts the new
Docker Secret. Operators end up with the new secret created but
the dokploy service still configured with the hardcoded
`BETTER_AUTH_SECRET`, while believing the migration completed.

Match the success branch a few lines below which already does
`process.exit(0)`, and the pattern used in sibling scripts
`reset-password.ts` and `reset-2fa.ts`.

Closes #4392

* feat(compose): add import from base64 in create service dropdown

Adds an "Import" option to the Create Service dropdown that lets users
paste a base64-encoded compose export, preview the template (compose YAML,
domains, envs, mounts) before confirming, and create the service only on
confirm. Adds a `previewTemplate` tRPC procedure that processes the base64
without touching the DB, with server access validation via session.

* [autofix.ci] apply automated fixes

* Enhance version synchronization workflow to include SDK repository

- Updated the GitHub Actions workflow to sync versioning across MCP, CLI, and SDK repositories.
- Added steps to bump the version in the SDK repository and regenerate tools from the latest OpenAPI spec.
- Improved commit message formatting to include source and release information for all repositories.
- Ensured successful synchronization messages for each repository after the version update.

* feat(deployment): add readLogs procedure to fetch deployment logs

- Introduced a new `readLogs` procedure that allows users to retrieve logs for a specific deployment by providing the deployment ID and an optional tail parameter.
- Implemented permission checks to ensure users have access to the requested logs.
- Enhanced log retrieval for both cloud and non-cloud environments, utilizing appropriate commands based on the server context.

Resolve https://github.com/Dokploy/mcp/issues/14

* feat(deployment): add server access validation for deployment actions

- Implemented server access validation in deployment procedures to ensure users can only access deployments associated with their active organization.
- Added checks to throw an UNAUTHORIZED error if a user attempts to access a deployment linked to a server outside their organization.

This enhancement improves security and access control within the deployment management system.

* feat(organization): prevent inviting users with owner role

- Added validation to prevent users from being invited with the owner role in the organization and user routers.
- Implemented TRPCError responses to ensure proper error handling when attempting to assign the owner role.
This change enhances role management and security within the organization structure.

https://github.com/Dokploy/dokploy/security/advisories/GHSA-fm9p-wmpw-gxjh

* feat(user): implement session cleanup on user update

- Added functionality to delete old sessions when a user updates their password, ensuring that only the current session remains active.
- This change enhances security by preventing unauthorized access from previous sessions after a password change.

Close here https://github.com/Dokploy/dokploy/security/advisories/GHSA-rr9m-w87g-46f3

* feat(settings): add copy button to server IP in web server settings (#4397)

* fix: copy Dokploy server IP when clicking server badge (#4390)

* fix: copy Dokploy server IP when clicking server badge

When a service runs on the local Dokploy server (no remote server),
clicking the server badge did nothing because `data.server` is null.
Now falls back to the server IP from settings so the badge always
copies an IP address.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat(copy-ip): implement IP address copying functionality across database service components

- Added the ability to copy the server IP address to the clipboard when clicking the server badge in various database service components (Libsql, MariaDB, MongoDB, MySQL, PostgreSQL, Redis).
- Integrated the `copy-to-clipboard` library and `sonner` for user feedback upon successful copy action.
- Ensured fallback to the server IP from settings when the service data is not available, enhancing user experience and functionality.

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Mauricio Siu <siumauricio@icloud.com>

* fix: responsive layout (#4391)

Signed-off-by: Nahidujjaman Hridoy <hridoyboss12@gmail.com>

* fix: automatically converting username to lowercase both in creation of register, and build for extra. (#4382)

* fix: allow square brackets in zip path validation for Next.js dynamic routes (#4468)

* fix: allow square brackets in zip drop path validation for Next.js dynamic routes

ZIP uploads containing Next.js dynamic route files (e.g. app/api/[id]/route.ts,
pages/[slug].tsx) were rejected by readValidDirectory because the path regex
did not include square bracket characters.

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* fix: prevent webhook deploy crash when commit data lacks modified files (#4470)

shouldDeploy passed undefined/null entries from commit.modified straight
into micromatch, which throws "Expected input to be a string" and fails
every webhook deployment when watch paths are configured. Filter out
non-string values before matching.

* fix: add type="button" to TooltipTrigger in form components to prevent accidental submission (#4422)

Co-authored-by: Maks Pikov <mixelburg@users.noreply.github.com>

* fix: enable comment toggle shortcut in env variable editor (#4402) (#4473)

* fix: add tls=true label for domains when certificateType is none (#4018) (#4474)

* fix: add tls=true label for compose domains when certificateType is none (#4018)

* test: cover tls=true label for certificateType none, require https

* fix: scope tls fix to compose labels, leave traefik file config unchanged (#4018)

* chore: update version to v0.29.5 in package.json

* chore(deps): upgrade next to 16.2.6 (#4477)

Upgraded next dependency in apps/dokploy to 16.2.6 exactly. Verified typescript typecheck passes successfully.

* feat: add self-hosted enterprise restrictions (remote-servers-only, enforce-sso) (#4511)

* feat: add self-hosted enterprise restrictions (remote-servers-only, enforce-sso)

- Add `remoteServersOnly` field to webServerSettings: prevents creating services
  on the local Dokploy VM, forcing all deployments to remote servers. Validated
  in all 8 service routers (application, compose, postgres, mysql, mongo, redis,
  mariadb, libsql).
- Add `enforceSSO` field to webServerSettings: hides the email/password login
  form and shows only the SSO button on the login page.
- Both settings are enterprise-only (enterpriseProcedure) and self-hosted-only
  (blocked at the API level when IS_CLOUD=true).
- UI toggles added to the SSO settings page under a new "Self-hosted
  Restrictions" card (hidden in cloud). Login page reads enforceSSO from
  getServerSideProps to avoid client-side flash.
- Migrations: 0167_fresh_goliath.sql, 0168_long_justice.sql

* fix: add missing final newlines to migration files

* refactor: improve code formatting for better readability in multiple components

- Adjusted formatting in `add-application.tsx`, `add-compose.tsx`, and `add-database.tsx` to enhance readability by adding line breaks and consistent indentation.
- Updated `toggle-enforce-sso.tsx` to simplify the Switch component's props.
- Reformatted imports in `index.tsx` and `sso.tsx` for consistency.
- Cleaned up conditional statements in various router files for improved clarity.

* fix: add enforceSSO to test mock

* fix: grant create and delete SSH key permissions when canAccessToSSHKeys is enabled for members (#4512)

* fix: use create permission for basic auth delete instead of delete (#4513)

* fix: wrap long server names and keep actions menu visible (#4434)

On settings/servers, a long server name in the card title (h3) did not
wrap and overflowed its container, overlapping nearby content and
squeezing the three-dots actions menu until it disappeared.

Allow the title block to shrink and wrap (min-w-0 + break-words), keep
the server icon and the actions trigger from being crushed (shrink-0),
and add gap between the title and the actions button.

* chore: update version to v0.29.6 in package.json

* fix: preserve HOME in compose deploy so --with-registry-auth can read docker config (#4485)

The compose/stack deploy command runs under `env -i PATH="$PATH"`, which
clears the environment except for PATH. That strips HOME, so when the
generated command is `docker stack deploy --prune --with-registry-auth`
the docker CLI cannot resolve `~/.docker/config.json` (e.g.
`/root/.docker/config.json`) and ships no registry credentials to the
swarm. Private-registry images then fail to pull on the nodes:

  image registry.example.com/... could not be accessed on a registry to
  record its digest. Each node will access ... independently

while the deploy still logs "Docker Compose Deployed: ✅".

Keep PATH isolation but preserve HOME so docker can read its config for
both `stack deploy --with-registry-auth` and `compose up -d --build`.

Add a regression test asserting the generated command preserves
`HOME="$HOME"` for both stack and docker-compose deploys.

Fixes #4401

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: scope dokploy-server schedules to organization instead of user (#4526)

* fix: scope dokploy-server schedules to organization instead of user

Replaces userId with organizationId on the schedule table so that
global (dokploy-server) schedules are shared across all owners and
admins of the same organization, while remaining isolated between
different organizations.

Includes a data migration that backfills organizationId from the
owner membership record for any existing dokploy-server schedules.

Closes #4300

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* feat: implement forward authentication settings and UI components

- Added a new `forward_auth_settings` table to manage authentication domains and their configurations.
- Introduced UI components for handling forward authentication, including enabling/disabling SSO for domains and selecting SSO providers.
- Updated existing tests to include validation for the new `forwardAuthProviderId` field in domain configurations.
- Enhanced the dashboard to integrate forward authentication management, allowing users to configure SSO settings directly from the application interface.

This update improves the flexibility and security of application authentication by allowing integration with various identity providers.

* refactor: simplify forward authentication handling in UI and API

- Removed the selection of SSO providers from the UI, streamlining the process to enable/disable SSO for domains.
- Updated the API to eliminate the need for a provider ID when enabling forward authentication, relying on the configured settings instead.
- Enhanced user feedback by updating toast messages to reflect the current state of SSO authentication.
- Improved the UI layout for better clarity on SSO status and actions.

This refactor enhances the user experience by simplifying the SSO configuration process and ensuring clearer communication of actions taken.

* refactor: unify branch validation imports across provider components

- Added the `VALID_BRANCH_REGEX` import to all Git provider components to ensure consistent branch validation.
- Removed duplicate imports of `VALID_BRANCH_REGEX` to streamline the code and improve readability.

This change enhances maintainability by centralizing branch validation logic across the application.

* refactor: remove obsolete SQL migration files and snapshots

- Deleted several SQL migration files related to the `webServerSettings` and `schedule` tables, which included adding and dropping columns and constraints.
- Removed snapshots corresponding to the deleted migrations to maintain consistency in the database schema history.

This cleanup enhances the maintainability of the migration history by removing outdated and unused files.

* refactor: update forward authentication handling in domain schema and tests

- Replaced `forwardAuthProviderId` with `forwardAuthEnabled` in the domain schema to simplify the configuration of forward authentication.
- Updated related tests to reflect this change, ensuring consistency across the application.
- Introduced a new SQL migration to create the `forward_auth_settings` table for managing authentication domains and their configurations.

This refactor enhances the clarity and maintainability of the forward authentication logic within the application.

* chore: remove PR quality workflow configuration

Deleted the `.github/workflows/pr-quality.yml` file, which contained the configuration for the PR Quality workflow. This removal streamlines the repository by eliminating unused workflow files.

* Delete .github/workflows/pr-quality.yml

* refactor: enhance forward authentication UI and API integration

- Updated the alert block in the HandleForwardAuth component to provide clearer requirements for deploying the authentication proxy.
- Added a DnsHelperModal to assist with DNS configuration in the ForwardAuthServers component.
- Refined API input schemas for forward authentication operations to improve type safety and clarity.
- Removed the obsolete forward-auth SSO design document to streamline documentation.

These changes improve the user experience and maintainability of the forward authentication feature across the application.

* feat: add SQL migration for lucky echo and update foreign key constraints

- Introduced a new SQL migration file `0171_lucky_echo.sql` to modify the foreign key constraint on the `sso_provider` table, changing the `ON DELETE` behavior from `cascade` to `set null`.
- Updated the journal to include the new migration version and its associated tag.
- Added a snapshot file for version 7 of the database schema, reflecting the current state of the `sso_provider` and other related tables.

These changes enhance the integrity of the database by ensuring that user references are set to null instead of being deleted when the referenced user is removed.

* refactor: improve path validation in Traefik configuration schema

- Enhanced the `apiReadTraefikConfig` schema by reintroducing path validation logic to prevent directory traversal attacks and unauthorized access.
- The validation now includes checks for null bytes and ensures paths start with a defined main Traefik path, improving security and robustness.

These changes strengthen the integrity of the configuration handling by ensuring only valid paths are accepted.

* fix: swarm health check fields not resetting to default values (#4558)

Fixes #4553

- Replace z.coerce.number() with a custom transform that converts empty strings to undefined instead of 0
- Add value={field.value ?? ""} to numeric inputs so they visually clear when reset to undefined

* fix: add docker cleanup toggle to remote server creation (#4559)

* fix: add docker cleanup toggle to remote server creation and update forms

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* fix: use stop-first update order for all database services (#4560)

Docker Swarm's default start-first update order causes new database
containers to fail with 'DBPathInUse' because two containers compete
for the same data volume simultaneously. Docker then rolls back the
update, silently reverting any env var or config changes.

Using stop-first ensures the old container is stopped before the new
one starts, preventing volume lock conflicts across all database types.

Fixes #4550

* fix: respect gitProviders permissions in git provider UI (#4561)

* chore: bump dokploy version to v0.29.8

* fix: strip credentials from service-level API responses (#4564)

* fix: strip credentials from service-level API responses

Registry passwords and S3 destination credentials were being returned
in service `.one` tRPC endpoints to any user with service-level read
access. Reported by Nihon Kohden Corporation security team.

- Strip registry `password` from `findApplicationById` via Drizzle `columns: { password: false }`
- Strip destination `accessKey`/`secretAccessKey` from all DB service finders (postgres, mysql, mariadb, mongo, libsql, compose, backup, volume-backups)
- Add `findRegistryByIdWithCredentials` for internal use only
- Builders and upload utils now load registry credentials by ID at execution time
- `createRollback` enriches `fullContext` with registry credentials before persisting to DB so rollback execution has what it needs
- Remove `findApplicationByIdWithCredentials` and `ApplicationNestedWithCredentials` — no longer needed
- Backup execution utils load full destination via `findDestinationById` at runtime instead of reading from the joined relation

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* refactor: improve restore logging for database backups (#4566)

* refactor: improve restore logging for database backups

- Updated restore functions across various database types (Postgres, MySQL, MongoDB, MariaDB, LibSQL, and Compose) to provide clearer logging messages.
- Replaced generic command execution logs with specific messages indicating the database being restored and the source backup file.
- This change enhances the clarity of restore operations and aids in troubleshooting by providing more context in the logs.

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* fix: use swarm advertise address in docker swarm join command (#4567)

* fix: enforce docker:read on container start/stop/kill/restart mutations (#4568)

* refactor: replace BETTER_AUTH_SECRET with betterAuthSecret in forward-auth setup

* fix: update deriveCookieSecret to meet oauth2-proxy requirements

* fix: correct deriveCookieSecret test to validate 16-byte hex secret as per oauth2-proxy requirements

* fix: strip credentials from gitProvider.getAll API response (#4569)

* fix: strip credentials from gitProvider.getAll API response

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* fix: correct git provider access check for existing deploys (#4570)

* fix: use canEditDeployGitSource for git provider access on existing deploys

Replaces the simple userId ownership check with a new canEditDeployGitSource
function that correctly handles all role/sharing scenarios. Owner always has
access; admin and member only if they own the provider or it is shared with
the org — being assigned via accessedGitProviders (enterprise) only grants
permission to connect new deploys, not to edit the git source of existing ones.

Adds 26 unit tests covering owner, admin, member (with/without enterprise
license), shared providers, and the key regression case from issue #4469.

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* fix: prevent registry password from appearing in error messages and shell commands (#4579)

---------

Signed-off-by: Nahidujjaman Hridoy <hridoyboss12@gmail.com>
Co-authored-by: ngenohkevin <ngenohkevin19@gmail.com>
Co-authored-by: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com>
Co-authored-by: Mauricio Siu <siumauricio@icloud.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Volodymyr Kravchuk <volodymyr.kravch@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Nahidujjaman Hridoy <75487507+nhridoy@users.noreply.github.com>
Co-authored-by: Francis <9560564+Baker@users.noreply.github.com>
Co-authored-by: mixelburg <52622705+mixelburg@users.noreply.github.com>
Co-authored-by: Maks Pikov <mixelburg@users.noreply.github.com>
Co-authored-by: Jasael <67719321+jasael@users.noreply.github.com>
Co-authored-by: Philippe Parage <69145356+pparage@users.noreply.github.com>
Co-authored-by: youcef zr <93142224+youcefzemmar@users.noreply.github.com>

.github/workflows/pr-quality.yml

@@ -1,21 +0,0 @@
-
-name: PR Quality
-
-permissions:
-  contents: read
-  issues: read
-  pull-requests: write
-
-on:
-  pull_request_target:
-    types: [opened, reopened]
-
-jobs:
-  anti-slop:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: peakoss/anti-slop@v0
-        with:
-          blocked-commit-authors: "claude,copilot"
-          require-description: true
-          min-account-age: 5

apps/dokploy/__test__/compose/domain/host-rule-format.test.ts

@@ -34,6 +34,7 @@ describe("Host rule format regression tests", () => {
 		stripPath: false,
 		customEntrypoint: null,
 		middlewares: null,
+		forwardAuthEnabled: false,
 	};
 
 	describe("Host rule format validation", () => {

apps/dokploy/__test__/compose/domain/labels.test.ts

@@ -23,6 +23,7 @@ describe("createDomainLabels", () => {
 		internalPath: "/",
 		stripPath: false,
 		middlewares: null,
+		forwardAuthEnabled: false,
 	};
 
 	it("should create basic labels for web entrypoint", async () => {

apps/dokploy/__test__/git-provider/git-provider-access.test.ts

@@ -0,0 +1,369 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import {
+	canEditDeployGitSource,
+	getAccessibleGitProviderIds,
+} from "@dokploy/server/services/git-provider";
+
+const mockDb = vi.hoisted(() => ({
+	query: {
+		gitProvider: {
+			findMany: vi.fn(),
+			findFirst: vi.fn(),
+		},
+		member: {
+			findFirst: vi.fn(),
+		},
+	},
+}));
+
+vi.mock("@dokploy/server/db", () => ({ db: mockDb }));
+
+const mockHasValidLicense = vi.hoisted(() => vi.fn());
+vi.mock("@dokploy/server/services/proprietary/license-key", () => ({
+	hasValidLicense: mockHasValidLicense,
+}));
+
+const ORG_ID = "org-1";
+const USER_OWNER = "user-owner";
+const USER_ADMIN = "user-admin";
+const USER_MEMBER = "user-member";
+const USER_MEMBER_2 = "user-member-2";
+
+const providerOwned = {
+	gitProviderId: "gp-owned",
+	userId: USER_MEMBER,
+	sharedWithOrganization: false,
+};
+const providerShared = {
+	gitProviderId: "gp-shared",
+	userId: USER_OWNER,
+	sharedWithOrganization: true,
+};
+const providerPrivate = {
+	gitProviderId: "gp-private",
+	userId: USER_OWNER,
+	sharedWithOrganization: false,
+};
+const providerOtherMember = {
+	gitProviderId: "gp-other",
+	userId: USER_MEMBER_2,
+	sharedWithOrganization: false,
+};
+
+const allProviders = [
+	providerOwned,
+	providerShared,
+	providerPrivate,
+	providerOtherMember,
+];
+
+function session(userId: string) {
+	return { userId, activeOrganizationId: ORG_ID };
+}
+
+beforeEach(() => {
+	vi.clearAllMocks();
+	mockDb.query.gitProvider.findMany.mockResolvedValue(allProviders);
+	mockHasValidLicense.mockResolvedValue(false);
+});
+
+describe("getAccessibleGitProviderIds", () => {
+	describe("owner", () => {
+		beforeEach(() => {
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "owner",
+				accessedGitProviders: [],
+			});
+		});
+
+		it("returns all org providers", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_OWNER));
+			expect(ids).toEqual(new Set(allProviders.map((p) => p.gitProviderId)));
+		});
+
+		it("includes providers owned by other members", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_OWNER));
+			expect(ids.has(providerOwned.gitProviderId)).toBe(true);
+			expect(ids.has(providerOtherMember.gitProviderId)).toBe(true);
+		});
+	});
+
+	describe("admin", () => {
+		beforeEach(() => {
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "admin",
+				accessedGitProviders: [],
+			});
+		});
+
+		it("returns all org providers", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_ADMIN));
+			expect(ids).toEqual(new Set(allProviders.map((p) => p.gitProviderId)));
+		});
+
+		it("includes providers owned by other members — fixes issue #4469", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_ADMIN));
+			expect(ids.has(providerPrivate.gitProviderId)).toBe(true);
+			expect(ids.has(providerOtherMember.gitProviderId)).toBe(true);
+		});
+	});
+
+	describe("member without enterprise license", () => {
+		beforeEach(() => {
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "member",
+				accessedGitProviders: [providerPrivate.gitProviderId],
+			});
+			mockHasValidLicense.mockResolvedValue(false);
+		});
+
+		it("can access their own provider", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerOwned.gitProviderId)).toBe(true);
+		});
+
+		it("can access shared providers", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerShared.gitProviderId)).toBe(true);
+		});
+
+		it("cannot access private providers of other users even if assigned (no license)", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerPrivate.gitProviderId)).toBe(false);
+		});
+
+		it("cannot access providers of other members", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerOtherMember.gitProviderId)).toBe(false);
+		});
+	});
+
+	describe("member with enterprise license", () => {
+		beforeEach(() => {
+			mockHasValidLicense.mockResolvedValue(true);
+		});
+
+		it("can access provider explicitly assigned to them", async () => {
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "member",
+				accessedGitProviders: [providerPrivate.gitProviderId],
+			});
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerPrivate.gitProviderId)).toBe(true);
+		});
+
+		it("cannot access provider not assigned and not shared", async () => {
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "member",
+				accessedGitProviders: [],
+			});
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerPrivate.gitProviderId)).toBe(false);
+			expect(ids.has(providerOtherMember.gitProviderId)).toBe(false);
+		});
+
+		it("can access shared provider even without explicit assignment", async () => {
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "member",
+				accessedGitProviders: [],
+			});
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerShared.gitProviderId)).toBe(true);
+		});
+
+		it("can access own provider regardless of assignments", async () => {
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "member",
+				accessedGitProviders: [],
+			});
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerOwned.gitProviderId)).toBe(true);
+		});
+
+		it("cannot access provider of other member even with license but no assignment", async () => {
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "member",
+				accessedGitProviders: [],
+			});
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerOtherMember.gitProviderId)).toBe(false);
+		});
+	});
+
+	describe("member with no member record", () => {
+		beforeEach(() => {
+			mockDb.query.member.findFirst.mockResolvedValue(null);
+			mockHasValidLicense.mockResolvedValue(true);
+		});
+
+		it("only returns own providers and shared ones", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerOwned.gitProviderId)).toBe(true);
+			expect(ids.has(providerShared.gitProviderId)).toBe(true);
+			expect(ids.has(providerPrivate.gitProviderId)).toBe(false);
+		});
+	});
+
+	describe("enterprise license — member assigned to a provider they do not own", () => {
+		// getAccessibleGitProviderIds still returns the provider (member can connect NEW deploys)
+		it("member assigned to owner's private provider can USE the provider for new deploys", async () => {
+			mockHasValidLicense.mockResolvedValue(true);
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "member",
+				accessedGitProviders: [providerPrivate.gitProviderId],
+			});
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerPrivate.gitProviderId)).toBe(true);
+		});
+
+		it("member NOT assigned to owner's private provider cannot use it at all", async () => {
+			mockHasValidLicense.mockResolvedValue(true);
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "member",
+				accessedGitProviders: [],
+			});
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerPrivate.gitProviderId)).toBe(false);
+		});
+	});
+
+	describe("empty org", () => {
+		beforeEach(() => {
+			mockDb.query.gitProvider.findMany.mockResolvedValue([]);
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "admin",
+				accessedGitProviders: [],
+			});
+		});
+
+		it("returns empty set when org has no providers", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_ADMIN));
+			expect(ids.size).toBe(0);
+		});
+	});
+});
+
+describe("canEditDeployGitSource", () => {
+	beforeEach(() => {
+		vi.clearAllMocks();
+		mockHasValidLicense.mockResolvedValue(true);
+	});
+
+	describe("owner", () => {
+		it("can edit deploy using any provider", async () => {
+			mockDb.query.member.findFirst.mockResolvedValue({ role: "owner" });
+			const result = await canEditDeployGitSource(
+				providerPrivate.gitProviderId,
+				session(USER_OWNER),
+			);
+			expect(result).toBe(true);
+		});
+	});
+
+	describe("admin", () => {
+		beforeEach(() => {
+			mockDb.query.member.findFirst.mockResolvedValue({ role: "admin" });
+		});
+
+		it("cannot edit deploy using owner's private provider (not shared)", async () => {
+			mockDb.query.gitProvider.findFirst.mockResolvedValue({
+				userId: USER_OWNER,
+				sharedWithOrganization: false,
+			});
+			const result = await canEditDeployGitSource(
+				providerPrivate.gitProviderId,
+				session(USER_ADMIN),
+			);
+			expect(result).toBe(false);
+		});
+
+		it("can edit deploy using a provider shared with the org", async () => {
+			mockDb.query.gitProvider.findFirst.mockResolvedValue({
+				userId: USER_OWNER,
+				sharedWithOrganization: true,
+			});
+			const result = await canEditDeployGitSource(
+				providerShared.gitProviderId,
+				session(USER_ADMIN),
+			);
+			expect(result).toBe(true);
+		});
+
+		it("can edit deploy using their own provider", async () => {
+			mockDb.query.gitProvider.findFirst.mockResolvedValue({
+				userId: USER_ADMIN,
+				sharedWithOrganization: false,
+			});
+			const result = await canEditDeployGitSource(
+				"gp-admin-owned",
+				session(USER_ADMIN),
+			);
+			expect(result).toBe(true);
+		});
+	});
+
+	describe("member", () => {
+		beforeEach(() => {
+			mockDb.query.member.findFirst.mockResolvedValue({ role: "member" });
+		});
+
+		it("can edit deploy using their own provider", async () => {
+			mockDb.query.gitProvider.findFirst.mockResolvedValue({
+				userId: USER_MEMBER,
+				sharedWithOrganization: false,
+			});
+			const result = await canEditDeployGitSource(
+				providerOwned.gitProviderId,
+				session(USER_MEMBER),
+			);
+			expect(result).toBe(true);
+		});
+
+		it("can edit deploy using a provider shared with the org", async () => {
+			mockDb.query.gitProvider.findFirst.mockResolvedValue({
+				userId: USER_OWNER,
+				sharedWithOrganization: true,
+			});
+			const result = await canEditDeployGitSource(
+				providerShared.gitProviderId,
+				session(USER_MEMBER),
+			);
+			expect(result).toBe(true);
+		});
+
+		it("cannot edit deploy using owner's private provider even with enterprise license and assignment", async () => {
+			// This is the key case: enterprise, provider del owner, no compartido,
+			// member tiene accessedGitProviders asignado — pero NO puede cambiar la branch del deploy del owner
+			mockDb.query.gitProvider.findFirst.mockResolvedValue({
+				userId: USER_OWNER,
+				sharedWithOrganization: false,
+			});
+			const result = await canEditDeployGitSource(
+				providerPrivate.gitProviderId,
+				session(USER_MEMBER),
+			);
+			expect(result).toBe(false);
+		});
+
+		it("cannot edit deploy using another member's private provider", async () => {
+			mockDb.query.gitProvider.findFirst.mockResolvedValue({
+				userId: USER_MEMBER_2,
+				sharedWithOrganization: false,
+			});
+			const result = await canEditDeployGitSource(
+				providerOtherMember.gitProviderId,
+				session(USER_MEMBER),
+			);
+			expect(result).toBe(false);
+		});
+
+		it("returns false if provider does not exist", async () => {
+			mockDb.query.gitProvider.findFirst.mockResolvedValue(null);
+			const result = await canEditDeployGitSource(
+				"nonexistent-id",
+				session(USER_MEMBER),
+			);
+			expect(result).toBe(false);
+		});
+	});
+});

apps/dokploy/__test__/traefik/forward-auth.test.ts

@@ -0,0 +1,233 @@
+import type { ApplicationNested, Domain } from "@dokploy/server";
+import {
+	buildForwardAuthEnv,
+	createRouterConfig,
+	deriveBaseDomain,
+	deriveCookieSecret,
+	forwardAuthCallbackUrl,
+	forwardAuthMiddlewareName,
+} from "@dokploy/server";
+import { beforeAll, describe, expect, test } from "vitest";
+
+const app = {
+	appName: "my-app",
+	redirects: [],
+	security: [],
+} as unknown as ApplicationNested;
+
+const baseDomain: Domain = {
+	applicationId: "app-1",
+	certificateType: "none",
+	createdAt: "",
+	domainId: "domain-1",
+	host: "app.example.com",
+	https: false,
+	path: null,
+	port: 3000,
+	customEntrypoint: null,
+	serviceName: "",
+	composeId: "",
+	customCertResolver: null,
+	domainType: "application",
+	uniqueConfigKey: 7,
+	previewDeploymentId: "",
+	internalPath: "/",
+	stripPath: false,
+	middlewares: null,
+	forwardAuthEnabled: false,
+};
+
+describe("forwardAuthMiddlewareName", () => {
+	test("is stable and unique per app + uniqueConfigKey", () => {
+		expect(forwardAuthMiddlewareName("my-app", 7)).toBe(
+			"forward-auth-my-app-7",
+		);
+		expect(forwardAuthMiddlewareName("my-app", 7)).toBe(
+			forwardAuthMiddlewareName("my-app", 7),
+		);
+		expect(forwardAuthMiddlewareName("my-app", 7)).not.toBe(
+			forwardAuthMiddlewareName("my-app", 8),
+		);
+	});
+});
+
+describe("createRouterConfig forward-auth wiring", () => {
+	test("does NOT add forward-auth middleware when no provider is linked", async () => {
+		const config = await createRouterConfig(app, baseDomain, "websecure");
+		expect(config.middlewares).not.toContain(
+			forwardAuthMiddlewareName("my-app", 7),
+		);
+	});
+
+	test("adds forward-auth middleware when a provider is linked", async () => {
+		const domain: Domain = {
+			...baseDomain,
+			forwardAuthEnabled: true,
+		};
+		const config = await createRouterConfig(app, domain, "websecure");
+		expect(config.middlewares).toContain(
+			forwardAuthMiddlewareName("my-app", 7),
+		);
+	});
+
+	test("forward-auth runs before custom domain middlewares", async () => {
+		const domain: Domain = {
+			...baseDomain,
+			forwardAuthEnabled: true,
+			middlewares: ["rate-limit@file"],
+		};
+		const config = await createRouterConfig(app, domain, "websecure");
+		const forwardAuthIdx = config.middlewares?.indexOf(
+			forwardAuthMiddlewareName("my-app", 7),
+		);
+		const customIdx = config.middlewares?.indexOf("rate-limit@file");
+		expect(forwardAuthIdx).toBeGreaterThanOrEqual(0);
+		expect(customIdx).toBeGreaterThan(forwardAuthIdx as number);
+	});
+
+	test("redirect-only web router does not get the forward-auth middleware", async () => {
+		const domain: Domain = {
+			...baseDomain,
+			https: true,
+			forwardAuthEnabled: true,
+		};
+		const config = await createRouterConfig(app, domain, "web");
+		expect(config.middlewares).toContain("redirect-to-https");
+		expect(config.middlewares).not.toContain(
+			forwardAuthMiddlewareName("my-app", 7),
+		);
+	});
+});
+
+describe("buildForwardAuthEnv", () => {
+	const baseOptions = {
+		oidc: {
+			clientId: "client-123",
+			clientSecret: "secret-xyz",
+			issuer: "https://idp.example.com",
+		},
+		cookieSecret: "cookie-secret-value",
+		authDomain: "auth.acme.com",
+		baseDomain: ".acme.com",
+		authDomainHttps: true,
+	};
+
+	test("emits the required oauth2-proxy OIDC env vars", () => {
+		const env = buildForwardAuthEnv(baseOptions);
+		expect(env).toContain("OAUTH2_PROXY_PROVIDER=oidc");
+		expect(env).toContain(
+			"OAUTH2_PROXY_OIDC_ISSUER_URL=https://idp.example.com",
+		);
+		expect(env).toContain("OAUTH2_PROXY_CLIENT_ID=client-123");
+		expect(env).toContain("OAUTH2_PROXY_CLIENT_SECRET=secret-xyz");
+		expect(env).toContain("OAUTH2_PROXY_COOKIE_SECRET=cookie-secret-value");
+		expect(env).toContain("OAUTH2_PROXY_REVERSE_PROXY=true");
+		expect(env).toContain("OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180");
+	});
+
+	test("uses the central auth domain for the single fixed callback", () => {
+		const env = buildForwardAuthEnv(baseOptions);
+		expect(env).toContain(
+			"OAUTH2_PROXY_REDIRECT_URL=https://auth.acme.com/oauth2/callback",
+		);
+	});
+
+	test("shares cookie + whitelist on the base domain (no per-app redeploy)", () => {
+		const env = buildForwardAuthEnv(baseOptions);
+		expect(env).toContain("OAUTH2_PROXY_COOKIE_DOMAINS=.acme.com");
+		expect(env).toContain("OAUTH2_PROXY_WHITELIST_DOMAINS=.acme.com");
+	});
+
+	test("matches cookie Secure flag and callback scheme to https setting", () => {
+		const https = buildForwardAuthEnv(baseOptions);
+		expect(https).toContain("OAUTH2_PROXY_COOKIE_SECURE=true");
+
+		const http = buildForwardAuthEnv({
+			...baseOptions,
+			authDomainHttps: false,
+		});
+		expect(http).toContain("OAUTH2_PROXY_COOKIE_SECURE=false");
+		expect(http).toContain(
+			"OAUTH2_PROXY_REDIRECT_URL=http://auth.acme.com/oauth2/callback",
+		);
+	});
+
+	test("allows unverified emails so OIDC providers don't 500 the callback", () => {
+		const env = buildForwardAuthEnv(baseOptions);
+		expect(env).toContain(
+			"OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL=true",
+		);
+	});
+
+	test("defaults to any authenticated user and standard scopes", () => {
+		const env = buildForwardAuthEnv(baseOptions);
+		expect(env).toContain("OAUTH2_PROXY_EMAIL_DOMAINS=*");
+		expect(env).toContain("OAUTH2_PROXY_SCOPE=openid email profile");
+	});
+
+	test("honors custom scopes and email domains", () => {
+		const env = buildForwardAuthEnv({
+			...baseOptions,
+			oidc: { ...baseOptions.oidc, scopes: ["openid", "groups"] },
+			emailDomains: ["acme.com", "corp.com"],
+		});
+		expect(env).toContain("OAUTH2_PROXY_SCOPE=openid groups");
+		expect(env).toContain("OAUTH2_PROXY_EMAIL_DOMAINS=acme.com,corp.com");
+	});
+
+	test("sets skip-discovery flag only when requested", () => {
+		const withoutSkip = buildForwardAuthEnv(baseOptions);
+		expect(withoutSkip).not.toContain("OAUTH2_PROXY_SKIP_OIDC_DISCOVERY=true");
+
+		const withSkip = buildForwardAuthEnv({
+			...baseOptions,
+			oidc: { ...baseOptions.oidc, skipDiscovery: true },
+		});
+		expect(withSkip).toContain("OAUTH2_PROXY_SKIP_OIDC_DISCOVERY=true");
+	});
+});
+
+describe("deriveBaseDomain", () => {
+	test("strips the auth subdomain to the shared base", () => {
+		expect(deriveBaseDomain("auth.acme.com")).toBe(".acme.com");
+		expect(deriveBaseDomain("sso.apps.acme.com")).toBe(".apps.acme.com");
+	});
+
+	test("keeps a two-label apex as the base", () => {
+		expect(deriveBaseDomain("acme.com")).toBe(".acme.com");
+	});
+});
+
+describe("forwardAuthCallbackUrl", () => {
+	test("builds the single IdP callback per scheme", () => {
+		expect(forwardAuthCallbackUrl("auth.acme.com", true)).toBe(
+			"https://auth.acme.com/oauth2/callback",
+		);
+		expect(forwardAuthCallbackUrl("auth.acme.com", false)).toBe(
+			"http://auth.acme.com/oauth2/callback",
+		);
+	});
+});
+
+describe("deriveCookieSecret", () => {
+	beforeAll(() => {
+		process.env.BETTER_AUTH_SECRET = "test-root-secret";
+	});
+
+	test("is deterministic for the same salt (survives service updates)", () => {
+		expect(deriveCookieSecret(".acme.com")).toBe(
+			deriveCookieSecret(".acme.com"),
+		);
+	});
+
+	test("differs per salt", () => {
+		expect(deriveCookieSecret(".acme.com")).not.toBe(
+			deriveCookieSecret(".other.com"),
+		);
+	});
+
+	test("produces a 16-byte hex secret (oauth2-proxy requirement)", () => {
+		const secret = deriveCookieSecret(".acme.com");
+		expect(Buffer.from(secret, "hex")).toHaveLength(16);
+	});
+});

apps/dokploy/__test__/traefik/traefik.test.ts

@@ -148,6 +148,7 @@ const baseDomain: Domain = {
 	internalPath: "/",
 	stripPath: false,
 	middlewares: null,
+	forwardAuthEnabled: false,
 };
 
 const baseRedirect: Redirect = {

apps/dokploy/components/dashboard/application/advanced/cluster/swarm-forms/health-check-form.tsx

@@ -16,12 +16,17 @@ import {
 import { Input } from "@/components/ui/input";
 import { api } from "@/utils/api";
 
+const optionalNumber = z
+	.union([z.string(), z.number()])
+	.transform((val) => (val === "" ? undefined : Number(val)))
+	.optional();
+
 export const healthCheckFormSchema = z.object({
 	Test: z.array(z.string()).optional(),
-	Interval: z.coerce.number().optional(),
-	Timeout: z.coerce.number().optional(),
-	StartPeriod: z.coerce.number().optional(),
-	Retries: z.coerce.number().optional(),
+	Interval: optionalNumber,
+	Timeout: optionalNumber,
+	StartPeriod: optionalNumber,
+	Retries: optionalNumber,
 });
 
 interface HealthCheckFormProps {
@@ -195,7 +200,12 @@ export const HealthCheckForm = ({ id, type }: HealthCheckFormProps) => {
 								Time between health checks (e.g., 10000000000 for 10 seconds)
 							</FormDescription>
 							<FormControl>
-								<Input type="number" placeholder="10000000000" {...field} />
+								<Input
+									type="number"
+									placeholder="10000000000"
+									{...field}
+									value={field.value ?? ""}
+								/>
 							</FormControl>
 							<FormMessage />
 						</FormItem>
@@ -212,7 +222,12 @@ export const HealthCheckForm = ({ id, type }: HealthCheckFormProps) => {
 								Maximum time to wait for health check response
 							</FormDescription>
 							<FormControl>
-								<Input type="number" placeholder="10000000000" {...field} />
+								<Input
+									type="number"
+									placeholder="10000000000"
+									{...field}
+									value={field.value ?? ""}
+								/>
 							</FormControl>
 							<FormMessage />
 						</FormItem>
@@ -229,7 +244,12 @@ export const HealthCheckForm = ({ id, type }: HealthCheckFormProps) => {
 								Initial grace period before health checks begin
 							</FormDescription>
 							<FormControl>
-								<Input type="number" placeholder="10000000000" {...field} />
+								<Input
+									type="number"
+									placeholder="10000000000"
+									{...field}
+									value={field.value ?? ""}
+								/>
 							</FormControl>
 							<FormMessage />
 						</FormItem>
@@ -247,7 +267,12 @@ export const HealthCheckForm = ({ id, type }: HealthCheckFormProps) => {
 								unhealthy
 							</FormDescription>
 							<FormControl>
-								<Input type="number" placeholder="3" {...field} />
+								<Input
+									type="number"
+									placeholder="3"
+									{...field}
+									value={field.value ?? ""}
+								/>
 							</FormControl>
 							<FormMessage />
 						</FormItem>

apps/dokploy/components/dashboard/application/domains/handle-forward-auth.tsx

@@ -0,0 +1,147 @@
+import { ShieldCheck } from "lucide-react";
+import { useState } from "react";
+import { toast } from "sonner";
+import { AlertBlock } from "@/components/shared/alert-block";
+import { Button } from "@/components/ui/button";
+import {
+	Dialog,
+	DialogContent,
+	DialogDescription,
+	DialogFooter,
+	DialogHeader,
+	DialogTitle,
+	DialogTrigger,
+} from "@/components/ui/dialog";
+import { Switch } from "@/components/ui/switch";
+import { api } from "@/utils/api";
+
+interface Props {
+	domainId: string;
+	applicationId: string;
+}
+
+export const HandleForwardAuth = ({ domainId, applicationId }: Props) => {
+	const [isOpen, setIsOpen] = useState(false);
+
+	const { data: haveValidLicense } =
+		api.licenseKey.haveValidLicenseKey.useQuery();
+
+	const utils = api.useUtils();
+
+	const { data: status } = api.forwardAuth.status.useQuery(
+		{ domainId },
+		{ enabled: isOpen },
+	);
+
+	const { mutateAsync: enable, isPending: isEnabling } =
+		api.forwardAuth.enable.useMutation();
+	const { mutateAsync: disable, isPending: isDisabling } =
+		api.forwardAuth.disable.useMutation();
+
+	if (!haveValidLicense) {
+		return null;
+	}
+
+	const isEnabled = !!status?.enabled;
+	const isPending = isEnabling || isDisabling;
+
+	const refresh = async () => {
+		await utils.forwardAuth.status.invalidate({ domainId });
+		await utils.domain.byApplicationId.invalidate({ applicationId });
+		await utils.application.readTraefikConfig.invalidate({ applicationId });
+	};
+
+	const handleToggle = async (next: boolean) => {
+		try {
+			if (next) {
+				await enable({ domainId });
+				toast.success("SSO authentication enabled for this domain");
+			} else {
+				await disable({ domainId });
+				toast.success("SSO authentication disabled for this domain");
+			}
+			await refresh();
+		} catch (error) {
+			toast.error(
+				error instanceof Error
+					? error.message
+					: "Error updating SSO authentication",
+			);
+		}
+	};
+
+	return (
+		<Dialog open={isOpen} onOpenChange={setIsOpen}>
+			<DialogTrigger asChild>
+				<Button
+					variant="ghost"
+					size="icon"
+					className="group hover:bg-emerald-500/10"
+					title="SSO authentication"
+				>
+					<ShieldCheck
+						className={`size-4 ${
+							isEnabled
+								? "text-emerald-500"
+								: "text-primary group-hover:text-emerald-500"
+						}`}
+					/>
+				</Button>
+			</DialogTrigger>
+			<DialogContent>
+				<DialogHeader>
+					<DialogTitle>SSO Authentication</DialogTitle>
+					<DialogDescription>
+						Require visitors to authenticate against your identity provider
+						before reaching this application.
+					</DialogDescription>
+				</DialogHeader>
+
+				<AlertBlock type="warning">
+					<div className="flex flex-col gap-1">
+						<span className="font-medium">Requirements</span>
+						<ol className="list-decimal pl-4 text-sm">
+							<li>
+								The authentication proxy container must be deployed and running
+								on this app's server. Configure it under{" "}
+								<span className="font-medium">
+									Settings → SSO → Application Authentication
+								</span>
+								.
+							</li>
+							<li>
+								This domain must share the same base domain as the
+								authentication domain (e.g. <code>app.acme.com</code> and{" "}
+								<code>auth.acme.com</code>).
+							</li>
+						</ol>
+					</div>
+				</AlertBlock>
+
+				<div className="flex items-center justify-between rounded-lg border p-4 mt-2">
+					<div className="flex flex-col">
+						<span className="text-sm font-medium">
+							Protect this domain with SSO
+						</span>
+						<span className="text-xs text-muted-foreground">
+							{isEnabled
+								? "Visitors must log in via your identity provider."
+								: "The domain is publicly accessible."}
+						</span>
+					</div>
+					<Switch
+						checked={isEnabled}
+						disabled={isPending}
+						onCheckedChange={handleToggle}
+					/>
+				</div>
+
+				<DialogFooter>
+					<Button variant="outline" onClick={() => setIsOpen(false)}>
+						Close
+					</Button>
+				</DialogFooter>
+			</DialogContent>
+		</Dialog>
+	);
+};

apps/dokploy/components/dashboard/application/domains/show-domains.tsx

@@ -62,6 +62,7 @@ import { api } from "@/utils/api";
 import { createColumns } from "./columns";
 import { DnsHelperModal } from "./dns-helper-modal";
 import { AddDomain } from "./handle-domain";
+import { HandleForwardAuth } from "./handle-forward-auth";
 
 export type ValidationState = {
 	isLoading: boolean;
@@ -453,6 +454,12 @@ export const ShowDomains = ({ id, type }: Props) => {
 																</Button>
 															</AddDomain>
 														)}
+														{canCreateDomain && type === "application" && (
+															<HandleForwardAuth
+																domainId={item.domainId}
+																applicationId={id}
+															/>
+														)}
 														{canDeleteDomain && (
 															<DialogAction
 																title="Delete Domain"

apps/dokploy/components/dashboard/settings/git/show-git-providers.tsx

@@ -49,7 +49,11 @@ export const ShowGitProviders = () => {
 		api.gitProvider.remove.useMutation();
 	const { mutateAsync: toggleShare, isPending: isToggling } =
 		api.gitProvider.toggleShare.useMutation();
+	const { data: currentMember } = api.user.get.useQuery();
+	const { data: permissions } = api.user.getPermissions.useQuery();
 	const url = useUrl();
+	const isOrgAdmin =
+		currentMember?.role === "owner" || currentMember?.role === "admin";
 
 	const getGitlabUrl = (
 		clientId: string,
@@ -87,18 +91,20 @@ export const ShowGitProviders = () => {
 									<div className="flex flex-col items-center gap-3 min-h-[25vh] justify-center">
 										<GitBranch className="size-8 self-center text-muted-foreground" />
 										<span className="text-base text-muted-foreground text-center">
-											Create your first Git Provider
+											No Git Providers configured
 										</span>
-										<div>
-											<div className="flex items-center bg-sidebar p-1 w-full rounded-lg">
-												<div className="flex flex-wrap items-center gap-4 p-3.5 rounded-lg bg-background border w-full [&>button]:grow">
-													<AddGithubProvider />
-													<AddGitlabProvider />
-													<AddBitbucketProvider />
-													<AddGiteaProvider />
+										{permissions?.gitProviders.create && (
+											<div>
+												<div className="flex items-center bg-sidebar p-1 w-full rounded-lg">
+													<div className="flex flex-wrap items-center gap-4 p-3.5 rounded-lg bg-background border w-full [&>button]:grow">
+														<AddGithubProvider />
+														<AddGitlabProvider />
+														<AddBitbucketProvider />
+														<AddGiteaProvider />
+													</div>
 												</div>
 											</div>
-										</div>
+										)}
 									</div>
 								) : (
 									<div className="flex flex-col gap-4 min-h-[25vh]">
@@ -106,14 +112,16 @@ export const ShowGitProviders = () => {
 											<span className="text-base font-medium">
 												Available Providers
 											</span>
-											<div className="flex items-center bg-sidebar p-1 w-full rounded-lg">
-												<div className="flex flex-wrap items-center gap-4 p-3.5 rounded-lg bg-background border w-full [&>button]:grow">
-													<AddGithubProvider />
-													<AddGitlabProvider />
-													<AddBitbucketProvider />
-													<AddGiteaProvider />
+											{permissions?.gitProviders.create && (
+												<div className="flex items-center bg-sidebar p-1 w-full rounded-lg">
+													<div className="flex flex-wrap items-center gap-4 p-3.5 rounded-lg bg-background border w-full [&>button]:grow">
+														<AddGithubProvider />
+														<AddGitlabProvider />
+														<AddBitbucketProvider />
+														<AddGiteaProvider />
+													</div>
 												</div>
-											</div>
+											)}
 										</div>
 
 										<div className="flex flex-col gap-4 rounded-lg ">
@@ -123,17 +131,13 @@ export const ShowGitProviders = () => {
 												const isBitbucket =
 													gitProvider.providerType === "bitbucket";
 												const isGitea = gitProvider.providerType === "gitea";
+												const canManage = gitProvider.isOwner || isOrgAdmin;
 
 												const haveGithubRequirements =
-													isGithub &&
-													gitProvider.github?.githubPrivateKey &&
-													gitProvider.github?.githubAppId &&
-													gitProvider.github?.githubInstallationId;
+													isGithub && gitProvider.github?.isConfigured;
 
 												const haveGitlabRequirements =
-													isGitlab &&
-													gitProvider.gitlab?.accessToken &&
-													gitProvider.gitlab?.refreshToken;
+													isGitlab && gitProvider.gitlab?.isConfigured;
 
 												return (
 													<div
@@ -221,8 +225,7 @@ export const ShowGitProviders = () => {
 																)}
 
 																{isBitbucket &&
-																gitProvider.bitbucket?.appPassword &&
-																!gitProvider.bitbucket?.apiToken ? (
+																gitProvider.bitbucket?.isDeprecated ? (
 																	<Badge variant="yellow">Deprecated</Badge>
 																) : null}
 
@@ -235,7 +238,7 @@ export const ShowGitProviders = () => {
 																			Action Required
 																		</Badge>
 																		<Link
-																			href={`${gitProvider?.github?.githubAppName}/installations/new?state=gh_setup:${gitProvider?.github.githubId}`}
+																			href={`${gitProvider?.github?.githubAppName}/installations/new?state=gh_setup:${gitProvider?.github?.githubId}`}
 																			className={buttonVariants({
 																				size: "icon",
 																				variant: "ghost",
@@ -271,7 +274,7 @@ export const ShowGitProviders = () => {
 																			href={getGitlabUrl(
 																				gitProvider.gitlab?.applicationId || "",
 																				gitProvider.gitlab?.gitlabId || "",
-																				gitProvider.gitlab?.gitlabUrl,
+																				gitProvider.gitlab?.gitlabUrl || "",
 																			)}
 																			target="_blank"
 																			className={buttonVariants({
@@ -284,31 +287,35 @@ export const ShowGitProviders = () => {
 																	</div>
 																)}
 
-																{gitProvider.isOwner && (
+																{canManage && (
 																	<>
-																		{isGithub && haveGithubRequirements && (
-																			<EditGithubProvider
-																				githubId={gitProvider.github?.githubId}
-																			/>
-																		)}
+																		{isGithub &&
+																			haveGithubRequirements &&
+																			gitProvider.github?.githubId && (
+																				<EditGithubProvider
+																					githubId={gitProvider.github.githubId}
+																				/>
+																			)}
 
-																		{isGitlab && (
-																			<EditGitlabProvider
-																				gitlabId={gitProvider.gitlab?.gitlabId}
-																			/>
-																		)}
+																		{isGitlab &&
+																			gitProvider.gitlab?.gitlabId && (
+																				<EditGitlabProvider
+																					gitlabId={gitProvider.gitlab.gitlabId}
+																				/>
+																			)}
 
-																		{isBitbucket && (
-																			<EditBitbucketProvider
-																				bitbucketId={
-																					gitProvider.bitbucket?.bitbucketId
-																				}
-																			/>
-																		)}
+																		{isBitbucket &&
+																			gitProvider.bitbucket?.bitbucketId && (
+																				<EditBitbucketProvider
+																					bitbucketId={
+																						gitProvider.bitbucket.bitbucketId
+																					}
+																				/>
+																			)}
 
-																		{isGitea && (
+																		{isGitea && gitProvider.gitea?.giteaId && (
 																			<EditGiteaProvider
-																				giteaId={gitProvider.gitea?.giteaId}
+																				giteaId={gitProvider.gitea.giteaId}
 																			/>
 																		)}
 

apps/dokploy/components/dashboard/settings/servers/handle-servers.tsx

@@ -36,6 +36,7 @@ import {
 	SelectTrigger,
 	SelectValue,
 } from "@/components/ui/select";
+import { Switch } from "@/components/ui/switch";
 import { Textarea } from "@/components/ui/textarea";
 import { api } from "@/utils/api";
 
@@ -53,6 +54,7 @@ const Schema = z.object({
 		message: "SSH Key is required",
 	}),
 	serverType: z.enum(["deploy", "build"]).default("deploy"),
+	enableDockerCleanup: z.boolean().default(true),
 });
 
 type Schema = z.infer<typeof Schema>;
@@ -90,6 +92,7 @@ export const HandleServers = ({ serverId, asButton = false }: Props) => {
 			username: "root",
 			sshKeyId: "",
 			serverType: "deploy",
+			enableDockerCleanup: true,
 		},
 		resolver: zodResolver(Schema),
 	});
@@ -103,6 +106,7 @@ export const HandleServers = ({ serverId, asButton = false }: Props) => {
 			username: data?.username || "root",
 			sshKeyId: data?.sshKeyId || "",
 			serverType: data?.serverType || "deploy",
+			enableDockerCleanup: data?.enableDockerCleanup ?? true,
 		});
 	}, [form, form.reset, form.formState.isSubmitSuccessful, data]);
 
@@ -119,6 +123,7 @@ export const HandleServers = ({ serverId, asButton = false }: Props) => {
 			username: data.username || "root",
 			sshKeyId: data.sshKeyId || "",
 			serverType: data.serverType || "deploy",
+			enableDockerCleanup: data.enableDockerCleanup,
 			serverId: serverId || "",
 		})
 			.then(async (_data) => {
@@ -418,6 +423,27 @@ export const HandleServers = ({ serverId, asButton = false }: Props) => {
 								</FormItem>
 							)}
 						/>
+						<FormField
+							control={form.control}
+							name="enableDockerCleanup"
+							render={({ field }) => (
+								<FormItem className="flex flex-row items-center justify-between rounded-lg border p-3">
+									<div className="space-y-0.5">
+										<FormLabel>Enable Docker Cleanup</FormLabel>
+										<FormDescription>
+											Automatically prune unused Docker images daily. Keeps disk
+											usage in check on this remote server.
+										</FormDescription>
+									</div>
+									<FormControl>
+										<Switch
+											checked={field.value}
+											onCheckedChange={field.onChange}
+										/>
+									</FormControl>
+								</FormItem>
+							)}
+						/>
 					</form>
 
 					<DialogFooter>

apps/dokploy/components/proprietary/sso/forward-auth-servers.tsx

@@ -0,0 +1,482 @@
+"use client";
+
+import {
+	Copy,
+	Dices,
+	HelpCircle,
+	Loader2,
+	ShieldCheck,
+	ShieldOff,
+} from "lucide-react";
+import { useEffect, useState } from "react";
+import { toast } from "sonner";
+import { DnsHelperModal } from "@/components/dashboard/application/domains/dns-helper-modal";
+import { AlertBlock } from "@/components/shared/alert-block";
+import { DialogAction } from "@/components/shared/dialog-action";
+import { Badge } from "@/components/ui/badge";
+import { Button } from "@/components/ui/button";
+import {
+	Card,
+	CardContent,
+	CardDescription,
+	CardHeader,
+	CardTitle,
+} from "@/components/ui/card";
+import {
+	Dialog,
+	DialogContent,
+	DialogDescription,
+	DialogFooter,
+	DialogHeader,
+	DialogTitle,
+} from "@/components/ui/dialog";
+import { Input } from "@/components/ui/input";
+import {
+	Select,
+	SelectContent,
+	SelectItem,
+	SelectTrigger,
+	SelectValue,
+} from "@/components/ui/select";
+import { api } from "@/utils/api";
+
+type ServerStatus = "running" | "stopped" | "unknown";
+type Target = { serverId: string | null; name: string };
+type CertType = "none" | "letsencrypt" | "custom";
+type DomainForm = {
+	host: string;
+	https: boolean;
+	certificateType: CertType;
+	customCertResolver: string;
+};
+
+export const ForwardAuthServers = () => {
+	const utils = api.useUtils();
+	const [enabled, setEnabled] = useState(false);
+	const [deployTarget, setDeployTarget] = useState<Target | null>(null);
+	const [selectedProviderId, setSelectedProviderId] = useState("");
+	const [forms, setForms] = useState<Record<string, DomainForm>>({});
+
+	useEffect(() => {
+		const id = setTimeout(() => setEnabled(true), 0);
+		return () => clearTimeout(id);
+	}, []);
+
+	const { data: hostIp } = api.settings.getIp.useQuery();
+	const { data: servers, isPending } = api.forwardAuth.serverStatus.useQuery(
+		undefined,
+		{ enabled, refetchOnWindowFocus: false, staleTime: 30_000 },
+	);
+	const { data: providers } = api.forwardAuth.listProviders.useQuery(
+		undefined,
+		{
+			enabled: !!deployTarget,
+		},
+	);
+
+	const { mutateAsync: saveAuthDomain, isPending: isSaving } =
+		api.forwardAuth.setAuthDomain.useMutation();
+	const { mutateAsync: deployOnServer, isPending: isDeploying } =
+		api.forwardAuth.deployOnServer.useMutation();
+	const { mutateAsync: removeOnServer, isPending: isRemoving } =
+		api.forwardAuth.removeOnServer.useMutation();
+	const { mutateAsync: generateDomain, isPending: isGenerating } =
+		api.domain.generateDomain.useMutation();
+
+	const keyOf = (serverId: string | null) => serverId ?? "local";
+
+	useEffect(() => {
+		if (!servers) return;
+		setForms((prev) => {
+			const next = { ...prev };
+			for (const srv of servers) {
+				const key = srv.serverId ?? "local";
+				if (next[key] === undefined) {
+					next[key] = {
+						host: srv.authDomain ?? "",
+						https: srv.https ?? true,
+						certificateType: (srv.certificateType ?? "letsencrypt") as CertType,
+						customCertResolver: srv.customCertResolver ?? "",
+					};
+				}
+			}
+			return next;
+		});
+	}, [servers]);
+
+	const hasProviders = (providers?.length ?? 0) > 0;
+
+	const patchForm = (serverId: string | null, patch: Partial<DomainForm>) =>
+		setForms((p) => {
+			const key = keyOf(serverId);
+			const current: DomainForm = p[key] ?? {
+				host: "",
+				https: true,
+				certificateType: "letsencrypt",
+				customCertResolver: "",
+			};
+			return { ...p, [key]: { ...current, ...patch } };
+		});
+
+	const handleSaveDomain = async (serverId: string | null) => {
+		const f = forms[keyOf(serverId)];
+		if (!f?.host.trim()) {
+			toast.error("Enter an auth domain first");
+			return false;
+		}
+		if (f.certificateType === "custom" && !f.customCertResolver.trim()) {
+			toast.error("Enter the custom certificate resolver");
+			return false;
+		}
+		try {
+			await saveAuthDomain({
+				serverId,
+				authDomain: f.host.trim(),
+				https: f.https,
+				certificateType: f.certificateType,
+				customCertResolver: f.customCertResolver.trim() || undefined,
+			});
+			return true;
+		} catch (error) {
+			toast.error(
+				error instanceof Error ? error.message : "Error saving auth domain",
+			);
+			return false;
+		}
+	};
+
+	const handleDeploy = async () => {
+		if (!deployTarget || !selectedProviderId) {
+			toast.error("Select an SSO provider first");
+			return;
+		}
+		try {
+			const saved = await handleSaveDomain(deployTarget.serverId);
+			if (!saved) return;
+			await deployOnServer({
+				serverId: deployTarget.serverId,
+				providerId: selectedProviderId,
+			});
+			await utils.forwardAuth.serverStatus.invalidate();
+			toast.success("Authentication proxy deployed");
+			setDeployTarget(null);
+			setSelectedProviderId("");
+		} catch (error) {
+			toast.error(
+				error instanceof Error ? error.message : "Error deploying proxy",
+			);
+		}
+	};
+
+	const handleRemove = async (serverId: string | null) => {
+		try {
+			await removeOnServer({ serverId });
+			await utils.forwardAuth.serverStatus.invalidate();
+			toast.success("Authentication proxy removed");
+		} catch (error) {
+			toast.error(
+				error instanceof Error ? error.message : "Error removing proxy",
+			);
+		}
+	};
+
+	const handleGenerateDomain = async (serverId: string | null) => {
+		try {
+			const host = await generateDomain({
+				appName: "auth",
+				serverId: serverId ?? undefined,
+			});
+			patchForm(serverId, { host, https: false, certificateType: "none" });
+		} catch (error) {
+			toast.error(
+				error instanceof Error ? error.message : "Error generating domain",
+			);
+		}
+	};
+
+	const statusBadge = (status: ServerStatus) => {
+		if (status === "running") {
+			return (
+				<Badge
+					variant="outline"
+					className="border-emerald-500/40 text-emerald-500"
+				>
+					<ShieldCheck className="mr-1 size-3" />
+					Running
+				</Badge>
+			);
+		}
+		if (status === "stopped") {
+			return (
+				<Badge variant="secondary">
+					<ShieldOff className="mr-1 size-3" />
+					Not deployed
+				</Badge>
+			);
+		}
+		return (
+			<Badge
+				variant="outline"
+				className="border-amber-500/40 text-amber-500"
+				title="Could not reach this server in time"
+			>
+				<HelpCircle className="mr-1 size-3" />
+				Unknown
+			</Badge>
+		);
+	};
+
+	return (
+		<Card className="bg-transparent">
+			<CardHeader>
+				<CardTitle className="flex items-center gap-2 text-xl">
+					<ShieldCheck className="size-5" />
+					Application Authentication
+				</CardTitle>
+				<CardDescription>
+					Each server has its own authentication domain and proxy. Set an auth
+					domain (e.g. auth.acme.com) per server, register its callback URL once
+					in your identity provider, then deploy the proxy. Apps on that server
+					under the same base domain are then one click to protect.
+					<span className="mt-2 block font-medium">
+						Only OIDC providers are supported — SAML is not compatible with the
+						forward-auth proxy.
+					</span>
+				</CardDescription>
+			</CardHeader>
+			<CardContent>
+				{isPending || !enabled ? (
+					<div className="flex items-center gap-2 justify-center py-6 text-muted-foreground">
+						<Loader2 className="size-5 animate-spin" />
+						<span className="text-sm">Checking servers...</span>
+					</div>
+				) : (
+					<div className="flex flex-col gap-4">
+						{servers?.map((srv) => {
+							const key = keyOf(srv.serverId);
+							const f = forms[key];
+							return (
+								<div
+									key={key}
+									className="flex flex-col gap-3 rounded-lg border p-4"
+								>
+									<div className="flex items-center justify-between">
+										<span className="text-sm font-medium">{srv.name}</span>
+										<div className="flex items-center gap-2">
+											{statusBadge(srv.status)}
+											{srv.status === "running" && (
+												<DialogAction
+													title="Remove authentication proxy"
+													description="Domains on this server protected with SSO will stop requiring authentication until re-enabled. Continue?"
+													type="destructive"
+													onClick={() => handleRemove(srv.serverId)}
+												>
+													<Button
+														variant="ghost"
+														size="sm"
+														isLoading={isRemoving}
+													>
+														Remove
+													</Button>
+												</DialogAction>
+											)}
+										</div>
+									</div>
+
+									<div className="grid gap-3 sm:grid-cols-2">
+										<div className="flex flex-col gap-1">
+											<span className="text-xs font-medium">Auth domain</span>
+											<div className="flex gap-2">
+												<Input
+													placeholder="auth.acme.com"
+													value={f?.host ?? ""}
+													onChange={(e) =>
+														patchForm(srv.serverId, { host: e.target.value })
+													}
+													className="font-mono text-sm"
+												/>
+												{f?.host && !f.host.includes("sslip.io") && (
+													<DnsHelperModal
+														domain={{
+															host: f.host,
+															https: f.https,
+														}}
+														serverIp={
+															srv.ipAddress ?? hostIp?.toString() ?? undefined
+														}
+													/>
+												)}
+												<Button
+													type="button"
+													variant="secondary"
+													size="icon"
+													isLoading={isGenerating}
+													title="Generate sslip.io domain"
+													onClick={() => handleGenerateDomain(srv.serverId)}
+												>
+													<Dices className="size-4 text-muted-foreground" />
+												</Button>
+											</div>
+										</div>
+										<div className="flex flex-col gap-1">
+											<span className="text-xs font-medium">
+												Certificate provider
+											</span>
+											<Select
+												value={f?.https ? f.certificateType : "none"}
+												onValueChange={(v) =>
+													patchForm(srv.serverId, {
+														certificateType: v as CertType,
+														https: v !== "none",
+													})
+												}
+											>
+												<SelectTrigger>
+													<SelectValue placeholder="Select a certificate provider" />
+												</SelectTrigger>
+												<SelectContent>
+													<SelectItem value="none">None (HTTP)</SelectItem>
+													<SelectItem value="letsencrypt">
+														Let's Encrypt
+													</SelectItem>
+													<SelectItem value="custom">Custom</SelectItem>
+												</SelectContent>
+											</Select>
+										</div>
+									</div>
+
+									{f?.certificateType === "custom" && f?.https && (
+										<div className="flex flex-col gap-1">
+											<span className="text-xs font-medium">
+												Custom certificate resolver
+											</span>
+											<Input
+												placeholder="Enter your custom certificate resolver"
+												value={f?.customCertResolver ?? ""}
+												onChange={(e) =>
+													patchForm(srv.serverId, {
+														customCertResolver: e.target.value,
+													})
+												}
+											/>
+										</div>
+									)}
+
+									<div className="flex justify-end">
+										<Button
+											size="sm"
+											disabled={!f?.host?.trim()}
+											onClick={() =>
+												setDeployTarget({
+													serverId: srv.serverId,
+													name: srv.name,
+												})
+											}
+										>
+											Deploy
+										</Button>
+									</div>
+
+									{srv.callbackUrl && (
+										<div className="flex flex-col gap-1">
+											<span className="text-xs font-medium">
+												Callback URL (register once in your IdP)
+											</span>
+											<div className="flex gap-2">
+												<Input
+													readOnly
+													value={srv.callbackUrl}
+													className="font-mono text-xs"
+												/>
+												<Button
+													type="button"
+													variant="outline"
+													size="icon"
+													onClick={() => {
+														navigator.clipboard.writeText(
+															srv.callbackUrl as string,
+														);
+														toast.success("Callback URL copied");
+													}}
+												>
+													<Copy className="size-4" />
+												</Button>
+											</div>
+										</div>
+									)}
+								</div>
+							);
+						})}
+					</div>
+				)}
+			</CardContent>
+
+			<Dialog
+				open={!!deployTarget}
+				onOpenChange={(open) => {
+					if (!open) {
+						setDeployTarget(null);
+						setSelectedProviderId("");
+					}
+				}}
+			>
+				<DialogContent>
+					<DialogHeader>
+						<DialogTitle>Deploy authentication proxy</DialogTitle>
+						<DialogDescription>
+							Deploy the SSO proxy on{" "}
+							<span className="font-medium">{deployTarget?.name}</span> using an
+							OIDC provider.
+						</DialogDescription>
+					</DialogHeader>
+
+					{!hasProviders && (
+						<AlertBlock type="warning">
+							No SSO providers configured. Add an OIDC provider above first.
+						</AlertBlock>
+					)}
+
+					<div className="flex flex-col gap-2 py-2">
+						<span className="text-sm font-medium">Identity provider</span>
+						<Select
+							value={selectedProviderId}
+							onValueChange={setSelectedProviderId}
+							disabled={!hasProviders}
+						>
+							<SelectTrigger>
+								<SelectValue placeholder="Select an SSO provider">
+									{selectedProviderId || ""}
+								</SelectValue>
+							</SelectTrigger>
+							<SelectContent>
+								{providers?.map((provider) => (
+									<SelectItem
+										key={provider.providerId}
+										value={provider.providerId}
+									>
+										<div className="flex flex-col">
+											<span className="font-medium">{provider.providerId}</span>
+											<span className="text-xs text-muted-foreground">
+												{provider.issuer}
+											</span>
+										</div>
+									</SelectItem>
+								))}
+							</SelectContent>
+						</Select>
+					</div>
+
+					<DialogFooter>
+						<Button
+							isLoading={isSaving || isDeploying}
+							disabled={!hasProviders || !selectedProviderId}
+							onClick={handleDeploy}
+						>
+							Deploy
+						</Button>
+					</DialogFooter>
+				</DialogContent>
+			</Dialog>
+		</Card>
+	);
+};

apps/dokploy/drizzle/0170_amusing_spot.sql

@@ -0,0 +1,16 @@
+CREATE TABLE "forward_auth_settings" (
+	"forwardAuthSettingsId" text PRIMARY KEY NOT NULL,
+	"authDomain" text NOT NULL,
+	"baseDomain" text NOT NULL,
+	"https" boolean DEFAULT true NOT NULL,
+	"certificateType" "certificateType" DEFAULT 'letsencrypt' NOT NULL,
+	"customCertResolver" text,
+	"providerId" text,
+	"serverId" text,
+	"createdAt" text NOT NULL,
+	CONSTRAINT "forward_auth_settings_serverId_unique" UNIQUE("serverId")
+);
+--> statement-breakpoint
+ALTER TABLE "domain" ADD COLUMN "forwardAuthEnabled" boolean DEFAULT false NOT NULL;--> statement-breakpoint
+ALTER TABLE "forward_auth_settings" ADD CONSTRAINT "forward_auth_settings_providerId_sso_provider_provider_id_fk" FOREIGN KEY ("providerId") REFERENCES "public"."sso_provider"("provider_id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "forward_auth_settings" ADD CONSTRAINT "forward_auth_settings_serverId_server_serverId_fk" FOREIGN KEY ("serverId") REFERENCES "public"."server"("serverId") ON DELETE cascade ON UPDATE no action;

apps/dokploy/drizzle/0171_lucky_echo.sql

@@ -0,0 +1,3 @@
+ALTER TABLE "sso_provider" DROP CONSTRAINT "sso_provider_user_id_user_id_fk";
+--> statement-breakpoint
+ALTER TABLE "sso_provider" ADD CONSTRAINT "sso_provider_user_id_user_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."user"("id") ON DELETE set null ON UPDATE no action;

apps/dokploy/drizzle/meta/0169_snapshot.json

@@ -8329,4 +8329,4 @@
     "schemas": {},
     "tables": {}
   }
-}
+}

apps/dokploy/drizzle/meta/_journal.json

@@ -1191,6 +1191,20 @@
       "when": 1780127552074,
       "tag": "0169_parched_johnny_storm",
       "breakpoints": true
+    },
+    {
+      "idx": 170,
+      "version": "7",
+      "when": 1780739532982,
+      "tag": "0170_amusing_spot",
+      "breakpoints": true
+    },
+    {
+      "idx": 171,
+      "version": "7",
+      "when": 1780775037209,
+      "tag": "0171_lucky_echo",
+      "breakpoints": true
     }
   ]
 }

apps/dokploy/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "dokploy",
-	"version": "v0.29.7",
+	"version": "v0.29.8",
 	"private": true,
 	"license": "Apache-2.0",
 	"type": "module",

apps/dokploy/pages/dashboard/settings/sso.tsx

@@ -7,6 +7,7 @@ import { ToggleEnforceSSO } from "@/components/dashboard/settings/servers/action
 import { ToggleRemoteServersOnly } from "@/components/dashboard/settings/servers/actions/toggle-remote-servers-only";
 import { DashboardLayout } from "@/components/layouts/dashboard-layout";
 import { EnterpriseFeatureGate } from "@/components/proprietary/enterprise-feature-gate";
+import { ForwardAuthServers } from "@/components/proprietary/sso/forward-auth-servers";
 import { SSOSettings } from "@/components/proprietary/sso/sso-settings";
 import {
 	Card,
@@ -41,6 +42,20 @@ const Page = ({ isCloud }: Props) => {
 						</div>
 					</div>
 				</Card>
+				<Card className="h-full bg-sidebar p-2.5 rounded-xl mx-auto w-full">
+					<div className="rounded-xl bg-background shadow-md">
+						<EnterpriseFeatureGate
+							lockedProps={{
+								title: "Application Authentication",
+								description:
+									"Protect deployed applications behind an OIDC SSO gate (oauth2-proxy). Part of Dokploy Enterprise.",
+								ctaLabel: "Go to License",
+							}}
+						>
+							<ForwardAuthServers />
+						</EnterpriseFeatureGate>
+					</div>
+				</Card>
 				{!isCloud && (
 					<Card className="h-full bg-sidebar p-2.5 rounded-xl mx-auto w-full">
 						<div className="rounded-xl bg-background shadow-md">

apps/dokploy/server/api/root.ts

@@ -30,6 +30,7 @@ import { previewDeploymentRouter } from "./routers/preview-deployment";
 import { projectRouter } from "./routers/project";
 import { auditLogRouter } from "./routers/proprietary/audit-log";
 import { customRoleRouter } from "./routers/proprietary/custom-role";
+import { forwardAuthRouter } from "./routers/proprietary/forward-auth";
 import { licenseKeyRouter } from "./routers/proprietary/license-key";
 import { ssoRouter } from "./routers/proprietary/sso";
 import { whitelabelingRouter } from "./routers/proprietary/whitelabeling";
@@ -93,6 +94,7 @@ export const appRouter = createTRPCRouter({
 	organization: organizationRouter,
 	licenseKey: licenseKeyRouter,
 	sso: ssoRouter,
+	forwardAuth: forwardAuthRouter,
 	whitelabeling: whitelabelingRouter,
 	customRole: customRoleRouter,
 	auditLog: auditLogRouter,

apps/dokploy/server/api/routers/application.ts

@@ -4,7 +4,6 @@ import {
 	deleteAllMiddlewares,
 	findApplicationById,
 	findEnvironmentById,
-	findGitProviderById,
 	findProjectById,
 	getAccessibleServerIds,
 	getApplicationStats,
@@ -31,6 +30,7 @@ import {
 	writeConfigRemote,
 } from "@dokploy/server";
 import { db } from "@dokploy/server/db";
+import { canEditDeployGitSource } from "@dokploy/server/services/git-provider";
 import {
 	addNewService,
 	checkServiceAccess,
@@ -174,13 +174,11 @@ export const applicationRouter = createTRPCRouter({
 			const gitProviderId = getGitProviderId();
 
 			if (gitProviderId) {
-				try {
-					const gitProvider = await findGitProviderById(gitProviderId);
-					if (gitProvider.userId !== ctx.session.userId) {
-						hasGitProviderAccess = false;
-						unauthorizedProvider = application.sourceType;
-					}
-				} catch {
+				const canEdit = await canEditDeployGitSource(
+					gitProviderId,
+					ctx.session,
+				);
+				if (!canEdit) {
 					hasGitProviderAccess = false;
 					unauthorizedProvider = application.sourceType;
 				}

apps/dokploy/server/api/routers/cluster.ts

@@ -96,9 +96,11 @@ export const clusterRouter = createTRPCRouter({
 			const docker = await getRemoteDocker(input.serverId);
 			const result = await docker.swarmInspect();
 			const docker_version = await docker.version();
+			const info = await docker.info();
 
-			let ip = await getLocalServerIp();
-			if (input.serverId) {
+			const swarmNodeAddr = info?.Swarm?.NodeAddr;
+			let ip = swarmNodeAddr || (await getLocalServerIp());
+			if (!swarmNodeAddr && input.serverId) {
 				const server = await findServerById(input.serverId);
 				ip = server?.ipAddress;
 			}
@@ -128,9 +130,11 @@ export const clusterRouter = createTRPCRouter({
 			const docker = await getRemoteDocker(input.serverId);
 			const result = await docker.swarmInspect();
 			const docker_version = await docker.version();
+			const info = await docker.info();
 
-			let ip = await getLocalServerIp();
-			if (input.serverId) {
+			const swarmNodeAddr = info?.Swarm?.NodeAddr;
+			let ip = swarmNodeAddr || (await getLocalServerIp());
+			if (!swarmNodeAddr && input.serverId) {
 				const server = await findServerById(input.serverId);
 				ip = server?.ipAddress;
 			}

apps/dokploy/server/api/routers/compose.ts

@@ -13,7 +13,6 @@ import {
 	findComposeById,
 	findDomainsByComposeId,
 	findEnvironmentById,
-	findGitProviderById,
 	findProjectById,
 	findServerById,
 	getAccessibleServerIds,
@@ -34,6 +33,7 @@ import {
 	updateDeploymentStatus,
 } from "@dokploy/server";
 import { db } from "@dokploy/server/db";
+import { canEditDeployGitSource } from "@dokploy/server/services/git-provider";
 import {
 	addNewService,
 	checkServiceAccess,
@@ -173,13 +173,11 @@ export const composeRouter = createTRPCRouter({
 			const gitProviderId = getGitProviderId();
 
 			if (gitProviderId) {
-				try {
-					const gitProvider = await findGitProviderById(gitProviderId);
-					if (gitProvider.userId !== ctx.session.userId) {
-						hasGitProviderAccess = false;
-						unauthorizedProvider = compose.sourceType;
-					}
-				} catch {
+				const canEdit = await canEditDeployGitSource(
+					gitProviderId,
+					ctx.session,
+				);
+				if (!canEdit) {
 					hasGitProviderAccess = false;
 					unauthorizedProvider = compose.sourceType;
 				}

apps/dokploy/server/api/routers/docker.ts

@@ -38,7 +38,7 @@ export const dockerRouter = createTRPCRouter({
 			return await getContainers(input.serverId);
 		}),
 
-	restartContainer: withPermission("service", "read")
+	restartContainer: withPermission("docker", "read")
 		.input(
 			z.object({
 				containerId: z
@@ -64,7 +64,7 @@ export const dockerRouter = createTRPCRouter({
 			});
 		}),
 
-	startContainer: withPermission("service", "read")
+	startContainer: withPermission("docker", "read")
 		.input(
 			z.object({
 				containerId: z
@@ -90,7 +90,7 @@ export const dockerRouter = createTRPCRouter({
 			});
 		}),
 
-	stopContainer: withPermission("service", "read")
+	stopContainer: withPermission("docker", "read")
 		.input(
 			z.object({
 				containerId: z
@@ -116,7 +116,7 @@ export const dockerRouter = createTRPCRouter({
 			});
 		}),
 
-	killContainer: withPermission("service", "read")
+	killContainer: withPermission("docker", "read")
 		.input(
 			z.object({
 				containerId: z

apps/dokploy/server/api/routers/git-provider.ts

@@ -42,6 +42,43 @@ export const gitProviderRouter = createTRPCRouter({
 		return results.map((r) => ({
 			...r,
 			isOwner: r.userId === ctx.session.userId,
+			github: r.github
+				? {
+						githubId: r.github.githubId,
+						githubAppName: r.github.githubAppName,
+						githubAppId: r.github.githubAppId,
+						githubInstallationId: r.github.githubInstallationId,
+						isConfigured: !!(
+							r.github.githubPrivateKey &&
+							r.github.githubAppId &&
+							r.github.githubInstallationId
+						),
+					}
+				: null,
+			gitlab: r.gitlab
+				? {
+						gitlabId: r.gitlab.gitlabId,
+						applicationId: r.gitlab.applicationId,
+						gitlabUrl: r.gitlab.gitlabUrl,
+						isConfigured: !!(r.gitlab.accessToken && r.gitlab.refreshToken),
+					}
+				: null,
+			bitbucket: r.bitbucket
+				? {
+						bitbucketId: r.bitbucket.bitbucketId,
+						bitbucketUsername: r.bitbucket.bitbucketUsername,
+						isConfigured: false,
+						isDeprecated: !!(r.bitbucket.appPassword && !r.bitbucket.apiToken),
+					}
+				: null,
+			gitea: r.gitea
+				? {
+						giteaId: r.gitea.giteaId,
+						giteaUrl: r.gitea.giteaUrl,
+						clientId: r.gitea.clientId,
+						isConfigured: !!(r.gitea.accessToken && r.gitea.refreshToken),
+					}
+				: null,
 		}));
 	}),
 

apps/dokploy/server/api/routers/proprietary/forward-auth.ts

@@ -0,0 +1,207 @@
+import {
+	assertApplicationDomainAccess,
+	deployForwardAuthOnServer,
+	disableForwardAuthOnDomain,
+	enableForwardAuthOnDomain,
+	findServerById,
+	forwardAuthCallbackUrl,
+	getDomainSsoStatus,
+	getForwardAuthServerStatus,
+	getForwardAuthSettings,
+	listSsoProvidersForOrg,
+	removeForwardAuthProxy,
+	removeForwardAuthSettings,
+	setForwardAuthSettings,
+} from "@dokploy/server";
+import {
+	apiDeployForwardAuthOnServer,
+	apiForwardAuthDomainTarget,
+	apiForwardAuthServerTarget,
+	apiSetForwardAuthSettings,
+} from "@dokploy/server/db/schema";
+import { TRPCError } from "@trpc/server";
+import {
+	createTRPCRouter,
+	enterpriseProcedure,
+	withPermission,
+} from "@/server/api/trpc";
+import { audit } from "@/server/api/utils/audit";
+
+export const forwardAuthRouter = createTRPCRouter({
+	getAuthDomain: enterpriseProcedure
+		.input(apiForwardAuthServerTarget)
+		.query(async ({ ctx, input }) => {
+			if (input.serverId) {
+				const server = await findServerById(input.serverId);
+				if (server.organizationId !== ctx.session?.activeOrganizationId) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You are not authorized to access this server",
+					});
+				}
+			}
+			const settings = await getForwardAuthSettings(input.serverId);
+			if (!settings) return null;
+			return {
+				host: settings.authDomain,
+				https: settings.https,
+				certificateType: settings.certificateType,
+				customCertResolver: settings.customCertResolver,
+				callbackUrl: forwardAuthCallbackUrl(
+					settings.authDomain,
+					settings.https,
+				),
+			};
+		}),
+
+	setAuthDomain: enterpriseProcedure
+		.input(apiSetForwardAuthSettings)
+		.mutation(async ({ ctx, input }) => {
+			if (input.serverId) {
+				const server = await findServerById(input.serverId);
+				if (server.organizationId !== ctx.session?.activeOrganizationId) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You are not authorized to access this server",
+					});
+				}
+			}
+			const result = await setForwardAuthSettings({
+				organizationId: ctx.session.activeOrganizationId,
+				serverId: input.serverId,
+				authDomain: input.authDomain,
+				https: input.https,
+				certificateType: input.certificateType,
+				customCertResolver: input.customCertResolver,
+			});
+			await audit(ctx, {
+				action: "update",
+				resourceType: "server",
+				resourceId: input.serverId ?? "local",
+				resourceName: "forward-auth-domain",
+			});
+			return result;
+		}),
+
+	removeAuthDomain: enterpriseProcedure
+		.input(apiForwardAuthServerTarget)
+		.mutation(async ({ ctx, input }) => {
+			if (input.serverId) {
+				const server = await findServerById(input.serverId);
+				if (server.organizationId !== ctx.session?.activeOrganizationId) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You are not authorized to access this server",
+					});
+				}
+			}
+			const result = await removeForwardAuthSettings(input.serverId);
+			await audit(ctx, {
+				action: "delete",
+				resourceType: "server",
+				resourceId: input.serverId ?? "local",
+				resourceName: "forward-auth-domain",
+			});
+			return result;
+		}),
+
+	listProviders: enterpriseProcedure.query(({ ctx }) =>
+		listSsoProvidersForOrg(ctx.session.activeOrganizationId),
+	),
+
+	serverStatus: enterpriseProcedure.query(({ ctx }) =>
+		getForwardAuthServerStatus(ctx.session.activeOrganizationId),
+	),
+
+	deployOnServer: enterpriseProcedure
+		.input(apiDeployForwardAuthOnServer)
+		.mutation(async ({ ctx, input }) => {
+			if (input.serverId) {
+				const server = await findServerById(input.serverId);
+				if (server.organizationId !== ctx.session?.activeOrganizationId) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You are not authorized to access this server",
+					});
+				}
+			}
+			const result = await deployForwardAuthOnServer({
+				serverId: input.serverId ?? undefined,
+				providerId: input.providerId,
+				organizationId: ctx.session.activeOrganizationId,
+			});
+			await audit(ctx, {
+				action: "create",
+				resourceType: "server",
+				resourceId: input.serverId ?? "local",
+				resourceName: "forward-auth",
+			});
+			return result;
+		}),
+
+	removeOnServer: enterpriseProcedure
+		.input(apiForwardAuthServerTarget)
+		.mutation(async ({ ctx, input }) => {
+			if (input.serverId) {
+				const server = await findServerById(input.serverId);
+				if (server.organizationId !== ctx.session?.activeOrganizationId) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You are not authorized to access this server",
+					});
+				}
+			}
+			const result = await removeForwardAuthProxy(input.serverId);
+			await audit(ctx, {
+				action: "delete",
+				resourceType: "server",
+				resourceId: input.serverId ?? "local",
+				resourceName: "forward-auth",
+			});
+			return result;
+		}),
+
+	status: withPermission("domain", "read")
+		.input(apiForwardAuthDomainTarget)
+		.query(({ ctx, input }) => getDomainSsoStatus(ctx, input.domainId)),
+
+	enable: withPermission("domain", "create")
+		.input(apiForwardAuthDomainTarget)
+		.mutation(async ({ ctx, input }) => {
+			const domain = await assertApplicationDomainAccess(
+				ctx,
+				input.domainId,
+				"create",
+			);
+			const result = await enableForwardAuthOnDomain({
+				domainId: input.domainId,
+			});
+			await audit(ctx, {
+				action: "update",
+				resourceType: "domain",
+				resourceId: domain.domainId,
+				resourceName: domain.host,
+			});
+			return result;
+		}),
+
+	disable: withPermission("domain", "create")
+		.input(apiForwardAuthDomainTarget)
+		.mutation(async ({ ctx, input }) => {
+			const domain = await assertApplicationDomainAccess(
+				ctx,
+				input.domainId,
+				"create",
+			);
+			const result = await disableForwardAuthOnDomain({
+				domainId: input.domainId,
+			});
+			await audit(ctx, {
+				action: "update",
+				resourceType: "domain",
+				resourceId: domain.domainId,
+				resourceName: domain.host,
+			});
+			return result;
+		}),
+});

apps/dokploy/server/api/routers/proprietary/sso.ts

@@ -53,10 +53,7 @@ export const ssoRouter = createTRPCRouter({
 	}),
 	listProviders: enterpriseProcedure.query(async ({ ctx }) => {
 		const providers = await db.query.ssoProvider.findMany({
-			where: and(
-				eq(ssoProvider.organizationId, ctx.session.activeOrganizationId),
-				eq(ssoProvider.userId, ctx.session.userId),
-			),
+			where: eq(ssoProvider.organizationId, ctx.session.activeOrganizationId),
 			columns: {
 				id: true,
 				providerId: true,
@@ -88,7 +85,6 @@ export const ssoRouter = createTRPCRouter({
 				where: and(
 					eq(ssoProvider.providerId, input.providerId),
 					eq(ssoProvider.organizationId, ctx.session.activeOrganizationId),
-					eq(ssoProvider.userId, ctx.session.userId),
 				),
 				columns: {
 					id: true,
@@ -116,12 +112,12 @@ export const ssoRouter = createTRPCRouter({
 				where: and(
 					eq(ssoProvider.providerId, input.providerId),
 					eq(ssoProvider.organizationId, ctx.session.activeOrganizationId),
-					eq(ssoProvider.userId, ctx.session.userId),
 				),
 				columns: {
 					id: true,
 					issuer: true,
 					domain: true,
+					userId: true,
 				},
 			});
 
@@ -133,6 +129,13 @@ export const ssoRouter = createTRPCRouter({
 				});
 			}
 
+			if (existing.userId !== ctx.session.userId) {
+				await db
+					.update(ssoProvider)
+					.set({ userId: ctx.session.userId })
+					.where(eq(ssoProvider.id, existing.id));
+			}
+
 			const providers = await db.query.ssoProvider.findMany({
 				where: eq(ssoProvider.organizationId, ctx.session.activeOrganizationId),
 				columns: { providerId: true, domain: true },
@@ -218,7 +221,6 @@ export const ssoRouter = createTRPCRouter({
 				where: and(
 					eq(ssoProvider.providerId, input.providerId),
 					eq(ssoProvider.organizationId, ctx.session.activeOrganizationId),
-					eq(ssoProvider.userId, ctx.session.userId),
 				),
 				columns: {
 					id: true,
@@ -241,7 +243,6 @@ export const ssoRouter = createTRPCRouter({
 					and(
 						eq(ssoProvider.providerId, input.providerId),
 						eq(ssoProvider.organizationId, ctx.session.activeOrganizationId),
-						eq(ssoProvider.userId, ctx.session.userId),
 					),
 				)
 				.returning({ id: ssoProvider.id });

apps/dokploy/server/api/routers/server.ts

@@ -45,6 +45,7 @@ import {
 	redis,
 	server,
 } from "@/server/db/schema";
+import { applyDockerCleanupSchedule } from "@/server/utils/docker-cleanup";
 
 export const serverRouter = createTRPCRouter({
 	create: withPermission("server", "create")
@@ -63,6 +64,11 @@ export const serverRouter = createTRPCRouter({
 					input,
 					ctx.session.activeOrganizationId,
 				);
+				await applyDockerCleanupSchedule(
+					project.serverId,
+					ctx.session.activeOrganizationId,
+					input.enableDockerCleanup,
+				);
 				await audit(ctx, {
 					action: "create",
 					resourceType: "server",
@@ -456,6 +462,12 @@ export const serverRouter = createTRPCRouter({
 					...input,
 				});
 
+				await applyDockerCleanupSchedule(
+					input.serverId,
+					ctx.session.activeOrganizationId,
+					input.enableDockerCleanup,
+				);
+
 				await audit(ctx, {
 					action: "update",
 					resourceType: "server",

apps/dokploy/server/utils/docker-cleanup.ts

@@ -0,0 +1,39 @@
+import {
+	CLEANUP_CRON_JOB,
+	cleanupAll,
+	IS_CLOUD,
+	sendDockerCleanupNotifications,
+} from "@dokploy/server";
+import { scheduledJobs, scheduleJob } from "node-schedule";
+import { removeJob, schedule } from "./backup";
+
+export const applyDockerCleanupSchedule = async (
+	serverId: string,
+	organizationId: string,
+	enable: boolean,
+) => {
+	if (enable) {
+		if (IS_CLOUD) {
+			await schedule({
+				cronSchedule: CLEANUP_CRON_JOB,
+				serverId,
+				type: "server",
+			});
+		} else {
+			scheduleJob(serverId, CLEANUP_CRON_JOB, async () => {
+				await cleanupAll(serverId);
+				await sendDockerCleanupNotifications(organizationId);
+			});
+		}
+	} else {
+		if (IS_CLOUD) {
+			await removeJob({
+				cronSchedule: CLEANUP_CRON_JOB,
+				serverId,
+				type: "server",
+			});
+		} else {
+			scheduledJobs[serverId]?.cancel();
+		}
+	}
+};

packages/server/src/db/schema/domain.ts

@@ -55,6 +55,7 @@ export const domains = pgTable("domain", {
 	internalPath: text("internalPath").default("/"),
 	stripPath: boolean("stripPath").notNull().default(false),
 	middlewares: text("middlewares").array().default(sql`ARRAY[]::text[]`),
+	forwardAuthEnabled: boolean("forwardAuthEnabled").notNull().default(false),
 });
 
 export const domainsRelations = relations(domains, ({ one }) => ({
@@ -94,6 +95,7 @@ export const apiCreateDomain = createSchema.pick({
 	internalPath: true,
 	stripPath: true,
 	middlewares: true,
+	forwardAuthEnabled: true,
 });
 
 export const apiFindDomain = z.object({
@@ -126,5 +128,6 @@ export const apiUpdateDomain = createSchema
 		internalPath: true,
 		stripPath: true,
 		middlewares: true,
+		forwardAuthEnabled: true,
 	})
 	.merge(createSchema.pick({ domainId: true }).required());

packages/server/src/db/schema/forward-auth.ts

@@ -0,0 +1,75 @@
+import { relations } from "drizzle-orm";
+import { boolean, pgTable, text } from "drizzle-orm/pg-core";
+import { nanoid } from "nanoid";
+import { z } from "zod";
+import { server } from "./server";
+import { certificateType } from "./shared";
+import { ssoProvider } from "./sso";
+
+export const forwardAuthSettings = pgTable("forward_auth_settings", {
+	forwardAuthSettingsId: text("forwardAuthSettingsId")
+		.notNull()
+		.primaryKey()
+		.$defaultFn(() => nanoid()),
+	authDomain: text("authDomain").notNull(),
+	baseDomain: text("baseDomain").notNull(),
+	https: boolean("https").notNull().default(true),
+	certificateType: certificateType("certificateType")
+		.notNull()
+		.default("letsencrypt"),
+	customCertResolver: text("customCertResolver"),
+	providerId: text("providerId").references(() => ssoProvider.providerId, {
+		onDelete: "set null",
+	}),
+	serverId: text("serverId")
+		.unique()
+		.references(() => server.serverId, {
+			onDelete: "cascade",
+		}),
+	createdAt: text("createdAt")
+		.notNull()
+		.$defaultFn(() => new Date().toISOString()),
+});
+
+export const forwardAuthSettingsRelations = relations(
+	forwardAuthSettings,
+	({ one }) => ({
+		server: one(server, {
+			fields: [forwardAuthSettings.serverId],
+			references: [server.serverId],
+		}),
+		provider: one(ssoProvider, {
+			fields: [forwardAuthSettings.providerId],
+			references: [ssoProvider.providerId],
+		}),
+	}),
+);
+
+const domainRegex = /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/;
+
+export const apiForwardAuthServerTarget = z.object({
+	serverId: z.string().nullable(),
+});
+
+export const apiForwardAuthDomainTarget = z.object({
+	domainId: z.string().min(1),
+});
+
+export const apiSetForwardAuthSettings = z.object({
+	serverId: z.string().nullable(),
+	authDomain: z
+		.string()
+		.trim()
+		.toLowerCase()
+		.refine((v) => domainRegex.test(v), { message: "Invalid auth domain" }),
+	https: z.boolean().default(true),
+	certificateType: z
+		.enum(["none", "letsencrypt", "custom"])
+		.default("letsencrypt"),
+	customCertResolver: z.string().optional(),
+});
+
+export const apiDeployForwardAuthOnServer = z.object({
+	serverId: z.string().nullable(),
+	providerId: z.string().min(1),
+});

packages/server/src/db/schema/index.ts

@@ -10,6 +10,7 @@ export * from "./deployment";
 export * from "./destination";
 export * from "./domain";
 export * from "./environment";
+export * from "./forward-auth";
 export * from "./git-provider";
 export * from "./gitea";
 export * from "./github";

packages/server/src/db/schema/server.ts

@@ -147,8 +147,12 @@ export const apiCreateServer = createSchema
 		username: true,
 		sshKeyId: true,
 		serverType: true,
+		enableDockerCleanup: true,
 	})
-	.required();
+	.required()
+	.extend({
+		enableDockerCleanup: z.boolean().default(true),
+	});
 
 export const apiFindOneServer = z.object({
 	serverId: z.string().min(1),
@@ -170,10 +174,12 @@ export const apiUpdateServer = createSchema
 		username: true,
 		sshKeyId: true,
 		serverType: true,
+		enableDockerCleanup: true,
 	})
 	.required()
 	.extend({
 		command: z.string().optional(),
+		enableDockerCleanup: z.boolean().default(true),
 	});
 
 export const apiUpdateServerMonitoring = createSchema

packages/server/src/db/schema/sso.ts

@@ -10,7 +10,7 @@ export const ssoProvider = pgTable("sso_provider", {
 	oidcConfig: text("oidc_config"),
 	samlConfig: text("saml_config"),
 	providerId: text("provider_id").notNull().unique(),
-	userId: text("user_id").references(() => user.id, { onDelete: "cascade" }),
+	userId: text("user_id").references(() => user.id, { onDelete: "set null" }),
 	organizationId: text("organization_id").references(() => organization.id, {
 		onDelete: "cascade",
 	}),

packages/server/src/index.ts

@@ -35,6 +35,7 @@ export * from "./services/port";
 export * from "./services/postgres";
 export * from "./services/preview-deployment";
 export * from "./services/project";
+export * from "./services/proprietary/forward-auth";
 export * from "./services/proprietary/license-key";
 export * from "./services/proprietary/sso";
 export * from "./services/redirect";
@@ -50,6 +51,7 @@ export * from "./services/user";
 export * from "./services/volume-backups";
 export * from "./services/web-server-settings";
 export * from "./setup/config-paths";
+export * from "./setup/forward-auth-setup";
 export * from "./setup/monitoring-setup";
 export * from "./setup/postgres-setup";
 export * from "./setup/redis-setup";
@@ -127,6 +129,7 @@ export * from "./utils/tracking/hubspot";
 export * from "./utils/traefik/application";
 export * from "./utils/traefik/domain";
 export * from "./utils/traefik/file-types";
+export * from "./utils/traefik/forward-auth";
 export * from "./utils/traefik/middleware";
 export * from "./utils/traefik/redirect";
 export * from "./utils/traefik/security";

packages/server/src/services/application.ts

@@ -95,26 +95,22 @@ export const findApplicationById = async (applicationId: string) => {
 	const application = await db.query.applications.findFirst({
 		where: eq(applications.applicationId, applicationId),
 		with: {
-			environment: {
-				with: {
-					project: true,
-				},
-			},
+			environment: { with: { project: true } },
 			domains: true,
 			deployments: true,
 			mounts: true,
 			redirects: true,
 			security: true,
 			ports: true,
-			registry: true,
 			gitlab: true,
 			github: true,
 			bitbucket: true,
 			gitea: true,
 			server: true,
 			previewDeployments: true,
-			buildRegistry: true,
-			rollbackRegistry: true,
+			registry: { columns: { password: false } },
+			buildRegistry: { columns: { password: false } },
+			rollbackRegistry: { columns: { password: false } },
 		},
 	});
 	if (!application) {

packages/server/src/services/backup.ts

@@ -34,7 +34,12 @@ export const findBackupById = async (backupId: string) => {
 			mariadb: true,
 			mongo: true,
 			libsql: true,
-			destination: true,
+			destination: {
+				columns: {
+					accessKey: false,
+					secretAccessKey: false,
+				},
+			},
 			compose: true,
 		},
 	});
@@ -83,7 +88,12 @@ export const findBackupsByDbId = async (
 			mariadb: true,
 			mongo: true,
 			libsql: true,
-			destination: true,
+			destination: {
+				columns: {
+					accessKey: false,
+					secretAccessKey: false,
+				},
+			},
 		},
 	});
 	return result || [];

packages/server/src/services/compose.ts

@@ -131,7 +131,12 @@ export const findComposeById = async (composeId: string) => {
 			server: true,
 			backups: {
 				with: {
-					destination: true,
+					destination: {
+						columns: {
+							accessKey: false,
+							secretAccessKey: false,
+						},
+					},
 					deployments: true,
 				},
 			},

packages/server/src/services/git-provider.ts

@@ -43,6 +43,38 @@ export const updateGitProvider = async (
 		.then((response) => response[0]);
 };
 
+// Returns true if the user can edit the git source configuration of an existing
+// deploy that is connected to the given provider.
+// Owner/admin: always yes.
+// Member: only if they own the provider or it's shared with the org.
+// Being in accessedGitProviders only grants permission to connect NEW deploys,
+// not to modify the git config of an existing deploy owned by someone else.
+export const canEditDeployGitSource = async (
+	gitProviderId: string,
+	session: { userId: string; activeOrganizationId: string },
+): Promise<boolean> => {
+	const { userId, activeOrganizationId } = session;
+
+	const memberRecord = await db.query.member.findFirst({
+		where: and(
+			eq(member.userId, userId),
+			eq(member.organizationId, activeOrganizationId),
+		),
+		columns: { role: true },
+	});
+
+	if (memberRecord?.role === "owner") return true;
+
+	const provider = await db.query.gitProvider.findFirst({
+		where: eq(gitProvider.gitProviderId, gitProviderId),
+		columns: { userId: true, sharedWithOrganization: true },
+	});
+
+	if (!provider) return false;
+
+	return provider.userId === userId || provider.sharedWithOrganization;
+};
+
 export const getAccessibleGitProviderIds = async (session: {
 	userId: string;
 	activeOrganizationId: string;

packages/server/src/services/libsql.ts

@@ -63,7 +63,12 @@ export const findLibsqlById = async (libsqlId: string) => {
 			server: true,
 			backups: {
 				with: {
-					destination: true,
+					destination: {
+						columns: {
+							accessKey: false,
+							secretAccessKey: false,
+						},
+					},
 					deployments: true,
 				},
 			},

packages/server/src/services/mariadb.ts

@@ -68,7 +68,12 @@ export const findMariadbById = async (mariadbId: string) => {
 			server: true,
 			backups: {
 				with: {
-					destination: true,
+					destination: {
+						columns: {
+							accessKey: false,
+							secretAccessKey: false,
+						},
+					},
 					deployments: true,
 				},
 			},

packages/server/src/services/mongo.ts

@@ -63,7 +63,12 @@ export const findMongoById = async (mongoId: string) => {
 			server: true,
 			backups: {
 				with: {
-					destination: true,
+					destination: {
+						columns: {
+							accessKey: false,
+							secretAccessKey: false,
+						},
+					},
 					deployments: true,
 				},
 			},

packages/server/src/services/mysql.ts

@@ -66,7 +66,12 @@ export const findMySqlById = async (mysqlId: string) => {
 			server: true,
 			backups: {
 				with: {
-					destination: true,
+					destination: {
+						columns: {
+							accessKey: false,
+							secretAccessKey: false,
+						},
+					},
 					deployments: true,
 				},
 			},

packages/server/src/services/postgres.ts

@@ -76,7 +76,12 @@ export const findPostgresById = async (postgresId: string) => {
 			server: true,
 			backups: {
 				with: {
-					destination: true,
+					destination: {
+						columns: {
+							accessKey: false,
+							secretAccessKey: false,
+						},
+					},
 					deployments: true,
 				},
 			},

packages/server/src/services/proprietary/forward-auth.ts

@@ -0,0 +1,382 @@
+import { IS_CLOUD } from "@dokploy/server/constants";
+import { db } from "@dokploy/server/db";
+import {
+	forwardAuthSettings,
+	server,
+	ssoProvider,
+} from "@dokploy/server/db/schema";
+import { checkServicePermissionAndAccess } from "@dokploy/server/services/permission";
+import {
+	deriveBaseDomain,
+	deriveCookieSecret,
+	type ForwardAuthOidcConfig,
+	forwardAuthCallbackUrl,
+	isForwardAuthRunning,
+	removeForwardAuth,
+	setupForwardAuth,
+} from "@dokploy/server/setup/forward-auth-setup";
+import { manageDomain } from "@dokploy/server/utils/traefik/domain";
+import {
+	manageForwardAuthDomain,
+	removeForwardAuthDomain,
+	removeForwardAuthMiddleware,
+} from "@dokploy/server/utils/traefik/forward-auth";
+import { TRPCError } from "@trpc/server";
+import { and, asc, desc, eq, isNotNull, isNull } from "drizzle-orm";
+import { findApplicationById } from "../application";
+import { findDomainById, updateDomainById } from "../domain";
+
+const resolveOidcConfig = (provider: {
+	issuer: string;
+	oidcConfig: string | null;
+}): ForwardAuthOidcConfig => {
+	if (!provider.oidcConfig) {
+		throw new TRPCError({
+			code: "BAD_REQUEST",
+			message:
+				"Forward-auth requires an OIDC provider — SAML is not supported.",
+		});
+	}
+
+	let parsed: any;
+	try {
+		parsed = JSON.parse(provider.oidcConfig);
+	} catch {
+		throw new TRPCError({
+			code: "INTERNAL_SERVER_ERROR",
+			message: "Failed to parse the SSO provider OIDC configuration",
+		});
+	}
+
+	if (!parsed?.clientId || !parsed?.clientSecret) {
+		throw new TRPCError({
+			code: "BAD_REQUEST",
+			message: "SSO provider OIDC config is missing clientId/clientSecret",
+		});
+	}
+
+	return {
+		clientId: parsed.clientId,
+		clientSecret: parsed.clientSecret,
+		issuer: provider.issuer,
+		scopes: parsed.scopes,
+		skipDiscovery: parsed.skipDiscovery,
+	};
+};
+
+const findProviderForOrg = async (
+	providerId: string,
+	organizationId: string,
+) => {
+	const provider = await db.query.ssoProvider.findFirst({
+		where: and(
+			eq(ssoProvider.providerId, providerId),
+			eq(ssoProvider.organizationId, organizationId),
+		),
+		columns: { providerId: true, issuer: true, oidcConfig: true },
+	});
+	if (!provider) {
+		throw new TRPCError({
+			code: "NOT_FOUND",
+			message: "SSO provider not found",
+		});
+	}
+	return provider;
+};
+
+export const listSsoProvidersForOrg = async (organizationId: string) => {
+	return db.query.ssoProvider.findMany({
+		where: and(
+			eq(ssoProvider.organizationId, organizationId),
+			isNotNull(ssoProvider.oidcConfig),
+		),
+		columns: { providerId: true, issuer: true, domain: true },
+		orderBy: [asc(ssoProvider.createdAt)],
+	});
+};
+
+export const getDomainSsoStatus = async (
+	ctx: { session: { activeOrganizationId: string } },
+	domainId: string,
+) => {
+	const domain = await findDomainById(domainId);
+	if (domain.applicationId) {
+		await checkServicePermissionAndAccess(ctx as any, domain.applicationId, {
+			domain: ["read"],
+		});
+	}
+	return { enabled: !!domain.forwardAuthEnabled };
+};
+
+const settingsWhere = (serverId: string | null) =>
+	serverId
+		? eq(forwardAuthSettings.serverId, serverId)
+		: isNull(forwardAuthSettings.serverId);
+
+export const getForwardAuthSettings = async (serverId: string | null) => {
+	return db.query.forwardAuthSettings.findFirst({
+		where: settingsWhere(serverId),
+	});
+};
+
+export const setForwardAuthSettings = async (input: {
+	organizationId: string;
+	serverId: string | null;
+	authDomain: string;
+	https: boolean;
+	certificateType: "none" | "letsencrypt" | "custom";
+	customCertResolver?: string | null;
+}) => {
+	const baseDomain = deriveBaseDomain(input.authDomain);
+	const existing = await getForwardAuthSettings(input.serverId);
+
+	const values = {
+		authDomain: input.authDomain,
+		baseDomain,
+		https: input.https,
+		certificateType: input.certificateType,
+		customCertResolver: input.customCertResolver ?? null,
+	};
+
+	if (existing) {
+		await db
+			.update(forwardAuthSettings)
+			.set(values)
+			.where(settingsWhere(input.serverId));
+	} else {
+		await db.insert(forwardAuthSettings).values({
+			...values,
+			serverId: input.serverId,
+		});
+	}
+
+	await manageForwardAuthDomain(input.serverId, {
+		authDomain: input.authDomain,
+		https: input.https,
+		certificateType: input.certificateType,
+		customCertResolver: input.customCertResolver,
+	});
+
+	if (existing?.providerId) {
+		const proxyRunning = await isForwardAuthRunning(
+			input.serverId ?? undefined,
+		);
+		if (proxyRunning) {
+			await deployForwardAuthOnServer({
+				serverId: input.serverId ?? undefined,
+				providerId: existing.providerId,
+				organizationId: input.organizationId,
+			});
+		}
+	}
+
+	return { callbackUrl: forwardAuthCallbackUrl(input.authDomain, input.https) };
+};
+
+export const removeForwardAuthSettings = async (serverId: string | null) => {
+	const existing = await getForwardAuthSettings(serverId);
+	if (!existing) return { ok: true } as const;
+	await removeForwardAuthDomain(serverId);
+	await db.delete(forwardAuthSettings).where(settingsWhere(serverId));
+	return { ok: true } as const;
+};
+
+export const deployForwardAuthOnServer = async (input: {
+	serverId?: string;
+	providerId: string;
+	organizationId: string;
+}) => {
+	const settings = await getForwardAuthSettings(input.serverId ?? null);
+	if (!settings) {
+		throw new TRPCError({
+			code: "PRECONDITION_FAILED",
+			message:
+				"Set the authentication domain for this server before deploying the proxy.",
+		});
+	}
+
+	const provider = await findProviderForOrg(
+		input.providerId,
+		input.organizationId,
+	);
+	const oidc = resolveOidcConfig(provider);
+
+	await setupForwardAuth({
+		serverId: input.serverId,
+		oidc,
+		cookieSecret: deriveCookieSecret(
+			`${input.serverId ?? "host"}:${settings.baseDomain}`,
+		),
+		authDomain: settings.authDomain,
+		baseDomain: settings.baseDomain,
+		authDomainHttps: settings.https,
+	});
+
+	if (settings.providerId !== input.providerId) {
+		await db
+			.update(forwardAuthSettings)
+			.set({ providerId: input.providerId })
+			.where(settingsWhere(input.serverId ?? null));
+	}
+
+	return { ok: true } as const;
+};
+
+const FORWARD_AUTH_CHECK_TIMEOUT_MS = 4000;
+
+const proxyStatus = async (
+	serverId: string | null,
+): Promise<"running" | "stopped" | "unknown"> => {
+	try {
+		const running = await Promise.race([
+			isForwardAuthRunning(serverId ?? undefined),
+			new Promise<never>((_, reject) =>
+				setTimeout(
+					() => reject(new Error("timeout")),
+					FORWARD_AUTH_CHECK_TIMEOUT_MS,
+				),
+			),
+		]);
+		return running ? "running" : "stopped";
+	} catch {
+		return "unknown";
+	}
+};
+
+export const getForwardAuthServerStatus = async (organizationId: string) => {
+	const servers = await db.query.server.findMany({
+		where: and(
+			eq(server.organizationId, organizationId),
+			isNotNull(server.sshKeyId),
+			eq(server.serverType, "deploy"),
+		),
+		columns: { serverId: true, name: true, ipAddress: true },
+		orderBy: [desc(server.createdAt)],
+	});
+
+	const targets: {
+		serverId: string | null;
+		name: string;
+		ipAddress: string | null;
+	}[] = [
+		...(IS_CLOUD
+			? []
+			: [
+					{
+						serverId: null,
+						name: "Dokploy Server (local)",
+						ipAddress: null,
+					},
+				]),
+		...servers.map((s) => ({
+			serverId: s.serverId,
+			name: s.name,
+			ipAddress: s.ipAddress,
+		})),
+	];
+
+	return Promise.all(
+		targets.map(async (t) => {
+			const settings = await getForwardAuthSettings(t.serverId);
+			return {
+				...t,
+				status: await proxyStatus(t.serverId),
+				authDomain: settings?.authDomain ?? null,
+				https: settings?.https ?? true,
+				certificateType: settings?.certificateType ?? "none",
+				customCertResolver: settings?.customCertResolver ?? null,
+				callbackUrl: settings
+					? forwardAuthCallbackUrl(settings.authDomain, settings.https)
+					: null,
+			};
+		}),
+	);
+};
+
+export const removeForwardAuthProxy = async (serverId: string | null) => {
+	await removeForwardAuth(serverId ?? undefined);
+	await db
+		.update(forwardAuthSettings)
+		.set({ providerId: null })
+		.where(settingsWhere(serverId));
+	return { ok: true } as const;
+};
+
+const resolveApplicationDomain = async (domainId: string) => {
+	const domain = await findDomainById(domainId);
+	if (!domain.applicationId) {
+		throw new TRPCError({
+			code: "BAD_REQUEST",
+			message:
+				"SSO forward-auth is currently only supported on application domains",
+		});
+	}
+	const application = await findApplicationById(domain.applicationId);
+	return { domain, application };
+};
+
+export const assertApplicationDomainAccess = async (
+	ctx: { session: { activeOrganizationId: string } },
+	domainId: string,
+	action: "create" | "delete",
+) => {
+	const domain = await findDomainById(domainId);
+	if (!domain.applicationId) {
+		throw new TRPCError({
+			code: "BAD_REQUEST",
+			message:
+				"SSO forward-auth is currently only supported on application domains",
+		});
+	}
+	await checkServicePermissionAndAccess(ctx as any, domain.applicationId, {
+		domain: [action],
+	});
+	return domain;
+};
+
+export const enableForwardAuthOnDomain = async (input: {
+	domainId: string;
+}) => {
+	const { application } = await resolveApplicationDomain(input.domainId);
+	const serverId = application.serverId ?? undefined;
+
+	const settings = await getForwardAuthSettings(serverId ?? null);
+	if (!settings?.providerId) {
+		throw new TRPCError({
+			code: "PRECONDITION_FAILED",
+			message:
+				"Deploy the authentication proxy for this server in SSO settings first.",
+		});
+	}
+
+	const proxyRunning = await isForwardAuthRunning(serverId);
+	if (!proxyRunning) {
+		throw new TRPCError({
+			code: "PRECONDITION_FAILED",
+			message:
+				"The authentication proxy is not deployed on this server. Deploy it in SSO settings first.",
+		});
+	}
+
+	await updateDomainById(input.domainId, { forwardAuthEnabled: true });
+	const domain = await findDomainById(input.domainId);
+	await manageDomain(application, domain);
+
+	return { ok: true } as const;
+};
+
+export const disableForwardAuthOnDomain = async (input: {
+	domainId: string;
+}) => {
+	const { application, domain } = await resolveApplicationDomain(
+		input.domainId,
+	);
+	const uniqueConfigKey = domain.uniqueConfigKey;
+
+	await updateDomainById(input.domainId, { forwardAuthEnabled: false });
+	const updated = await findDomainById(input.domainId);
+	await manageDomain(application, updated);
+	await removeForwardAuthMiddleware(application, uniqueConfigKey);
+
+	return { ok: true } as const;
+};

packages/server/src/services/registry.ts

@@ -27,6 +27,16 @@ export function safeDockerLoginCommand(
 	return `printf %s ${escapedPassword} | docker login ${escapedRegistry} -u ${escapedUser} --password-stdin`;
 }
 
+function sanitizeRegistryError(
+	error: unknown,
+	password: string | null | undefined,
+): string {
+	const message =
+		error instanceof Error ? error.message : "Error with registry login";
+	if (!password) return message;
+	return message.split(password).join("***");
+}
+
 export const createRegistry = async (
 	input: z.infer<typeof apiCreateRegistry>,
 	organizationId: string,
@@ -59,10 +69,15 @@ export const createRegistry = async (
 			input.username,
 			input.password,
 		);
-		if (input.serverId && input.serverId !== "none") {
-			await execAsyncRemote(input.serverId, loginCommand);
-		} else if (newRegistry.registryType === "cloud") {
-			await execAsync(loginCommand);
+		try {
+			if (input.serverId && input.serverId !== "none") {
+				await execAsyncRemote(input.serverId, loginCommand);
+			} else if (newRegistry.registryType === "cloud") {
+				await execAsync(loginCommand);
+			}
+		} catch (error) {
+			const sanitized = sanitizeRegistryError(error, input.password);
+			throw new TRPCError({ code: "BAD_REQUEST", message: sanitized });
 		}
 
 		return newRegistry;
@@ -129,16 +144,24 @@ export const updateRegistry = async (
 			});
 		}
 
-		if (registryData?.serverId && registryData?.serverId !== "none") {
-			await execAsyncRemote(registryData.serverId, loginCommand);
-		} else if (response?.registryType === "cloud") {
-			await execAsync(loginCommand);
+		try {
+			if (registryData?.serverId && registryData?.serverId !== "none") {
+				await execAsyncRemote(registryData.serverId, loginCommand);
+			} else if (response?.registryType === "cloud") {
+				await execAsync(loginCommand);
+			}
+		} catch (execError) {
+			throw new Error(sanitizeRegistryError(execError, response?.password));
 		}
 
 		return response;
 	} catch (error) {
 		const message =
-			error instanceof Error ? error.message : "Error updating this registry";
+			error instanceof TRPCError
+				? error.message
+				: error instanceof Error
+					? error.message
+					: "Error updating this registry";
 		throw new TRPCError({
 			code: "BAD_REQUEST",
 			message,
@@ -162,6 +185,19 @@ export const findRegistryById = async (registryId: string) => {
 	return registryResponse;
 };
 
+export const findRegistryByIdWithCredentials = async (registryId: string) => {
+	const registryResponse = await db.query.registry.findFirst({
+		where: eq(registry.registryId, registryId),
+	});
+	if (!registryResponse) {
+		throw new TRPCError({
+			code: "NOT_FOUND",
+			message: "Registry not found",
+		});
+	}
+	return registryResponse;
+};
+
 export const findAllRegistryByOrganizationId = async (
 	organizationId: string,
 ) => {

packages/server/src/services/rollbacks.ts

@@ -7,7 +7,6 @@ import {
 	deployments as deploymentsSchema,
 	rollbacks,
 } from "../db/schema";
-import type { ApplicationNested } from "../utils/builders";
 import { getRegistryTag } from "../utils/cluster/upload";
 import {
 	calculateResources,
@@ -23,7 +22,11 @@ import { findDeploymentById } from "./deployment";
 import type { Mount } from "./mount";
 import type { Port } from "./port";
 import type { Project } from "./project";
-import { type Registry, safeDockerLoginCommand } from "./registry";
+import {
+	findRegistryByIdWithCredentials,
+	type Registry,
+	safeDockerLoginCommand,
+} from "./registry";
 
 export const createRollback = async (
 	input: z.infer<typeof createRollbackSchema>,
@@ -56,11 +59,29 @@ export const createRollback = async (
 			...rest
 		} = await findApplicationById(deployment.applicationId);
 
+		const registry = rest.registryId
+			? await findRegistryByIdWithCredentials(rest.registryId)
+			: rest.registry;
+		const buildRegistry = rest.buildRegistryId
+			? await findRegistryByIdWithCredentials(rest.buildRegistryId)
+			: rest.buildRegistry;
+		const rollbackRegistry = rest.rollbackRegistryId
+			? await findRegistryByIdWithCredentials(rest.rollbackRegistryId)
+			: rest.rollbackRegistry;
+
+		const fullContextWithCredentials = {
+			...rest,
+			registry,
+			buildRegistry,
+			rollbackRegistry,
+		};
+
 		await tx
 			.update(rollbacks)
 			.set({
 				image: tagImage,
-				fullContext: rest,
+				// eslint-disable-next-line @typescript-eslint/no-explicit-any
+				fullContext: fullContextWithCredentials as any,
 			})
 			.where(eq(rollbacks.rollbackId, rollback.rollbackId));
 
@@ -162,7 +183,6 @@ export const rollback = async (rollbackId: string) => {
 	if (!result.fullContext) {
 		throw new Error("Rollback context not found");
 	}
-	// Use the full context for rollback
 	await rollbackApplication(
 		application.appName,
 		result.image || "",
@@ -198,24 +218,25 @@ const rollbackApplication = async (
 		};
 		mounts: Mount[];
 		ports: Port[];
-		rollbackRegistry?: Registry;
+		rollbackRegistry?: Registry | null;
 	},
 ) => {
 	if (!fullContext) {
 		throw new Error("Full context is required for rollback");
 	}
 
+	const rollbackRegistry = fullContext.rollbackRegistry ?? undefined;
+
 	// Ensure Docker daemon is authenticated with the rollback registry
 	// before updating the swarm service. The authconfig in CreateServiceOptions
 	// alone is not sufficient — Docker Swarm also relies on the daemon's
 	// cached credentials (~/.docker/config.json) to distribute auth to nodes.
-	if (fullContext.rollbackRegistry) {
-		await dockerLoginForRegistry(fullContext.rollbackRegistry, serverId);
+	if (rollbackRegistry) {
+		await dockerLoginForRegistry(rollbackRegistry, serverId);
 	}
 
 	const docker = await getRemoteDocker(serverId);
 
-	// Use the same configuration as mechanizeDockerContainer
 	const {
 		env,
 		mounts,
@@ -246,7 +267,9 @@ const rollbackApplication = async (
 		UpdateConfig,
 		Networks,
 		Ulimits,
-	} = generateConfigContainer(fullContext as ApplicationNested);
+	} = generateConfigContainer(
+		fullContext as Parameters<typeof generateConfigContainer>[0],
+	);
 
 	const bindsMount = generateBindMounts(mounts);
 	const envVariables = prepareEnvironmentVariables(
@@ -254,18 +277,16 @@ const rollbackApplication = async (
 		fullContext.environment.project.env,
 	);
 
-	// Build the full registry image path if rollbackRegistry is available
-	// e.g., "appName:v5" -> "siumauricio/appName:v5" or "registry.com/prefix/appName:v5"
 	let rollbackImage = image;
-	if (fullContext.rollbackRegistry) {
-		rollbackImage = getRegistryTag(fullContext.rollbackRegistry, image);
+	if (rollbackRegistry) {
+		rollbackImage = getRegistryTag(rollbackRegistry, image);
 	}
 
 	const settings: CreateServiceOptions = {
 		authconfig: {
-			password: fullContext.rollbackRegistry?.password || "",
-			username: fullContext.rollbackRegistry?.username || "",
-			serveraddress: fullContext.rollbackRegistry?.registryUrl || "",
+			password: rollbackRegistry?.password || "",
+			username: rollbackRegistry?.username || "",
+			serveraddress: rollbackRegistry?.registryUrl || "",
 		},
 		Name: appName,
 		TaskTemplate: {

packages/server/src/services/volume-backups.ts

@@ -84,7 +84,12 @@ export const findVolumeBackupById = async (volumeBackupId: string) => {
 					},
 				},
 			},
-			destination: true,
+			destination: {
+				columns: {
+					accessKey: false,
+					secretAccessKey: false,
+				},
+			},
 		},
 	});
 

packages/server/src/setup/forward-auth-setup.ts

@@ -0,0 +1,158 @@
+import { createHmac } from "node:crypto";
+import type { CreateServiceOptions } from "dockerode";
+import { betterAuthSecret } from "../lib/auth-secret";
+import { getRemoteDocker } from "../utils/servers/remote-docker";
+
+export const FORWARD_AUTH_SERVICE_NAME = "dokploy-forward-auth";
+const FORWARD_AUTH_IMAGE = "quay.io/oauth2-proxy/oauth2-proxy:v7.6.0";
+
+export const FORWARD_AUTH_PORT = 4180;
+
+export interface ForwardAuthOidcConfig {
+	clientId: string;
+	clientSecret: string;
+	issuer: string;
+	scopes?: string[];
+	skipDiscovery?: boolean;
+}
+
+export interface SetupForwardAuthOptions {
+	serverId?: string;
+	oidc: ForwardAuthOidcConfig;
+	cookieSecret: string;
+	authDomain: string;
+	baseDomain: string;
+	authDomainHttps?: boolean;
+	emailDomains?: string[];
+}
+
+export const deriveBaseDomain = (authDomain: string): string => {
+	const labels = authDomain.trim().toLowerCase().split(".").filter(Boolean);
+	const base = labels.length > 2 ? labels.slice(1) : labels;
+	return `.${base.join(".")}`;
+};
+
+export const forwardAuthCallbackUrl = (
+	authDomain: string,
+	https: boolean,
+): string => `${https ? "https" : "http"}://${authDomain}/oauth2/callback`;
+
+export const deriveCookieSecret = (salt: string): string => {
+	// oauth2-proxy requires cookie_secret to be exactly 16, 24, or 32 bytes.
+	// Take the first 32 hex chars (= 16 bytes) to satisfy that constraint.
+	return createHmac("sha256", betterAuthSecret)
+		.update(`forward-auth:${salt}`)
+		.digest("hex")
+		.slice(0, 32);
+};
+
+export const buildForwardAuthEnv = (
+	options: SetupForwardAuthOptions,
+): string[] => {
+	const { oidc, cookieSecret, authDomain, baseDomain, authDomainHttps } =
+		options;
+	const scheme = authDomainHttps ? "https" : "http";
+	const emailDomains =
+		options.emailDomains && options.emailDomains.length > 0
+			? options.emailDomains
+			: ["*"];
+
+	const env: string[] = [
+		"OAUTH2_PROXY_PROVIDER=oidc",
+		`OAUTH2_PROXY_OIDC_ISSUER_URL=${oidc.issuer}`,
+		`OAUTH2_PROXY_CLIENT_ID=${oidc.clientId}`,
+		`OAUTH2_PROXY_CLIENT_SECRET=${oidc.clientSecret}`,
+		`OAUTH2_PROXY_COOKIE_SECRET=${cookieSecret}`,
+		`OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:${FORWARD_AUTH_PORT}`,
+		"OAUTH2_PROXY_REVERSE_PROXY=true",
+		"OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true",
+		"OAUTH2_PROXY_SET_XAUTHREQUEST=true",
+		"OAUTH2_PROXY_UPSTREAMS=static://202",
+		`OAUTH2_PROXY_REDIRECT_URL=${scheme}://${authDomain}/oauth2/callback`,
+		`OAUTH2_PROXY_COOKIE_DOMAINS=${baseDomain}`,
+		`OAUTH2_PROXY_WHITELIST_DOMAINS=${baseDomain}`,
+		`OAUTH2_PROXY_COOKIE_SECURE=${authDomainHttps ? "true" : "false"}`,
+		"OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL=true",
+		`OAUTH2_PROXY_EMAIL_DOMAINS=${emailDomains.join(",")}`,
+	];
+
+	const scopes = oidc.scopes?.length
+		? oidc.scopes
+		: ["openid", "email", "profile"];
+	env.push(`OAUTH2_PROXY_SCOPE=${scopes.join(" ")}`);
+
+	if (oidc.skipDiscovery) {
+		env.push("OAUTH2_PROXY_SKIP_OIDC_DISCOVERY=true");
+	}
+
+	return env;
+};
+
+export const setupForwardAuth = async (options: SetupForwardAuthOptions) => {
+	const { serverId } = options;
+	const docker = await getRemoteDocker(serverId);
+
+	const settings: CreateServiceOptions = {
+		Name: FORWARD_AUTH_SERVICE_NAME,
+		TaskTemplate: {
+			ContainerSpec: {
+				Image: FORWARD_AUTH_IMAGE,
+				Env: buildForwardAuthEnv(options),
+			},
+			Networks: [{ Target: "dokploy-network" }],
+			Placement: {
+				Constraints: ["node.role==manager"],
+			},
+		},
+		Mode: {
+			Replicated: {
+				Replicas: 1,
+			},
+		},
+	};
+
+	try {
+		const service = docker.getService(FORWARD_AUTH_SERVICE_NAME);
+		const inspect = await service.inspect();
+		await service.update({
+			version: Number.parseInt(inspect.Version.Index),
+			...settings,
+			TaskTemplate: {
+				...settings.TaskTemplate,
+				ForceUpdate: inspect.Spec.TaskTemplate.ForceUpdate + 1,
+			},
+		});
+		console.log("Forward Auth Updated ✅");
+	} catch (_) {
+		try {
+			await docker.createService(settings);
+			console.log("Forward Auth Started ✅");
+		} catch (error: any) {
+			if (error?.statusCode !== 409) {
+				throw error;
+			}
+			console.log("Forward Auth service already exists, continuing...");
+		}
+	}
+};
+
+export const removeForwardAuth = async (serverId?: string) => {
+	const docker = await getRemoteDocker(serverId);
+	try {
+		const service = docker.getService(FORWARD_AUTH_SERVICE_NAME);
+		await service.remove();
+		console.log("Forward Auth Removed ✅");
+	} catch {}
+};
+
+export const isForwardAuthRunning = async (
+	serverId?: string,
+): Promise<boolean> => {
+	const docker = await getRemoteDocker(serverId);
+	try {
+		await docker.getService(FORWARD_AUTH_SERVICE_NAME).inspect();
+		return true;
+	} catch {
+		return false;
+	}
+};

packages/server/src/utils/backups/compose.ts

@@ -4,6 +4,7 @@ import {
 	createDeploymentBackup,
 	updateDeploymentStatus,
 } from "@dokploy/server/services/deployment";
+import { findDestinationById } from "@dokploy/server/services/destination";
 import { findEnvironmentById } from "@dokploy/server/services/environment";
 import { findProjectById } from "@dokploy/server/services/project";
 import { sendDatabaseBackupNotifications } from "../notifications/database-backup";
@@ -23,7 +24,7 @@ export const runComposeBackup = async (
 	const environment = await findEnvironmentById(environmentId);
 	const project = await findProjectById(environment.projectId);
 	const { prefix, databaseType, serviceName } = backup;
-	const destination = backup.destination;
+	const destination = await findDestinationById(backup.destinationId);
 	const backupFileName = `${getBackupTimestamp()}.${databaseType === "mongo" ? "bson" : "sql"}.gz`;
 	const s3AppName = serviceName ? `${appName}_${serviceName}` : appName;
 	const bucketDestination = `${s3AppName}/${normalizeS3Path(prefix)}${backupFileName}`;

packages/server/src/utils/backups/index.ts

@@ -1,6 +1,7 @@
 import { CLEANUP_CRON_JOB } from "@dokploy/server/constants";
 import { member } from "@dokploy/server/db/schema";
 import type { BackupSchedule } from "@dokploy/server/services/backup";
+import { findDestinationById } from "@dokploy/server/services/destination";
 import { getAllServers } from "@dokploy/server/services/server";
 import { getWebServerSettings } from "@dokploy/server/services/web-server-settings";
 import { eq } from "drizzle-orm";
@@ -131,9 +132,10 @@ export const keepLatestNBackups = async (
 	if (!backup.keepLatestCount) return;
 
 	try {
-		const rcloneFlags = getS3Credentials(backup.destination);
+		const destination = await findDestinationById(backup.destinationId);
+		const rcloneFlags = getS3Credentials(destination);
 		const appName = getServiceAppName(backup);
-		const backupFilesPath = `:s3:${backup.destination.bucket}/${appName}/${normalizeS3Path(backup.prefix)}`;
+		const backupFilesPath = `:s3:${destination.bucket}/${appName}/${normalizeS3Path(backup.prefix)}`;
 
 		// --include "*.bson.gz" or "*.sql.gz" or "*.zip" ensures nothing else other than the dokploy backup files are touched by rclone
 		const rcloneList = `rclone lsf ${rcloneFlags.join(" ")} --include "*${backup.databaseType === "web-server" ? ".zip" : ".{sql.gz,bson.gz}"}" ${backupFilesPath}`;

packages/server/src/utils/backups/libsql.ts

@@ -3,6 +3,7 @@ import {
 	createDeploymentBackup,
 	updateDeploymentStatus,
 } from "@dokploy/server/services/deployment";
+import { findDestinationById } from "@dokploy/server/services/destination";
 import { findEnvironmentById } from "@dokploy/server/services/environment";
 import type { Libsql } from "@dokploy/server/services/libsql";
 import { findProjectById } from "@dokploy/server/services/project";
@@ -29,7 +30,7 @@ export const runLibsqlBackup = async (
 		description: "Initializing Backup",
 	});
 	const { prefix } = backup;
-	const destination = backup.destination;
+	const destination = await findDestinationById(backup.destinationId);
 	const backupFileName = `${getBackupTimestamp()}.sql.gz`;
 	const bucketDestination = `${appName}/${normalizeS3Path(prefix)}${backupFileName}`;
 	try {

packages/server/src/utils/backups/mariadb.ts

@@ -3,6 +3,7 @@ import {
 	createDeploymentBackup,
 	updateDeploymentStatus,
 } from "@dokploy/server/services/deployment";
+import { findDestinationById } from "@dokploy/server/services/destination";
 import { findEnvironmentById } from "@dokploy/server/services/environment";
 import type { Mariadb } from "@dokploy/server/services/mariadb";
 import { findProjectById } from "@dokploy/server/services/project";
@@ -23,7 +24,7 @@ export const runMariadbBackup = async (
 	const environment = await findEnvironmentById(environmentId);
 	const project = await findProjectById(environment.projectId);
 	const { prefix } = backup;
-	const destination = backup.destination;
+	const destination = await findDestinationById(backup.destinationId);
 	const backupFileName = `${getBackupTimestamp()}.sql.gz`;
 	const bucketDestination = `${appName}/${normalizeS3Path(prefix)}${backupFileName}`;
 	const deployment = await createDeploymentBackup({

packages/server/src/utils/backups/mongo.ts

@@ -3,6 +3,7 @@ import {
 	createDeploymentBackup,
 	updateDeploymentStatus,
 } from "@dokploy/server/services/deployment";
+import { findDestinationById } from "@dokploy/server/services/destination";
 import { findEnvironmentById } from "@dokploy/server/services/environment";
 import type { Mongo } from "@dokploy/server/services/mongo";
 import { findProjectById } from "@dokploy/server/services/project";
@@ -20,7 +21,7 @@ export const runMongoBackup = async (mongo: Mongo, backup: BackupSchedule) => {
 	const environment = await findEnvironmentById(environmentId);
 	const project = await findProjectById(environment.projectId);
 	const { prefix } = backup;
-	const destination = backup.destination;
+	const destination = await findDestinationById(backup.destinationId);
 	const backupFileName = `${getBackupTimestamp()}.bson.gz`;
 	const bucketDestination = `${appName}/${normalizeS3Path(prefix)}${backupFileName}`;
 	const deployment = await createDeploymentBackup({

packages/server/src/utils/backups/mysql.ts

@@ -3,6 +3,7 @@ import {
 	createDeploymentBackup,
 	updateDeploymentStatus,
 } from "@dokploy/server/services/deployment";
+import { findDestinationById } from "@dokploy/server/services/destination";
 import { findEnvironmentById } from "@dokploy/server/services/environment";
 import type { MySql } from "@dokploy/server/services/mysql";
 import { findProjectById } from "@dokploy/server/services/project";
@@ -20,7 +21,7 @@ export const runMySqlBackup = async (mysql: MySql, backup: BackupSchedule) => {
 	const environment = await findEnvironmentById(environmentId);
 	const project = await findProjectById(environment.projectId);
 	const { prefix } = backup;
-	const destination = backup.destination;
+	const destination = await findDestinationById(backup.destinationId);
 	const backupFileName = `${getBackupTimestamp()}.sql.gz`;
 	const bucketDestination = `${appName}/${normalizeS3Path(prefix)}${backupFileName}`;
 	const deployment = await createDeploymentBackup({

packages/server/src/utils/backups/postgres.ts

@@ -3,6 +3,7 @@ import {
 	createDeploymentBackup,
 	updateDeploymentStatus,
 } from "@dokploy/server/services/deployment";
+import { findDestinationById } from "@dokploy/server/services/destination";
 import { findEnvironmentById } from "@dokploy/server/services/environment";
 import type { Postgres } from "@dokploy/server/services/postgres";
 import { findProjectById } from "@dokploy/server/services/project";
@@ -29,7 +30,7 @@ export const runPostgresBackup = async (
 		description: "Initializing Backup",
 	});
 	const { prefix } = backup;
-	const destination = backup.destination;
+	const destination = await findDestinationById(backup.destinationId);
 	const backupFileName = `${getBackupTimestamp()}.sql.gz`;
 	const bucketDestination = `${appName}/${normalizeS3Path(prefix)}${backupFileName}`;
 	try {

packages/server/src/utils/builders/index.ts

@@ -1,3 +1,4 @@
+import { findRegistryByIdWithCredentials } from "@dokploy/server/services/registry";
 import type { InferResultType } from "@dokploy/server/types/with";
 import type { CreateServiceOptions } from "dockerode";
 import { getRegistryTag, uploadImageRemoteCommand } from "../cluster/upload";
@@ -28,9 +29,9 @@ export type ApplicationNested = InferResultType<
 		security: true;
 		redirects: true;
 		ports: true;
-		registry: true;
-		buildRegistry: true;
-		rollbackRegistry: true;
+		registry: { columns: { password: false } };
+		buildRegistry: { columns: { password: false } };
+		rollbackRegistry: { columns: { password: false } };
 		deployments: true;
 		environment: { with: { project: true } };
 	}
@@ -121,8 +122,8 @@ export const mechanizeDockerContainer = async (
 		application.environment.env,
 	);
 
-	const image = getImageName(application);
-	const authConfig = getAuthConfig(application);
+	const image = await getImageName(application);
+	const authConfig = await getAuthConfig(application);
 	const docker = await getRemoteDocker(application.serverId);
 
 	const settings: CreateServiceOptions = {
@@ -190,7 +191,7 @@ export const mechanizeDockerContainer = async (
 	}
 };
 
-const getImageName = (application: ApplicationNested) => {
+const getImageName = async (application: ApplicationNested) => {
 	const { appName, sourceType, dockerImage, registry, buildRegistry } =
 		application;
 	const imageName = `${appName}:latest`;
@@ -199,18 +200,18 @@ const getImageName = (application: ApplicationNested) => {
 	}
 
 	if (registry) {
-		const registryTag = getRegistryTag(registry, imageName);
-		return registryTag;
+		const r = await findRegistryByIdWithCredentials(registry.registryId);
+		return getRegistryTag(r, imageName);
 	}
 	if (buildRegistry) {
-		const registryTag = getRegistryTag(buildRegistry, imageName);
-		return registryTag;
+		const r = await findRegistryByIdWithCredentials(buildRegistry.registryId);
+		return getRegistryTag(r, imageName);
 	}
 
 	return imageName;
 };
 
-export const getAuthConfig = (application: ApplicationNested) => {
+export const getAuthConfig = async (application: ApplicationNested) => {
 	const {
 		registry,
 		buildRegistry,
@@ -222,23 +223,21 @@ export const getAuthConfig = (application: ApplicationNested) => {
 
 	if (sourceType === "docker") {
 		if (username && password) {
-			return {
-				password,
-				username,
-				serveraddress: registryUrl || "",
-			};
+			return { password, username, serveraddress: registryUrl || "" };
 		}
 	} else if (registry) {
+		const r = await findRegistryByIdWithCredentials(registry.registryId);
 		return {
-			password: registry.password,
-			username: registry.username,
-			serveraddress: registry.registryUrl,
+			password: r.password,
+			username: r.username,
+			serveraddress: r.registryUrl,
 		};
 	} else if (buildRegistry) {
+		const r = await findRegistryByIdWithCredentials(buildRegistry.registryId);
 		return {
-			password: buildRegistry.password,
-			username: buildRegistry.username,
-			serveraddress: buildRegistry.registryUrl,
+			password: r.password,
+			username: r.username,
+			serveraddress: r.registryUrl,
 		};
 	}
 

packages/server/src/utils/cluster/upload.ts

@@ -1,5 +1,9 @@
 import { findAllDeploymentsByApplicationId } from "@dokploy/server/services/deployment";
-import type { Registry } from "@dokploy/server/services/registry";
+import {
+	findRegistryByIdWithCredentials,
+	safeDockerLoginCommand,
+	type Registry,
+} from "@dokploy/server/services/registry";
 import { createRollback } from "@dokploy/server/services/rollbacks";
 import type { ApplicationNested } from "../builders";
 
@@ -22,19 +26,19 @@ export const uploadImageRemoteCommand = async (
 
 	const commands: string[] = [];
 	if (registry) {
-		const registryTag = getRegistryTag(registry, imageName);
+		const r = await findRegistryByIdWithCredentials(registry.registryId);
+		const registryTag = getRegistryTag(r, imageName);
 		if (registryTag) {
 			commands.push(`echo "📦 [Enabled Registry Swarm]"`);
-			commands.push(getRegistryCommands(registry, imageName, registryTag));
+			commands.push(getRegistryCommands(r, imageName, registryTag));
 		}
 	}
 	if (buildRegistry) {
-		const buildRegistryTag = getRegistryTag(buildRegistry, imageName);
+		const r = await findRegistryByIdWithCredentials(buildRegistry.registryId);
+		const buildRegistryTag = getRegistryTag(r, imageName);
 		if (buildRegistryTag) {
 			commands.push(`echo "🔑 [Enabled Build Registry]"`);
-			commands.push(
-				getRegistryCommands(buildRegistry, imageName, buildRegistryTag),
-			);
+			commands.push(getRegistryCommands(r, imageName, buildRegistryTag));
 			commands.push(
 				`echo "⚠️ INFO: After the build is finished, you need to wait a few seconds for the server to download the image and run the container."`,
 			);
@@ -57,15 +61,13 @@ export const uploadImageRemoteCommand = async (
 			deploymentId: deploymentId,
 		});
 
-		const rollbackRegistryTag = getRegistryTag(
-			rollbackRegistry,
-			rollback?.image || "",
+		const r = await findRegistryByIdWithCredentials(
+			rollbackRegistry.registryId,
 		);
+		const rollbackRegistryTag = getRegistryTag(r, rollback?.image || "");
 		if (rollbackRegistryTag) {
 			commands.push(`echo "🔄 [Enabled Rollback Registry]"`);
-			commands.push(
-				getRegistryCommands(rollbackRegistry, imageName, rollbackRegistryTag),
-			);
+			commands.push(getRegistryCommands(r, imageName, rollbackRegistryTag));
 		}
 	}
 	try {
@@ -74,6 +76,7 @@ export const uploadImageRemoteCommand = async (
 		throw error;
 	}
 };
+
 /**
  * Extract the repository name from imageName by taking the last part after '/'
  * Examples:
@@ -115,19 +118,24 @@ const getRegistryCommands = (
 	imageName: string,
 	registryTag: string,
 ): string => {
+	const loginCmd = safeDockerLoginCommand(
+		registry.registryUrl,
+		registry.username,
+		registry.password,
+	);
 	return `
 echo "📦 [Enabled Registry] Uploading image to '${registry.registryType}' | '${registryTag}'" ;
-echo "${registry.password}" | docker login ${registry.registryUrl} -u '${registry.username}' --password-stdin || { 
+${loginCmd} || {
 	echo "❌ DockerHub Failed" ;
 	exit 1;
 }
 echo "✅ Registry Login Success" ;
-docker tag ${imageName} ${registryTag} || { 
+docker tag ${imageName} ${registryTag} || {
 	echo "❌ Error tagging image" ;
 	exit 1;
 }
 echo "✅ Image Tagged" ;
-docker push ${registryTag} || { 
+docker push ${registryTag} || {
 	echo "❌ Error pushing image" ;
 	exit 1;
 }

packages/server/src/utils/databases/libsql.ts

@@ -140,7 +140,11 @@ export const buildLibsql = async (libsql: LibsqlNested) => {
 					: []),
 			],
 		},
-		UpdateConfig,
+		UpdateConfig: libsql.updateConfigSwarm ?? {
+			Parallelism: 1,
+			Order: "stop-first" as const,
+			FailureAction: "rollback" as const,
+		},
 	};
 	try {
 		const service = docker.getService(appName);

packages/server/src/utils/databases/mariadb.ts

@@ -111,7 +111,11 @@ export const buildMariadb = async (mariadb: MariadbNested) => {
 							]
 						: [],
 				},
-		UpdateConfig,
+		UpdateConfig: mariadb.updateConfigSwarm ?? {
+			Parallelism: 1,
+			Order: "stop-first" as const,
+			FailureAction: "rollback" as const,
+		},
 	};
 	try {
 		const service = docker.getService(appName);

packages/server/src/utils/databases/mongo.ts

@@ -167,7 +167,11 @@ ${command ?? "wait $MONGOD_PID"}`;
 							]
 						: [],
 				},
-		UpdateConfig,
+		UpdateConfig: mongo.updateConfigSwarm ?? {
+			Parallelism: 1,
+			Order: "stop-first" as const,
+			FailureAction: "rollback" as const,
+		},
 	};
 
 	try {

packages/server/src/utils/databases/mysql.ts

@@ -117,7 +117,11 @@ export const buildMysql = async (mysql: MysqlNested) => {
 							]
 						: [],
 				},
-		UpdateConfig,
+		UpdateConfig: mysql.updateConfigSwarm ?? {
+			Parallelism: 1,
+			Order: "stop-first" as const,
+			FailureAction: "rollback" as const,
+		},
 	};
 	try {
 		const service = docker.getService(appName);

packages/server/src/utils/databases/postgres.ts

@@ -109,7 +109,11 @@ export const buildPostgres = async (postgres: PostgresNested) => {
 							]
 						: [],
 				},
-		UpdateConfig,
+		UpdateConfig: postgres.updateConfigSwarm ?? {
+			Parallelism: 1,
+			Order: "stop-first" as const,
+			FailureAction: "rollback" as const,
+		},
 	};
 	try {
 		const service = docker.getService(appName);

packages/server/src/utils/databases/redis.ts

@@ -115,7 +115,11 @@ export const buildRedis = async (redis: RedisNested) => {
 							]
 						: [],
 				},
-		UpdateConfig,
+		UpdateConfig: redis.updateConfigSwarm ?? {
+			Parallelism: 1,
+			Order: "stop-first" as const,
+			FailureAction: "rollback" as const,
+		},
 	};
 
 	try {

packages/server/src/utils/providers/docker.ts

@@ -1,3 +1,4 @@
+import { safeDockerLoginCommand } from "@dokploy/server/services/registry";
 import type { ApplicationNested } from "../builders";
 
 export const buildRemoteDocker = async (application: ApplicationNested) => {
@@ -13,7 +14,7 @@ echo "Pulling ${dockerImage}";
 
 		if (username && password) {
 			command += `
-if ! echo "${password}" | docker login --username "${username}" --password-stdin "${registryUrl || ""}" 2>&1; then
+if ! ${safeDockerLoginCommand(registryUrl || "", username, password)} 2>&1; then
 	echo "❌ Login failed";
 	exit 1;
 fi

packages/server/src/utils/restore/compose.ts

@@ -77,9 +77,9 @@ export const restoreComposeBackup = async (
 		});
 
 		emit("Starting restore...");
-		emit(`Backup path: ${backupPath}`);
-
-		emit(`Executing command: ${restoreCommand}`);
+		emit(
+			`Restoring database: ${backupInput.databaseName} from ${backupInput.backupFile}`,
+		);
 
 		if (serverId) {
 			await execAsyncRemote(serverId, restoreCommand);

packages/server/src/utils/restore/libsql.ts

@@ -21,15 +21,13 @@ export const restoreLibsqlBackup = async (
 
 		const rcloneCommand = `rclone cat ${rcloneFlags.join(" ")} "${backupPath}"`;
 
-		emit("Starting restore...");
-		emit(`Backup path: ${backupPath}`);
-
 		const containerSearch = getServiceContainerCommand(appName);
 		const restoreCommand = `docker exec -i $CONTAINER_ID sh -c "tar xzf - -C /var/lib/sqld"`;
 
 		const command = `CONTAINER_ID=$(${containerSearch}) && ${rcloneCommand} | ${restoreCommand}`;
 
-		emit(`Executing command: ${command}`);
+		emit("Starting restore...");
+		emit(`Restoring libsql from ${backupInput.backupFile}`);
 
 		if (serverId) {
 			await execAsyncRemote(serverId, command);

packages/server/src/utils/restore/mariadb.ts

@@ -34,8 +34,9 @@ export const restoreMariadbBackup = async (
 		});
 
 		emit("Starting restore...");
-
-		emit(`Executing command: ${command}`);
+		emit(
+			`Restoring database: ${backupInput.databaseName} from ${backupInput.backupFile}`,
+		);
 
 		if (serverId) {
 			await execAsyncRemote(serverId, command);

packages/server/src/utils/restore/mongo.ts

@@ -34,8 +34,9 @@ export const restoreMongoBackup = async (
 		});
 
 		emit("Starting restore...");
-
-		emit(`Executing command: ${command}`);
+		emit(
+			`Restoring database: ${backupInput.databaseName} from ${backupInput.backupFile}`,
+		);
 
 		if (serverId) {
 			await execAsyncRemote(serverId, command);

packages/server/src/utils/restore/mysql.ts

@@ -33,8 +33,9 @@ export const restoreMySqlBackup = async (
 		});
 
 		emit("Starting restore...");
-
-		emit(`Executing command: ${command}`);
+		emit(
+			`Restoring database: ${backupInput.databaseName} from ${backupInput.backupFile}`,
+		);
 
 		if (serverId) {
 			await execAsyncRemote(serverId, command);

packages/server/src/utils/restore/postgres.ts

@@ -22,9 +22,6 @@ export const restorePostgresBackup = async (
 
 		const rcloneCommand = `rclone cat ${rcloneFlags.join(" ")} "${backupPath}" | gunzip`;
 
-		emit("Starting restore...");
-		emit(`Backup path: ${backupPath}`);
-
 		const command = getRestoreCommand({
 			appName,
 			credentials: {
@@ -36,7 +33,10 @@ export const restorePostgresBackup = async (
 			restoreType: "database",
 		});
 
-		emit(`Executing command: ${command}`);
+		emit("Starting restore...");
+		emit(
+			`Restoring database: ${backupInput.databaseName} from ${backupInput.backupFile}`,
+		);
 
 		if (serverId) {
 			await execAsyncRemote(serverId, command);

packages/server/src/utils/traefik/domain.ts

@@ -10,6 +10,11 @@ import {
 	writeTraefikConfigRemote,
 } from "./application";
 import type { FileConfig, HttpRouter } from "./file-types";
+import {
+	createForwardAuthMiddleware,
+	forwardAuthMiddlewareName,
+	removeForwardAuthMiddleware,
+} from "./forward-auth";
 import { createPathMiddlewares, removePathMiddlewares } from "./middleware";
 
 export const manageDomain = async (app: ApplicationNested, domain: Domain) => {
@@ -48,6 +53,10 @@ export const manageDomain = async (app: ApplicationNested, domain: Domain) => {
 	config.http.services[serviceName] = createServiceConfig(appName, domain);
 
 	await createPathMiddlewares(app, domain);
+	// SSO forward-auth: writes the per-app forwardAuth + errors middlewares (the
+	// /oauth2/* router lives on the central auth domain, not here). No-op unless
+	// the domain links a provider and the org has an auth domain configured.
+	await createForwardAuthMiddleware(app, domain);
 
 	if (app.serverId) {
 		await writeTraefikConfigRemote(config, appName, app.serverId);
@@ -84,6 +93,7 @@ export const removeDomain = async (
 	}
 
 	await removePathMiddlewares(application, uniqueKey);
+	await removeForwardAuthMiddleware(application, uniqueKey);
 
 	// verify if is the last router if so we delete the router
 	if (
@@ -184,6 +194,16 @@ export const createRouterConfig = async (
 			routerConfig.middlewares?.push(middlewareName);
 		}
 
+		// Enterprise SSO forward-auth gate. Placed before custom middlewares so
+		// authentication runs first. No-op unless the domain links a provider.
+		// The -errors middleware must come first so a 401 from the auth check is
+		// rewritten to a 302 redirect to the login page.
+		if (domain.forwardAuthEnabled) {
+			const name = forwardAuthMiddlewareName(appName, uniqueConfigKey);
+			routerConfig.middlewares?.push(`${name}-errors`);
+			routerConfig.middlewares?.push(name);
+		}
+
 		// custom middlewares from domain
 		if (domain.middlewares && domain.middlewares.length > 0) {
 			routerConfig.middlewares?.push(...domain.middlewares);

packages/server/src/utils/traefik/file-types.ts

@@ -652,6 +652,13 @@ export interface ErrorsMiddleware {
 	 * The URL for the error page (hosted by service). You can use {status} in the query, that will be replaced by the received status code.
 	 */
 	query?: string;
+	/**
+	 * Rewrites the returning status code, mapping the original status to a new one
+	 * (e.g. { "401": 302 } so the browser follows the redirect to the login page).
+	 */
+	statusRewrites?: {
+		[k: string]: number;
+	};
 }
 /**
  * The ForwardAuth middleware delegate the authentication to an external service. If the service response code is 2XX, access is granted and the original request is performed. Otherwise, the response from the authentication server is returned.

packages/server/src/utils/traefik/forward-auth.ts

@@ -0,0 +1,204 @@
+import { db } from "@dokploy/server/db";
+import { forwardAuthSettings } from "@dokploy/server/db/schema";
+import type { Domain } from "@dokploy/server/services/domain";
+import {
+	FORWARD_AUTH_PORT,
+	FORWARD_AUTH_SERVICE_NAME,
+} from "@dokploy/server/setup/forward-auth-setup";
+import { eq, isNull } from "drizzle-orm";
+import type { ApplicationNested } from "../builders";
+import {
+	removeTraefikConfig,
+	removeTraefikConfigRemote,
+	writeTraefikConfig,
+	writeTraefikConfigRemote,
+} from "./application";
+import type { FileConfig } from "./file-types";
+import {
+	loadMiddlewares,
+	loadRemoteMiddlewares,
+	writeMiddleware,
+} from "./middleware";
+
+export interface AuthDomainConfig {
+	authDomain: string;
+	https: boolean;
+	certificateType: "none" | "letsencrypt" | "custom";
+	customCertResolver?: string | null;
+}
+
+const TRAEFIK_SERVICE = "forward-auth-proxy";
+
+export const forwardAuthMiddlewareName = (
+	appName: string,
+	uniqueConfigKey: number,
+): string => `forward-auth-${appName}-${uniqueConfigKey}`;
+
+const proxyUrl = () =>
+	`http://${FORWARD_AUTH_SERVICE_NAME}:${FORWARD_AUTH_PORT}`;
+
+const loadOrEmptyMiddlewares = async (
+	serverId: string | null,
+): Promise<FileConfig> => {
+	try {
+		return serverId
+			? await loadRemoteMiddlewares(serverId)
+			: loadMiddlewares<FileConfig>();
+	} catch {
+		return { http: { middlewares: {} } };
+	}
+};
+
+const persistMiddlewares = async (
+	config: FileConfig,
+	serverId: string | null,
+) => {
+	if (serverId) {
+		await writeTraefikConfigRemote(config, "middlewares", serverId);
+	} else {
+		writeMiddleware(config);
+	}
+};
+
+const loadAuthGateDomain = async (serverId: string | null) => {
+	return db.query.forwardAuthSettings.findFirst({
+		where: serverId
+			? eq(forwardAuthSettings.serverId, serverId)
+			: isNull(forwardAuthSettings.serverId),
+		columns: { authDomain: true, https: true },
+	});
+};
+
+export const createForwardAuthMiddleware = async (
+	app: ApplicationNested,
+	domain: Domain,
+) => {
+	if (!domain.forwardAuthEnabled) {
+		return;
+	}
+
+	const authGate = await loadAuthGateDomain(app.serverId ?? null);
+	if (!authGate) {
+		return;
+	}
+	const authDomain = authGate.authDomain;
+	const authDomainHttps = authGate.https;
+
+	const { appName, serverId } = app;
+	const config = await loadOrEmptyMiddlewares(serverId);
+
+	config.http = config.http || {};
+	config.http.middlewares = config.http.middlewares || {};
+
+	const name = forwardAuthMiddlewareName(appName, domain.uniqueConfigKey);
+	const scheme = authDomainHttps ? "https" : "http";
+
+	config.http.middlewares[name] = {
+		forwardAuth: {
+			address: `${scheme}://${authDomain}/oauth2/auth`,
+			trustForwardHeader: true,
+			authResponseHeaders: [
+				"X-Auth-Request-User",
+				"X-Auth-Request-Email",
+				"X-Auth-Request-Preferred-Username",
+				"Authorization",
+			],
+		},
+	};
+
+	config.http.middlewares[`${name}-errors`] = {
+		errors: {
+			status: ["401-403"],
+			service: TRAEFIK_SERVICE,
+			query: "/oauth2/sign_in?rd={url}",
+			statusRewrites: { "401": 302 },
+		},
+	};
+
+	await persistMiddlewares(config, serverId);
+};
+
+export const removeForwardAuthMiddleware = async (
+	app: ApplicationNested,
+	uniqueConfigKey: number,
+) => {
+	const { appName, serverId } = app;
+	let config: FileConfig;
+	try {
+		config = serverId
+			? await loadRemoteMiddlewares(serverId)
+			: loadMiddlewares<FileConfig>();
+	} catch {
+		return;
+	}
+
+	const name = forwardAuthMiddlewareName(appName, uniqueConfigKey);
+	let changed = false;
+	for (const key of [name, `${name}-errors`]) {
+		if (config.http?.middlewares?.[key]) {
+			delete config.http.middlewares[key];
+			changed = true;
+		}
+	}
+	if (changed) {
+		await persistMiddlewares(config, serverId);
+	}
+};
+
+export const buildAuthDomainRouter = (cfg: AuthDomainConfig): FileConfig => {
+	const entry = cfg.https ? "websecure" : "web";
+	const oauthRouter: NonNullable<
+		NonNullable<FileConfig["http"]>["routers"]
+	>[string] = {
+		rule: `Host(\`${cfg.authDomain}\`) && PathPrefix(\`/oauth2/\`)`,
+		service: TRAEFIK_SERVICE,
+		entryPoints: [entry],
+		priority: 1000,
+	};
+
+	if (cfg.https) {
+		if (cfg.certificateType === "letsencrypt") {
+			oauthRouter.tls = { certResolver: "letsencrypt" };
+		} else if (cfg.certificateType === "custom" && cfg.customCertResolver) {
+			oauthRouter.tls = { certResolver: cfg.customCertResolver };
+		} else {
+			oauthRouter.tls = {};
+		}
+	}
+
+	return {
+		http: {
+			routers: { "forward-auth-oauth": oauthRouter },
+			services: {
+				[TRAEFIK_SERVICE]: {
+					loadBalancer: {
+						servers: [{ url: proxyUrl() }],
+						passHostHeader: true,
+					},
+				},
+			},
+		},
+	};
+};
+
+export const authDomainConfigName = "forward-auth-domain";
+
+export const manageForwardAuthDomain = async (
+	serverId: string | null,
+	cfg: AuthDomainConfig,
+) => {
+	const config = buildAuthDomainRouter(cfg);
+	if (serverId) {
+		await writeTraefikConfigRemote(config, authDomainConfigName, serverId);
+	} else {
+		writeTraefikConfig(config, authDomainConfigName);
+	}
+};
+
+export const removeForwardAuthDomain = async (serverId: string | null) => {
+	if (serverId) {
+		await removeTraefikConfigRemote(authDomainConfigName, serverId);
+	} else {
+		await removeTraefikConfig(authDomainConfigName);
+	}
+};

packages/server/src/utils/volume-backups/backup.ts

@@ -1,6 +1,7 @@
 import path from "node:path";
 import { paths } from "@dokploy/server/constants";
 import { findComposeById } from "@dokploy/server/services/compose";
+import { findDestinationById } from "@dokploy/server/services/destination";
 import type { findVolumeBackupById } from "@dokploy/server/services/volume-backups";
 import {
 	getBackupTimestamp,
@@ -31,14 +32,14 @@ export const backupVolume = async (
 	volumeBackup: Awaited<ReturnType<typeof findVolumeBackupById>>,
 ) => {
 	const { serviceType, volumeName, turnOff, prefix } = volumeBackup;
+	const destination = await findDestinationById(volumeBackup.destinationId);
 	const serverId =
 		volumeBackup.application?.serverId || volumeBackup.compose?.serverId;
 	const { VOLUME_BACKUPS_PATH, VOLUME_BACKUP_LOCK_PATH } = paths(!!serverId);
-	const destination = volumeBackup.destination;
 	const s3AppName = getVolumeServiceAppName(volumeBackup);
 	const backupFileName = `${volumeName}-${getBackupTimestamp()}.tar`;
 	const bucketDestination = `${s3AppName}/${normalizeS3Path(prefix || "")}${backupFileName}`;
-	const rcloneFlags = getS3Credentials(volumeBackup.destination);
+	const rcloneFlags = getS3Credentials(destination);
 	const rcloneDestination = `:s3:${destination.bucket}/${bucketDestination}`;
 	const volumeBackupPath = path.join(VOLUME_BACKUPS_PATH, volumeBackup.appName);
 

packages/server/src/utils/volume-backups/utils.ts

@@ -4,6 +4,7 @@ import {
 	createDeploymentVolumeBackup,
 	updateDeploymentStatus,
 } from "@dokploy/server/services/deployment";
+import { findDestinationById } from "@dokploy/server/services/destination";
 import { findVolumeBackupById } from "@dokploy/server/services/volume-backups";
 import {
 	execAsync,
@@ -77,7 +78,8 @@ const cleanupOldVolumeBackups = async (
 	volumeBackup: Awaited<ReturnType<typeof findVolumeBackupById>>,
 	serverId?: string | null,
 ) => {
-	const { keepLatestCount, destination, prefix, volumeName } = volumeBackup;
+	const { keepLatestCount, prefix, volumeName } = volumeBackup;
+	const destination = await findDestinationById(volumeBackup.destinationId);
 
 	if (!keepLatestCount) return;