mirror of
https://github.com/dokploy/dokploy.git
synced 2026-06-13 19:09:49 +00:00
github-actions[bot]
a07106d649
* fix(migrate-auth-secret): exit cleanly when there are no 2FA records The empty-records branch of `main()` returned without calling `process.exit(0)`, leaving the Drizzle Postgres connection pool holding the event loop open. The `migrate-auth-secret` process then hangs indefinitely after printing "No 2FA records found, nothing to migrate." causing the upstream `0.29.3.sh` security migration script (which calls this via `docker exec`) to never reach its final `docker service update` step that mounts the new Docker Secret. Operators end up with the new secret created but the dokploy service still configured with the hardcoded `BETTER_AUTH_SECRET`, while believing the migration completed. Match the success branch a few lines below which already does `process.exit(0)`, and the pattern used in sibling scripts `reset-password.ts` and `reset-2fa.ts`. Closes #4392 * feat(compose): add import from base64 in create service dropdown Adds an "Import" option to the Create Service dropdown that lets users paste a base64-encoded compose export, preview the template (compose YAML, domains, envs, mounts) before confirming, and create the service only on confirm. Adds a `previewTemplate` tRPC procedure that processes the base64 without touching the DB, with server access validation via session. * [autofix.ci] apply automated fixes * Enhance version synchronization workflow to include SDK repository - Updated the GitHub Actions workflow to sync versioning across MCP, CLI, and SDK repositories. - Added steps to bump the version in the SDK repository and regenerate tools from the latest OpenAPI spec. - Improved commit message formatting to include source and release information for all repositories. - Ensured successful synchronization messages for each repository after the version update. * feat(deployment): add readLogs procedure to fetch deployment logs - Introduced a new `readLogs` procedure that allows users to retrieve logs for a specific deployment by providing the deployment ID and an optional tail parameter. - Implemented permission checks to ensure users have access to the requested logs. - Enhanced log retrieval for both cloud and non-cloud environments, utilizing appropriate commands based on the server context. Resolve https://github.com/Dokploy/mcp/issues/14 * feat(deployment): add server access validation for deployment actions - Implemented server access validation in deployment procedures to ensure users can only access deployments associated with their active organization. - Added checks to throw an UNAUTHORIZED error if a user attempts to access a deployment linked to a server outside their organization. This enhancement improves security and access control within the deployment management system. * feat(organization): prevent inviting users with owner role - Added validation to prevent users from being invited with the owner role in the organization and user routers. - Implemented TRPCError responses to ensure proper error handling when attempting to assign the owner role. This change enhances role management and security within the organization structure. https://github.com/Dokploy/dokploy/security/advisories/GHSA-fm9p-wmpw-gxjh * feat(user): implement session cleanup on user update - Added functionality to delete old sessions when a user updates their password, ensuring that only the current session remains active. - This change enhances security by preventing unauthorized access from previous sessions after a password change. Close here https://github.com/Dokploy/dokploy/security/advisories/GHSA-rr9m-w87g-46f3 * feat(settings): add copy button to server IP in web server settings (#4397) * fix: copy Dokploy server IP when clicking server badge (#4390) * fix: copy Dokploy server IP when clicking server badge When a service runs on the local Dokploy server (no remote server), clicking the server badge did nothing because `data.server` is null. Now falls back to the server IP from settings so the badge always copies an IP address. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat(copy-ip): implement IP address copying functionality across database service components - Added the ability to copy the server IP address to the clipboard when clicking the server badge in various database service components (Libsql, MariaDB, MongoDB, MySQL, PostgreSQL, Redis). - Integrated the `copy-to-clipboard` library and `sonner` for user feedback upon successful copy action. - Ensured fallback to the server IP from settings when the service data is not available, enhancing user experience and functionality. --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Mauricio Siu <siumauricio@icloud.com> * fix: responsive layout (#4391) Signed-off-by: Nahidujjaman Hridoy <hridoyboss12@gmail.com> * fix: automatically converting username to lowercase both in creation of register, and build for extra. (#4382) * fix: allow square brackets in zip path validation for Next.js dynamic routes (#4468) * fix: allow square brackets in zip drop path validation for Next.js dynamic routes ZIP uploads containing Next.js dynamic route files (e.g. app/api/[id]/route.ts, pages/[slug].tsx) were rejected by readValidDirectory because the path regex did not include square bracket characters. * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * fix: prevent webhook deploy crash when commit data lacks modified files (#4470) shouldDeploy passed undefined/null entries from commit.modified straight into micromatch, which throws "Expected input to be a string" and fails every webhook deployment when watch paths are configured. Filter out non-string values before matching. * fix: add type="button" to TooltipTrigger in form components to prevent accidental submission (#4422) Co-authored-by: Maks Pikov <mixelburg@users.noreply.github.com> * fix: enable comment toggle shortcut in env variable editor (#4402) (#4473) * fix: add tls=true label for domains when certificateType is none (#4018) (#4474) * fix: add tls=true label for compose domains when certificateType is none (#4018) * test: cover tls=true label for certificateType none, require https * fix: scope tls fix to compose labels, leave traefik file config unchanged (#4018) * chore: update version to v0.29.5 in package.json --------- Signed-off-by: Nahidujjaman Hridoy <hridoyboss12@gmail.com> Co-authored-by: ngenohkevin <ngenohkevin19@gmail.com> Co-authored-by: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com> Co-authored-by: Mauricio Siu <siumauricio@icloud.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Volodymyr Kravchuk <volodymyr.kravch@gmail.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Nahidujjaman Hridoy <75487507+nhridoy@users.noreply.github.com> Co-authored-by: Francis <9560564+Baker@users.noreply.github.com> Co-authored-by: mixelburg <52622705+mixelburg@users.noreply.github.com> Co-authored-by: Maks Pikov <mixelburg@users.noreply.github.com>
732 lines
18 KiB
TypeScript
732 lines
18 KiB
TypeScript
import {
|
|
createApiKey,
|
|
createOrganizationUserWithCredentials,
|
|
findNotificationById,
|
|
findOrganizationById,
|
|
findUserById,
|
|
getDokployUrl,
|
|
getUserByToken,
|
|
getWebServerSettings,
|
|
IS_CLOUD,
|
|
removeUserById,
|
|
renderInvitationEmail,
|
|
sendEmailNotification,
|
|
sendResendNotification,
|
|
updateUser,
|
|
} from "@dokploy/server";
|
|
import { db } from "@dokploy/server/db";
|
|
import {
|
|
account,
|
|
apiAssignPermissions,
|
|
apiFindOneToken,
|
|
apikey,
|
|
apiUpdateUser,
|
|
invitation,
|
|
member,
|
|
session,
|
|
user,
|
|
} from "@dokploy/server/db/schema";
|
|
import {
|
|
hasPermission,
|
|
resolvePermissions,
|
|
} from "@dokploy/server/services/permission";
|
|
import { hasValidLicense } from "@dokploy/server/services/proprietary/license-key";
|
|
import { TRPCError } from "@trpc/server";
|
|
import * as bcrypt from "bcrypt";
|
|
import { and, asc, eq, gt, ne } from "drizzle-orm";
|
|
import { z } from "zod";
|
|
import { audit } from "@/server/api/utils/audit";
|
|
import {
|
|
adminProcedure,
|
|
createTRPCRouter,
|
|
protectedProcedure,
|
|
publicProcedure,
|
|
withPermission,
|
|
} from "../trpc";
|
|
|
|
const apiCreateApiKey = z.object({
|
|
name: z.string().min(1),
|
|
prefix: z.string().optional(),
|
|
expiresIn: z.number().optional(),
|
|
metadata: z.object({
|
|
organizationId: z.string(),
|
|
}),
|
|
// Rate limiting
|
|
rateLimitEnabled: z.boolean().optional(),
|
|
rateLimitTimeWindow: z.number().optional(),
|
|
rateLimitMax: z.number().optional(),
|
|
// Request limiting
|
|
remaining: z.number().optional(),
|
|
refillAmount: z.number().optional(),
|
|
refillInterval: z.number().optional(),
|
|
});
|
|
|
|
export const userRouter = createTRPCRouter({
|
|
all: withPermission("member", "read").query(async ({ ctx }) => {
|
|
return await db.query.member.findMany({
|
|
where: eq(member.organizationId, ctx.session.activeOrganizationId),
|
|
with: {
|
|
user: true,
|
|
},
|
|
orderBy: [asc(member.createdAt)],
|
|
});
|
|
}),
|
|
one: protectedProcedure
|
|
.input(
|
|
z.object({
|
|
userId: z.string(),
|
|
}),
|
|
)
|
|
.query(async ({ input, ctx }) => {
|
|
const memberResult = await db.query.member.findFirst({
|
|
where: and(
|
|
eq(member.userId, input.userId),
|
|
eq(member.organizationId, ctx.session?.activeOrganizationId || ""),
|
|
),
|
|
with: {
|
|
user: true,
|
|
},
|
|
});
|
|
|
|
// If user not found in the organization, deny access
|
|
if (!memberResult) {
|
|
throw new TRPCError({
|
|
code: "NOT_FOUND",
|
|
message: "User not found in this organization",
|
|
});
|
|
}
|
|
|
|
// Allow access if:
|
|
// 1. User is requesting their own information
|
|
// 2. User is owner/admin
|
|
// 3. User has member.update permission (custom roles managing permissions)
|
|
if (
|
|
memberResult.userId !== ctx.user.id &&
|
|
ctx.user.role !== "owner" &&
|
|
ctx.user.role !== "admin"
|
|
) {
|
|
const canUpdate = await hasPermission(ctx, { member: ["update"] });
|
|
if (!canUpdate) {
|
|
throw new TRPCError({
|
|
code: "UNAUTHORIZED",
|
|
message: "You are not authorized to access this user",
|
|
});
|
|
}
|
|
}
|
|
|
|
return memberResult;
|
|
}),
|
|
session: publicProcedure.query(async ({ ctx }) => {
|
|
if (!ctx.user || !ctx.session || !ctx.session.activeOrganizationId) {
|
|
return null;
|
|
}
|
|
return {
|
|
user: {
|
|
id: ctx.user.id,
|
|
},
|
|
session: {
|
|
activeOrganizationId: ctx.session.activeOrganizationId,
|
|
},
|
|
};
|
|
}),
|
|
get: protectedProcedure.query(async ({ ctx }) => {
|
|
const memberResult = await db.query.member.findFirst({
|
|
where: and(
|
|
eq(member.userId, ctx.user.id),
|
|
eq(member.organizationId, ctx.session?.activeOrganizationId || ""),
|
|
),
|
|
with: {
|
|
user: {
|
|
with: {
|
|
apiKeys: true,
|
|
},
|
|
},
|
|
},
|
|
});
|
|
|
|
return memberResult;
|
|
}),
|
|
getPermissions: protectedProcedure.query(async ({ ctx }) => {
|
|
return resolvePermissions(ctx);
|
|
}),
|
|
haveRootAccess: protectedProcedure.query(async ({ ctx }) => {
|
|
if (!IS_CLOUD) {
|
|
return false;
|
|
}
|
|
if (
|
|
process.env.USER_ADMIN_ID === ctx.user.id ||
|
|
ctx.session?.impersonatedBy === process.env.USER_ADMIN_ID
|
|
) {
|
|
return true;
|
|
}
|
|
return false;
|
|
}),
|
|
getBackups: adminProcedure.query(async ({ ctx }) => {
|
|
const memberResult = await db.query.member.findFirst({
|
|
where: and(
|
|
eq(member.userId, ctx.user.id),
|
|
eq(member.organizationId, ctx.session?.activeOrganizationId || ""),
|
|
),
|
|
with: {
|
|
user: {
|
|
with: {
|
|
backups: {
|
|
with: {
|
|
destination: true,
|
|
deployments: true,
|
|
},
|
|
},
|
|
apiKeys: true,
|
|
},
|
|
},
|
|
},
|
|
});
|
|
|
|
return memberResult?.user;
|
|
}),
|
|
getServerMetrics: withPermission("monitoring", "read").query(
|
|
async ({ ctx }) => {
|
|
const memberResult = await db.query.member.findFirst({
|
|
where: and(
|
|
eq(member.userId, ctx.user.id),
|
|
eq(member.organizationId, ctx.session?.activeOrganizationId || ""),
|
|
),
|
|
with: {
|
|
user: true,
|
|
},
|
|
});
|
|
|
|
return memberResult?.user;
|
|
},
|
|
),
|
|
update: protectedProcedure
|
|
.input(apiUpdateUser)
|
|
.mutation(async ({ input, ctx }) => {
|
|
if (input.password || input.currentPassword) {
|
|
const currentAuth = await db.query.account.findFirst({
|
|
where: eq(account.userId, ctx.user.id),
|
|
});
|
|
const correctPassword = bcrypt.compareSync(
|
|
input.currentPassword || "",
|
|
currentAuth?.password || "",
|
|
);
|
|
|
|
if (!correctPassword) {
|
|
throw new TRPCError({
|
|
code: "BAD_REQUEST",
|
|
message: "Current password is incorrect",
|
|
});
|
|
}
|
|
|
|
if (!input.password) {
|
|
throw new TRPCError({
|
|
code: "BAD_REQUEST",
|
|
message: "New password is required",
|
|
});
|
|
}
|
|
await db
|
|
.update(account)
|
|
.set({
|
|
password: bcrypt.hashSync(input.password, 10),
|
|
})
|
|
.where(eq(account.userId, ctx.user.id));
|
|
|
|
await db
|
|
.delete(session)
|
|
.where(
|
|
and(
|
|
eq(session.userId, ctx.user.id),
|
|
ne(session.id, ctx.session.id),
|
|
),
|
|
);
|
|
}
|
|
|
|
try {
|
|
const result = await updateUser(ctx.user.id, input);
|
|
await audit(ctx, {
|
|
action: "update",
|
|
resourceType: "user",
|
|
resourceId: ctx.user.id,
|
|
resourceName: ctx.user.email,
|
|
});
|
|
return result;
|
|
} catch (error) {
|
|
throw new TRPCError({
|
|
code: "BAD_REQUEST",
|
|
message:
|
|
error instanceof Error ? error.message : "Failed to update user",
|
|
});
|
|
}
|
|
}),
|
|
getUserByToken: publicProcedure
|
|
.input(apiFindOneToken)
|
|
.query(async ({ input }) => {
|
|
return await getUserByToken(input.token);
|
|
}),
|
|
getMetricsToken: withPermission("monitoring", "read").query(
|
|
async ({ ctx }) => {
|
|
const user = await findUserById(ctx.user.ownerId);
|
|
const settings = await getWebServerSettings();
|
|
return {
|
|
serverIp: settings?.serverIp,
|
|
enabledFeatures: user.enablePaidFeatures,
|
|
metricsConfig: settings?.metricsConfig,
|
|
};
|
|
},
|
|
),
|
|
remove: protectedProcedure
|
|
.input(
|
|
z.object({
|
|
userId: z.string(),
|
|
}),
|
|
)
|
|
.mutation(async ({ input, ctx }) => {
|
|
if (IS_CLOUD) {
|
|
return true;
|
|
}
|
|
|
|
// Ensure the acting user has admin privileges in the active organization
|
|
if (ctx.user.role !== "owner" && ctx.user.role !== "admin") {
|
|
throw new TRPCError({
|
|
code: "FORBIDDEN",
|
|
message: "Only owners or admins can delete users",
|
|
});
|
|
}
|
|
|
|
// Fetch target member within the active organization
|
|
const targetMember = await db.query.member.findFirst({
|
|
where: and(
|
|
eq(member.userId, input.userId),
|
|
eq(member.organizationId, ctx.session?.activeOrganizationId || ""),
|
|
),
|
|
});
|
|
|
|
if (!targetMember) {
|
|
throw new TRPCError({
|
|
code: "NOT_FOUND",
|
|
message: "Target user is not a member of this organization",
|
|
});
|
|
}
|
|
|
|
// Never allow deleting the organization owner via this endpoint
|
|
if (targetMember.role === "owner") {
|
|
throw new TRPCError({
|
|
code: "FORBIDDEN",
|
|
message: "You cannot delete the organization owner",
|
|
});
|
|
}
|
|
|
|
// Admin self-protection: an admin cannot delete themselves
|
|
if (targetMember.role === "admin" && input.userId === ctx.user.id) {
|
|
throw new TRPCError({
|
|
code: "FORBIDDEN",
|
|
message:
|
|
"Admins cannot delete themselves. Ask the owner or another admin.",
|
|
});
|
|
}
|
|
|
|
// Only owners can delete admins
|
|
// Admins can only delete members
|
|
if (ctx.user.role === "admin" && targetMember.role === "admin") {
|
|
throw new TRPCError({
|
|
code: "FORBIDDEN",
|
|
message:
|
|
"Only the organization owner can delete admins. Admins can only delete members.",
|
|
});
|
|
}
|
|
|
|
const result = await removeUserById(input.userId);
|
|
await audit(ctx, {
|
|
action: "delete",
|
|
resourceType: "user",
|
|
resourceId: input.userId,
|
|
});
|
|
return result;
|
|
}),
|
|
assignPermissions: withPermission("member", "update")
|
|
.input(apiAssignPermissions)
|
|
.mutation(async ({ input, ctx }) => {
|
|
try {
|
|
const organization = await findOrganizationById(
|
|
ctx.session?.activeOrganizationId || "",
|
|
);
|
|
|
|
if (organization?.ownerId !== ctx.user.ownerId) {
|
|
throw new TRPCError({
|
|
code: "UNAUTHORIZED",
|
|
message: "You are not allowed to assign permissions",
|
|
});
|
|
}
|
|
|
|
const { id, accessedGitProviders, accessedServers, ...rest } = input;
|
|
|
|
const licensed = await hasValidLicense(
|
|
ctx.session?.activeOrganizationId || "",
|
|
);
|
|
|
|
await db
|
|
.update(member)
|
|
.set({
|
|
...rest,
|
|
...(licensed && accessedGitProviders !== undefined
|
|
? { accessedGitProviders }
|
|
: {}),
|
|
...(licensed && accessedServers !== undefined
|
|
? { accessedServers }
|
|
: {}),
|
|
})
|
|
.where(
|
|
and(
|
|
eq(member.userId, input.id),
|
|
eq(
|
|
member.organizationId,
|
|
ctx.session?.activeOrganizationId || "",
|
|
),
|
|
),
|
|
);
|
|
await audit(ctx, {
|
|
action: "update",
|
|
resourceType: "user",
|
|
resourceId: input.id,
|
|
metadata: { permissions: rest },
|
|
});
|
|
} catch (error) {
|
|
throw error;
|
|
}
|
|
}),
|
|
getInvitations: protectedProcedure.query(async ({ ctx }) => {
|
|
return await db.query.invitation.findMany({
|
|
where: and(
|
|
eq(invitation.email, ctx.user.email),
|
|
gt(invitation.expiresAt, new Date()),
|
|
eq(invitation.status, "pending"),
|
|
),
|
|
with: {
|
|
organization: true,
|
|
},
|
|
});
|
|
}),
|
|
|
|
getContainerMetrics: withPermission("monitoring", "read")
|
|
.input(
|
|
z.object({
|
|
url: z.string(),
|
|
token: z.string(),
|
|
appName: z.string(),
|
|
dataPoints: z.string(),
|
|
}),
|
|
)
|
|
.query(async ({ input }) => {
|
|
try {
|
|
if (!input.appName) {
|
|
throw new Error(
|
|
[
|
|
"No Application Selected:",
|
|
"",
|
|
"Make Sure to select an application to monitor.",
|
|
].join("\n"),
|
|
);
|
|
}
|
|
const url = new URL(`${input.url}/metrics/containers`);
|
|
url.searchParams.append("limit", input.dataPoints);
|
|
url.searchParams.append("appName", input.appName);
|
|
const response = await fetch(url.toString(), {
|
|
headers: {
|
|
Authorization: `Bearer ${input.token}`,
|
|
},
|
|
});
|
|
if (!response.ok) {
|
|
throw new Error(
|
|
`Error ${response.status}: ${response.statusText}. Please verify that the application "${input.appName}" is running and this service is included in the monitoring configuration.`,
|
|
);
|
|
}
|
|
|
|
const data = await response.json();
|
|
if (!Array.isArray(data) || data.length === 0) {
|
|
throw new Error(
|
|
[
|
|
`No monitoring data available for "${input.appName}". This could be because:`,
|
|
"",
|
|
"1. The container was recently started - wait a few minutes for data to be collected",
|
|
"2. The container is not running - verify its status",
|
|
"3. The service is not included in your monitoring configuration",
|
|
].join("\n"),
|
|
);
|
|
}
|
|
return data as {
|
|
containerId: string;
|
|
containerName: string;
|
|
containerImage: string;
|
|
containerLabels: string;
|
|
containerCommand: string;
|
|
containerCreated: string;
|
|
}[];
|
|
} catch (error) {
|
|
throw error;
|
|
}
|
|
}),
|
|
|
|
generateToken: protectedProcedure.mutation(async () => {
|
|
return "token";
|
|
}),
|
|
|
|
deleteApiKey: protectedProcedure
|
|
.input(
|
|
z.object({
|
|
apiKeyId: z.string(),
|
|
}),
|
|
)
|
|
.mutation(async ({ input, ctx }) => {
|
|
try {
|
|
const apiKeyToDelete = await db.query.apikey.findFirst({
|
|
where: eq(apikey.id, input.apiKeyId),
|
|
});
|
|
|
|
if (!apiKeyToDelete) {
|
|
throw new TRPCError({
|
|
code: "NOT_FOUND",
|
|
message: "API key not found",
|
|
});
|
|
}
|
|
|
|
if (apiKeyToDelete.referenceId !== ctx.user.id) {
|
|
throw new TRPCError({
|
|
code: "UNAUTHORIZED",
|
|
message: "You are not authorized to delete this API key",
|
|
});
|
|
}
|
|
|
|
await db.delete(apikey).where(eq(apikey.id, input.apiKeyId));
|
|
await audit(ctx, {
|
|
action: "delete",
|
|
resourceType: "user",
|
|
resourceId: input.apiKeyId,
|
|
resourceName: apiKeyToDelete.name || undefined,
|
|
});
|
|
return true;
|
|
} catch (error) {
|
|
throw error;
|
|
}
|
|
}),
|
|
|
|
createApiKey: protectedProcedure
|
|
.input(apiCreateApiKey)
|
|
.mutation(async ({ input, ctx }) => {
|
|
// Verify user is a member of the organization specified in metadata
|
|
if (input.metadata?.organizationId) {
|
|
const userMember = await db.query.member.findFirst({
|
|
where: and(
|
|
eq(member.organizationId, input.metadata.organizationId),
|
|
eq(member.userId, ctx.user.id),
|
|
),
|
|
});
|
|
|
|
if (!userMember) {
|
|
throw new TRPCError({
|
|
code: "FORBIDDEN",
|
|
message: "You are not a member of this organization",
|
|
});
|
|
}
|
|
}
|
|
|
|
const apiKey = await createApiKey(ctx.user.id, input);
|
|
await audit(ctx, {
|
|
action: "create",
|
|
resourceType: "user",
|
|
resourceId: apiKey.id,
|
|
resourceName: input.name,
|
|
});
|
|
return apiKey;
|
|
}),
|
|
|
|
checkUserOrganizations: protectedProcedure
|
|
.input(
|
|
z.object({
|
|
userId: z.string(),
|
|
}),
|
|
)
|
|
.query(async ({ input, ctx }) => {
|
|
// Users can check their own organizations
|
|
// Admins and owners can check organizations of members in their active organization
|
|
if (input.userId !== ctx.user.id) {
|
|
// Verify the target user is a member of the active organization
|
|
const targetMember = await db.query.member.findFirst({
|
|
where: and(
|
|
eq(member.userId, input.userId),
|
|
eq(member.organizationId, ctx.session?.activeOrganizationId || ""),
|
|
),
|
|
});
|
|
|
|
if (!targetMember) {
|
|
throw new TRPCError({
|
|
code: "FORBIDDEN",
|
|
message: "User is not a member of your active organization",
|
|
});
|
|
}
|
|
|
|
// Only admins and owners can check other users' organizations
|
|
if (ctx.user.role !== "owner" && ctx.user.role !== "admin") {
|
|
throw new TRPCError({
|
|
code: "FORBIDDEN",
|
|
message:
|
|
"Only admins and owners can check other users' organizations",
|
|
});
|
|
}
|
|
}
|
|
|
|
const organizations = await db.query.member.findMany({
|
|
where: eq(member.userId, input.userId),
|
|
});
|
|
|
|
return organizations.length;
|
|
}),
|
|
createUserWithCredentials: withPermission("member", "create")
|
|
.input(
|
|
z.object({
|
|
email: z.string().email(),
|
|
password: z.string().min(8),
|
|
role: z.string().min(1),
|
|
}),
|
|
)
|
|
.mutation(async ({ input, ctx }) => {
|
|
if (IS_CLOUD) {
|
|
throw new TRPCError({
|
|
code: "FORBIDDEN",
|
|
message:
|
|
"Creating users with initial credentials is only available in self-hosted mode",
|
|
});
|
|
}
|
|
|
|
if (!ctx.session.activeOrganizationId) {
|
|
throw new TRPCError({
|
|
code: "BAD_REQUEST",
|
|
message: "Active organization is required",
|
|
});
|
|
}
|
|
|
|
if (input.role === "owner") {
|
|
throw new TRPCError({
|
|
code: "FORBIDDEN",
|
|
message: "Cannot create a user with the owner role",
|
|
});
|
|
}
|
|
|
|
return await createOrganizationUserWithCredentials({
|
|
organizationId: ctx.session.activeOrganizationId,
|
|
email: input.email,
|
|
password: input.password,
|
|
role: input.role,
|
|
});
|
|
}),
|
|
sendInvitation: withPermission("member", "create")
|
|
.input(
|
|
z.object({
|
|
invitationId: z.string().min(1),
|
|
notificationId: z.string().min(1),
|
|
}),
|
|
)
|
|
.mutation(async ({ input, ctx }) => {
|
|
if (IS_CLOUD) {
|
|
return;
|
|
}
|
|
|
|
const notification = await findNotificationById(input.notificationId);
|
|
|
|
const email = notification.email;
|
|
const resend = notification.resend;
|
|
|
|
const currentInvitation = await db.query.invitation.findFirst({
|
|
where: eq(invitation.id, input.invitationId),
|
|
});
|
|
|
|
if (!email && !resend) {
|
|
throw new TRPCError({
|
|
code: "NOT_FOUND",
|
|
message: "Email provider not found",
|
|
});
|
|
}
|
|
|
|
const host =
|
|
process.env.NODE_ENV === "development"
|
|
? "http://localhost:3000"
|
|
: await getDokployUrl();
|
|
const inviteLink = `${host}/invitation?token=${input.invitationId}`;
|
|
|
|
const organization = await findOrganizationById(
|
|
ctx.session.activeOrganizationId,
|
|
);
|
|
|
|
try {
|
|
const toEmail = currentInvitation?.email || "";
|
|
const orgName = organization?.name || "organization";
|
|
const subject = `You've been invited to join ${orgName} on Dokploy`;
|
|
const html = await renderInvitationEmail({
|
|
email: toEmail,
|
|
inviteLink,
|
|
organizationName: orgName,
|
|
});
|
|
|
|
if (email) {
|
|
await sendEmailNotification(
|
|
{ ...email, toAddresses: [toEmail] },
|
|
subject,
|
|
html,
|
|
);
|
|
} else if (resend) {
|
|
await sendResendNotification(
|
|
{ ...resend, toAddresses: [toEmail] },
|
|
subject,
|
|
html,
|
|
);
|
|
}
|
|
} catch (error) {
|
|
console.log(error);
|
|
throw error;
|
|
}
|
|
await audit(ctx, {
|
|
action: "create",
|
|
resourceType: "user",
|
|
resourceId: input.invitationId,
|
|
resourceName: currentInvitation?.email || "",
|
|
metadata: { type: "sendInvitation" },
|
|
});
|
|
return inviteLink;
|
|
}),
|
|
|
|
getBookmarkedTemplates: protectedProcedure.query(async ({ ctx }) => {
|
|
const result = await db.query.user.findFirst({
|
|
where: eq(user.id, ctx.user.id),
|
|
columns: { bookmarkedTemplates: true },
|
|
});
|
|
|
|
return result?.bookmarkedTemplates ?? [];
|
|
}),
|
|
|
|
toggleTemplateBookmark: protectedProcedure
|
|
.input(
|
|
z.object({
|
|
templateId: z.string().min(1),
|
|
}),
|
|
)
|
|
.mutation(async ({ input, ctx }) => {
|
|
const result = await db.query.user.findFirst({
|
|
where: eq(user.id, ctx.user.id),
|
|
columns: { bookmarkedTemplates: true },
|
|
});
|
|
|
|
const current = result?.bookmarkedTemplates ?? [];
|
|
const isBookmarked = current.includes(input.templateId);
|
|
|
|
const updated = isBookmarked
|
|
? current.filter((id) => id !== input.templateId)
|
|
: [...current, input.templateId];
|
|
|
|
await db
|
|
.update(user)
|
|
.set({ bookmarkedTemplates: updated })
|
|
.where(eq(user.id, ctx.user.id));
|
|
|
|
return { isBookmarked: !isBookmarked };
|
|
}),
|
|
});
|