From 17393af717a18bdc29dc177be8c2fdc25fb544cc Mon Sep 17 00:00:00 2001
From: Mauricio Siu
Date: Sun, 5 Apr 2026 12:35:23 -0600
Subject: [PATCH] fix: enhance invitation validation in authentication logic

- Updated the authentication process to check if the email of the user matches the email associated with the invitation token.
- Improved error handling for cases where the user is not found or the email does not match the invitation.
---
 packages/server/src/lib/auth.ts | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/packages/server/src/lib/auth.ts b/packages/server/src/lib/auth.ts
index c05253a13..051e11797 100644
--- a/packages/server/src/lib/auth.ts
+++ b/packages/server/src/lib/auth.ts
@@ -148,12 +148,17 @@ const { handler, api } = betterAuth({
 const xDokployToken = context?.request?.headers?.get("x-dokploy-token");
 if (xDokployToken) {
- const user = await getUserByToken(xDokployToken);
- if (!user) {
+ const invitation = await getUserByToken(xDokployToken);
+ if (!invitation) {
 throw new APIError("BAD_REQUEST", {
 message: "User not found",
 });
 }
+ if (_user.email !== invitation.email) {
+ throw new APIError("BAD_REQUEST", {
+ message: "Email does not match invitation",
+ });
+ }
 } else {
 const isSSORequest = context?.path.includes("/sso");
 if (isSSORequest) {
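Review bot: The new check `_user.email !== invitation.email` is an exact, case-sensitive string comparison, so unless both sides are already normalized elsewhere, an invitation stored as `Alice@Example.com` would reject a sign-up submitted as `alice@example.com` (addresses constructed for illustration); I would compare normalized values, e.g. `if (_user.email.toLowerCase() !== invitation.email.toLowerCase()) {`. The check fails closed, which is the right direction for binding a token to its invitee, so the risk here is wrongly rejected invitees rather than a bypass. Nothing in the visible lines confirms that the invitation is still pending and unexpired; if `getUserByToken` does not enforce that itself, the check belongs next to this one. The first branch still reports `"User not found"` although the lookup result is now named `invitation`, so a message such as `"Invitation not found"` or a short comment would keep the two in step. The enclosing callback begins and ends outside this hunk, so checks made earlier in it are not visible here.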