Implement Single Sign-On (SSO) Feature: Add SSO settings page, integrate OIDC provider registration dialog, and update dependencies for better-auth to version 1.4.18. Enhance user interface with new SSO menu item and improve database schema for SSO providers.

apps/dokploy/components/layouts/side.tsx

@@ -30,6 +30,7 @@ import {
 	Trash2,
 	User,
 	Users,
+	LogIn,
 } from "lucide-react";
 import Link from "next/link";
 import { usePathname } from "next/navigation";
@@ -406,6 +407,15 @@ const MENU: Menu = {
 			isEnabled: ({ auth, isCloud }) =>
 				!!((auth?.role === "owner" || auth?.role === "admin") && !isCloud),
 		},
+		{
+			isSingle: true,
+			title: "SSO",
+			url: "/dashboard/settings/sso",
+			icon: LogIn,
+			// Only enabled for admins in non-cloud environments (enterprise)
+			isEnabled: ({ auth, isCloud }) =>
+				!!((auth?.role === "owner" || auth?.role === "admin") && !isCloud),
+		},
 	],
 
 	help: [

apps/dokploy/components/proprietary/sso/register-oidc-dialog.tsx

@@ -0,0 +1,206 @@
+"use client";
+
+import { Loader2 } from "lucide-react";
+import { useState } from "react";
+import { toast } from "sonner";
+import { authClient } from "@/lib/auth-client";
+import { Button } from "@/components/ui/button";
+import {
+	Dialog,
+	DialogContent,
+	DialogDescription,
+	DialogFooter,
+	DialogHeader,
+	DialogTitle,
+	DialogTrigger,
+} from "@/components/ui/dialog";
+import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
+
+const DEFAULT_SCOPES = ["openid", "email", "profile"];
+
+interface RegisterOidcDialogProps {
+	children: React.ReactNode;
+	onSuccess?: () => void;
+}
+
+export function RegisterOidcDialog({ children, onSuccess }: RegisterOidcDialogProps) {
+	const [open, setOpen] = useState(false);
+	const [isSubmitting, setIsSubmitting] = useState(false);
+	const [form, setForm] = useState({
+		providerId: "",
+		issuer: "",
+		domain: "",
+		clientId: "",
+		clientSecret: "",
+		scopes: DEFAULT_SCOPES.join(" "),
+	});
+
+	const handleSubmit = async (e: React.FormEvent) => {
+		e.preventDefault();
+		if (
+			!form.providerId.trim() ||
+			!form.issuer.trim() ||
+			!form.domain.trim() ||
+			!form.clientId.trim() ||
+			!form.clientSecret.trim()
+		) {
+			toast.error("Please fill in all required fields");
+			return;
+		}
+
+		setIsSubmitting(true);
+		try {
+			const scopes = form.scopes
+				.trim()
+				.split(/\s+/)
+				.filter(Boolean);
+			const { data, error } = await authClient.sso.register({
+				providerId: form.providerId.trim(),
+				issuer: form.issuer.trim(),
+				domain: form.domain.trim(),
+				oidcConfig: {
+					clientId: form.clientId.trim(),
+					clientSecret: form.clientSecret.trim(),
+					scopes: scopes.length > 0 ? scopes : DEFAULT_SCOPES,
+					pkce: true,
+				},
+			});
+
+			if (error) {
+				toast.error(error.message ?? "Failed to register SSO provider");
+				return;
+			}
+
+			toast.success("OIDC provider registered successfully");
+			setForm({
+				providerId: "",
+				issuer: "",
+				domain: "",
+				clientId: "",
+				clientSecret: "",
+				scopes: DEFAULT_SCOPES.join(" "),
+			});
+			setOpen(false);
+			onSuccess?.();
+		} catch (err) {
+			toast.error(
+				err instanceof Error ? err.message : "Failed to register SSO provider",
+			);
+		} finally {
+			setIsSubmitting(false);
+		}
+	};
+
+	return (
+		<Dialog open={open} onOpenChange={setOpen}>
+			<DialogTrigger asChild>{children}</DialogTrigger>
+			<DialogContent className="sm:max-w-[500px]">
+				<DialogHeader>
+					<DialogTitle>Register OIDC provider</DialogTitle>
+					<DialogDescription>
+						Add an OpenID Connect (OIDC) identity provider. Discovery will
+						fill endpoints from the issuer URL when possible.
+					</DialogDescription>
+				</DialogHeader>
+				<form onSubmit={handleSubmit} className="space-y-4">
+					<div className="grid gap-2">
+						<Label htmlFor="providerId">Provider ID</Label>
+						<Input
+							id="providerId"
+							placeholder="e.g. okta or my-idp"
+							value={form.providerId}
+							onChange={(e) =>
+								setForm((f) => ({ ...f, providerId: e.target.value }))
+							}
+						/>
+						<p className="text-xs text-muted-foreground">
+							Unique identifier; used in callback URL path.
+						</p>
+					</div>
+					<div className="grid gap-2">
+						<Label htmlFor="issuer">Issuer URL</Label>
+						<Input
+							id="issuer"
+							placeholder="https://idp.example.com"
+							value={form.issuer}
+							onChange={(e) =>
+								setForm((f) => ({ ...f, issuer: e.target.value }))
+							}
+						/>
+						<p className="text-xs text-muted-foreground">
+							Discovery document is fetched from{" "}
+							<code className="rounded bg-muted px-1">
+								{"{issuer}"}/.well-known/openid-configuration
+							</code>
+						</p>
+					</div>
+					<div className="grid gap-2">
+						<Label htmlFor="domain">Domain</Label>
+						<Input
+							id="domain"
+							placeholder="example.com"
+							value={form.domain}
+							onChange={(e) =>
+								setForm((f) => ({ ...f, domain: e.target.value }))
+							}
+						/>
+						<p className="text-xs text-muted-foreground">
+							Email domain(s) that use this provider (e.g. for sign-in by email).
+						</p>
+					</div>
+					<div className="grid gap-2">
+						<Label htmlFor="clientId">Client ID</Label>
+						<Input
+							id="clientId"
+							placeholder="Client ID from IdP"
+							value={form.clientId}
+							onChange={(e) =>
+								setForm((f) => ({ ...f, clientId: e.target.value }))
+							}
+						/>
+					</div>
+					<div className="grid gap-2">
+						<Label htmlFor="clientSecret">Client secret</Label>
+						<Input
+							id="clientSecret"
+							type="password"
+							placeholder="Client secret from IdP"
+							value={form.clientSecret}
+							onChange={(e) =>
+								setForm((f) => ({ ...f, clientSecret: e.target.value }))
+							}
+						/>
+					</div>
+					<div className="grid gap-2">
+						<Label htmlFor="scopes">Scopes (optional)</Label>
+						<Input
+							id="scopes"
+							placeholder="openid email profile"
+							value={form.scopes}
+							onChange={(e) =>
+								setForm((f) => ({ ...f, scopes: e.target.value }))
+							}
+						/>
+					</div>
+					<DialogFooter>
+						<Button
+							type="button"
+							variant="outline"
+							onClick={() => setOpen(false)}
+							disabled={isSubmitting}
+						>
+							Cancel
+						</Button>
+						<Button type="submit" disabled={isSubmitting}>
+							{isSubmitting && (
+								<Loader2 className="mr-2 size-4 animate-spin" />
+							)}
+							Register provider
+						</Button>
+					</DialogFooter>
+				</form>
+			</DialogContent>
+		</Dialog>
+	);
+}

apps/dokploy/components/proprietary/sso/sso-settings.tsx

@@ -0,0 +1,263 @@
+"use client";
+
+import { Loader2, LogIn, ShieldCheck, Trash2 } from "lucide-react";
+import { useState } from "react";
+import { toast } from "sonner";
+import { DialogAction } from "@/components/shared/dialog-action";
+import { Badge } from "@/components/ui/badge";
+import { Button } from "@/components/ui/button";
+import {
+	Card,
+	CardContent,
+	CardDescription,
+	CardHeader,
+	CardTitle,
+} from "@/components/ui/card";
+import { authClient } from "@/lib/auth-client";
+import { api } from "@/utils/api";
+import { RegisterOidcDialog } from "./register-oidc-dialog";
+
+export function SSOSettings() {
+	const utils = api.useUtils();
+	const { data: providers, isLoading } = api.sso.listProviders.useQuery();
+	const { mutateAsync: deleteProvider, isLoading: isDeleting } =
+		api.sso.deleteProvider.useMutation();
+
+	const [verifyingId, setVerifyingId] = useState<string | null>(null);
+	const [requestingVerificationId, setRequestingVerificationId] = useState<
+		string | null
+	>(null);
+
+	const handleVerifyDomain = async (providerId: string) => {
+		setVerifyingId(providerId);
+		try {
+			const { data, error } = await authClient.sso.verifyDomain({
+				providerId,
+			});
+			if (error) {
+				toast.error(error.message ?? "Domain verification failed");
+				return;
+			}
+			toast.success("Domain verified successfully");
+			await utils.sso.listProviders.invalidate();
+		} catch (err) {
+			toast.error(
+				err instanceof Error ? err.message : "Domain verification failed",
+			);
+		} finally {
+			setVerifyingId(null);
+		}
+	};
+
+	const handleRequestDomainVerification = async (providerId: string) => {
+		setRequestingVerificationId(providerId);
+		try {
+			const { data, error } = await authClient.sso.requestDomainVerification({
+				providerId,
+			});
+			if (error) {
+				toast.error(error.message ?? "Failed to request domain verification");
+				return;
+			}
+			toast.success(
+				"Verification token created. Add the TXT DNS record and verify.",
+			);
+			await utils.sso.listProviders.invalidate();
+		} catch (err) {
+			toast.error(
+				err instanceof Error
+					? err.message
+					: "Failed to request domain verification",
+			);
+		} finally {
+			setRequestingVerificationId(null);
+		}
+	};
+
+	return (
+		<div className="flex flex-col gap-4 rounded-lg border p-4">
+			<div className="flex flex-col gap-2">
+				<div className="flex items-center gap-2">
+					<LogIn className="size-6 text-muted-foreground" />
+					<CardTitle className="text-xl">Single Sign-On (SSO)</CardTitle>
+				</div>
+				<CardDescription>
+					Configure OIDC or SAML identity providers for enterprise sign-in.
+					Users can sign in with their organization&apos;s IdP.
+				</CardDescription>
+			</div>
+
+			{isLoading ? (
+				<div className="flex items-center gap-2 justify-center min-h-[25vh]">
+					<Loader2 className="size-6 text-muted-foreground animate-spin" />
+					<span className="text-sm text-muted-foreground">
+						Loading providers...
+					</span>
+				</div>
+			) : (
+				<>
+					{providers && providers.length > 0 && (
+						<div className="flex flex-wrap items-center gap-2">
+							<RegisterOidcDialog
+								onSuccess={() => utils.sso.listProviders.invalidate()}
+							>
+								<Button variant="secondary" size="sm">
+									<LogIn className="mr-2 size-4" />
+									Add OIDC provider
+								</Button>
+							</RegisterOidcDialog>
+							<span className="text-xs text-muted-foreground">
+								SAML support can be added via API or future UI.
+							</span>
+						</div>
+					)}
+
+					{providers && providers.length > 0 ? (
+						<div className="space-y-3">
+							<span className="text-sm font-medium">Registered providers</span>
+							<div className="grid gap-3 sm:grid-cols-2">
+								{providers.map((provider) => {
+									const isOidc = !!provider.oidcConfig;
+									const isSaml = !!provider.samlConfig;
+									const verified = !!provider.domainVerified;
+
+									return (
+										<Card key={provider.id} className="overflow-hidden">
+											<CardHeader className="pb-2">
+												<div className="flex items-start justify-between gap-2">
+													<div className="flex flex-col gap-1">
+														<CardTitle className="text-base font-medium">
+															{provider.providerId}
+														</CardTitle>
+														<CardDescription className="text-xs">
+															{provider.issuer}
+														</CardDescription>
+														<div className="flex flex-wrap gap-1 mt-1">
+															<Badge variant="secondary" className="text-xs">
+																{provider.domain}
+															</Badge>
+															{isOidc && (
+																<Badge variant="outline" className="text-xs">
+																	OIDC
+																</Badge>
+															)}
+															{isSaml && (
+																<Badge variant="outline" className="text-xs">
+																	SAML
+																</Badge>
+															)}
+															{verified && (
+																<Badge
+																	variant="default"
+																	className="text-xs bg-green-600"
+																>
+																	Verified
+																</Badge>
+															)}
+														</div>
+													</div>
+												</div>
+											</CardHeader>
+											<CardContent className="flex flex-wrap gap-2 pt-0">
+												{!verified && (
+													<>
+														<Button
+															variant="outline"
+															size="sm"
+															disabled={verifyingId === provider.providerId}
+															onClick={() =>
+																handleVerifyDomain(provider.providerId)
+															}
+														>
+															{verifyingId === provider.providerId ? (
+																<Loader2 className="mr-1 size-3 animate-spin" />
+															) : (
+																<ShieldCheck className="mr-1 size-3" />
+															)}
+															Verify domain
+														</Button>
+														<Button
+															variant="ghost"
+															size="sm"
+															disabled={
+																requestingVerificationId === provider.providerId
+															}
+															onClick={() =>
+																handleRequestDomainVerification(
+																	provider.providerId,
+																)
+															}
+														>
+															{requestingVerificationId ===
+															provider.providerId ? (
+																<Loader2 className="mr-1 size-3 animate-spin" />
+															) : null}
+															New verification token
+														</Button>
+													</>
+												)}
+												<DialogAction
+													title="Remove SSO provider"
+													description={`Remove provider "${provider.providerId}"? Users will no longer be able to sign in with this IdP.`}
+													type="destructive"
+													onClick={async () => {
+														try {
+															await deleteProvider({
+																providerId: provider.providerId,
+															});
+															toast.success("Provider removed");
+															await utils.sso.listProviders.invalidate();
+														} catch (err) {
+															toast.error(
+																err instanceof Error
+																	? err.message
+																	: "Failed to remove provider",
+															);
+														}
+													}}
+												>
+													<Button
+														variant="ghost"
+														size="sm"
+														className="text-destructive hover:text-destructive"
+														disabled={isDeleting}
+													>
+														<Trash2 className="mr-1 size-3" />
+														Remove
+													</Button>
+												</DialogAction>
+											</CardContent>
+										</Card>
+									);
+								})}
+							</div>
+						</div>
+					) : (
+						<div className="flex flex-col items-center gap-4 justify-center min-h-[30vh] text-center">
+							<div className="flex flex-col items-center gap-2 max-w-[400px]">
+								<div className="rounded-full bg-muted p-4">
+									<LogIn className="size-8 text-muted-foreground" />
+								</div>
+								<div className="space-y-1">
+									<h3 className="text-lg font-semibold">No SSO providers</h3>
+									<p className="text-sm text-muted-foreground">
+										Add an OIDC provider to allow users to sign in with their
+										organization&apos;s identity provider (e.g. Okta, Azure AD).
+									</p>
+								</div>
+							</div>
+							<RegisterOidcDialog
+								onSuccess={() => utils.sso.listProviders.invalidate()}
+							>
+								<Button variant="secondary">
+									<LogIn className="mr-2 size-4" />
+									Add OIDC provider
+								</Button>
+							</RegisterOidcDialog>
+						</div>
+					)}
+				</>
+			)}
+		</div>
+	);
+}

apps/dokploy/drizzle/0138_common_mathemanic.sql

@@ -0,0 +1,13 @@
+CREATE TABLE "sso_provider" (
+	"id" text PRIMARY KEY NOT NULL,
+	"issuer" text NOT NULL,
+	"oidc_config" text,
+	"saml_config" text,
+	"user_id" text,
+	"provider_id" text NOT NULL,
+	"organization_id" text,
+	"domain" text NOT NULL,
+	CONSTRAINT "sso_provider_provider_id_unique" UNIQUE("provider_id")
+);
+--> statement-breakpoint
+ALTER TABLE "sso_provider" ADD CONSTRAINT "sso_provider_user_id_user_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;

apps/dokploy/drizzle/meta/_journal.json

@@ -967,6 +967,13 @@
       "when": 1769616589728,
       "tag": "0137_naive_power_pack",
       "breakpoints": true
+    },
+    {
+      "idx": 138,
+      "version": "7",
+      "when": 1769745328628,
+      "tag": "0138_common_mathemanic",
+      "breakpoints": true
     }
   ]
 }

apps/dokploy/lib/auth-client.ts

@@ -1,3 +1,4 @@
+import { ssoClient } from "@better-auth/sso/client";
 import {
 	adminClient,
 	apiKeyClient,
@@ -13,6 +14,7 @@ export const authClient = createAuthClient({
 		organizationClient(),
 		twoFactorClient(),
 		apiKeyClient(),
+		ssoClient(),
 		adminClient(),
 		inferAdditionalFields({
 			user: {

apps/dokploy/package.json

@@ -37,6 +37,7 @@
 		"generate:openapi": "tsx -r dotenv/config scripts/generate-openapi.ts"
 	},
 	"dependencies": {
+		"@better-auth/sso": "1.4.18",
 		"@ai-sdk/anthropic": "^2.0.5",
 		"@ai-sdk/azure": "^2.0.16",
 		"@ai-sdk/cohere": "^2.0.4",
@@ -94,7 +95,7 @@
 		"ai": "^5.0.17",
 		"ai-sdk-ollama": "^0.5.1",
 		"bcrypt": "5.1.1",
-		"better-auth": "v1.2.8",
+		"better-auth": "1.4.18",
 		"bl": "6.0.11",
 		"boxen": "^7.1.1",
 		"bullmq": "5.4.2",

apps/dokploy/pages/dashboard/settings/sso.tsx

@@ -0,0 +1,84 @@
+import { IS_CLOUD, validateRequest } from "@dokploy/server";
+import { createServerSideHelpers } from "@trpc/react-query/server";
+import type { GetServerSidePropsContext } from "next";
+import type { ReactElement } from "react";
+import superjson from "superjson";
+import { DashboardLayout } from "@/components/layouts/dashboard-layout";
+import { SSOSettings } from "@/components/proprietary/sso/sso-settings";
+import { Card } from "@/components/ui/card";
+import { appRouter } from "@/server/api/root";
+import { getLocale, serverSideTranslations } from "@/utils/i18n";
+
+const Page = () => {
+	return (
+		<div className="w-full">
+			<div className="h-full rounded-xl max-w-5xl mx-auto flex flex-col gap-4">
+				<Card className="h-full bg-sidebar p-2.5 rounded-xl mx-auto w-full">
+					<div className="rounded-xl bg-background shadow-md">
+						<div className="p-6">
+							<SSOSettings />
+						</div>
+					</div>
+				</Card>
+			</div>
+		</div>
+	);
+};
+
+export default Page;
+
+Page.getLayout = (page: ReactElement) => {
+	return <DashboardLayout metaName="SSO">{page}</DashboardLayout>;
+};
+
+export async function getServerSideProps(
+	ctx: GetServerSidePropsContext<Record<string, unknown>>,
+) {
+	const { req, res } = ctx;
+	const locale = await getLocale(req.cookies);
+	if (IS_CLOUD) {
+		return {
+			redirect: {
+				permanent: true,
+				destination: "/dashboard/projects",
+			},
+		};
+	}
+	const { user, session } = await validateRequest(ctx.req);
+	if (!user) {
+		return {
+			redirect: {
+				permanent: true,
+				destination: "/",
+			},
+		};
+	}
+	if (user.role === "member") {
+		return {
+			redirect: {
+				permanent: true,
+				destination: "/dashboard/settings/profile",
+			},
+		};
+	}
+
+	const helpers = createServerSideHelpers({
+		router: appRouter,
+		ctx: {
+			req: req as any,
+			res: res as any,
+			db: null as any,
+			session: session as any,
+			user: user as any,
+		},
+		transformer: superjson,
+	});
+	await helpers.user.get.prefetch();
+
+	return {
+		props: {
+			trpcState: helpers.dehydrate(),
+			...(await serverSideTranslations(locale, ["settings"])),
+		},
+	};
+}

apps/dokploy/server/api/root.ts

@@ -23,6 +23,7 @@ import { mysqlRouter } from "./routers/mysql";
 import { notificationRouter } from "./routers/notification";
 import { organizationRouter } from "./routers/organization";
 import { licenseKeyRouter } from "./routers/proprietary/license-key";
+import { ssoRouter } from "./routers/proprietary/sso";
 import { portRouter } from "./routers/port";
 import { postgresRouter } from "./routers/postgres";
 import { previewDeploymentRouter } from "./routers/preview-deployment";
@@ -84,6 +85,7 @@ export const appRouter = createTRPCRouter({
 	ai: aiRouter,
 	organization: organizationRouter,
 	licenseKey: licenseKeyRouter,
+	sso: ssoRouter,
 	schedule: scheduleRouter,
 	rollback: rollbackRouter,
 	volumeBackups: volumeBackupsRouter,

apps/dokploy/server/api/routers/proprietary/sso.ts

@@ -0,0 +1,48 @@
+import { ssoProvider } from "@dokploy/server/db/schema";
+import { TRPCError } from "@trpc/server";
+import { and, eq } from "drizzle-orm";
+import { z } from "zod";
+import { adminProcedure, createTRPCRouter } from "@/server/api/trpc";
+import { db } from "@/server/db";
+
+export const ssoRouter = createTRPCRouter({
+	listProviders: adminProcedure.query(async ({ ctx }) => {
+		const providers = await db.query.ssoProvider.findMany({
+			where: eq(ssoProvider.userId, ctx.user.id),
+			columns: {
+				id: true,
+				providerId: true,
+				issuer: true,
+				domain: true,
+				oidcConfig: true,
+				samlConfig: true,
+				organizationId: true,
+			},
+		});
+		return providers;
+	}),
+
+	deleteProvider: adminProcedure
+		.input(z.object({ providerId: z.string().min(1) }))
+		.mutation(async ({ ctx, input }) => {
+			const [deleted] = await db
+				.delete(ssoProvider)
+				.where(
+					and(
+						eq(ssoProvider.providerId, input.providerId),
+						eq(ssoProvider.userId, ctx.user.id),
+					),
+				)
+				.returning({ id: ssoProvider.id });
+
+			if (!deleted) {
+				throw new TRPCError({
+					code: "NOT_FOUND",
+					message:
+						"SSO provider not found or you do not have permission to delete it",
+				});
+			}
+
+			return { success: true };
+		}),
+});

packages/server/auth-schema2.ts

@@ -0,0 +1,274 @@
+import { relations } from "drizzle-orm";
+import {
+  pgTable,
+  text,
+  timestamp,
+  boolean,
+  integer,
+  index,
+  uniqueIndex,
+} from "drizzle-orm/pg-core";
+
+export const user = pgTable("user", {
+  id: text("id").primaryKey(),
+  firstName: text("first_name").notNull(),
+  email: text("email").notNull().unique(),
+  emailVerified: boolean("email_verified").default(false).notNull(),
+  image: text("image"),
+  createdAt: timestamp("created_at").defaultNow().notNull(),
+  updatedAt: timestamp("updated_at")
+    .defaultNow()
+    .$onUpdate(() => /* @__PURE__ */ new Date())
+    .notNull(),
+  twoFactorEnabled: boolean("two_factor_enabled").default(false),
+  role: text("role"),
+  ownerId: text("owner_id"),
+  allowImpersonation: boolean("allow_impersonation").default(false),
+  lastName: text("last_name").default(""),
+});
+
+export const session = pgTable(
+  "session",
+  {
+    id: text("id").primaryKey(),
+    expiresAt: timestamp("expires_at").notNull(),
+    token: text("token").notNull().unique(),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    updatedAt: timestamp("updated_at")
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+    ipAddress: text("ip_address"),
+    userAgent: text("user_agent"),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+    activeOrganizationId: text("active_organization_id"),
+  },
+  (table) => [index("session_userId_idx").on(table.userId)],
+);
+
+export const account = pgTable(
+  "account",
+  {
+    id: text("id").primaryKey(),
+    accountId: text("account_id").notNull(),
+    providerId: text("provider_id").notNull(),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+    accessToken: text("access_token"),
+    refreshToken: text("refresh_token"),
+    idToken: text("id_token"),
+    accessTokenExpiresAt: timestamp("access_token_expires_at"),
+    refreshTokenExpiresAt: timestamp("refresh_token_expires_at"),
+    scope: text("scope"),
+    password: text("password"),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    updatedAt: timestamp("updated_at")
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+  },
+  (table) => [index("account_userId_idx").on(table.userId)],
+);
+
+export const verification = pgTable(
+  "verification",
+  {
+    id: text("id").primaryKey(),
+    identifier: text("identifier").notNull(),
+    value: text("value").notNull(),
+    expiresAt: timestamp("expires_at").notNull(),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    updatedAt: timestamp("updated_at")
+      .defaultNow()
+      .$onUpdate(() => /* @__PURE__ */ new Date())
+      .notNull(),
+  },
+  (table) => [index("verification_identifier_idx").on(table.identifier)],
+);
+
+export const apikey = pgTable(
+  "apikey",
+  {
+    id: text("id").primaryKey(),
+    name: text("name"),
+    start: text("start"),
+    prefix: text("prefix"),
+    key: text("key").notNull(),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+    refillInterval: integer("refill_interval"),
+    refillAmount: integer("refill_amount"),
+    lastRefillAt: timestamp("last_refill_at"),
+    enabled: boolean("enabled").default(true),
+    rateLimitEnabled: boolean("rate_limit_enabled").default(true),
+    rateLimitTimeWindow: integer("rate_limit_time_window").default(86400000),
+    rateLimitMax: integer("rate_limit_max").default(10),
+    requestCount: integer("request_count").default(0),
+    remaining: integer("remaining"),
+    lastRequest: timestamp("last_request"),
+    expiresAt: timestamp("expires_at"),
+    createdAt: timestamp("created_at").notNull(),
+    updatedAt: timestamp("updated_at").notNull(),
+    permissions: text("permissions"),
+    metadata: text("metadata"),
+  },
+  (table) => [
+    index("apikey_key_idx").on(table.key),
+    index("apikey_userId_idx").on(table.userId),
+  ],
+);
+
+export const ssoProvider = pgTable("sso_provider", {
+  id: text("id").primaryKey(),
+  issuer: text("issuer").notNull(),
+  oidcConfig: text("oidc_config"),
+  samlConfig: text("saml_config"),
+  userId: text("user_id").references(() => user.id, { onDelete: "cascade" }),
+  providerId: text("provider_id").notNull().unique(),
+  organizationId: text("organization_id"),
+  domain: text("domain").notNull(),
+});
+
+export const twoFactor = pgTable(
+  "two_factor",
+  {
+    id: text("id").primaryKey(),
+    secret: text("secret").notNull(),
+    backupCodes: text("backup_codes").notNull(),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+  },
+  (table) => [
+    index("twoFactor_secret_idx").on(table.secret),
+    index("twoFactor_userId_idx").on(table.userId),
+  ],
+);
+
+export const organization = pgTable(
+  "organization",
+  {
+    id: text("id").primaryKey(),
+    name: text("name").notNull(),
+    slug: text("slug").notNull().unique(),
+    logo: text("logo"),
+    createdAt: timestamp("created_at").notNull(),
+    metadata: text("metadata"),
+  },
+  (table) => [uniqueIndex("organization_slug_uidx").on(table.slug)],
+);
+
+export const member = pgTable(
+  "member",
+  {
+    id: text("id").primaryKey(),
+    organizationId: text("organization_id")
+      .notNull()
+      .references(() => organization.id, { onDelete: "cascade" }),
+    userId: text("user_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+    role: text("role").default("member").notNull(),
+    createdAt: timestamp("created_at").notNull(),
+  },
+  (table) => [
+    index("member_organizationId_idx").on(table.organizationId),
+    index("member_userId_idx").on(table.userId),
+  ],
+);
+
+export const invitation = pgTable(
+  "invitation",
+  {
+    id: text("id").primaryKey(),
+    organizationId: text("organization_id")
+      .notNull()
+      .references(() => organization.id, { onDelete: "cascade" }),
+    email: text("email").notNull(),
+    role: text("role"),
+    status: text("status").default("pending").notNull(),
+    expiresAt: timestamp("expires_at").notNull(),
+    createdAt: timestamp("created_at").defaultNow().notNull(),
+    inviterId: text("inviter_id")
+      .notNull()
+      .references(() => user.id, { onDelete: "cascade" }),
+  },
+  (table) => [
+    index("invitation_organizationId_idx").on(table.organizationId),
+    index("invitation_email_idx").on(table.email),
+  ],
+);
+
+export const userRelations = relations(user, ({ many }) => ({
+  sessions: many(session),
+  accounts: many(account),
+  apikeys: many(apikey),
+  ssoProviders: many(ssoProvider),
+  twoFactors: many(twoFactor),
+  members: many(member),
+  invitations: many(invitation),
+}));
+
+export const sessionRelations = relations(session, ({ one }) => ({
+  user: one(user, {
+    fields: [session.userId],
+    references: [user.id],
+  }),
+}));
+
+export const accountRelations = relations(account, ({ one }) => ({
+  user: one(user, {
+    fields: [account.userId],
+    references: [user.id],
+  }),
+}));
+
+export const apikeyRelations = relations(apikey, ({ one }) => ({
+  user: one(user, {
+    fields: [apikey.userId],
+    references: [user.id],
+  }),
+}));
+
+export const ssoProviderRelations = relations(ssoProvider, ({ one }) => ({
+  user: one(user, {
+    fields: [ssoProvider.userId],
+    references: [user.id],
+  }),
+}));
+
+export const twoFactorRelations = relations(twoFactor, ({ one }) => ({
+  user: one(user, {
+    fields: [twoFactor.userId],
+    references: [user.id],
+  }),
+}));
+
+export const organizationRelations = relations(organization, ({ many }) => ({
+  members: many(member),
+  invitations: many(invitation),
+}));
+
+export const memberRelations = relations(member, ({ one }) => ({
+  organization: one(organization, {
+    fields: [member.organizationId],
+    references: [organization.id],
+  }),
+  user: one(user, {
+    fields: [member.userId],
+    references: [user.id],
+  }),
+}));
+
+export const invitationRelations = relations(invitation, ({ one }) => ({
+  organization: one(organization, {
+    fields: [invitation.organizationId],
+    references: [organization.id],
+  }),
+  user: one(user, {
+    fields: [invitation.inviterId],
+    references: [user.id],
+  }),
+}));

packages/server/package.json

@@ -26,7 +26,8 @@
     "dev": "rm -rf ./dist && pnpm esbuild && tsc --emitDeclarationOnly --outDir dist -p tsconfig.server.json",
     "esbuild": "tsx ./esbuild.config.ts && tsc --project tsconfig.server.json --emitDeclarationOnly ",
     "typecheck": "tsc --noEmit",
-    "dbml:generate": "npx tsx src/db/schema/dbml.ts"
+    "dbml:generate": "npx tsx src/db/schema/dbml.ts",
+    "generate:drizzle": "pnpm dlx  @better-auth/cli generate --output auth-schema2.ts --config src/lib/auth.ts"
   },
   "dependencies": {
     "@ai-sdk/anthropic": "^2.0.5",
@@ -43,12 +44,13 @@
     "@oslojs/crypto": "1.0.1",
     "@oslojs/encoding": "1.1.0",
     "@react-email/components": "^0.0.21",
+    "@better-auth/sso":"1.4.18",
     "@trpc/server": "^10.45.2",
     "adm-zip": "^0.5.16",
     "ai": "^5.0.17",
     "ai-sdk-ollama": "^0.5.1",
     "bcrypt": "5.1.1",
-    "better-auth": "v1.2.8",
+    "better-auth": "1.4.18",
     "bl": "6.0.11",
     "boxen": "^7.1.1",
     "date-fns": "3.6.0",
@@ -82,6 +84,7 @@
     "semver": "7.7.3"
   },
   "devDependencies": {
+		"@better-auth/cli": "1.4.18",
     "@types/semver": "7.7.1",
     "@types/adm-zip": "^0.5.7",
     "@types/bcrypt": "5.0.2",

packages/server/src/db/constants.ts

@@ -34,6 +34,5 @@ if (DATABASE_URL) {
 		Please migrate to Docker Secrets using POSTGRES_PASSWORD_FILE.
 		Please execute this command in your server: curl -sSL https://dokploy.com/security/0.26.6.sh | bash
 		`);
-	dbUrl =
-		"postgres://dokploy:amukds4wi9001583845717ad2@dokploy-postgres:5432/dokploy";
+	dbUrl = "postgres://dokploy:amukds4wi9001583845717ad2@localhost:5432/dokploy";
 }

packages/server/src/db/schema/account.ts

@@ -203,3 +203,21 @@ export const apikeyRelations = relations(apikey, ({ one }) => ({
 		references: [user.id],
 	}),
 }));
+
+export const ssoProvider = pgTable("sso_provider", {
+	id: text("id").primaryKey(),
+	issuer: text("issuer").notNull(),
+	oidcConfig: text("oidc_config"),
+	samlConfig: text("saml_config"),
+	userId: text("user_id").references(() => user.id, { onDelete: "cascade" }),
+	providerId: text("provider_id").notNull().unique(),
+	organizationId: text("organization_id"),
+	domain: text("domain").notNull(),
+});
+
+export const ssoProviderRelations = relations(ssoProvider, ({ one }) => ({
+	user: one(user, {
+		fields: [ssoProvider.userId],
+		references: [user.id],
+	}),
+}));

packages/server/src/db/schema/user.ts

@@ -10,7 +10,7 @@ import {
 import { createInsertSchema } from "drizzle-zod";
 import { nanoid } from "nanoid";
 import { z } from "zod";
-import { account, apikey, organization } from "./account";
+import { account, apikey, organization, ssoProvider } from "./account";
 import { backups } from "./backups";
 import { projects } from "./project";
 import { schedules } from "./schedule";
@@ -69,6 +69,7 @@ export const usersRelations = relations(user, ({ one, many }) => ({
 		references: [account.userId],
 	}),
 	organizations: many(organization),
+	ssoProviders: many(ssoProvider),
 	projects: many(projects),
 	apiKeys: many(apikey),
 	backups: many(backups),

packages/server/src/lib/auth.ts

@@ -1,4 +1,5 @@
 import type { IncomingMessage } from "node:http";
+import { sso } from "@better-auth/sso";
 import * as bcrypt from "bcrypt";
 import { betterAuth } from "better-auth";
 import { drizzleAdapter } from "better-auth/adapters/drizzle";
@@ -17,7 +18,7 @@ import { getHubSpotUTK, submitToHubSpot } from "../utils/tracking/hubspot";
 import { sendEmail } from "../verification/send-verification-email";
 import { getPublicIpWithFallback } from "../wss/utils";
 
-const { handler, api } = betterAuth({
+export const { handler, api } = betterAuth({
 	database: drizzleAdapter(db, {
 		provider: "pg",
 		schema: schema,
@@ -240,6 +241,7 @@ const { handler, api } = betterAuth({
 		apiKey({
 			enableMetadata: true,
 		}),
+		sso(),
 		twoFactor(),
 		organization({
 			async sendInvitationEmail(data, _request) {