feat: add SQL migration for lucky echo and update foreign key constraints

- Introduced a new SQL migration file `0171_lucky_echo.sql` to modify the foreign key constraint on the `sso_provider` table, changing the `ON DELETE` behavior from `cascade` to `set null`.
- Updated the journal to include the new migration version and its associated tag.
- Added a snapshot file for version 7 of the database schema, reflecting the current state of the `sso_provider` and other related tables.

These changes enhance the integrity of the database by ensuring that user references are set to null instead of being deleted when the referenced user is removed.

apps/dokploy/drizzle/0171_lucky_echo.sql

@@ -0,0 +1,3 @@
+ALTER TABLE "sso_provider" DROP CONSTRAINT "sso_provider_user_id_user_id_fk";
+--> statement-breakpoint
+ALTER TABLE "sso_provider" ADD CONSTRAINT "sso_provider_user_id_user_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."user"("id") ON DELETE set null ON UPDATE no action;

apps/dokploy/drizzle/meta/_journal.json

@@ -1198,6 +1198,13 @@
       "when": 1780739532982,
       "tag": "0170_amusing_spot",
       "breakpoints": true
+    },
+    {
+      "idx": 171,
+      "version": "7",
+      "when": 1780775037209,
+      "tag": "0171_lucky_echo",
+      "breakpoints": true
     }
   ]
 }

apps/dokploy/server/api/routers/proprietary/forward-auth.ts

@@ -19,13 +19,27 @@ import {
 	apiForwardAuthServerTarget,
 	apiSetForwardAuthSettings,
 } from "@dokploy/server/db/schema";
-import { createTRPCRouter, enterpriseProcedure } from "@/server/api/trpc";
+import { TRPCError } from "@trpc/server";
+import {
+	createTRPCRouter,
+	enterpriseProcedure,
+	withPermission,
+} from "@/server/api/trpc";
 import { audit } from "@/server/api/utils/audit";
 
 export const forwardAuthRouter = createTRPCRouter({
 	getAuthDomain: enterpriseProcedure
 		.input(apiForwardAuthServerTarget)
-		.query(async ({ input }) => {
+		.query(async ({ ctx, input }) => {
+			if (input.serverId) {
+				const server = await findServerById(input.serverId);
+				if (server.organizationId !== ctx.session?.activeOrganizationId) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You are not authorized to access this server",
+					});
+				}
+			}
 			const settings = await getForwardAuthSettings(input.serverId);
 			if (!settings) return null;
 			return {
@@ -43,7 +57,15 @@ export const forwardAuthRouter = createTRPCRouter({
 	setAuthDomain: enterpriseProcedure
 		.input(apiSetForwardAuthSettings)
 		.mutation(async ({ ctx, input }) => {
-			if (input.serverId) await findServerById(input.serverId);
+			if (input.serverId) {
+				const server = await findServerById(input.serverId);
+				if (server.organizationId !== ctx.session?.activeOrganizationId) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You are not authorized to access this server",
+					});
+				}
+			}
 			const result = await setForwardAuthSettings({
 				organizationId: ctx.session.activeOrganizationId,
 				serverId: input.serverId,
@@ -64,7 +86,15 @@ export const forwardAuthRouter = createTRPCRouter({
 	removeAuthDomain: enterpriseProcedure
 		.input(apiForwardAuthServerTarget)
 		.mutation(async ({ ctx, input }) => {
-			if (input.serverId) await findServerById(input.serverId);
+			if (input.serverId) {
+				const server = await findServerById(input.serverId);
+				if (server.organizationId !== ctx.session?.activeOrganizationId) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You are not authorized to access this server",
+					});
+				}
+			}
 			const result = await removeForwardAuthSettings(input.serverId);
 			await audit(ctx, {
 				action: "delete",
@@ -76,10 +106,7 @@ export const forwardAuthRouter = createTRPCRouter({
 		}),
 
 	listProviders: enterpriseProcedure.query(({ ctx }) =>
-		listSsoProvidersForOrg(
+		listSsoProvidersForOrg(ctx.session.activeOrganizationId),
-			ctx.session.activeOrganizationId,
-			ctx.session.userId,
-		),
 	),
 
 	serverStatus: enterpriseProcedure.query(({ ctx }) =>
@@ -89,7 +116,15 @@ export const forwardAuthRouter = createTRPCRouter({
 	deployOnServer: enterpriseProcedure
 		.input(apiDeployForwardAuthOnServer)
 		.mutation(async ({ ctx, input }) => {
-			if (input.serverId) await findServerById(input.serverId);
+			if (input.serverId) {
+				const server = await findServerById(input.serverId);
+				if (server.organizationId !== ctx.session?.activeOrganizationId) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You are not authorized to access this server",
+					});
+				}
+			}
 			const result = await deployForwardAuthOnServer({
 				serverId: input.serverId ?? undefined,
 				providerId: input.providerId,
@@ -107,7 +142,15 @@ export const forwardAuthRouter = createTRPCRouter({
 	removeOnServer: enterpriseProcedure
 		.input(apiForwardAuthServerTarget)
 		.mutation(async ({ ctx, input }) => {
-			if (input.serverId) await findServerById(input.serverId);
+			if (input.serverId) {
+				const server = await findServerById(input.serverId);
+				if (server.organizationId !== ctx.session?.activeOrganizationId) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "You are not authorized to access this server",
+					});
+				}
+			}
 			const result = await removeForwardAuthProxy(input.serverId);
 			await audit(ctx, {
 				action: "delete",
@@ -118,11 +161,11 @@ export const forwardAuthRouter = createTRPCRouter({
 			return result;
 		}),
 
-	status: enterpriseProcedure
+	status: withPermission("domain", "read")
 		.input(apiForwardAuthDomainTarget)
 		.query(({ ctx, input }) => getDomainSsoStatus(ctx, input.domainId)),
 
-	enable: enterpriseProcedure
+	enable: withPermission("domain", "create")
 		.input(apiForwardAuthDomainTarget)
 		.mutation(async ({ ctx, input }) => {
 			const domain = await assertApplicationDomainAccess(
@@ -142,7 +185,7 @@ export const forwardAuthRouter = createTRPCRouter({
 			return result;
 		}),
 
-	disable: enterpriseProcedure
+	disable: withPermission("domain", "create")
 		.input(apiForwardAuthDomainTarget)
 		.mutation(async ({ ctx, input }) => {
 			const domain = await assertApplicationDomainAccess(

apps/dokploy/server/api/routers/proprietary/sso.ts

@@ -53,10 +53,7 @@ export const ssoRouter = createTRPCRouter({
 	}),
 	listProviders: enterpriseProcedure.query(async ({ ctx }) => {
 		const providers = await db.query.ssoProvider.findMany({
-			where: and(
+			where: eq(ssoProvider.organizationId, ctx.session.activeOrganizationId),
-				eq(ssoProvider.organizationId, ctx.session.activeOrganizationId),
-				eq(ssoProvider.userId, ctx.session.userId),
-			),
 			columns: {
 				id: true,
 				providerId: true,
@@ -88,7 +85,6 @@ export const ssoRouter = createTRPCRouter({
 				where: and(
 					eq(ssoProvider.providerId, input.providerId),
 					eq(ssoProvider.organizationId, ctx.session.activeOrganizationId),
-					eq(ssoProvider.userId, ctx.session.userId),
 				),
 				columns: {
 					id: true,
@@ -116,12 +112,12 @@ export const ssoRouter = createTRPCRouter({
 				where: and(
 					eq(ssoProvider.providerId, input.providerId),
 					eq(ssoProvider.organizationId, ctx.session.activeOrganizationId),
-					eq(ssoProvider.userId, ctx.session.userId),
 				),
 				columns: {
 					id: true,
 					issuer: true,
 					domain: true,
+					userId: true,
 				},
 			});
 
@@ -133,6 +129,13 @@ export const ssoRouter = createTRPCRouter({
 				});
 			}
 
+			if (existing.userId !== ctx.session.userId) {
+				await db
+					.update(ssoProvider)
+					.set({ userId: ctx.session.userId })
+					.where(eq(ssoProvider.id, existing.id));
+			}
+
 			const providers = await db.query.ssoProvider.findMany({
 				where: eq(ssoProvider.organizationId, ctx.session.activeOrganizationId),
 				columns: { providerId: true, domain: true },
@@ -218,7 +221,6 @@ export const ssoRouter = createTRPCRouter({
 				where: and(
 					eq(ssoProvider.providerId, input.providerId),
 					eq(ssoProvider.organizationId, ctx.session.activeOrganizationId),
-					eq(ssoProvider.userId, ctx.session.userId),
 				),
 				columns: {
 					id: true,
@@ -241,7 +243,6 @@ export const ssoRouter = createTRPCRouter({
 					and(
 						eq(ssoProvider.providerId, input.providerId),
 						eq(ssoProvider.organizationId, ctx.session.activeOrganizationId),
-						eq(ssoProvider.userId, ctx.session.userId),
 					),
 				)
 				.returning({ id: ssoProvider.id });

packages/server/src/db/schema/sso.ts

@@ -10,7 +10,7 @@ export const ssoProvider = pgTable("sso_provider", {
 	oidcConfig: text("oidc_config"),
 	samlConfig: text("saml_config"),
 	providerId: text("provider_id").notNull().unique(),
-	userId: text("user_id").references(() => user.id, { onDelete: "cascade" }),
+	userId: text("user_id").references(() => user.id, { onDelete: "set null" }),
 	organizationId: text("organization_id").references(() => organization.id, {
 		onDelete: "cascade",
 	}),

packages/server/src/services/proprietary/forward-auth.ts

@@ -84,14 +84,10 @@ const findProviderForOrg = async (
 	return provider;
 };
 
-export const listSsoProvidersForOrg = async (
+export const listSsoProvidersForOrg = async (organizationId: string) => {
-	organizationId: string,
-	userId: string,
-) => {
 	return db.query.ssoProvider.findMany({
 		where: and(
 			eq(ssoProvider.organizationId, organizationId),
-			eq(ssoProvider.userId, userId),
 			isNotNull(ssoProvider.oidcConfig),
 		),
 		columns: { providerId: true, issuer: true, domain: true },